Imperva Application Security Platform Reviews

• DDoS protection
• CDN
• WAF
• Good API for managing services

Thanks to Incapsula, we got easily manageable DDoS protection; HTTP2 and SSL certificates for all the services; CDN in good locations; and we're now sure that our web services can't be exploited remotely because of the WAF feature. Also, we can chose to whitelist/blacklist network(s) access to specific services/resources.

I have used it for a few years.

We have not encountered any deployment issues.

We had a few hiccups in the past, but they were small with no impact to important services.

We have not encountered any scalability issues.

They need to work on the customer support; in my opinion, this is their weakest point. Some of their support representatives really have no idea how their service works.

We did not previously use a different solution.

An in-house team implemented it.

Before choosing this product, we did not evaluate other options.

Try it.

Hands down, the WAF is the most valuable feature; being able to identify, block, whitelist or blacklist as needed, are all valuable.

We now have visibility into our traffic in a scope that we never had before, especially being able to review bot vs human traffic and country of origin.

Reporting and the main Sites dashboard could use refinement. We have a lot of sites, and scrolling through the dashboard becomes cumbersome.

I have used it for six months.

The only deployment issue we encountered was getting Incapsula and Akamai to play nice. However, the Incapsula engineers were very helpful in helping us configure our sites in the WAF correctly.

We have not encountered any stability issues.

We have not encountered any scalability issues.

I have yet to need customer service.

I rate the level of technical support as very high.

We had not used a WAF before deploying Incapsula.

The setup was straightforward and simple.

We implemented it ourselves with the guidance of the Incapsula team.

It is too soon to tell regarding ROI.

Know your bandwidth requirements.

Before choosing this product, we evaluated so, so, so many other options.

Content monitoring is a marvelous feature that I haven't seen in other Web Application Firewalls. It also has a good content filter. We do a lot of penetration testing on our servers, and the Imperva standalone solution for identifying a payload and its signature by deep analysis was very good.

We never used to know about threat and attack signatures. By using Imperva WAF, we could identify our weak points where an attacker was trying to gain access.

They could improve by minimizing false positive results. Although this occurs less with Imperva, we would like to see some further improvements.

We have been using this product for last 1 years, it's result is very impressive. But due to the excessive load on the Web site where thousands of requests‎ are generated from legitimate users, however the request in which any sequential or specialised characters are requested would be directly blocked by impreva . Currently imperva blocks the special character request generated from the user, as I conduct a test where I am parsing the encoded html values of the same special characters to the input field, imperva bypasses these encoded values for example : ' i.e. %27 or / i.e %2F, the WAF bypasses these encoded characters. I hope that this device should have a capability to detect the pattern which is associated with Xss or Xsrf, rather then by not blocking the request which contains any special characters.

I have used it for one year.

‎We did not encounter any stability issues.

We never encountered any scalability issues.

We were impressed with the technical support.

We have examined different vendor WAF solutions but this solution was unique.

Initial setup was straightforward.

Pricing was a little higher but when compared to performance; it's very cheap.

‎We evaluated Akamai and F5.

Imperva Incapsula WAF is an awesome solution for implementing a WAF with good support and reliable hardware performance.

The most valuable feature is the grouping of multiple targets via the scan policy. It is valuable because of the large number of targets and governmental requirements to conduct periodic scans.

With acquisition of a license to use the product, we received the ability to standardize database scanning and data protection across the enterprise around one product.

Many features are buried under not-straight-forward options and, at times, hard to find screens. Very few import features have clearly defined format requirements. Agent installation for data usage/blocking activities on target boxes requires the involvement of OS admins and DBA’s, which complicates coordination of installation and delays implementation. The discovery feature does not accurately discover the instances and instead identifies auxiliary end points (SQL – 1434) and TCP listeners (Oracle – 1521).

I’ve used and administered Imperva SecureSphere for 2 years.

Periodically, the site stops functioning and the appliance requires a reboot to restore functionality.

Scalability capabilities are well thought through by product development. Installation of additional MX servers and gateways on remote networks ensures coverage of scanning and data usage monitoring/data protection capabilities.

Technical support is probably the biggest drawback. No contact with technical support ever results in an immediate response and the solution is usually preceded with series of emails, going on for up to a week, before a live person gets on the phone. But, even then, their task is to observe the manifestation of the problem and request a collection of additional information (logs, traces, etc.) without any attempt to solve the problem during the call/WebEx session. Their technical support staff has at most two or three engineers that have a good working knowledge of the product, but most of the time, a level one technician is running the case. When support staff finally gets on the phone, their first statement is a disclaimer that they are on the call ONLY to collect information and that the customer should not expect any resolution.

This pattern of providing technical support greatly differs from what IBM offers for their Guardium product (competitor solution).

We attempted to use several previous solutions. One was Tenable SecurityCenter with its custom, XML-like scripting where each check had to be written by the Database Security Specialist (myself). We also attempted to use AppDetectivePRO, though its performance, lack of customization, scalability, and licensing costs prevented us from continuing with it.

The setup is very straightforward considering that it’s either a physical or virtual (OVF template) appliance. The wizard-like initial setup and configuration are somewhat awkward, but can be completed after reviewing the instructional videos available to the customers.

Licensing should be chosen based on the current infrastructure setup and growth plans. Purchasing appliances of different types may lead to unnecessary/unjustified expenditures and ultimately lead to complications in administration.

The product that was evaluated and was chosen as the recommendation was IBM Guardium. Unfortunately, its licensing cost was a lot higher. Therefore, the management decided not to proceed with the purchase.

Be prepared to obtain every piece of documentation that comes with the product. Thoroughly research it to obtain a clear understanding of how to implement the product and ensure you have a dedicated Imperva first-response engineer that can answer your questions without going through a normal support channel. Be patient when encountering a bug or a feature failure, as well as discrepancies between the product interface and/or behavior with the accompanied documentation. Their support is not prepared to jump in and start working on a fix or update the documentation.

In many cases, the documentation remains outdated referring to old releases regardless how long you’ve been asking for an update. Their instructional videos are also out of date, but references to them are consistently sent by their support whenever you may have a question. And finally, thoroughly document your deployment and license-related information, because every email to technical support is responded with an automated reply requesting this information. Not replying to this automated email with correct info will lead to further delays.

• Very easy to configure, which quickly allows us to add significant security to our websites.
• Nice dashboard, which shows us details about traffic, security, performance, real-time utilization and an activity log.
• Easy to configure caching, content optimization and other advanced settings, which allows us to improve the customer experience if necessary, or keep the defaults if any change is unnecessary.

With our IT infrastructure more secure, our customers receive a great website experience without encountering website defacements and other fallout from attacks on our web servers. Our IT department is not spending the time we used to on website remediation after attacks.

An Incapsula website configuration instance can be in a "Pending DNS changes" state, where further work is needing to be done by the customer, while website access is otherwise fully functional. While in this state, the PCI Compliance Report for the website in question, which I have set to email me monthly, doesn't get generated and sent. Imperva should decouple the "Pending DNS changes" state from the process that periodically emails the PCI Compliance Report. Until that happens, the workaround is to manually generate the report monthly.

Since May 2014.

We haven’t had any stability issues. I get emails about internal Incapsula technical issues that they’re working on. However, they haven’t ever impacted me as an administrator and I’m unaware of any customers experiencing issues getting to our websites.

Incapsula scales nicely.

Technical support is excellent.

Prior to Incapsula, we only used inline IPS, anti-virus, etc. Incapsula is our first web application firewall.

Initial setup was very easy. The default configuration usually has done the trick for us. We simply haven’t needed to deviate much from default. Online documentation is good and if we still had questions, we contacted support who helped us make configuration changes to address our needs.

Gain an understanding of pricing for the various advanced features and figure out what features you need to meet your objectives. We have done very well with the first tier feature package to address the needs at our two data centers and our cloud environments.

We got a feel for pricing and capabilities of other competing systems. However, Incapsula came highly recommended by our trusted security VAR as they had many customers who experienced great results with it. With that ringing endorsement, and the reasonable cost, we tried it out, loved it, and have been using it ever since.

Do a proof-of-concept. It’s quick and easy to set up, and you’ll have Incapsula support to help you if needed. Embrace the ease-of-use of the administrative interface and marvel “can a WAF really be this easy?!”. Monitor the dashboard and enjoy the results. The ease of testing Incapsula and then implementing it into production is one of the most remarkable product experiences in my IT career. It’s clear that Incapsula engineers are busy behind the scenes, which is in contrast to my appreciation of what I would otherwise be doing tuning other WAF options.

• Easy-to-set-up CDN with PCI-level IDS/IPS

We offer Incapsula for every customer project we host, as a default.

The default service is great!

I have used it for two years.

Sometimes, the SSL setup can be a bit slow/inconsistent.

There was only one minor incident with service availability, if I remember correctly.

Nope; we have not encountered any scalability issues.

Some tickets seem to hang for some reason and some of the more-technical tickets seem to go through lot of different people before they get solved, but generally the customer service has been good.

General documentation is good enough that we haven't needed technical support that much, but the answers have been good once you go through the "Off-the-shelf" answers.

We did try CloudFlare, but the pricing didn't suit our use case too well.

The initial setup is fairly straightforward for a technical person.

An in-house team implemented it all the way.

ROI is ~90%.

Pricing is a good match for the features we use.

Before choosing this product, we also evaluated CloudFlare because it appeared first in Google.

Basic setup is simple but, as with any caching/WAF setup, there are tricks you need to learn. But it works really nice out of the box!

• Bad-IP blocking and signature-based blocking for web application security

• Security compliance and temporary remediation of application vulnerabilities

Management of policies and rules can be complicated and the physical setup of the product has implications on HA.

I have used SecureSphere for 3-4 years.

Performance of the smaller boxes can be sluggish depending on the load.

We haven’t had any scalability issues.

We did not have a previous solution.

Initial setup was straightforward, but ongoing management of rules and policies are time-consuming and complicated.

Try to use a cloud-based and/or managed solution instead of managing a WAF internally; that should be the first preference.

Before choosing, we also evaluated F5 ASM.

While implementation is not hard, the process and resources for ongoing management should be thought through and agreed to before implementation.

• Extensive cache control like cache purging and cache rule propagation
• Availability features
• Cross-datacenter solution (active and passive environments)
• CDN and DDoS protection with 24/7 support

Automatic failover between primary and secondary sites enables high availability and accelerates disaster recovery. As soon as it detects that the primary site has gone down, it automatically kick-starts our standby data center.

The dashboard is not accessible on occasion. This is probably due to a high load. However, the sites’ protection seems intact.

We have been using this solution for four years.

There are no stability issues as of now.

There are no scalability issues, but the custom SSL has a terrible price point that puts it out of range for our clients. If they need custom or EV SSL, they are paying significantly more than their overall hosting.

The technical support is impressive.

We used Akamai previously, but due to full PCI DSS compliance, we needed a proprietary solution for two-factor authentication. We then switched to Incapsula.

The setup was so straightforward. It didn’t require to us to make any major changes.

If you don't have custom SSL, get it!

We switched to Incapsula from Akamai.

Imperva has a very impressive core feature set. Imperva has made security analysts scratch their heads. We allow them in from the inside so they can actually hit something worthwhile.

We are very confident in the reports we get from Imperva. Its bot identification has allowed us to plan bandwidth appropriately.

Identification for good bots (people who hit our site using automation, but for good business reasons) has allowed us to work with our customers who use our services in new ways.