Web Application Firewall

An AI-based one-stop web business protection solution


Tencent Cloud Web Application Firewall (WAF) helps internal and external Tencent Cloud users fight security issues such as web attacks, intrusions, exploits, trojans, tampering, backdoors, crawlers and domain name hijacking. By deploying WAF, corporate users can redirect the threat and pressure of web attacks to the protection cluster nodes of WAF, obtaining the web business protection capabilities of Tencent Cloud in just minutes to safeguard websites and secure the operations of web businesses.


AI+ Web Application Firewall

Web attack recognition is based on AI+ rules. It is anti-bypass and low in both false negative and false positive rates. Web attack recognition defends effectively against common web attacks including the OWASP top 10 web security threats (SQL injection, unauthorized access, cross-site scripting, cross-site request forgery, web shell trojan upload, etc).

Virtual Patches for Zero-day Vulnerabilities

The 24/7 monitoring service from Tencent's security team identifies and responds to vulnerabilities proactively. Within 24 hours, it issues virtual patches to combat zero-day and high-risk web vulnerabilities. Protected users can get zero-day and emergency vulnerability protection instantly and automatically, reducing vulnerability response time dramatically.

Webpage Tampering Prevention

Users can cache core web contents to the cloud and publish cached web pages, which act as substitutes and can prevent the negative consequences of web page tampering.

Data Leakage Prevention

Backend data is well protected by pre-event server and application concealing, mid-event attack prevention and post-event sensitive data replacement and concealing.

CC Attack Prevention

WAF’s customized access control, human-machine identification and frequency limitation can effectively filter spam access and reduce CC attacks.

Crawler and Bot Behavior Management

The AI+ rules-based webpage crawler and bot management feature of WAF helps enterprises avoid business risks caused by malicious bot behaviors, including website user data leakage, content infringement, competing price comparison, inventory search, malicious SEO and business strategy leakage.

DNS Hijacking Detection

WAF performs nationwide DNS verification of the domain names submitted by the customer to detect and display the hijacking conditions of the protected domain names in various regions, helping avoid data theft and financial losses caused by the hijacking of website users.


Tencent Cloud WAF empowers users with top-notch security capabilities and provides protection strategies optimized for web business operations that leverage Tencent's web security protection practices that it implements with its own businesses.
Industry-leading AI+ Rules and Dual Engine

Traditional WAF core engines generally use a collection of regular expressions, which are prone to false negatives bypass and false positives that can result in operation problems. In contrast, Tencent Cloud WAF adopts AI+ rules-based dual engine detection technology to maximize detection and capture of known and unknown threats. It minimizes false positives and adapts to changing web applications.

Utilizing AI for threat prevention, rule-based dual engine, cross-validation and continuous learning, WAF can accurately and effectively identify and block various conventional, zero-day and new types of attacks.

It's possible that common semantic learning-based AI technologies for threat prevention may be bypassed by experienced hackers. However, the AI system of WAF is based on Tencent's proprietary probability map technology and trained with massive amounts of data of attacks and normal access requests to Tencent's business platforms, significantly strengthening WAF's ability to identify threats and adaptively protect constantly changing web applications.

By continuously learning the characteristics of high volumes of business data, WAF can automatically generate business-based personalized protection strategies to prevent false positives of special business access requests.


Internet+ Businesses

WAF protects business data from being intruded on, tampered with and stolen and filters out all kinds of attack and spam traffic, supporting the normal and stable operations of core Internet+ businesses.

It eliminates the negative impact of various issues caused by malicious bots, such as copyright infringements, malicious SEO, data crawling and leakage and spam traffic.

It features high availability and elastic scalability based on business size and reduces protection costs.

O2O Ecommerce Websites

WAF intelligently filters out attacks and spam access requests by malicious crawlers to ensure smooth business access in various high-concurrence scenarios such as flash-sales and marketing campaigns.

It eliminates the negative impact of various issues such as competing price comparison, inventory query and malicious SEO caused by malicious bots and crawlers to ensure the effectiveness of marketing strategies.

It features high availability and elastic scalability based on business size and reduces protection costs.

Finance Websites

WAF effectively detects and identifies access requests with exceptions such as web intrusions, database comparison and DNS hijacking to protect user information from leakage.

It identifies and manages the behaviors of bot programs and assists with the anti-crawler management strategies of financial organizations to help prevent financial information from being crawled on and protect financial strategies from leakage.

Government Service Websites

WAF protects the content of government service websites (such as those for governmental affairs, healthcare, education, social security and taxation) from being hacked and tampered with. It also prevents the intrusion and theft of civic data and ensures the availability of civic services.

Corporate Websites

WAF protects corporate portals from intrusions, trojans and tampering to avoid economic losses and brand image damage caused by website security incidents.

Its hardware-free and OPS-free characteristics help enterprises reduce security-related labor costs.


Tencent Cloud Web Application Firewall is pay-as-you-go with a daily billing cycle. No advanced payment is required. The bill is generated daily according to the QPS peak and billing tier. View more>>