Akamai Beats Other WAAP Vendors in Third-Party Evaluation

Choosing the right WAAP or WAF solution is a critical security decision, but vendor comparisons often rely on marketing claims instead of measurable results. The SecureIQLab 2025 WAAP Security Efficacy Test offers the first head-to-head, third-party evaluation of Akamai vs. AWS, Akamai vs. Cloudflare, Cloudflare vs. AWS, and Akamai vs. Azure, among others.

The results of the evaluation are illustrated in the figure.

The test was rooted in real attack traffic, not synthetic benchmarks. It leveraged frameworks like the Open Worldwide Application Security Project (OWASP), MITRE ATT&CK, and Lockheed Martin’s Cyber Kill Chain to stage more than 1,360 unique attack scenarios and measure how well each platform could detect, block, and withstand threats across their WAAP stack. 

The results are more than just a scorecard; they reflect the very things that security teams and CISOs care about most: true positive protection, minimal false positives, operational resilience, and career-relevant assurance.

Whether you're comparing Akamai vs. Cloudflare, Akamai vs. AWS, Akamai vs. Azure, or Cloudflare vs. AWS, this blog post summarizes the findings to help you cut through the noise and evaluate your options based on facts. 

The SecureIQLab report breaks results into core protection areas including:

• OWASP
• OWASP API
• API protocols
• Bot defense
• False positives
• Resiliency

Use this breakdown or download the full SecureIQLab report to inform your own WAAP comparison.

An independent industry consortium developed the OWASP Top 10. It’s a globally recognized standard for application security, making it a vital benchmark for evaluating any WAAP solution. The Akamai AppSec platform blocked 100% of the OWASP Top 10 attack categories in SecureIQLab's test — stopping injection attacks, cross-site scripting (XSS), server-side request forgery (SSRF), broken access control, and more.

In contrast, Cloudflare, AWS, and Azure failed to block attacks across 30 categories combined, leaving customers exposed to some of the most common web exploits.

• Offers complete protection from the OWASP Top 10
• Eliminates gaps that attackers can exploit
• Supplies confidence in compliance and security assessments

The OWASP Top 10 API Security Risks, which was  developed by industry experts, highlights the most critical API security risks — making it an essential yardstick for measuring how well an application security (AppSec) platform defends your growing API surface. 

Akamai stood alone in blocking 100% of all OWASP API attack types tested. These included complex threats like privilege escalation, one-time password (OTP; referred to as “unauthorized password changes” in the report) bypasses, and SSRF within APIs; such real-world vulnerabilities are often missed by WAF-only solutions.

Cloudflare blocked just 28.7%of API attacks, while AWS blocked none.

• Stops modern API abuse and logic-based threats
• Protects APIs across microservices and apps
• Eliminates blind spots that can lead to data loss

Comprehensive protection means securing every API protocol in use — including REST, GraphQL, SOAP, and gRPC — and not just the ones that are easy to cover. Only Akamai delivered full protection across all major API protocols.

Comparatively, Cloudflare missed nearly every layer except SOAP. AWS and Azure offered no protection at all for GraphQL or REST.

• Provides unified coverage across legacy and modern APIs
• Offers future-ready support as protocols evolve
• Eliminates the need to retrofit new defenses for new services

Bots make up a large portion of the malicious traffic that targets apps and APIs — from credential stuffing and scraping to business logic abuse. A strong WAAP must do more than detect bots; it needs to stop the evasive, persistent ones that blend in with legitimate users. 

Bot protection is no longer optional. It’s essential to defend revenue, reputation, and performance.

Akamai blocked 100% of all bot-based attacks, including evasive techniques like spoofed user agents and rate manipulation.AWS and Azure missed multiple vectors. Cloudflare struggled with advanced tactics like user-agent spoofing.

• Prevents credential theft or scraping
• Defends against bot-led denial of service (DoS) and automation
• Provides peace of mind that threat actors are stopped at the edge

False positives create friction, slow innovation, and erode trust in security controls. When legitimate user activity is mistakenly blocked, it doesn’t just disrupt experiences; it triggers costly investigation cycles and delays deployments. 

A WAAP solution with high accuracy ensures that your defenses are effective without becoming a burden to your business or your customers.

Akamai was the only vendor to pass 100% of the legitimate traffic tests — proving that it blocks attackers, not your customers.

AWS and Azure scored below 70% by failing to recognize legitimate login flows, form submissions, and app interactions. Cloudflare also flagged safe behavior, forcing costly tuning.

• Stops failed logins or blocked sessions for legitimate users
• Reduces tuning overhead to suppress false alerts
• Provides frictionless protection that customers never notice

Security isn’t just about what your WAAP solution blocks; it’s also about whether it keeps blocking when systems are stressed. Resiliency measures how well a solution maintains protection during traffic surges, failovers, and policy changes. When defenses degrade under pressure, organizations are left vulnerable at their most critical moments.

Akamai scored 100% in SecureIQLab’s resiliency testing, maintaining full protection during failovers, traffic spikes, policy changes, and degradations.

The other vendors dropped protections or degraded under stress, exactly when you need defenses most.

• Protects during outages, peaks, and upgrades
• Reduces risk during operational transitions
• Provides assurance that your defenses are always on

If you're looking to compare WAAP solutions or to determine which WAF offers the best protection in 2025, the SecureIQLab 2025 Cloud WAAP CyberRisk Comparative Vendor Report provides the data that security leaders need to make confident decisions. 

We learned that Akamai scored 40% higher than Cloudflare and 109% higher than AWS in WAAP security efficacy. Since efficacy numbers are publicly available, choosing suboptimal protection is now a measurable, accountable risk. Will security leaders be accountable for vendor selection in security incident reviews?