Press Release

CyCognito Research Reveals More Than Half of Enterprise External Assets Lack WAF Protection

Research finds that even high-traffic, PII-collecting pages at the world’s largest enterprises remain exposed.

Palo Alto, California – September 9, 2025

CyCognito, the leader in external attack surface management, today released new research uncovering critical gaps in enterprise web application firewall (WAF) coverage. The report, based on analysis of more than 500,000 internet-exposed assets from Forbes Global 2000 companies, found that over half of enterprise cloud assets (52.3 percent) and nearly two-thirds of off-cloud assets (66.4 percent) lack WAF protection.

Considered table stakes in application security, WAFs are a baseline safeguard assumed to be in place across all business-critical applications. CyCognito’s research shows that this assumption is dangerously misplaced. Even among the world’s most iconic enterprises, investigators identified high-traffic applications without WAF protection, including pages that collect personally identifiable information (PII) such as login portals, registration forms, and checkout pages.

Key Findings:

  • Widespread Gaps Across Cloud and Off-Cloud Assets: More than half of cloud-hosted enterprise assets lacked WAF protection, with off-cloud assets faring worse.
  • Exposure of Sensitive Data: Nearly 40 percent of PII-collecting assets in cloud environments and 63.4 percent of off-cloud PII-collecting assets had no WAF coverage.
  • Fragmented Deployments: On average, enterprises operated 12 different WAF products (median of 11), with some deploying more than 30. This sprawling mix of technologies, often managed by separate teams, creates inconsistent coverage and leaves assets exposed.
  • Evidence from Global Enterprises: Manual review of traffic across a dozen leading enterprises in industries such as finance, retail, and media revealed multiple high-traffic applications operating without WAF protection, sometimes alongside fully protected flagship applications.

“The findings of this research identify security gaps that organizations must take action on. It’s not that enterprises do not lack WAFs, they lack consistent implementation,” said Zohar Venturero, Data Scientist at CyCognito. “Fragmented deployments, siloed security practices, and the challenge of unknown assets make it nearly impossible for organizations to achieve full coverage. This leaves sensitive systems open to credential stuffing, injection attacks, and exploitation of unpatched vulnerabilities.”

CyCognito research attributes many of these gaps to organizational complexity rather than technology limitations. Years of overlapping procurement and decentralized management have resulted in enterprises running dozens of different WAFs without a unified deployment framework. This fragmentation means that even high-value applications can slip through the cracks, leaving businesses exposed to attacks.

From the findings of this research, CyCognito expects that enterprises will rethink their assumptions about coverage. Most security leaders believe WAFs are in place everywhere they need to be, but the data shows that isn’t the case. Organizations should acknowledge the potential for this visibility gap and realize that not every external-facing asset is actually protected, even inside well-resourced companies.

“WAFs still play a critical role in protecting enterprise applications, end users and sensitive data. Our hope is that these insights empower security leaders to re-evaluate their coverage strategies and close the gaps before attackers find them,” added Venturero.

Access the full report at: https://www.cycognito.com/blog/state-of-waf-protection/

About CyCognito

CyCognito is an external exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. For more information, visit https://www.cycognito.com
