What to Look for in a WAF (Recorded live at the Comprehensive Cybersecurity Event)

Not all WAFs are created equal, and most companies are asking the wrong questions. This episode was recorded live at a special event hosted by GlobalDots and CloudFlare, focused on WAF for SaaS and cloud-native security. We spoke with Moshe Weis (CISO, Aqua Security) and Eran Gutman (VP IT & Security, Pixellot) about what truly matters when evaluating WAF solutions — from visibility and false positives to automation, business context, and real-world readiness. Short interviews. Deep takeaways.

This transcript was generated automatically by AI. If you find any mistakes, please email us.

Tomer: In cloud security, the threats are evolving, but so are the misconceptions. Hello everyone, you're listening to Cloud Next, your go-to source for cloud innovation and leaders' insight, brought to you by GlobalDots. Welcome to a special short on-the-ground edition of Cloud Next. I'm Tomer Molfudsen, and this episode was recorded live at a closed event hosted by GlobalDots and Cloudflare, focused on one of the hottest topics in modern cloud security: WAF for SaaS and cloud native environments. We sat down for two quick but powerful conversations with people who truly know the space: Moshe Weis, CISO at Aqua Security, and Eran Gutman, VP of IT and Security at Pixellot. Short talks, deep takeaways. Let's dive in. As someone who knows this space from the inside, what do you think are the most important things to consider when evaluating a WAF solution?

Moshe Weis: Okay, so really I think it comes down to a few different types of features that WAFs provide for the organization. So number one, first and foremost, anything related to what I like to call negative security: being able to block out the objective bad. And then you have the whole area of positive security. So it's not sufficient to just block out the objective bad. You need to also know what you're protecting. You have to understand your applications, and based on that you need to create your rule sets for what you want to allow. Because we know that any zero day can easily bypass the negative security modules on a WAF. So we have the negative security, we have the positive security, and then we have everything that has to do with, you know, DDoS or application DDoS prevention, anything that has to do with flow control. So again there's the objective bad, what's considered a DDoS attack or a volumetric attack which needs to be blocked, or bot classification and protection. And there's also the positive flow control, that I know what my application can consume and I want to be able to provide the maximum parameters for that. So I think those three areas pretty much sum up what I would be looking for in a WAF.

Tomer: While Moshe focuses on the layered technical capabilities a WAF should offer, Eran Gutman brings a different perspective, emphasizing the importance of visibility and real-time understanding before diving into remediation.

Eran Gutman: First of all, I think the most important thing is visualization. So we need to know what happened, how it happened, from when it happened. So when we have all the visualization, then we go into the next level. So the next level is to try to remediate it. Sometimes you're doing automatic remediation. Sometimes you have to think about the purpose and the process. But eventually you remediate, and you prevent an attack or a dedicated attack on your site or something like that.

Tomer: What's a common mistake you see companies make when it comes to securing cloud native applications? And what should they do differently?

Eran Gutman: I think the most common mistake is to look at the small picture and not at the overall picture. Because cloud security, it's a name, but you need all the ecosystem. So you need to identify the resources from one side. You need to identify your client or customer, your feature; sometimes your feature may look like best-practice vulnerabilities, and they are not vulnerabilities. This is the one side; that's the other thing. Look over the overall picture. So you need to have visibility of all. You don't use only the cloud security tools; you must have other tools that integrate with it. Like, let's say, secure code, because sometimes all the problem is because you have developed the thing, and you came from the code to production, so you understand all the process. Of course, the main thing is to understand the business need. So when you take an advisor or integrate some companies, they need to understand the business, the value of the business, the way the business works, before taking any consumption or other things to remediate security things.

Tomer: While Eran stresses the need to see the bigger picture, the full ecosystem, the business logic and the development process, Moshe Weis takes it a step further, pointing to a critical gap in security teams themselves: the lack of modern cloud native expertise.

Moshe Weis: So when it comes to securing cloud native applications, cloud native applications are different in nature from what we call legacy workloads, due to the fact that their lifecycle spans everything from developers to runtime operations. And that's how cloud native differs, and the technology is different. We don't use static endpoints, we don't use static IPs. We kind of lost our control at the infrastructure level. And I think that the main mistake that companies make is not having the technological know-how in the security staff to be able to secure that. And therefore I believe that security teams need to be more knowledgeable in the DevSecOps and the modern CI/CD areas. And they need to be able to onboard a proper security tool that understands the cloud native applications both from a runtime perspective, from a shift-left perspective and from a posture management perspective.

Tomer: When dealing with WAF or broader security tools, where do you think automation brings the most value, and where do you still rely on people to get it right?

Moshe Weis: I think that automation can primarily benefit the reduced time to being operational, ready to implement blocking mode on your WAF. And this is simply because one of the main pain points of WAFs that we have today is being able to fine-tune the system with the false positive and true negative ratio, which is always the hardest part of operationalizing the WAF. And I think that automation can go ahead and be able to assist with creating the fine-tuned and granular rules that on one hand will not block false positives and on the other hand will give enough value that it actually blocks attacks. I think that the human factor is needed because we all know that automation alone, even with the assistance of AI, is just not there yet. And it definitely needs the oversight to be able to know what we're actually blocking in production.

Tomer: While Moshe drills into the operational challenge of false positives and the role of fine-tuned automation, Eran Gutman takes a broader view, framing automation as an unstoppable shift, a revolution that security leaders must embrace.

Eran Gutman: So the world goes into automation. We call it today AI; tomorrow we'll call it something else. But the automation is coming, so you need to rely on automation. It should be reliable. It should understand the behavior of the process of the service that you are delivering. And I think we'll go over there. So somehow in the future we don't do the paperwork just to check if there is no false positive and things like that, especially not to do the work, the manual work. But I think the world is going there, and you need to align, adopt it and hug it, and join the revolution.

Tomer: If you can't beat them, join them.

Moshe Weis: Right?

Eran Gutman: Yes, of course.

Tomer: Thank you very much for your time and your insights.

Eran Gutman: Thank you.

Tomer: Enjoy the event.

Eran Gutman: Thank you.

Moshe Weis: Thank you very much.

Tomer: There you go, folks. Two perspectives, one clear message: WAF is no longer just about blocking threats. It's about visibility, context, and knowing what not to block. Thanks again to Moshe Weis and Eran Gutman for sharing their thoughts, and to everyone who joined us at the event. Until next time, stay secure, stay curious. Ask GlobalDots.

Ganesh: This episode was produced and edited by Daniel Ohana and Thoma Morvenson. Sound editing and mix by Bren Russell. I'm Ganesh the Awesome, and if you're ready to deep dive and start transforming the way you approach cloud practices and cybersecurity strategies, then the team and myself at GlobalDots are at your disposal. We are cloud innovation hunters, and we search the globe looking for the future tech solutions so we can bring them to you. We've been doing it for over 20 years. It's what we do. And if I don't say so myself, we do it pretty well. So have a word with the experts, don't be shy, and remember that conversations are always for free.
