WAF in Numbers: What Recent Data Shows About Pressure at the Application Edge

Executive summary

A Web Application Firewall should not be defended only with conceptual arguments. The layer matters because exposed applications operate under continuous pressure: exploitation of known vulnerabilities, automation against sensitive routes, authentication abuse, layer-7 denial of service, enumeration and malformed requests.

Recent public data helps dimension the problem. In May 2026, CISA's public catalog of known exploited vulnerabilities contained 1,602 records. In 2025 alone, 245 vulnerabilities were added; by May 22, 2026, another 118 had already been added. This does not represent every attack in the world, but it shows an operational reality: known vulnerabilities continue to be exploited in production while many organizations are still inside remediation windows.

What the numbers say about the edge

The application edge is where external intent meets internal logic. Each request carries signals: route, method, headers, cookies, body, source, session, size, format, frequency, history and context. A mature WAF turns these signals into decisions before the application has to process everything alone.

The most important fact is not only the number of exploited vulnerabilities. It is how quickly risk becomes operational. Between disclosure, proof of concept, automated scanning and real exploitation, the response window can be shorter than a company's patch cycle.

Availability is also application security

Recent European public reports have highlighted availability threats as one of the strongest incident categories, including denial-of-service campaigns against public administration. For WAF operations, this matters because availability failures do not always begin at the network layer. They can begin in expensive application routes: authentication, search, uploads, report generation and dynamic APIs.

A layer-7 attack can have lower raw volume than a network attack and still cause more impact if it targets the right path. This is why WAF metrics must be read by route and function, not only by IP or total request count.

Internal numbers a WAF should produce

Public data justifies attention, but maturity comes from internal data. A company operating a WAF should know which applications are covered, which routes concentrate decisions, how much traffic is observed, challenged, limited or blocked, which policies create false positives and which events remain after remediation.

• Coverage: protected applications, critical routes and active environments.
• Decision: allow, observe, challenge, rate-limit, block and exception.
• Context: route, method, tenant, source, policy, version and criticality.
• Quality: false positives, confirmed misses, latency and review rate.
• Evolution: recurring events, adjusted policies, closed exceptions and reduced exposure.

Do not confuse activity with value

A million blocks can mean good protection, but it can also mean noise, overly aggressive policy or traffic that would never reach the application. The number matters only when it comes with context. Blocking a generic scan against a nonexistent path is not the same as blocking repeated attempts against an authenticated export endpoint.

Virtual protection and remediation windows

The time between identification and remediation is one of the strongest arguments for WAF. In complex environments, fixing a vulnerability may require testing, compatibility analysis, change windows and rollback plans. During that window, edge policy can reduce exposure.

Virtual protection should be temporary, scoped and validated. It is not a replacement for remediation. It is containment while engineering fixes the root cause.

Conclusion

Recent numbers point to a simple reality: exposed applications live under continuous pressure. A WAF is more than a list of blocks. It is a real-time decision layer, a sensor of external pressure, a containment mechanism during remediation windows and a source of evidence for engineering.