Press Release

New Report: WAFs Fail to Protect Against Bot Attacks

Cequence Security and Osterman Research publish research revealing the security challenges and productivity impact of bot attacks targeting large enterprises.

December 11, 2018 – Sunnyvale, CA – Cequence Security today released a new report that highlights both the security and productivity challenges resulting from the growing number of bot attacks targeting today’s hyper-connected organizations. The research, commissioned by Cequence Security and conducted by Osterman Research, is based on data from 211 large enterprises across the US. All of these organizations have been the victim of automated bot attacks.

Bot attacks often use previously stolen user credentials to gain unauthorized access to the web, mobile, and API application services that organizations rely on to support business processes and engage with their customers. “Companies in our research have deployed an average of 482 different applications, on premises or in the cloud, and they are being targeted more than 500 times each day,” explained Michael Osterman, CEO of Osterman Research. “The top three attack types most disruptive to their businesses are account takeover, application denial of service, and API/business logic abuse.”

The research revealed that 90% of these organizations have deployed a web application firewall (WAF) as an essential line of defense, and 85% have at least one full-time person focused on bot defense. Despite these investments, organizations reported that they spend an average of 2,880 minutes (48 hours) to detect the bot attack, plus another 48 hours to effectively mitigate the event. Based on their reported labor costs, it means that enterprises are spending more than $177,000 annually on human capital to manage bot attacks.

“If you dig a little deeper, you discover that more than a third of these companies have also deployed first-generation bot management tools in addition to their WAF,” explained Franklyn Jones, CMO at Cequence Security. “That sounds like a smart move until you realize that 100% of those companies must continuously spend time modifying hundreds of Web and mobile apps in an attempt to detect bot traffic. That’s a poor use of skilled labor and likely a big contributor to their labor costs.” First-generation bot management tools helped to reduce detection time to 600 minutes (10 hours) on average, but the time required for bot mitigation remained unchanged at 2,880 minutes.

The report also revealed the top three capabilities customers would like to have integrated into a bot management solution:

  • Automatic discovery all web, mobile, and API application assets deployed on premises and in the cloud.
  • AI-based machine learning and behavioral analysis technologies that can accelerate the accurate detection of bot attacks.
  • Automated mitigation options that enable security teams to quickly stop a bot attack before it can achieve its objectives.

“The data from this research report reveals two key requirements,” said Osterman, “large enterprises want innovative solutions that can strengthen the security posture of their organizations, and almost as important, they want automated solutions that will improve the productivity of their security teams.”

Cequence Security and Michael Osterman will present more details from this research during a live webinar scheduled for January 30, 2018. To download the report and register for the event, please click here.

About Cequence Security

Cequence Security delivers automated security software solutions for today’s hyper-connected organizations that rely on web, mobile, and API application services to connect customers, partners, and suppliers. The Cequence Application Security Platform can be deployed on premises or in the cloud to automatically strengthen the security posture of application infrastructures, while improving the productivity and efficiency of IT resources. The Cequence Security management team includes former leaders of Palo Alto Networks and Symantec. The company is venture-backed and headquartered in Sunnyvale, CA. Learn more at