Imperva App Protect
Content delivery network (CDN) software
Web application firewalls (WAF)
DDoS protection software
Website security software
DevSecOps software
Web security software
- Features
- Ease of use
- Ease of management
- Quality of support
- Affordability
- Market presence
Take the quiz to check if Imperva App Protect and its alternatives fit your requirements.
Contact the product provider
Free Trial
Free version unavailable
Small
Medium
Large
- Healthcare and life sciences
- Banking and insurance
- Energy and utilities
What is Imperva App Protect
Imperva App Protect is an application security service that helps protect web applications and APIs from common web threats using a web application firewall (WAF), bot mitigation, and DDoS protection capabilities. It is used by security and DevOps teams to reduce risk for internet-facing applications, including sites hosted in public cloud, private infrastructure, or hybrid environments. The product is typically delivered as a managed/hosted service with policy configuration, traffic inspection, and reporting. It is often deployed in front of production applications to enforce security controls without requiring application code changes.
Broad L7 threat coverage
The service combines WAF controls with bot management and DDoS protections to address multiple common attack types against web applications and APIs. It supports rule-based protections for OWASP-style vulnerabilities and can apply mitigations at the edge before traffic reaches origin infrastructure. This consolidated approach can reduce the number of separate tools needed for application perimeter security.
Managed service operations option
Imperva offers managed security services for tuning policies, responding to events, and maintaining protections over time. This can help teams that lack dedicated WAF specialists or 24/7 coverage operate the platform more consistently. It also reduces the operational burden of ongoing rule updates and false-positive tuning compared with fully self-managed deployments.
Deployment flexibility for apps
Imperva App Protect is commonly deployed in front of web applications across different hosting models, including cloud and on-prem environments. This helps organizations standardize application security controls across multiple business units and application stacks. It can be used to protect both traditional web apps and API endpoints with centralized policy management and reporting.
Tuning and false positives
Like most WAF-based approaches, effective protection often requires iterative tuning to balance blocking with application availability. Complex applications, custom headers, and non-standard API patterns can increase the risk of false positives. Organizations should plan for testing, staged rollouts, and ongoing policy maintenance.
Edge and routing dependencies
Deployments typically require DNS, routing, or reverse-proxy changes to place the service in the traffic path. These changes can introduce coordination overhead across networking, application, and security teams. In some architectures, adding an intermediary layer can also complicate troubleshooting and performance analysis.
Cost and feature packaging
Pricing and packaging can vary by traffic volume, protected assets, and enabled modules (for example, bot mitigation and DDoS features). This can make it harder to predict total cost as applications scale or as protections expand to more endpoints. Some advanced capabilities may require higher-tier subscriptions or managed service add-ons.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| App Protect Core | Contact sales (not publicly listed) | Cloud-based Web Application Firewall; managed security rules; up to 50 custom security rules per site; basic DDoS protection for websites; CDN features (dynamic content acceleration, smart caching, edge cache rules); 30 days data retention. Source: Imperva product/plans pages and App Protect/Core feature matrix. |
| App Protect Professional | Contact sales (not publicly listed) | Superset of Core entitlements; includes Advanced DDoS Protection for Websites, ATO Detect (Account Takeover Detect), CSP Detect (Client-side Protection Detect) — noted as added entitlements when customers were migrated from App Protect Essentials. |
| Enterprise Services (add-on) | Contact sales (not publicly listed) | Enterprise Services available as an add-on for App Protect plans (professional/core); historically offered for higher-touch managed services. |
| App Protect Essentials (End of Sale) | End of sale — not available for new purchases after Dec 31, 2023 | Legacy plan; existing customers were migrated to App Protect Professional on Jan 1, 2024 and will receive additional entitlements for the remainder of their term. |
Notes: Public list prices for App Protect plans are not published on Imperva's official website — customers are directed to contact sales or request a quote. Free trial information (30-day trial) is published separately on Imperva's site.
Seller details
Thales Group
Meudon, France
1893
Public
https://www.thalesgroup.com/
https://x.com/thalesgroup
https://www.linkedin.com/company/thales/
