Edge security is bought worse than any other infrastructure line: urgently after incidents, rarely benchmarked, renewed by inertia. A calm buying guide is worth real money.
The three layers, briefly
DDoS mitigation absorbs volumetric attacks in the provider’s network before they reach you. The WAF filters application-layer attacks, injection, cross-site scripting and kin, out of legitimate-looking traffic. Bot management sorts automated traffic: search crawlers and partners in, scrapers and credential-stuffers out. Buying calmly is itself a security control: decisions made mid-incident are made at the vendor’s prices and the attacker’s schedule.
Integrated versus dedicated
CDN-integrated security wins on deployment speed and traffic visibility; dedicated specialist platforms win on depth for extreme threat models. Most organizations are better served by well-tuned integrated protection than by a shelfware specialist, and tuned is the operative word. Tuned is the word doing all the work in that sentence: an integrated stack fitted to your application beats an elite specialist product nobody configured, and the market is full of the latter.
Incident economics belong in the buying math explicitly. Protection pricing should be weighed against the measurable cost of what it prevents: downtime during volumetric attacks, fraud losses from credential stuffing, engineering time consumed by scraper arms races, and compliance exposure from breaches. Organizations that quantify these before procurement buy noticeably differently from those shopping on fear, they buy less in some categories and more in others, and the reallocation is usually the real saving. Fear is a pricing strategy; arithmetic is a defense against it.
Buying it sanely
Specify the capabilities you will actually operate, demand mitigation-time commitments in the contract rather than the deck, clarify whether attack traffic bills against you, and benchmark the line like any other. Security is where padding hides because buyers treat it as impolite to negotiate. It is not. The operability test filters honestly: every capability you buy but never staff becomes shelfware with a renewal date, and shelfware is where security budgets go to hide.
In practice
Inventory what you already pay for before buying anything new: most organizations discover capabilities already licensed, half-enabled and untuned. Then specify requirements as behaviors, block this, allow that, alert on the other, rather than product names, and let vendors map themselves to your list. The inversion sounds small and changes everything: you stop shopping features and start procuring outcomes, which is the entire trick of buying security sanely.
The security assessment covers exposure, tuning and the contract, and routinely finds the same protection for less.
