This is the story of Company A and Company B, whose seemingly different web application and API security approaches share a subtle yet crucial flaw. This flaw resulted in data breaches (and all the associated negative outcomes) for both.
Company A has the most secure API protection possible. They block all schema violations, rate limit excessive requests, and use the latest threat intelligence to blocklist known malicious IP addresses. Their password-based API authentication could be more secure if it were replaced with mutual TLS, but they have never had a breach yet.
But their API security, threat intelligence feed, and WAF are all from different vendors. And thanks to vendor updates, the threat intelligence informing their API security is no longer compatible with their WAF, which protects their account login page. Consequently, an attacker is able to use a new SQL injection exploit on this page and obtain a legitimate user's username and password. The attacker then sends authenticated, schema-validated requests to their API, and obtains reams of sensitive data.
Meanwhile, Company B's web application is fully secured against DDoS attacks. Company B also exposes an API to paying users who want to integrate with Company B's application.
The attacker purchases a legitimate paying user's API key on the dark web. Armed with this key, the attacker launches a low-and-slow DDoS attack against Company B's API server. The attacker activates a bot that sends requests at irregular intervals. Each API request the bot sends is accepted as legitimate by the API server, because it comes with an acceptable API key. And unfortunately for Company B, their backend team forgot to proxy their API server through their DDoS mitigation provider — even though all their other servers are protected.
As the requests pile up on top of each other, the API server becomes overwhelmed, and finally cannot serve Company B's other users at all. Many of them cancel their paid accounts out of frustration.
What issue did Companies A and B have in common?
In these examples, both companies’ web application and API security approaches were patchwork combinations of solutions from multiple vendors. The solutions were not integrated and also prone to manual error.
To understand why this is a problem, consider the typical components of a web application and API security framework:
WAF: Blocks attacks against web applications and web properties
Bot management: Responsible for challenging or blocking probable malicious bots
DDoS mitigation: Keeps web properties online in the face of DDoS attacks of any kind (whether volumetric or low and slow)
API protection: Includes rate limiting, schema validation, authentication, and so on for APIs
Company A and Company B had adopted all of these protections. But because their web application security solutions were disparate (even if best-in-class), they had flaws that the attacker was able to exploit.
For Company A, the WAF and the API protection were layered rather than integrated, so each had to face and block the attack on its own; an attack that one might stop could get past the other. Company B's DDoS protection did not cover their API infrastructure, their bot management did not detect API requests that originated from bots, and their authentication was weak and easily compromised.
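To make Company B's gap concrete, here is an added example (not Cloudflare's or any vendor's code) that runs per-API-key request accounting over a constructed access log: every request carries a valid key, and the bot's irregular spacing keeps it under a short burst rule, but counting per key over a longer window still exposes it. The key names, log lines and thresholds are all constructed for this illustration.

```python
"""Per-API-key request accounting over a constructed API access log.

Models the Company B scenario: authentication and schema checks pass for
every request because the key is valid, so the only signal left is how
each key behaves over time. Two rules are applied per key: a short burst
rule and a longer sustained-volume rule.
"""
from collections import defaultdict, deque

# Constructed sample log entries: (unix_seconds, api_key, path).
# key_good is a normal integration polling every 60 s; key_batch makes one
# small legitimate burst; key_stolen is the bot, sending at irregular
# 1-9 second gaps (never more than 3 requests in any 10 s span).
BOT_GAPS = [1, 7, 2, 9, 4, 6, 3, 8, 5]           # constructed pattern


def build_sample_log():
    log = [(t, "key_good", "/v1/orders") for t in range(5, 300, 60)]
    log += [(t, "key_batch", "/v1/orders") for t in range(100, 104)]
    t, i = 0, 0
    while t < 300:                                 # 5-minute capture
        log.append((t, "key_stolen", "/v1/orders"))
        t += BOT_GAPS[i % len(BOT_GAPS)]
        i += 1
    return sorted(log)


SAMPLE_LOG = build_sample_log()

BURST_WINDOW, BURST_LIMIT = 10, 5          # constructed: bot stays under this
SUSTAINED_WINDOW, SUSTAINED_LIMIT = 300, 40  # constructed: bot exceeds this


def flag_keys(log, window, limit):
    """Return the set of keys exceeding `limit` requests in any
    `window`-second span (sliding window per key)."""
    flagged = set()
    recent = defaultdict(deque)
    for ts, key, _path in sorted(log):
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] >= window:           # drop timestamps outside window
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    print("burst rule flags:    ", flag_keys(SAMPLE_LOG, BURST_WINDOW, BURST_LIMIT))
    print("sustained rule flags:", flag_keys(SAMPLE_LOG, SUSTAINED_WINDOW, SUSTAINED_LIMIT))
```

The burst rule alone flags nothing, which is exactly the blind spot a valid-key, low-and-slow bot exploits; the sustained rule flags only the stolen key.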
These are just a couple of examples of potential gaps. Other common gaps in web application security include:
Limited threat intelligence: Threat intelligence that’s not up to date, does not go to the right place, or is not in a compatible format. This happened to Company A.
Too much threat intelligence from too many sources: Resulting in false positives, redundancy, and other inefficiencies.
Bot false positives: This can frustrate users, slow down service, and lead to lax enforcement.
Alert fatigue: A 2025 Ponemon Institute study confirms that the average enterprise deploys 45 distinct security tools, an echo of previous findings but still reflective of tool proliferation and rising alert fatigue. In fact, more recent industry analysis suggests many organizations now use 60–80 different security solutions — and some manage up to 140 — further escalating complexity and management burdens.
Insufficient authentication: Both Company A and Company B were vulnerable to credential theft in some form.
Non-scalable threat defense: Hardware security appliances bottleneck traffic and become overwhelmed during large attacks or with a variety of attacks.
These gaps are becoming even more risky as the complexity and sophistication of cyber attacks increase. Per McKinsey, since the launch of ChatGPT, phishing sites detected have surged by 138%, driven by generative AI’s role in crafting more convincing emails and deepfakes, greatly accelerating attacker capabilities. Modern attackers are often moving faster and improving their tactics more quickly than their targets.
APIs are increasingly important to the modern organization's web application infrastructure. Today, a significant portion of the dynamic traffic processed by Cloudflare is API-based—and that share continues to grow. In fact, many organizations describe themselves as API-first. Moreover, Cloudflare blocks a greater percentage of API traffic as malicious than web traffic, demonstrating that attackers have APIs firmly in their crosshairs.
With APIs so often embedded deeply within web applications, their security must be paramount. Yet well-meaning internal teams often deploy APIs quickly — and often without consulting security. The result: Many web application breaches can be traced back to poor API security.
A stark example of the growing risks tied to insecure APIs comes from TotalEnergies. In 2025, flawed API infrastructure led to a staggering 105‑fold escalation in exposed data, surging from just 210,715 records in 2024 to over 22 million shared on dark web markets. This dramatic leap underlines the urgent need for energy — and all sectors — to treat API security as core infrastructure, not an afterthought.
What if, instead of using a patchwork of security products, Company A and Company B had combined all of their web application and API security services onto one consolidated platform? And those different services all integrated with each other? And data about the state of the company's infrastructure appeared in a single location, so they could quickly assess attacks and their security posture?
Company A could have ensured all their web application and API security framework components had the latest threat intelligence and stopped the attack before it started — since it would all be on one platform. Company B could have more easily extended their DDoS protection to all their servers.
Using a platform would mean easier management, with fewer gaps.
This consolidated approach to web application security requires highly scalable infrastructure, able to proxy all types of traffic. In previous decades, organizations bought appliances when they needed to defend themselves from new attacks, or when they needed to scale up. But a cloud-based service scales up more easily and should be able to proxy any type of infrastructure. And while a consolidated platform is no guarantee against all attacks, it certainly would have helped our hypothetical companies.
This is not merely a hypothetical thought experiment. WAAP (Web Application and API Protection) platforms are quickly becoming essential infrastructure — not just a theoretical best practice. The global cloud WAAP market was valued at USD 6.12 billion in 2023, and it's projected to grow at a 17.8% CAGR through 2032, according to DataHorizzon Research.
This growth reflects the rising need to consolidate WAF, bot mitigation, DDoS protection, and API security into scalable cloud services — especially as web applications and APIs face a growing volume of complex threats across multicloud environments.
WAAP is not just another acronym: Consolidating WAF, bot management, DDoS protection, API security, and other services is increasingly essential for modern organizations. The global nature of the internet opens web applications and APIs to varied — and increasingly complex — attack vectors. Not surprisingly, data breach costs continue to escalate. In 2023, the global average breach cost climbed to $4.45 million, with U.S. organizations bearing some of the highest financial burdens — around $9.48 million per incident. As of early 2024, that global figure has grown further to approximately $4.88 million — a 10% increase in just one year.
If Company A and Company B were to build their applications and APIs from scratch today, they might host them entirely in the cloud, perhaps with one hosting provider for ease of deployment. But in reality, most organizations have deployed hybrid infrastructure with legacy on-premise database servers, cloud-based third-party APIs, and application services hosted in multiple clouds. These deployments offer many advantages but also come with security challenges of their own.
To begin with, discovering and mapping all of their infrastructure in order to defend it may prove a challenge. Native security in a given cloud provider's offering may not extend to the entirety of that infrastructure. And last, that provider's security products may not be compatible with other solutions in the organization's tech stack.
Therefore, in addition to consolidating crucial web application security capabilities, WAAP needs to be infrastructure-agnostic, meaning it has to be able to sit in front of any type of infrastructure or cloud deployment.
Cloudflare is cloud-native and infrastructure-agnostic, has offered web app security for well over a decade, and offers all these capabilities as one consolidated platform, within a single pane of glass. Cloudflare also has the advantage of seeing a large percentage of the Internet's traffic, serving over 78 million HTTP requests per second and blocking ~190 billion cyber threats each day on average. This gives Cloudflare unique visibility into zero-day threats and new attacks.
After reading this article you will be able to understand:
How disparate security solutions can create security gaps
Examples of how these gaps might manifest
Why Gartner recommends consolidating with an infrastructure-agnostic web application security platform