The WAF-Bot Management Acquisition Waltz
With F5 Networks buying itself a $1 billion Christmas present in Shape Security, it’s a good time to review the state of the bot management market. The Shape Security sale caps off a year of bot management acquisitions by web application firewall (WAF) vendors. In January, Radware announced that it had acquired ShieldSquare, and in June, Imperva added Distil Networks to its application security portfolio.
As Forrester noted in the “New Tech: Bot Management, Q4 2019,” “Web application firewall incumbents are already providing products to eliminate bad traffic, and they see bot management as an adjacent problem to solve.” Akamai, Alibaba, Cloudflare, and Oracle all offer both WAF and bot management. Prior to purchasing Shape Security, F5 touted its own bot management solution, though it had little market traction. Of the four late-stage vendors listed in the New Tech — Imperva, Radware, Shape Security, and WhiteOps — three were part of the 2019 bot management acquisition revelry.
Bot management will turn the WAF market on its head.
With that in mind, two things to watch for in 2020:
How will WAF vendors address their bot management needs? Those WAF vendors without a strong bot management offering are looking at their options. Do they build some functionality in-house? Do they buy or partner? Is it a standalone solution or a feature in their WAF? A caution: Partial or mediocre bot management added to a WAF is being seen for what it is. Imperva and F5 both offered bot management functionality in their WAFs before they purchased Distil Networks and Shape Security.
How long will standalone bot management offerings stay standalone? Forrester continues to see strong investment in the bot management space, and 2019’s acquisition fest looks attractive to early-stage entrants and investors, but they will need to move quickly. Several of the large and midsize WAF vendors have already picked their bot management dance partner. Bot management vendors looking for a strong WAF partnership — or an exit — can help bot management-challenged WAF vendors accelerate their roadmap or bridge feature gaps.
Forrester predicted that bot management would turn the WAF market on its head: “Instead of WAF tools providing bot management to augment their OWASP Top 10 defense, bot management tools will garner the most customer interest, and OWASP Top 10 protection will be a secondary, add-on benefit.” The rash of bot management acquisitions bears that out and sets us up for a dynamic market in 2020 — watch for more acquisitions in the new year.