A classical WAF inspects HTTP request payloads for known attack signatures — SQL injection, XSS, command injection. That work is still essential, and most attacks still hit it. But the attack surface is no longer just HTTP payloads that match a signature.
Public APIs carry traffic that doesn't look like a browser request, and traditional WAF rules miss it. Automated bots emulate real users, evade signature checks, and exhaust credentials at scale. Account takeover happens through credential stuffing campaigns that hit valid login endpoints with valid-looking traffic. Third-party JavaScript on your pages exfiltrates form data straight to the attacker — and your WAF never sees it, because the data leaves the browser before it reaches your server.
The industry's answer is WAAP — Web Application and API Protection — a single umbrella that adds API security, bot management, account takeover prevention and client-side defense on top of the WAF. TR7 implements that umbrella as one platform, on-prem, attached to the same vService that already delivers your application.
Each of these is valuable alone. Together, they redefine what a web application and API protection platform looks like when it does not depend on someone else's cloud.
Most modern WAAP options route your traffic through an edge cloud you don't operate. TR7 WAAP runs on your hardware, in your data center, under your network controls. No third-party traffic interception, no out-of-perimeter request decryption, no shared multi-tenant edge.
WAF (OWASP Top 10 + custom signatures + virtual patching), API security (discovery + OpenAPI schema enforcement), bot management, account takeover prevention, L7 DDoS protection, client-side and Magecart defense. One platform; not a stitched suite of separate appliances.
10,000+ active signatures continuously updated. 10/10 OWASP Web Top 10 and 10/10 OWASP API Top 10 coverage. Every detection mapped natively to 100+ CWE codes, 30+ CAPEC patterns and 30+ MITRE ATT&CK techniques — so your SOC and compliance team see WAAP events in the same taxonomy they already use.
11-factor behavioral scoring engine adapts to your application's normal traffic — TLS fingerprints, IP reputation across 23 categories, request rhythm, and more. On top of that: a content-aware rule engine that can rate-limit or act on any traffic attribute, including parsed JSON body values, header content or cookie contents — without writing a single line of script.
Volumetric DDoS absorbed at the edge of your network, WAAP-blocked requests, bot challenges and rate-limited traffic — none of it counts toward your bandwidth meter. The harder your WAAP works, the bigger the gap between throughput and billable bandwidth.
Every capability below ships as part of the WAAP platform and attaches to your existing vServices.
10/10 coverage on both the OWASP Web Application Top 10 and the OWASP API Security Top 10. SQL injection, XSS, command injection, CSRF, path traversal, broken object-level authorization and the rest — all covered by managed signatures with continuous updates.
Continuously updated signature set covering known attack patterns, exploit primitives and emerging CVEs. Virtual patching turns a new CVE into a deployed rule in hours, not weeks.
Every detection mapped to its CWE code (100+ codes), CAPEC attack pattern (30+ patterns) and MITRE ATT&CK technique (30+ techniques). SOC investigations, SIEM correlation and compliance reports speak the same taxonomy as the rest of your security stack.
Add organization-specific signatures, exception rules and virtual patches. Per-vService rule scoping so a policy on one service does not affect another.
API discovery surfaces endpoints actually in use. OpenAPI schema enforcement validates request method, path, parameters and body against the contract. Per-endpoint rate limits and method restrictions.
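What the OpenAPI schema check described above does in practice, as an added example rather than TR7's own validator: a request is matched against a constructed contract on method, path, query parameters and JSON body, and anything the contract does not declare becomes a block reason. The contract, the orders API and the error strings are assumptions made for this illustration.

```python
import json
import re
# Constructed, trimmed OpenAPI 3 document for a hypothetical orders API (illustration, not TR7's engine).
CONTRACT = {"paths": {"/orders": {
    "get": {"parameters": [{"name": "id", "in": "query", "schema": {"type": "integer"}}]},
    "post": {
        "parameters": [{"name": "verbose", "in": "query", "schema": {"type": "boolean"}}],
        "requestBody": {"content": {"application/json": {"schema": {
            "required": ["sku", "qty"], "additionalProperties": False,
            "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}}}}}}}}}}
# Query values arrive as text; body values are typed JSON (a bool is not an integer).
TEXT_FORM = {"integer": r"-?\d+", "boolean": r"true|false", "string": r".*"}
JSON_TYPE = {"integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
             "boolean": lambda v: isinstance(v, bool), "string": lambda v: isinstance(v, str)}
def check_query(declared, query):
    """Every query parameter must be declared for the operation and match its type."""
    types = {p["name"]: p["schema"]["type"] for p in declared if p["in"] == "query"}
    errs = []
    for name, value in query.items():
        if name not in types:
            errs.append(f"undeclared query parameter {name}")
        elif not re.fullmatch(TEXT_FORM[types[name]], value):
            errs.append(f"query parameter {name} is not {types[name]}")
    return errs

def check_body(schema, body):
    """Required fields present, declared fields correctly typed, undeclared fields rejected."""
    errs = [f"missing field {k}" for k in schema.get("required", []) if k not in body]
    for k, v in body.items():
        prop = schema.get("properties", {}).get(k)
        if prop is None and not schema.get("additionalProperties", True):
            errs.append(f"unexpected field {k}")
        elif prop and not JSON_TYPE[prop["type"]](v):
            errs.append(f"field {k} is not {prop['type']}")
    return errs

def enforce(method, path, query, raw_body):
    """Decide ('allow' | 'block', reasons) for one request against CONTRACT."""
    op = CONTRACT["paths"].get(path, {}).get(method.lower())
    if op is None:  # unknown path, or a method the contract never declares for it
        return "block", [f"{method} {path} is not in the contract"]
    errs = check_query(op.get("parameters", []), query)
    schema = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
    if schema:
        try:
            body = json.loads(raw_body)
        except ValueError:
            return "block", ["body is not valid JSON"]
        errs += check_body(schema, body) if isinstance(body, dict) else ["body is not a JSON object"]
    return ("block" if errs else "allow"), errs
```

Every reason string is kept rather than stopping at the first mismatch, so a blocked request is logged with everything that deviated from the contract.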
11-factor weighted scoring engine analyzes TLS fingerprints, IP reputation across 23 categories, request rhythm and request shape. Behavioral baseline adapts to your application's normal traffic over time, with an exponential scoring curve tuned for low false positives.
Rate limit, challenge or block on any traffic attribute — header values, cookie contents, URL parameters, and even values inside parsed JSON request bodies. All configured visually in the same rule builder used elsewhere on the platform. No proprietary scripting language.
Detects credential stuffing patterns on login endpoints. Recognises distributed low-and-slow attempts, impossible travel and abnormal session-creation rates that single-IP rate limiting misses.
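As an added illustration (not TR7's code) of the kind of rule the two paragraphs above describe: the username is taken from the parsed JSON login body and failures are counted per account in a sliding window, so a campaign spread across many source addresses is challenged and then blocked while a per-IP limit would never fire. The thresholds, the login body shape and the sample traffic are constructed for this example.

```python
import json
from collections import defaultdict, deque
# Constructed policy: block an account after 5 failures within 10 minutes, and start
# challenging once 3 distinct source IPs have failed on it, however few attempts each made.
WINDOW_SECONDS = 600
MAX_FAILURES = 5
DISTINCT_IPS_TO_CHALLENGE = 3

class AccountThrottle:
    """Sliding-window failure counter keyed by the username parsed from the JSON login body."""
    def __init__(self):
        self.attempts = defaultdict(deque)  # username -> deque of (ts, src_ip) failures
    def _window(self, user, ts):
        q = self.attempts[user]
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()  # forget failures older than the window
        return q
    def decide(self, ts, src_ip, body):
        """Return 'allow', 'challenge' or 'block' for a login request before it reaches the backend."""
        try:
            user = json.loads(body).get("username")
        except (ValueError, AttributeError):
            return "block"  # not the JSON object the login endpoint expects
        if not isinstance(user, str):
            return "block"
        q = self._window(user.lower(), ts)
        if len(q) >= MAX_FAILURES:
            return "block"
        # Many different IPs failing on one account is the distributed pattern a
        # per-IP limit never sees: each address on its own stays under any threshold.
        if len({ip for _, ip in q}) >= DISTINCT_IPS_TO_CHALLENGE:
            return "challenge"
        return "allow"
    def record_failure(self, ts, src_ip, body):
        """Called once the backend has answered the login attempt with a failure."""
        self.attempts[json.loads(body)["username"].lower()].append((ts, src_ip))

def run(events):
    """Feed (ts, src_ip, body, login_succeeded) events; return the decision taken for each."""
    throttle, decisions = AccountThrottle(), []
    for ts, ip, body, ok in events:
        decisions.append(throttle.decide(ts, ip, body))
        if decisions[-1] != "block" and not ok:
            throttle.record_failure(ts, ip, body)
    return decisions

# Constructed low-and-slow campaign: seven failures on one account, one per minute,
# each from a different address, so no single IP ever makes more than one attempt.
SAMPLE = [(60 * i, f"203.0.113.{i}", '{"username": "Alice", "password": "guess"}', False)
          for i in range(7)]
```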
HTTP-flood, slow-loris and application-layer volumetric attacks absorbed at the WAAP layer. Pair with TR7's L4 DDoS protection for the full vector range.
Monitors third-party scripts loaded by your pages. Detects unauthorized script changes, suspicious form-data exfiltration patterns and supply-chain skimming attacks that the server-side WAAP cannot see.
Signature databases for WAAP, bot fingerprints and IP reputation feeds update continuously — no manual download cycle, no version skew between sites.
TLS termination supports post-quantum cipher suites alongside classical ones — ready for the migration without re-architecting when it becomes mandatory.
Group services by tenant or business unit; apply policy at the group level. One ruleset for the corporate tenant, another for the customer tenant, both on one platform.
Branded block pages per policy. Show the right message to the right blocked request; serve a maintenance page when an attack triggers an automated lockdown.
When payload inspection is not enough — the request looks clean but the attacker is targeting browser-rendered DOM — the ZeroLeak isolation layer renders the application off-device, so there is nothing on the user's machine for the attacker to exfiltrate.
Every WAAP decision — blocked, challenged, allowed — emits structured telemetry. Investigate any request end-to-end through the same console used to manage the vService.
Six well-defined stages. Every stage configurable per vService. Every stage visible as a diagram in the Dynamic Flow Panel.
The request reaches the vService listener. TLS terminates here so the WAAP layers can inspect cleartext. Modern ciphers, hardware-accelerated handshakes.
L7 DDoS protection, IP reputation feeds and geo policy run before deep inspection. Obvious flood traffic and known-bad sources are dropped without consuming inspection budget.
OWASP signature checks, custom rules, structural attack detection, parameter and argument validation. Request scored and decided: allow, block, virtual patch, or pass to behavior analysis.
Signature and behavior signals score the request as human, known bot or unknown automation. Mitigation per policy: allow, challenge, throttle, or drop.
For requests targeting an API endpoint, the OpenAPI schema check validates method, path, parameters and body against the contract. Mismatches trigger configured action.
The decision is applied — pass through to backend, return a block page, issue a challenge, or rate-limit. The full decision chain is logged for investigation and compliance.
Bot management blocks credential stuffing and carding bots during high-traffic events. WAAP rules stop OWASP Top 10 attacks; client-side defense prevents skimmers from harvesting card data at checkout.
OWASP-mandated controls, account takeover prevention on login endpoints, API protection for open-banking flows, and audit-ready logging for regulatory review.
Patient data protection at the application layer; on-prem deployment keeps PHI inside the hospital perimeter; schema validation on portal APIs prevents injection-style data leakage.
On-prem WAAP for citizen-facing services where data residency is non-negotiable. OWASP coverage for compliance frameworks, audit logging for the security operations team.
Schema validation against the OpenAPI contract, per-endpoint rate limiting, method restrictions, parameter validation. Combined with bot management to stop API scraping and credential stuffing.
Login endpoints under continuous credential-stuffing pressure. ATO detection recognises distributed attempts, impossible travel and abnormal session-creation rates that single-IP rate limiting misses.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Complete missing HttpOnly, Secure and SameSite flags at the response layer — no application changes required.
WAAP inspection, mTLS identity and data masking keep working even as traffic flows to backends over TLS.
Turn JSON body fields and JWT content into first-class signals for every traffic decision.
Mask, replace or inject HTML into response content — without changing a line of backend code.
Observe behavior instead of blocking instantly — isolate sources that exceed a threshold and release them automatically.
One expression language — traffic, health, logging, GTM, security and access decisions in the same model.
See production traffic request by request — turn observation directly into rule actions.
30+ breakdown dimensions, three formats (PDF / XLSX / HTML), up to 10 years of on-device history — no separate management server.
3000+ rules, OWASP / API Top 10 / CWE taxonomy, 14 correlation axes, per-host-group + cross-group rollups.
Hide cookie values from the client — protect session integrity without touching backend code.
Move beyond headers — make body content part of the traffic and security decision.
Move TLS beyond file-based configuration — turn it into a per-service security profile, certificate lifecycle and post-quantum readiness layer.
Insert TR7 ADC into the traffic path without touching backend IP addresses, gateways or routes.
Manage FTP not as an open port, but as a command-by-command controlled secure file transfer session.
ADC, routing and L3/L4 security from a single console.
Combine signature, score and context in a single engine — manage known attacks with confidence.
Generation, delivery and verification — all inside the ADC. Zero calls to any third-party cloud service.
Add your own WAAP logic alongside the built-in signature set — same scoring engine, same logs, same policy pipeline.
Turn country and ASN context into access decisions — without dependency on external services.
TR7's central feed, external URL lists and your own exceptions converge in a single IP reputation engine.
Collect, classify, replicate and forward UDP and TCP syslog traffic in front of your SIEM.
Accelerate enterprise DNS traffic and block malicious queries — in a single layer.
Not just an IP list — real traffic intelligence across 60+ criteria, AND/OR/NOT groups and Smart Function chains.
Close a vulnerability at the traffic layer in minutes — no code change required.
Do not treat GraphQL traffic as a plain POST body — catch introspection, nested DoS and query batching patterns inside your WAAP.
Apply 8 security headers at the ADC layer without touching application code.
Replace the generic 'access denied' screen with a controlled, branded experience that carries your message, language and reason code.
Request a live demo of TR7 WAAP. We will configure WAAP, API security, bot management and client-side defense on your environment in one session.