Imperva Application Security Platform Reviews

There is no need to have an in-house WAF to manage and maintain. We are now able to bring a new website live within minutes, without false positive alerts. It has Improved user/customer experience and website performance.

IncapRules is one of the most valuable features, as you can create your own security and access control rules on top of your security policy. Using IncapRules we were able to easily block Layer 7 DDoS attacks several times.

Real-time monitoring is also a great tool, as you may watch several parameters in real time.

It would be better if we were able to manage and apply changes to multiple websites/web applications, and search WAF logs for multiple websites, via the Incapsula dashboard.

The first year we faced one or two incidents, but since then we not had any stability issues.

No issues with scalability. You need not worry about scalability. Incapsula takes care of the CDN infrastructure and bandwidth volume, providing several enterprise "load balancing" features.

Incapsula’s support personnel is very good, positive, and most of them passionate. Sometimes a second-level support might be required for more complex requests. Additionally, you may see a slight delay in replying to support tickets, but you are able to contact them via phone for critical cases and prompt response.

We were using Akamai and we switched to Incapsula mainly due to the WAF effectiveness and total cost.

Not only the initial, but also the final setup, is straightforward.

For enterprise contracts you will be in touch with a dedicated account manager who will guide you regarding licensing.

We evaluated Akamai. Akamai had a bigger CDN network and probably better performance worldwide (especially on the Chinese mainland) but their WAF is very pure and not effective at all.

Go for it and request a free trial.

• DDoS protection
• CDN
• WAF
• Good API for managing services

Thanks to Incapsula, we got easily manageable DDoS protection; HTTP2 and SSL certificates for all the services; CDN in good locations; and we're now sure that our web services can't be exploited remotely because of the WAF feature. Also, we can chose to whitelist/blacklist network(s) access to specific services/resources.

I have used it for a few years.

We have not encountered any deployment issues.

We had a few hiccups in the past, but they were small with no impact to important services.

We have not encountered any scalability issues.

They need to work on the customer support; in my opinion, this is their weakest point. Some of their support representatives really have no idea how their service works.

We did not previously use a different solution.

An in-house team implemented it.

Before choosing this product, we did not evaluate other options.

Try it.

Hands down, the WAF is the most valuable feature; being able to identify, block, whitelist or blacklist as needed, are all valuable.

We now have visibility into our traffic in a scope that we never had before, especially being able to review bot vs human traffic and country of origin.

Reporting and the main Sites dashboard could use refinement. We have a lot of sites, and scrolling through the dashboard becomes cumbersome.

I have used it for six months.

The only deployment issue we encountered was getting Incapsula and Akamai to play nice. However, the Incapsula engineers were very helpful in helping us configure our sites in the WAF correctly.

We have not encountered any stability issues.

We have not encountered any scalability issues.

I have yet to need customer service.

I rate the level of technical support as very high.

We had not used a WAF before deploying Incapsula.

The setup was straightforward and simple.

We implemented it ourselves with the guidance of the Incapsula team.

It is too soon to tell regarding ROI.

Know your bandwidth requirements.

Before choosing this product, we evaluated so, so, so many other options.

Content monitoring is a marvelous feature that I haven't seen in other Web Application Firewalls. It also has a good content filter. We do a lot of penetration testing on our servers, and the Imperva standalone solution for identifying a payload and its signature by deep analysis was very good.

We never used to know about threat and attack signatures. By using Imperva WAF, we could identify our weak points where an attacker was trying to gain access.

They could improve by minimizing false positive results. Although this occurs less with Imperva, we would like to see some further improvements.

We have been using this product for last 1 years, it's result is very impressive. But due to the excessive load on the Web site where thousands of requests‎ are generated from legitimate users, however the request in which any sequential or specialised characters are requested would be directly blocked by impreva . Currently imperva blocks the special character request generated from the user, as I conduct a test where I am parsing the encoded html values of the same special characters to the input field, imperva bypasses these encoded values for example : ' i.e. %27 or / i.e %2F, the WAF bypasses these encoded characters. I hope that this device should have a capability to detect the pattern which is associated with Xss or Xsrf, rather then by not blocking the request which contains any special characters.

I have used it for one year.

‎We did not encounter any stability issues.

We never encountered any scalability issues.

We were impressed with the technical support.

We have examined different vendor WAF solutions but this solution was unique.

Initial setup was straightforward.

Pricing was a little higher but when compared to performance; it's very cheap.

‎We evaluated Akamai and F5.

Imperva Incapsula WAF is an awesome solution for implementing a WAF with good support and reliable hardware performance.

The most valuable feature is the grouping of multiple targets via the scan policy. It is valuable because of the large number of targets and governmental requirements to conduct periodic scans.

With acquisition of a license to use the product, we received the ability to standardize database scanning and data protection across the enterprise around one product.

Many features are buried under not-straight-forward options and, at times, hard to find screens. Very few import features have clearly defined format requirements. Agent installation for data usage/blocking activities on target boxes requires the involvement of OS admins and DBA’s, which complicates coordination of installation and delays implementation. The discovery feature does not accurately discover the instances and instead identifies auxiliary end points (SQL – 1434) and TCP listeners (Oracle – 1521).

I’ve used and administered Imperva SecureSphere for 2 years.

Periodically, the site stops functioning and the appliance requires a reboot to restore functionality.

Scalability capabilities are well thought through by product development. Installation of additional MX servers and gateways on remote networks ensures coverage of scanning and data usage monitoring/data protection capabilities.

Technical support is probably the biggest drawback. No contact with technical support ever results in an immediate response and the solution is usually preceded with series of emails, going on for up to a week, before a live person gets on the phone. But, even then, their task is to observe the manifestation of the problem and request a collection of additional information (logs, traces, etc.) without any attempt to solve the problem during the call/WebEx session. Their technical support staff has at most two or three engineers that have a good working knowledge of the product, but most of the time, a level one technician is running the case. When support staff finally gets on the phone, their first statement is a disclaimer that they are on the call ONLY to collect information and that the customer should not expect any resolution.

This pattern of providing technical support greatly differs from what IBM offers for their Guardium product (competitor solution).

We attempted to use several previous solutions. One was Tenable SecurityCenter with its custom, XML-like scripting where each check had to be written by the Database Security Specialist (myself). We also attempted to use AppDetectivePRO, though its performance, lack of customization, scalability, and licensing costs prevented us from continuing with it.

The setup is very straightforward considering that it’s either a physical or virtual (OVF template) appliance. The wizard-like initial setup and configuration are somewhat awkward, but can be completed after reviewing the instructional videos available to the customers.

Licensing should be chosen based on the current infrastructure setup and growth plans. Purchasing appliances of different types may lead to unnecessary/unjustified expenditures and ultimately lead to complications in administration.

The product that was evaluated and was chosen as the recommendation was IBM Guardium. Unfortunately, its licensing cost was a lot higher. Therefore, the management decided not to proceed with the purchase.

Be prepared to obtain every piece of documentation that comes with the product. Thoroughly research it to obtain a clear understanding of how to implement the product and ensure you have a dedicated Imperva first-response engineer that can answer your questions without going through a normal support channel. Be patient when encountering a bug or a feature failure, as well as discrepancies between the product interface and/or behavior with the accompanied documentation. Their support is not prepared to jump in and start working on a fix or update the documentation.

In many cases, the documentation remains outdated referring to old releases regardless how long you’ve been asking for an update. Their instructional videos are also out of date, but references to them are consistently sent by their support whenever you may have a question. And finally, thoroughly document your deployment and license-related information, because every email to technical support is responded with an automated reply requesting this information. Not replying to this automated email with correct info will lead to further delays.

• Very easy to configure, which quickly allows us to add significant security to our websites.
• Nice dashboard, which shows us details about traffic, security, performance, real-time utilization and an activity log.
• Easy to configure caching, content optimization and other advanced settings, which allows us to improve the customer experience if necessary, or keep the defaults if any change is unnecessary.

With our IT infrastructure more secure, our customers receive a great website experience without encountering website defacements and other fallout from attacks on our web servers. Our IT department is not spending the time we used to on website remediation after attacks.

An Incapsula website configuration instance can be in a "Pending DNS changes" state, where further work is needing to be done by the customer, while website access is otherwise fully functional. While in this state, the PCI Compliance Report for the website in question, which I have set to email me monthly, doesn't get generated and sent. Imperva should decouple the "Pending DNS changes" state from the process that periodically emails the PCI Compliance Report. Until that happens, the workaround is to manually generate the report monthly.

Since May 2014.

We haven’t had any stability issues. I get emails about internal Incapsula technical issues that they’re working on. However, they haven’t ever impacted me as an administrator and I’m unaware of any customers experiencing issues getting to our websites.

Incapsula scales nicely.

Technical support is excellent.

Prior to Incapsula, we only used inline IPS, anti-virus, etc. Incapsula is our first web application firewall.

Initial setup was very easy. The default configuration usually has done the trick for us. We simply haven’t needed to deviate much from default. Online documentation is good and if we still had questions, we contacted support who helped us make configuration changes to address our needs.

Gain an understanding of pricing for the various advanced features and figure out what features you need to meet your objectives. We have done very well with the first tier feature package to address the needs at our two data centers and our cloud environments.

We got a feel for pricing and capabilities of other competing systems. However, Incapsula came highly recommended by our trusted security VAR as they had many customers who experienced great results with it. With that ringing endorsement, and the reasonable cost, we tried it out, loved it, and have been using it ever since.

Do a proof-of-concept. It’s quick and easy to set up, and you’ll have Incapsula support to help you if needed. Embrace the ease-of-use of the administrative interface and marvel “can a WAF really be this easy?!”. Monitor the dashboard and enjoy the results. The ease of testing Incapsula and then implementing it into production is one of the most remarkable product experiences in my IT career. It’s clear that Incapsula engineers are busy behind the scenes, which is in contrast to my appreciation of what I would otherwise be doing tuning other WAF options.

• Easy-to-set-up CDN with PCI-level IDS/IPS

We offer Incapsula for every customer project we host, as a default.

The default service is great!

I have used it for two years.

Sometimes, the SSL setup can be a bit slow/inconsistent.

There was only one minor incident with service availability, if I remember correctly.

Nope; we have not encountered any scalability issues.

Some tickets seem to hang for some reason and some of the more-technical tickets seem to go through lot of different people before they get solved, but generally the customer service has been good.

General documentation is good enough that we haven't needed technical support that much, but the answers have been good once you go through the "Off-the-shelf" answers.

We did try CloudFlare, but the pricing didn't suit our use case too well.

The initial setup is fairly straightforward for a technical person.

An in-house team implemented it all the way.

ROI is ~90%.

Pricing is a good match for the features we use.

Before choosing this product, we also evaluated CloudFlare because it appeared first in Google.

Basic setup is simple but, as with any caching/WAF setup, there are tricks you need to learn. But it works really nice out of the box!

• Bad-IP blocking and signature-based blocking for web application security

• Security compliance and temporary remediation of application vulnerabilities

Management of policies and rules can be complicated and the physical setup of the product has implications on HA.

I have used SecureSphere for 3-4 years.

Performance of the smaller boxes can be sluggish depending on the load.

We haven’t had any scalability issues.

We did not have a previous solution.

Initial setup was straightforward, but ongoing management of rules and policies are time-consuming and complicated.

Try to use a cloud-based and/or managed solution instead of managing a WAF internally; that should be the first preference.

Before choosing, we also evaluated F5 ASM.

While implementation is not hard, the process and resources for ongoing management should be thought through and agreed to before implementation.