Gcore Web application and API protection (WAAP)
API security tools
Web application firewalls (WAF)
Bot detection and mitigation software
DDoS protection software
Cloud security software
DevSecOps software
Web security software
- Features
- Ease of use
- Ease of management
- Quality of support
- Affordability
- Market presence
Take the quiz to check if Gcore Web application and API protection (WAAP) and its alternatives fit your requirements.
€25 per month
Free Trial
Free version unavailable
Small
Medium
Large
- Media and communications
- Accommodation and food services
- Retail and wholesale
What is Gcore Web application and API protection (WAAP)
Gcore Web application and API protection (WAAP) is a security service that combines a web application firewall with API protection, bot management, and DDoS mitigation to protect internet-facing applications and APIs. It is typically used by security and platform teams operating web apps behind CDN/edge infrastructure and needing managed, always-on protection. The product is delivered as a cloud service and is positioned to integrate with Gcore’s broader edge network services for traffic inspection and mitigation. It focuses on protecting HTTP/S traffic paths rather than endpoint agents.
Converged WAAP capabilities
The product groups WAF, API protection, bot mitigation, and DDoS protection into a single service, which can reduce the need to deploy multiple point tools. This is useful for teams that want consistent policy enforcement across web apps and APIs. It also simplifies operational ownership by centralizing configuration and monitoring for these controls.
Edge-based traffic mitigation
Because WAAP is delivered as a network service, it can mitigate volumetric and application-layer attacks before traffic reaches origin infrastructure. This approach can reduce load on application stacks during spikes and attacks. It is a practical fit for organizations already routing traffic through an edge/CDN layer.
API-focused protection coverage
WAAP is designed to address API-specific risks in addition to traditional web threats, which matters for organizations exposing public or partner APIs. It supports use cases where API endpoints need protection from abuse patterns such as automated scraping, credential stuffing, and anomalous request behavior. This aligns with teams that treat APIs as first-class production surfaces rather than only as application internals.
Additional layer for non-Gcore CDN users
Organizations using Cloudflare or Akamai benefit from WAAP capabilities integrated with their existing CDN platform. Adopting Gcore WAAP separately adds a reverse proxy layer in front of the existing CDN, introducing an extra network hop. While Gcore supports multi-CDN configurations, buyers on established CDN platforms should evaluate whether an integrated WAAP from their current provider offers a simpler operational path.
Smaller market footprint than established rivals
Compared with Cloudflare, AWS WAF, Akamai, and Imperva, Gcore has a smaller installed base in the WAAP segment. This may mean fewer community resources, third-party tutorials, and documented reference architectures. Organizations that prioritize vendor ecosystem maturity and peer benchmarking should weigh this against Gcore's technical capabilities.
Established technology under new ownership
Gcore WAAP launched in September 2024, built on WAF technology with commercial roots dating back to 2016 (StackPath) and core engine development from 2008 (Fireblade). The underlying rule library and detection capabilities have a track record, but the product is operating under new ownership and infrastructure. Buyers should evaluate how the platform transition has affected support, roadmap continuity, and integration with Gcore's broader service ecosystem.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| Free (Trial) | €0 / mo (Trial: 30 days or up to 5 GB, whichever comes first) | Trial access to WAAP; limited features; trial will be suspended if usage exceeds trial quota. (Official site marks the Free plan as a trial.) |
| Start | €25 / mo | 4 domains/zones; 5 GB included monthly ingress; L7 DDoS protection included; IP firewall rules: 10; WAF rules: 5; Advanced WAF/CMS/IP reputation/Bot management/API protection: Not included; Traffic overage: $0.83 per GB (per billing docs). |
| Pro | €125 / mo | 10 domains/zones; 10 GB included monthly ingress; L7 DDoS protection included; IP firewall rules: 50; WAF rules: 50; CMS protection: Included; IP reputation: Included; Bot management & Behavioral WAF: Included; API discovery/API protection: Not included; Traffic overage: $0.83 per GB. |
| Enterprise | Custom pricing | Custom domains, custom traffic quotas, Advanced WAF rules, full API security (API Discovery & API Protection), custom overage and feature set — contact sales for quote. |
Notes: Prices on Gcore site are shown in EUR and do not include VAT. Sources: Gcore pricing page and WAAP billing/docs.
Seller details
Gcore
Luxembourg, Luxembourg
2014
Private
https://gcore.com/
https://x.com/gcore_official
https://www.linkedin.com/company/g-core-labs/
