More than 50% of internet-exposed assets from Forbes Global 2000 companies lack web application firewall (WAF) protection, CyCognito revealed Tuesday.

CyCognito researchers reviewed more than 500,000 external enterprise assets between Jan. 1 and June 30, 2025, and found that 52.3% of cloud-hosted assets and 66.4% of off-cloud assets had no WAF protection.

WAFs are considered a basic, fundamental security layer for web applications, especially pages that collect personally identifiable information (PII) such as login portals and checkout pages. These firewalls protect pages against attacks such as credential stuffing, SQL injection and exploitation of web app vulnerabilities.

Despite this, CyCognito also found that more than a third (39.3%) of cloud-hosted PII-collecting assets and nearly two-thirds (63.4%) of off-cloud PII-collecting assets were not protected by a WAF, raising concerns about exposure to cyberattacks.

The researchers noted that the problem is most often not due to a lack of resources but to a lack of visibility into all of an enterprise's internet-exposed assets, combined with the use of too many different tools across different assets, which allows coverage gaps to form.

“It’s not that enterprises do not lack WAFs, they lack consistent implementation. Fragmented deployments, siloed security practices, and the challenge of unknown assets make it nearly impossible for organizations to achieve full coverage,” CyCognito Data Scientist Zohar Venturero said in a statement.

This is demonstrated by the fact that enterprises used a dozen different WAF products on average, with some organizations using more than 30 different products at once. In several cases and among some of the largest enterprises included in the study, high-traffic applications went uncovered by a WAF while running alongside fully covered applications, representing a lack of consistency rather than an inability to apply protection.

CyCognito recommended organizations ensure full WAF coverage across their external assets by first ensuring a complete inventory of these assets, using methods such as black-box discovery to uncover hidden areas of the organization’s attack surface.

Assets should then be triaged: uncovered assets, especially those handling PII and other sensitive information, should either receive WAF protection or be decommissioned if they are no longer needed, CyCognito said.
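The inventory-then-triage steps above can be turned into a repeatable check. The script below is an added example written for this page, not CyCognito's tooling or data: it decides whether each external host sits behind a WAF using two complementary checks, a header fingerprint for a few well-known WAF/CDN front ends and a differential probe (a benign request compared with one carrying a canonical SQL-injection string), then buckets hosts so that uncovered PII-collecting assets surface first. The hostnames, the canned responses, and the signature table are constructed assumptions for the offline demo; the real `fetch_http` fetcher is included so the same triage can be pointed at a live inventory.

```python
"""WAF coverage triage for an external-asset inventory (added example).

Assumptions (not from the report): the WAF_SIGNATURES header table, the
sample hosts in SAMPLE_RESPONSES, and the choice of probe payload.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import urllib.error
import urllib.parse
import urllib.request

Response = Tuple[int, Dict[str, str]]          # (status, lower-cased headers)
Fetcher = Callable[[str], Response]

# Header fingerprints of common WAF/CDN front ends. Illustrative only:
# confirm the markers your own vendors emit before relying on them.
WAF_SIGNATURES = {
    "cloudflare": lambda h: "cf-ray" in h or h.get("server", "").startswith("cloudflare"),
    "akamai":     lambda h: "akamaighost" in h.get("server", ""),
    "imperva":    lambda h: "x-iinfo" in h or "imperva" in h.get("x-cdn", ""),
    "sucuri":     lambda h: "x-sucuri-id" in h,
}

PROBE_PAYLOAD = "' OR 1=1--"                   # classic SQLi string most default rulesets block
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}  # typical WAF block/challenge responses


@dataclass
class Asset:
    host: str
    hosting: str            # "cloud" or "off-cloud", as in the report's split
    collects_pii: bool
    waf: Optional[str] = None   # filled in by triage()


def fetch_http(url: str, timeout: float = 5.0) -> Response:
    """Live fetcher: returns status and lower-cased headers, even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-coverage-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, {k.lower(): v.lower() for k, v in r.headers.items()}
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v.lower() for k, v in e.headers.items()}


def detect_waf(host: str, fetch: Fetcher) -> Optional[str]:
    """Return a WAF label, or None when neither check finds one."""
    base = f"https://{host}/"
    status, headers = fetch(base)
    for name, match in WAF_SIGNATURES.items():      # 1. passive fingerprint
        if match(headers):
            return name
    probe_url = base + "?q=" + urllib.parse.quote(PROBE_PAYLOAD)
    probe_status, _ = fetch(probe_url)              # 2. differential probe
    if status < 400 and probe_status in BLOCK_STATUSES:
        return "unknown-waf (behavioural)"
    return None


def triage(assets: List[Asset], fetch: Fetcher = fetch_http) -> Dict[str, List[Asset]]:
    """Bucket assets: uncovered PII handlers first, then other uncovered, then covered."""
    buckets: Dict[str, List[Asset]] = {"uncovered_pii": [], "uncovered": [], "covered": []}
    for a in assets:
        a.waf = detect_waf(a.host, fetch)
        if a.waf is None:
            buckets["uncovered_pii" if a.collects_pii else "uncovered"].append(a)
        else:
            buckets["covered"].append(a)
    return buckets


def uncovered_share(assets: List[Asset]) -> Dict[str, float]:
    """Fraction of assets with no WAF per hosting class (the report's headline metric)."""
    out: Dict[str, float] = {}
    for cls in sorted({a.hosting for a in assets}):
        group = [a for a in assets if a.hosting == cls]
        out[cls] = sum(a.waf is None for a in group) / len(group)
    return out


# --- constructed offline sample: (benign response, probe response) per host ---
SAMPLE_RESPONSES = {
    "login.example.com":  ((200, {"server": "nginx"}), (200, {"server": "nginx"})),          # no WAF
    "shop.example.com":   ((200, {"server": "cloudflare", "cf-ray": "8a1-sfo"}), (403, {})),  # fingerprinted
    "legacy.example.com": ((200, {"server": "apache"}), (403, {"server": "apache"})),         # behavioural only
    "docs.example.com":   ((200, {"server": "nginx"}), (200, {})),                            # no WAF, no PII
}


def fake_fetch(url: str) -> Response:
    host = urllib.parse.urlparse(url).hostname
    benign, probe = SAMPLE_RESPONSES[host]
    return probe if "?q=" in url else benign


def sample_assets() -> List[Asset]:
    return [
        Asset("login.example.com", "cloud", collects_pii=True),
        Asset("shop.example.com", "cloud", collects_pii=True),
        Asset("legacy.example.com", "off-cloud", collects_pii=True),
        Asset("docs.example.com", "cloud", collects_pii=False),
    ]


if __name__ == "__main__":
    inventory = sample_assets()
    for bucket, items in triage(inventory, fake_fetch).items():
        print(bucket, [(a.host, a.waf) for a in items])
    print("uncovered share by hosting:", uncovered_share(inventory))
```

The two checks deliberately disagree on `legacy.example.com`: no vendor header is present, yet the injection-style request is blocked while the benign one succeeds, which is the signature of an unadvertised or self-hosted WAF. Treat a behavioural-only result as "probably covered, confirm with the owner" rather than as proof; conversely, a vendor header alone proves only that a CDN fronts the host, not that its WAF ruleset is enabled on that hostname.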

Overall WAF deployment and management practices across organizations should be reviewed to determine whether tool sprawl, fragmented ownership, silos and other issues may be creating a barrier to consistent coverage. Tool consolidation and centralized ownership may be necessary to avoid gaps that can leave assets exposed to attacks.