Enterprise Web & Infrastructure Protection
Incapsula vs F5
The Enterprise Web & Infrastructure Protection’ is for an enterprise that needs to protect both the website and network assets (VPNs, Class C networks, etc). Enterprises that look for an end-to-end DDoS solution will require web protection (DNS-based), infrastructure protection (BGP-based), and possibly even an on-premises appliance. The annual budget for a DDoS solution would start at a range of $50-100K.
In this report, two vendors provide a ‘full-scale enterprise’ solution: F5 Silverline and Incapsula. CloudFlare was not included because we did not have sufficient data to warrant if its infrastructure protection is good enough to enter the category.

Deployment & Service Options
![]() | ![]() | |||
---|---|---|---|---|
Diversion Method: DNSThe diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more) | ||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) | ||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) | ||||
Non-web protocolsNon-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not poses a Class C network. (read more) | (IP Protection) |
Both vendors support non- web protocols. | ||
Diversion Method: BGPBorder Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organizations’ traffic to a cloud service provider for inspection before it reaches the enterprise network. (read more) | ||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) | ||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) | ||||
Service Features | ||||
SSL support – HSMA hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. (read more) | ||||
Emergency responseA team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more) | ||||
Fully managed serviceA DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
F5 offers fully managed service.
| |||
Number of Data CentersThe number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) | 30 see locations | 4
see locationsSan Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG |
Incapsula has 30 data centers, F5 has only 4.
|
![]() | ![]() | |||
---|---|---|---|---|
Diversion Method: DNSThe diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more) | ||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) | ||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) | ||||
Non-web protocolsNon-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not poses a Class C network. (read more) | (IP Protection) |
Both vendors support non- web protocols. | ||
Diversion Method: BGPBorder Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organizations’ traffic to a cloud service provider for inspection before it reaches the enterprise network. (read more) | ||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) | ||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) | ||||
Service Features | ||||
SSL support – HSMA hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. (read more) | ||||
Emergency responseA team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more) | ||||
Fully managed serviceA DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
F5 offers fully managed service.
| |||
Number of Data CentersThe number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) | 30 see locations | 4
see locationsSan Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG |
Incapsula has 30 data centers, F5 has only 4.
|
Incapsula vs. F5 - Deployment
Incapsula Enterprise and F5 Silverline deployment options are very similar. Both offer DNS and BGP-based diversion, a solution for non-web protocols, and On-Demand and Always-On. F5 offers fully managed service, whereas Incapsula is only partially managed. Although not directly effecting DDoS, Incapsula offers web acceleration and has 30 POPs vs. F5 which only has 4 POPs. This can also effect organizations that do not wish to accelerate but only maintain their existing latency.
Mitigation
The Web Protection of both vendors is extremely good. They are both fully or almost fully loaded with all the required protection.
The Infrastructure Protection of both F5 and Incapsula is based on a black-box approach, which is less than perfect. Realistically, though, this is the common practice in cloud services.
![]() | ![]() | |||
---|---|---|---|---|
Proxy / CachingA server that receives the client’s request, and then requests it indirectly from the web server. | ||||
Reverse ProxyA server that receives the client’s request, and then requests it indirectly from the web server. | ||||
CachingIn DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) | ||||
Web ChallengesA set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more) |
F5 is the only one offering the entire web challenge spectrum.
| |||
Cookie ValidationA type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. (read more) | ||||
JavaScript ChallengeA Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending a JavaScript code that most attackers are unable to process and pass successfully. (read more) | ||||
Silent Bot DetectionAn advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. (read more) | ||||
Modern CAPTCHAA type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. (read more) | ||||
CAPTCHAA type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. (read more) | ||||
SignaturesA detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more) | ||||
VendorVendor signatures come in large number and are based on the vendor research. | ||||
CustomerCustomer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it. | ||||
Blacklist (BL) / WhitelistBlacklist and whitelists enable blocking or allowing network access to entities based on parameters such as a IP address, geographical location or URL path. (read more) | ||||
BL IP | ||||
BL URL | ||||
BL Geo-protection | ||||
Whitelist | ||||
Rate LimitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) | ||||
IP | ||||
URL | ||||
Geo-protection | ||||
DNS | ||||
DNS protectionThe technology or service in charge of protecting DNS Servers. (read more) | ||||
SCORE | 96% | 100% |
Both vendors have excellent mitigation technology coverage. |
![]() | ![]() | |||
---|---|---|---|---|
Proxy / CachingA server that receives the client’s request, and then requests it indirectly from the web server. | ||||
Reverse ProxyA server that receives the client’s request, and then requests it indirectly from the web server. | ||||
CachingIn DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) | ||||
Web ChallengesA set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more) |
F5 is the only one offering the entire web challenge spectrum.
| |||
Cookie ValidationA type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. (read more) | ||||
JavaScript ChallengeA Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending a JavaScript code that most attackers are unable to process and pass successfully. (read more) | ||||
Silent Bot DetectionAn advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. (read more) | ||||
Modern CAPTCHAA type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. (read more) | ||||
CAPTCHAA type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. (read more) | ||||
SignaturesA detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more) | ||||
VendorVendor signatures come in large number and are based on the vendor research. | ||||
CustomerCustomer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it. | ||||
Blacklist (BL) / WhitelistBlacklist and whitelists enable blocking or allowing network access to entities based on parameters such as a IP address, geographical location or URL path. (read more) | ||||
BL IP | ||||
BL URL | ||||
BL Geo-protection | ||||
Whitelist | ||||
Rate LimitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) | ||||
IP | ||||
URL | ||||
Geo-protection | ||||
DNS | ||||
DNS protectionThe technology or service in charge of protecting DNS Servers. (read more) | ||||
SCORE | 96% | 100% |
Both vendors have excellent mitigation technology coverage. |
Incapsula vs. F5 - Mitigation
UX and Reporting
Incapsula has a clear advantage with user experience (UX). F5 Silverline configuration screens seem to have paused in the “network appliance age”, with certain screens of the Cloud WAF service resembling the F5 ASM product.
To balance this picture slightly, F5 Silverline real-time traffic monitoring screens are much better.
When you deploy a new web asset to protect the UX will be better with Incapsula. However, if you want to protect a new network, with F5 it is a self-service and with Incapsula you need full-service.
In forensics, F5 has an advantage, while Incapsula will provide you the basic alert details, with F5 you can get the event capture file, you can also record the traffic in real time and even instantly open a request to investigate by their SOC.
![]() | ![]() | |||
---|---|---|---|---|
Look and FeelThe overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) | Excellent | Basic |
Incapsula’s look and feel and ease of navigation is much better than F5’s. | |
Ease-of-Navigation | Excellent | Basic | ||
Deployment | ||||
New website (DNS) | Excellent | Basic | ||
New network (BGP) | Full Service | Excellent | ||
Security | ||||
Block IP (BGP) | Excellent | Excellent | ||
Block URL | Excellent | Good | ||
Web ChallengeA set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more) | Excellent | Basic | ||
Signatures (vendor)Vendor signatures come in large number and are based on the vendor research. | Signatures (vendor) | Basic |
Incapsula’s user signatures ‘IncapRules’ is both powerful and intuitive. F5’s ‘iRules’ is powerful but less intuitive.
| |
Signatures (customer)Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it. | Excellent | Good | ||
Security | ||||
Real Traffic | Excellent | Excellent | ||
Blocked Traffic | Excellent | Excellent | ||
Response Time | Excellent | Unknown | ||
Events | ||||
Web logs | Excellent | Excellent | ||
Call | ||||
Syslog | ||||
REST | ||||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
F5 provides decent forensics with capture files (real-time and per-event). | |||
Detailed alertn | Excellent | Excellent | ||
Event capture file | Good | |||
RT capture file | Full | |||
SCORE | 77% | 65% |
![]() | ![]() | |||
---|---|---|---|---|
Look and FeelThe overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) | Excellent | Basic |
Incapsula’s look and feel and ease of navigation is much better than F5’s. | |
Ease-of-Navigation | Excellent | Basic | ||
Deployment | ||||
New website (DNS) | Excellent | Basic | ||
New network (BGP) | Full Service | Excellent | ||
Security | ||||
Block IP (BGP) | Excellent | Excellent | ||
Block URL | Excellent | Good | ||
Web ChallengeA set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more) | Excellent | Basic | ||
Signatures (vendor)Vendor signatures come in large number and are based on the vendor research. | Signatures (vendor) | Basic |
Incapsula’s user signatures ‘IncapRules’ is both powerful and intuitive. F5’s ‘iRules’ is powerful but less intuitive.
| |
Signatures (customer)Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it. | Excellent | Good | ||
Security | ||||
Real Traffic | Excellent | Excellent | ||
Blocked Traffic | Excellent | Excellent | ||
Response Time | Excellent | Unknown | ||
Events | ||||
Web logs | Excellent | Excellent | ||
Call | ||||
Syslog | ||||
REST | ||||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
F5 provides decent forensics with capture files (real-time and per-event). | |||
Detailed alertn | Excellent | Excellent | ||
Event capture file | Good | |||
RT capture file | Full | |||
SCORE | 77% | 65% |
Incapsula vs. F5 – UX & Reporting
Pricing
Both vendors do not publicly provide their enterprise plans. Their pricing factors are relatively similar. The only difference is that Incapsula also adds attack traffic as a pricing factor, which we consider a disadvantage (see Customer Oriented Pricing Model).
Bottom line
The technical comparison of the two vendors shows that there is no clear-cut conclusion. Both vendors offer rich deployment and mitigation options.
Enterprises looking for a fully-managed service will find a better home with F5. The user-interface of Incapsula is clearly better and today this is not a luxury item anymore.
Another factor that may be relevant in the decision is that Incapsula offers a CDN while F5 Silverline does not. This can also be a critical advantage if you need the data center to be in specific geographical areas either due to regulation or to reduce latency.
How to make a decision? |
• Receive quote. • Investigate the stability and support of reach vendor. • Read the How to Complete the Vendor Selection Section |
Addional Relevant Chapters:
- Individual vendor reviews: Incapsula, F5
- Next steps - completing your evaluation
Addional Relevant Chapters:
- Individual vendor reviews: Incapsula, F5
- Next steps - completing your evaluation