New study finds even high-traffic, PII-collecting applications at global enterprises remain exposed due to fragmented WAF deployments
CyCognito, a leader in external attack surface management, has released new research that exposes major shortcomings in enterprise web application firewall (WAF) coverage. Despite WAFs being considered a baseline safeguard for modern application security, the study reveals that more than half of enterprise external assets remain unprotected, leaving critical systems vulnerable to cyberattacks.
The report analyzed more than 500,000 internet-exposed assets from Forbes Global 2000 companies and found that 52.3% of cloud-hosted assets and 66.4% of off-cloud assets lacked WAF protection. Alarmingly, many of these unprotected applications handle sensitive data; they include login portals, registration forms, and checkout pages.
“It’s not that enterprises do not lack WAFs, they lack consistent implementation.”
— Zohar Venturero, Data Scientist, CyCognito
“The findings of this research identify security gaps that organizations must take action on,” said Zohar Venturero, Data Scientist at CyCognito. “Fragmented deployments, siloed security practices, and the challenge of unknown assets make it nearly impossible for organizations to achieve full coverage. This leaves sensitive systems open to credential stuffing, injection attacks, and exploitation of unpatched vulnerabilities.”
The study further highlighted that enterprises operate, on average, 12 different WAF products, with some deploying more than 30. This fragmented approach, often managed by separate teams, results in inconsistent protection and gaps that attackers can exploit.
A manual review of traffic across multiple Fortune Global 2000 enterprises, including those in finance, retail, and media, revealed high-traffic applications running without WAF protection, sometimes alongside flagship applications that were fully covered. This disparity underscores that operational complexity, rather than a lack of technology, is driving the problem.
CyCognito’s analysis suggests that years of overlapping procurement and decentralized security management have created an illusion of complete WAF coverage. Security leaders often assume that critical assets are protected, but the data demonstrates otherwise.
“WAFs still play a critical role in protecting enterprise applications, end users, and sensitive data,” added Venturero. “Our hope is that these insights empower security leaders to re-evaluate their coverage strategies and close the gaps before attackers find them.”
The findings serve as a wake-up call for enterprises to reassess their baseline defenses. Without consistent and unified WAF deployment, organizations risk exposing high-value systems to preventable attacks.