Imperva Application Security Platform Reviews

The solution increases the amount of protection for a client's products and solutions in their country.

They're quite easy to install and quite easy to set up. Clients really like that. Especially when you're dealing with the cloud, it's really easy. 

It also has the ability to integrate with other firewalls. That's really important today. Most end-users are looking for something that can integrate with other solutions and with APIs. They're looking for solutions that have an open API. 

The solution needs to ensure they are compliant and can show the customer in a visual way, like a ticked box, that they are protected. They need to ensure their solution is showcasing if their system is getting attacked so clients know if or when they are under attack.

Clients also often complain about the cost of the solution. They should consider adjusting their pricing models.

We would like them to hire people in Sweden because it's quite hard when people are sitting in the UK or Belgium because some of the customers really want them to be local.

In the next version, they could include more products or more solutions in this solution that you can add on. They need to build more features that they can add so they can help the customers who don't have a particular solution in hand. Most of the end-users are looking for an easy way to manage all of their solutions. Today we're selling a lot of smaller solutions, and they need to have a lot of different management solutions that we can offer to clients. 

The solution is really stable. It's good. It's a product that I can stand by and recommend because I know it's going to work for the customer.

The scalability is good, especially when you sell a solution that's in the cloud. That's easier to scale; you can just upgrade it. 

We don't directly deal with technical support, but I've never heard of any problems or complaints from clients.

The initial setup is straightforward.

We deploy the solution for our client. Sometimes Imperva also assists.

The licensing depends on the client. Usually, it's yearly, but we do offer monthly financing.

The only thing I hear complaints about is that in some cases clients want to be able to scale down. They don't want to buy everything. That could be, in Sweden anyway, a big problem, because they need to buy more licenses than they will use. In some cases, some of the resellers would like if it was possible to scale down, to have smaller option. However, they don't have that.

I'm a distributor for this product.

With the ease of implementation, I think is a good product. A lot of the other products need a lot of professional services to make it work. With this solution, it's very, very easy to implement, which is a strong selling point.

They also have a good range of products that they sell.

I would rate the solution seven out of ten. It's more than one issue that has me rating it at seven. It's quite a big solution, so it's hard to get a smaller company to buy it. They don't have people in Sweden either. That's really important for us, because it's harder for Swedish companies to be serious about the product when there's a lot of other vendors that have local people, and that's preferred by clients.

The primary use is the protection of our environment and client environments from intrusion and malicious attacks.

The product improves our organization by defending infrastructures from malicious behaviors. It also allows us to provide a reliable product to our clients who need a similar solution.

The most valuable features for our organization are auditing capabilities and compliances. The product meets the needs of our business model and we can see the health of the architecture at a glance. There are some instances where a client needs to meet with compliances in their industry, and this product is capable of meeting those needs.

One thing that they really could improve on is the depth of the analytics. The company needs to think more about the risk and analytic side of the application to supply the user with more information to evaluate and use in resolving issues. It is good to be able to depend on the product to provide a reliable solution, but it is better to take steps to resolve issues overall. This means giving information to the user that will help them identify exactly what the issues are. Risk analytics need to improve and this can be done easily.

This is a very stable product. Our clients have never complained about downtime or issues with functionality.

The product is easily scalable. We currently work with five to six customers who are on this solution. They are organizations of mixed size from small to enterprise. There is no problem adjusting the scale up or down to meet their needs and budget.

We have not needed to have much interaction with the support teams but when we do they address the problem quickly and with a high level of accuracy. The support, in my opinion, is very good.

Deployment is always straightforward. You just follow the instructions. With our experience, the product takes very little time to install and configure.

As we are a partner and a reseller, we are familiar with the product we do the installations for clients ourselves. We rarely have any issues with the installations.

On a scale from one to ten where one is the worst and ten is the best, I would rate the Incapsula platform as somewhere between an eight to nine. The obvious fault is the lack of better reporting. However, it is a good, functional product and we recommend it to clients who will not have to do very much to maintain the product.

The solution has good DDoS protection, and some good common features, such as no attack surfaces, parameter sanitization, and attack analytics.

The dashboard of the solution is complex. It is complex in the sense that there are too many options. There are two types of Incapsula dashboards. One is the on-prem version and one is cloud-based. Cloud-based is okay. The on-prem one needs some work.

The solution needs to improve Integration with third parties for their on-prem deployment models. The integration is not that good yet.

The solution is stable.

Scalability is pretty easy on the base platform. You just add another, and you're ready to go. We deal mostly with enterprise-level clients.

The company has really improved its technical support over the past year. Before that, I wouldn't rate them as very good, but they are much better now.

The difficulty of the initial setup depends on the customer. If it's a complex environment that they're processing, and/or if there's a downtime period, it may take more or less time. It depends on the number of applications that we have to integrate as well. 

We are Imperva partners, so we work with clients that use different deployment models, including on-premises and cloud.

I'd recommend to those considering implementation to look at your organization's requirements and then compare your options.

I would rate the solution 7.5 or eight out of ten.

This is one of the solutions that we provide to our customers.

We use this solution for application-level security, above layer four protection where the firewall cannot reach.

I have worked with both on-premises and cloud deployments.

The most valuable feature is the out-of-the-box detection engine. It has the ability to detect some of these things without being configured. There are some features that are configured by default, so even without doing much, it can still provide a level of protection.

The visibility provided by this solution can be improved. I often tell my customers that "You can't fight what you can't see". I can recall a time when I did a presentation after a deployment, and it prompted them to put the solution into enforcement mode immediately. Normally, we wait one week with the solution in monitoring mode. However, once they saw the types of vulnerabilities they had, they wanted to take action right away. It gave them a great deal of knowledge, and knowing that they are protected from these types of attacks has boosted their confidence.

This solution has a lot of features, and some of the students were confused when I was discussing them. It would be helpful to have a "recommended deployment", or even a list of basic features that should either be used or turned on by default. If somebody has installed the product several times but is doing the same thing incorrectly, then they get experienced in doing the wrong thing. You should be able to specify which assets you need to be protected, and the solution will tell you the minimum in terms of features that need to be turned on. If you need more advanced protection then the others will become relevant.

Imperva partner training is something that I would be interested in if it ever came my way. There should be partner-specific webinars, meetings, and other training provided to us,

So far, I don't think that we've had any issues with this solution in terms of stability. People discussing this solution have given the same remark.

This solution is used on almost a daily basis.

Scalability of this solution is based on the design. If you get your design right, then you shouldn't have a problem with the scalability.

While we were installing this solution, we had contact with technical support and they were good. I have referenced information that is on their site and it is helpful, as well.

During the initial installation, there was a warning that was not part of the known CVEs. When I checked with support, they told me that this type of problem is blocked out-of-the-box. However, if I wanted to be really sure, they showed me how to create a custom policy, or custom rule, to specifically deal with it.

I have used other solutions, but I usually follow the Gartner reports and their suggestions. My previous solution had not been doing too well.

Also, as I became more familiar with this solution, it became easier for me to identify issues. I had also read research on Imperva blocking denial-of-service attacks, and I like practical evidence of issues such as this. By reading these articles, and about other people's experiences, it is like seeing it for myself. With other solutions, you are not privy to such visibility.

Complexity and cost are two important factors when it came to choosing this solution.

Unless the client has as serious issues and does not want Imperva, this is my first choice.

The initial setup of this solution was not too straightforward. We did have to contact Imperva during the deployment. The length of time for deployment depends on the experience of the people performing the installation, as well as the environment.

My team and I performed the implementation of this solution. To make sure that we were on track, we contacted Imperva support for some clarification. Most of the things that we do, we follow best practices.

Everybody complains about the price of this solution. 

This is a security device, and it is used almost every day. It is not just used when there is an issue. Based on what the dashboard or the reports say, you can change policies to meet your security requirements or business needs.

Based on my experience, and what I know this product can do, I would never recommend another solution. I advise most of my customers to go for this.

I would rate this solution a nine out of ten.

We are a reseller and integration partner, and we have customers who are using this solution in on-premises deployments.

This solution has helped in securing our clients' assets, which is key. It mitigates all of the availabilities of risks around web applications.

The most valuable feature of this solution is web application security.

This is a user-friendly solution.

This solution has good performance ratings.

I would like to see more support available for this product online. Some customers find this to be a real limitation.

The virtual processing could be improved.

Their portal is very limited and needs improvement.

This is a very stable solution.

The solution is very scalable, but of course, the scalability comes with a cost.

I think that technical support needs to be improved by making it more localized, or regionalized. Our support is currently coming from the US, and it is not very good. They need to take care of their global customers.

We previously used Fortinet, but this solution has better performance ratings.

I don't want to say that the initial setup is straightforward, but it is manageable. It requires a bit of technical knowledge.

This is a solution that I highly recommend.

The biggest lesson that I have learned from this solution is that Imperva is not a one-house solution. They create a specialized solution, and that comes with a lot of value.

I would rate this solution a nine out of ten.

The primary use was to cover the database. Imperva we recognized on the market as the best solution for techs on databases. The banks here in Chile always ask for these types of solutions.

The compliance is the most valuable aspect.

I just need it to be a stable and normal version. I'd want to hear about the new features to see which I would need.

I find this solution stable. We have 2,000 users in financial services.

The solution is scalable.

The setup initially was simple, but when we tried to run it we had problems with the log parameters and it was complicated to use. The operation was complicated to use, but that is just the experience of my team. It took two months to deploy. The setup and installation of the technologies took one week, and after that, one month to set up the parameters and after that, in order to set up the logs, it took about two weeks. So two months total. We have three engineers, including an architect and a security engineer. We also had a fourth engineer that knew the application.

We have a yearly license, but I'm unsure of the pricing.

We didn't evaluate other options, just Imperva.

I would rate the solution as an 8 out of 10, simply because of the difficulty of operation management. It's a complicated tool to keep.

Our primary use case is to protect our cloud production environment.

We have a co-location that we do with our QA and Dev and our pre-production environment. We do everything there. We built it for the production environment so we deploy everything in the cloud. We have the web application firewall in the cloud, after the proxy.

It has threat intelligence and we are using Incapsula. With threat intelligence, we can separate HTTP and HTTPS traffic. We can use Incapsula to send all the threat intelligence to the WAF.

The interface is very user-friendly. You get used to it. It's very convenient.

There could be some limitations rom the converged infrastructure perspective: when you want to converge with everything and you want Imperva to get there easily, because it's not a cloud component. For example, when you want to build servers and you're using OneView to manage your software-defined networks, implementing Imperva right away is not that simple. But if you're doing just a simple cloud infrastructure with servers in there, you're good to go.

Also, we are not able, with Imperva, to block by signatures. Imperva by itself needs to be complemented with another service to do URL filtering. That's why you need Incapsula.

No issues with stability. It has never crashed.

Scalability is affordable. There are no issues with the process of scaling.

They have centralized management, in terms of scalability. They have centralized policy control, they have centralized application profile information. On the dashboard they have Signature Update, Monitoring, Reporting. They clearly thought about the large-scale when they made this product.

We use a partner here in Puerto Rico for Imperva. We have a guy in our shop every day, full-time.

We used Fortigate. We switched because it's not a WAF. When you have a WAF, you want that WAF to do all kinds of configurations, to promote the firewall, to work the way you want it. Imperva came with everything, the whole package.

The initial setup was a little bit complex. But a third-party took care of everything. It's not like putting milk on cereal when you are working with these kinds of configurations. The effectiveness of a web application is going to come from the analysis of what your organization needs. If you don't have that information before you go into Imperva, you're going to have a lot to do when you get there. You need to know what you're doing. It's not something you can take out of the box and put in your infrastructure. It's somewhat hardcore to deal with these kinds of solutions. 

Make sure you understand the way that Imperva charges. It's very affordable. However, I would like to see a package with the Virtual Patching included. You get to do patching separately.

We had F5, Akamai, Fortinet, Barracuda. We may have looked at Juniper as well, I don't remember. Not too many companies have a WAF. Not all the firewall companies are WAF makers.

I think it's perfect. It's a very good application. When you do large-scale deployment you want to protect your physical web application with Imperva, trust me. It gives me peace of mind.

These are guys are from Israel and you should see that place. These guys are the best I have ever seen. They do all kinds of stuff and there is nothing that they cannot do. These people are incredible. They can configure and develop anything, customized, if you want it. Everything has a price, but they can do it right now. They don't have a "no."

We use Imperva with Incapsula so we have web security, we have DDoS protection, we have content delivery networking, we have load-balancing. We do everything with Incapsula cloud. For example, if you have an internet threat, that threat is trying to access your web application. Depending on the threat that you are receiving, the activity monitor is going to be triggered. Once that activity monitor gets triggered, the vulnerability management is going to defend you. It doesn't work for everything the same way. It's very intelligent.

Without tuning, it blocked 88 percent of the vulnerabilities, and when we tuned it, it blocked 98 percent. Whatever was not blocked didn't harm us. We use a third-party for tuning. We tell them what to do it and they do it. They get it done fast, sometimes in two to three days. It depends on what you're asking for. If you're asking for more accuracy, they go the distance to solve your problem. For example, the other day I had some keywords, some attack signatures that they were looking at for false-positives and false negatives, which are two different things. One of the main reasons we got Imperva is that we wanted to block attacks while limiting the number of false positives. I wanted the application scanner not to generate false positives by creating violations. I gave them the information, and the next day it was solved.

To put it in a high-level perspective, you are paying to see the things that are important, but you get a lot of noise. I wanted to reduce that noise. They allowed me to do that. 

Make sure you have the right testing methodology for Virtual Patching. If you want to take your patching to under 30 days, this is the product for you. We reduced it to five days. I think we are the only company where the patching is under five days. We are only doing it at the database-level right now. But we took it down to five days. 

There are proper ways to test a WAF, but the main advice I can give you is that you should not just generate attack traffic. The most effective method, for me, would be to generate both attack and legitimate traffic. That kind of approach will give you a way to rate the ability of the WAF to detect malicious traffic and to distinguish malicious traffic from good traffic. Provide real-world testing scenarios, in which the WAF must block attacks and avoid blocking good traffic at the same time. You will be able to measure how many false positives you're getting. That is the best way to test a WAF: Don't only to generate attack traffic.

Another piece of advice, and here I will jump  to the main fears of this environment - SQL injections, cross-site scripting, which I hate, DT's (Directory Traversals) - is that you need to provide another layer here which is IPS. IPS products will all rely on signatures. They are going to be created by the scanner to stop anything, that's just the basics of threat prevention. If these signatures are easy to circumvent, by using comments and encoding at the same time, they will be available for the WAF to stop any kind of session or cookie tampering. What I'm saying is that there should be technical attack protection. You should be thinking not only about WAF but combining WAF and IPS.

You need to find an IPS that works with it. Imperva has something similar to an IPS, it's not an IPS per se. For example, an IPS cannot detect or stop fraud malware. For that, you need to add certain other levels of security and combine it with employee training. If you get the web application, which is called SecureSphere, the WAF, it will protect you against web page fraud because they go by black IPs. So you can help the IPS on that side and the IPS can help you letting you know what to block from the internal network. You should be considering a combination of WAF and IPS.

Another thing to take into consideration for people who are starting, with respect to deploying a WAF, is that they should validate the accuracy of the solution and the ability it has to protect any application and help you with monitoring and management. It's not just technical stuff.

The first use case was due to the need to protect DDoS attacks as well as protection for SQL injection. The existing application was no longer supported, and to prevent further attacks from occurring, WAF Imperva was applied. The rollout was very fast due to the need for DNS notes only.

In the old days, we experienced many problems with denial of service attacks, and identifying them was very difficult because we did not have a WAF solution. After the deployment, the solution gave us the visibility we needed.

Anti-DDoS protection, as well as other protections like SQL injection, Cross-Site Scripting, and antiscanner. These types of protection are valuable to the business due to the daily attacks on our portals, and that often cannot be seen without a tool like this.

Imperva now offers add-ons to add functionality, but I would like to see these included in the product, even if it would cost more.

No issues with stability.

No issues with scalability.

Very good, although I have not had any problems so far.

No, this is the first solution I have used.

It was straightforward, very simple. I only entered the domain and Incapsula returned the DNS data that I needed to change for the protection to be configured.

I did not participate in the process of choosing the solution.

Only configure it by enabling all protections. This is very important for preventing attacks.