Security Automation, powered by the Cloud

Qualys Web Application Firewall

Qualys Web Application Firewall (WAF) is a next-generation cloud service that brings an unparalleled combination of scalability and simplicity to web app security. Its automated, adaptive approach lets you quickly and more efficiently:

  • Block attacks on web server vulnerabilities and app security defects.
  • Prevent disclosure of sensitive information.
  • Control where and when your applications are accessed.

Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.


Global Scalability & Manageability
powered by the Qualys Cloud Platform

As part of the award-winning Qualys Cloud Platform, Qualys WAF is designed specifically to be efficient and easy to use, whether you have a few apps or thousands to protect.

  • Immediate deployment — no hardware to set up, always up-to-date
  • Global scalability — add more apps anytime, throughout the world
  • Multiple, unified solutions — one console for WAF, WAS, VM and more
  • Centralized management — apply policies consistently across apps
  • XML APIs — publish data to other enterprise systems (e.g., SIEM)

Integrated Web App Security:
Detect with WAS, protect with WAF

Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.

Cloud Deployment

Fast deployment for public or private cloud apps

With Qualys WAF, there is no special hardware to buy or maintain. Instead, virtual machine images containing Qualys WAF sensor software are deployed alongside your web applications (SSL or plain text) in either your public or private cloud environment. These sensor virtual machines scale seamlessly, so you can add new applications quickly and transparently. Application traffic stays within your environment, minimizing latency and allowing you to retain control.

Available in AMI format for Amazon EC2 and in OVA format for VMware vCenter, the WAF sensor virtual machines are fully managed by Qualys 24x7x365. They are easy to deploy, enabling you to start protecting your apps in 30 minutes or less.


Easy-to-use, adaptive security policies that are always up-to-date

Qualys WAF brings a new approach to web application security. You simply describe the level of security that you would like for each application with a few quick clicks, and Qualys WAF automatically figures out what to do and how to adapt to different situations. No specialized expertise is required, and there are no complicated rule sets to configure or maintain.

Customizable protection against current and future threats

Qualys WAF provides built-in protection against a wide range of attacks such as Cross-Site Scripting (XSS), SQL injection, corrupted requests, and more. You can easily tailor how Qualys WAF handles different types of threats, from simply logging to actively blocking them. As new threats emerge, additional defenses created by Qualys’s worldwide security experts are automatically added.

Protection against clickjacking, Cross-Site Scripting (XSS), and other browser-based attacks

In addition to defending your apps, Qualys WAF helps protect your users. With Qualys WAF, you can enable security features in modern web browsers – without having to modify your applications – to reduce the likelihood of:

  • Cookie stealing
  • Clickjacking
  • Cross-site scripting (XSS)

Blocking access from prohibited countries or networks

Qualys WAF helps you comply with policies and regulations that prohibit access to certain types of web applications or information from particular locations. You can restrict access from specific countries or network address blocks, and even set hours of operation.

Preventing transmission of sensitive content or files

With Qualys WAF, you can block users from uploading or downloading content or files in formats that your application is not supposed to use. This can help you limit contamination of your web server and prevent the theft of administrative files (such as backups, source code, or data) that aren’t supposed to be accessed.


  • Visual dashboard showing status at a glance

    Qualys WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.

  • Interactive insights into potential threats

    Qualys WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.

  • Detailed understanding of each threat

    Qualys WAF helps you investigate suspicious activity by providing detailed information about each potential threat it detects. With a click, you can see what happened as well as where and when it took place. Links to Qualys’ comprehensive KnowledgeBase provide additional information about each threat and how to address it.



Gartner: Web App Firewalls Are Worth the Investment for Enterprises


7 Myths of Web Application Firewall

Product Guide

Getting Started Guide for Web Application Firewall

Qualys is trusted by the majority of the Forbes Global 100
and thousands of organizations big and small!

  • BASF
  • Dupont
  • HP
  • Oracle
  • Pfizer
  • eBay
  • Thomson
  • Cisco
  • Adobe
  • Daimler
  • Microsoft
  • Sony
  • Cigna
  • Nissan

Qualys Cloud Platform

& Integrated Suite of Security & Compliance Applications

Qualys solutions can also be purchased a la carte — as your security needs grow.
There’s nothing to install or maintain.
