Security pros use web application firewall (WAF) solutions to protect web applications and APIs from well-known and zero-day attacks, meet and demonstrate compliance with key standards, and apply consistent, global security policies — and add specific ones — all while trying to avoid false positives, performance lags, outages, and misconfigurations that would threaten their credibility with the product team. As part of the research for The Forrester Wave™: Web Application Firewall Solutions, Q1 2025, we interviewed reference customers about their WAF usage. Security leaders should use this report to inform best practices when selecting a WAF vendor or as a benchmark for their current vendor.