Services and use cases

Security Evaluations Services

SCA helps you understand which attacks your security controls can currently prevent, identifies missing protections and detection gaps, and highlights broken mitigations and uncovered corner cases.

This evaluation ensures that when incident response is needed, you know exactly what arsenal you have, what additional defenses can be deployed, and which weaknesses must be avoided.

Measuring security is vital for the security value zone

Web Application Threats:

Common Attack Vectors (CAV)
Automated Traffic Threats (ATT)
Bots and Botnets
Attack Modus Operandi (AMO)

Security Control Assessment (SCA)

SCA - Products and Services

Risk Mitigation Score (RMS) determines your “Security Value Zone,” where negative values indicate poor security practices, while positive values reflect investments in effort, tools, and effective incident response.

Assessment of Enforcement Levels

Assessment measure the current “Enforcement” level, predicting how effectively you can prevent the next attack when incident response is triggered.

Assessment of Security Exposure

Assessment also measure “Security Exposure,” highlighting reductions in protection levels and identifying limitations critical to effective incident response.

Web application
WAF
Bot manager

Key Value Points

Security Visibility

Know your security level and policy capabilities

Security Exposure

Map the missing protection rules and controls bypass holes

Incident readiness

Next attack readiness and mitigation time improvement

Feedback Loop

Know where and what to look for in the WAF reporting (GUI)

Policy Optimization

Get the right policy for your risk and needs

WAF aaS Capabilities

Know who manages what and the real fit to attack mitigation

WAF Assessment Types

Security Controls Assessment (SCA)

Purpose: Evaluate WAF’s ability to detect and mitigate known attack techniques.
Tests Include:

Signature effectiveness (XSS, SQLi, RCE, etc.)
Custom payload detection
Evasion technique handling
Entity-level protection (parameters, headers)
Policy tuning gaps
Outcome: Risk Mitigation Score (RMS) for control coverage.

Bot Protection Assessment

Purpose: Evaluate how WAF handles automated threats.
Tests Include:

OWASP Automated Threats (carding, scraping, credential stuffing)
Bot client simulation (headless browsers, replay tools)
CAPTCHA and JS challenge handling
Outcome: Bot defense score and bypass feasibility.

Policy Configuration Analysis

Purpose: Validate WAF policy logic and alignment to application behavior.
Tests Include:

Policy enforcement review
Positive security model checks
Custom rules review (regex, IP, Geo)
Outcome: Policy quality score and hardening recommendations.

Custom Use Case Simulation

Purpose: Validate WAF in real-world incident scenarios.
Tests Include:

Simulated red team campaigns
Attack chain testing (multi-step exploit)
Application-specific threat modeling
Outcome: Application-aware mitigation score.

WAF SCA

Web App – Common Attack Vector (WA-CAV )

Testing for common attack vectors detection is the minimum WAF requirements that should reflect your WAF security value on any web application.

Web Exploits
App Brute Force
App DoS/DDoS

Web App – Automated Traffic Threats (ATT)

Bots activity are still a major concern to web application owners

Readers & Submitter
Tweaker & Diverter
Device & Client types

Any Location

Each location provides the value and together they form layer 7 protection strategy

On Prem
Cloud
SaaS
Mesh

Any WAF Testing

No matter which WAF type and where it resides, our unique WAF everywhere testing methodology have all the right test plans.

All Types
All Vendors
All Locations

Learn more about:

AMI3A: Power process for modern web app security .
Risk Mitigation Score (RMS): A financial measure of your security effectiveness.
DSMM – Defensive Security Management Methodology.