Context-parsing detection you can deploy anywhere against network-scale rules at the edge — two modern WAF philosophies compared.
Winner depends on your workload.
Winner depends on: whether you need a WAF that deploys inside any architecture — containers, on-prem, other CDNs — or one that lives at the edge of the network already fronting your traffic; and whether your team’s scarce resource is tuning time or budget.
Side by side
| Fastly Next-Gen WAF | Cloudflare WAF | |
|---|---|---|
| Heritage | Signal Sciences (acquired 2020, $775M) | Cloudflare-native, evolved with the network |
| Detection | SmartParse — contextual parsing of how a payload would execute | Managed rulesets + ML scoring + network telemetry |
| Deployment | Anywhere: Edge WAF, hosted Cloud WAF, on-prem agent/module, other CDNs | At Cloudflare’s edge, on Cloudflare-fronted traffic |
| Blocking confidence | ~90% of customers run full automated blocking | Widely run in blocking mode; per-rule overrides trivial |
| Failure mode | Module fails open if the agent is unavailable | In-line at the edge; no agent to fail |
| Pricing | Packaged tiers (Core / Core Plus / Total), sales-quoted | Published tiers: Pro $20/mo → Business $200 → Enterprise |
Two answers to the false-positive problem
Both products exist because regex-era WAFs cried wolf so often that teams ran them in log-only mode, which is to say: off. Their fixes differ. Fastly’s Next-Gen WAF — the Signal Sciences technology Fastly acquired in 2020 — attacks the problem with SmartParse, which doesn’t pattern-match a request but parses it in context, asking how the payload would actually execute at its destination; SQL syntax in a blog comment isn’t SQL injection in a query. Cloudflare attacks it with scale: managed rules refined against traffic from a vast share of the web, ML scoring, and telemetry that turns one customer’s attack into everyone’s signature. Both approaches genuinely work — the tell is blocking mode. Fastly reports nearly ninety percent of its WAF customers run full automated blocking in production, and Cloudflare’s per-rule override workflow makes blocking the default posture rather than the aspiration.
The deployment split is the real difference
Architecture decides most of these shortlists. Cloudflare’s WAF protects traffic that flows through Cloudflare — superbly, but that is the deal. Fastly’s product is deliberately promiscuous: run it as an Edge WAF on Fastly’s network, as a hosted Cloud WAF, or on your own infrastructure via the module-and-agent pattern — in containers, on legacy VMs, behind another vendor’s CDN entirely. The agent (written in Go) makes decisions locally against synced rules and fails open if unreachable, so the WAF never becomes your outage. For estates that cannot funnel everything through one edge — multi-CDN media stacks, internal APIs, regulated on-prem systems — that deploy-anywhere property is frequently the entire decision.
Coverage beyond the core
Around the WAF core, the platforms diverge by temperament. Cloudflare bundles wider: unmetered DDoS at every tier, rate limiting, API Shield’s schema enforcement, bot signals — one console, one bill, with the heavyweight pieces gated to Enterprise, as we mapped in Cloudflare WAF vs App & API Protector. Fastly’s adjacent strengths are operational: the Network Learning Exchange sharing attacker reputation across its customer base, rate limiting and API protections that ride the same agents, and — for Fastly CDN customers — a security layer that shares the control plane engineers already like, per Fastly Compute vs Cloudflare Workers.
Money and the 128-kilobyte footnote
Cloudflare publishes its ladder — real managed WAF from $20/month, Business at $200, Enterprise by quote — and remains the price-performance benchmark of the category. Fastly prices in packaged tiers (Core, Core Plus, Total) through a sales motion, and typically lands above Cloudflare on license cost; its counter-argument is tuning economics, since near-zero false positives convert directly into analyst hours returned. One technical footnote worth surfacing in any bake-off: Cloudflare’s non-Enterprise plans inspect request bodies up to 128 KB, while Fastly’s agent-based deployments inspect what your architecture hands them — a distinction that occasionally decides API-heavy evaluations by itself. Figures checked against provider documentation, July 2026.
How to decide
Let architecture vote first, economics second. All traffic already on Cloudflare, or happily headed there: its WAF is the rational default and the cheapest serious protection in the market. Hybrid estate, multi-CDN, on-prem obligations, or a DevOps culture that wants security shipped like code: Fastly’s deploy-anywhere model was built for exactly you, and the premium buys back tuning time. Teams running both edges — more common than vendors admit — should let each WAF protect its own edge and unify visibility downstream in the SIEM.
Running a WAF bake-off across a hybrid estate? The assessment tests both engines against your real traffic shapes and architecture.
