Imperva Incapsula
Imperva Incapsula DDoS Product Line
Incapsula is a company founded by Imperva in 2009. It spun off on its own for a short while, but was then re-acquired by Imperva in 2014. Incapsula started as a cloud-based WAF, but like many similar services became a CDN+WAF+DDoS cloud solution. It originally served SMBs, but over time its DDoS appetite increased and it started to compete at the enterprise level. Because of this, it had to complete its BGP-based offering (on top of its traditional DNS diversion method). This latest addition was followed by a unique IP Protection diversion method, fully released in 2016. With its acquisition by Imperva, the joint brand includes Imperva WAFs, which also have on-premises DDoS capabilities. Together, the vendor has hybrid protection and the portfolio is very mature.

The following ‘Deployment’ section analyzes the Incapsula service and Imperva WAF product, while the rest of the analysis focuses on the Incapsula cloud service.
Incapsula Enterprise
Deployment & Service Options
On the cloud front, Incapsula supports all diversion methods, including DNS and BGP, and has introduced a new diversion method - IP Protection - to the market. The significance of supporting all diversion methods must be emphasized: the Incapsula service can be shaped to support any organization and, more importantly, it reduces risk. If the organization migrates some of its services to the cloud, acquires a Class C network, forfeits a Class C, or undergoes any other architectural change, Incapsula will still be able to follow and provision the new architecture.
On the on-premises front, Imperva offers both a physical and virtual WAF. The company, however, does not offer a dedicated DDoS appliance.
Imperva-Incapsula has two deployment limitations. The first is that it does not have a DDoS-dedicated appliance. Organizations that wish to invest in very strong on-premises DDoS protection are likely to avoid Incapsula. The second limitation is that it does not have a fully managed service, although a partially managed service can be added on top of its Enterprise plan.
Incapsula’s deployment and service options cater to most organizations. Imperva also has a WAF appliance.

| Feature | Definition | Value | Note |
|---|---|---|---|
| Diversion Method: DNS | The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name System (DNS) change. DNS diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service. | | |
| Always-on | A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack. | | |
| On-demand | A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. | | |
| Non-web protocols | Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network. | (IP Protection) | Incapsula’s unique ‘IP Protection’ can protect non-web services even if the organization does not have a Class C network. |
| Diversion Method: BGP | Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organization’s traffic to a cloud service provider for inspection before it reaches the enterprise network. | | |
| Always-on | A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack. | | |
| On-demand | A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. | | |
| Service Features | | | |
| SSL support – HSM | A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. | | |
| Fully managed service | A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities. | | The Incapsula service is partially managed, but is not a fully managed service. |
| Emergency response | A team of experts that can help customers under DDoS attack to identify, analyze and mitigate the attack. | | |
| Number of data centers | The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. | 30 | |
| Entry Level | | | |
| SMB plans | DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. | | SMBs and enterprises with modest budgets have a lower entry level. |
Imperva-Incapsula Deployment
Mitigation
Application Protection
Incapsula Web Protection is fully loaded with mitigation technology and is almost complete (96%). The wide technology coverage means that virtually all types of attacks can be blocked, and blocked accurately (with minimal significant false positives).
Infrastructure Protection
The network mitigation is a black box, so the customer can neither assess the quality of the protection nor control it.
| Feature | Definition | Value | Note |
|---|---|---|---|
| Proxy / Caching | A server that receives the client’s request, and then requests it indirectly from the web server. | | |
| Reverse Proxy | A server that receives the client’s request, and then requests it indirectly from the web server. | | |
| Caching | In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server. | | |
| Web Challenges | A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass, and DDoS bots will fail. | | Incapsula offers almost all the web challenges in the spectrum. |
| Cookie Validation | A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. | | |
| JavaScript Challenge | A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending JavaScript code that most attackers are unable to process and pass successfully. | | |
| Silent Bot Detection | An advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. | | |
| Modern CAPTCHA | A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. | | |
| CAPTCHA | A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. | | |
| Signatures | A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. | | |
| Vendor | Vendor signatures come in large numbers and are based on the vendor’s research. | | |
| Customer | Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it. | | |
| Blacklist (BL) / Whitelist | Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path. | | |
| BL IP | | | |
| BL URL | | | |
| BL Geo-protection | | | |
| Whitelist | | | |
| Rate Limit | A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. | | |
| IP | | | |
| URL | | | |
| Geo-protection | | | |
| DNS | | | |
| DNS protection | The technology or service in charge of protecting DNS servers. | | |
| SCORE | | 96% | Incapsula mitigation technologies are very complete. |
Incapsula Mitigation
UX & Reporting
Configuration
Incapsula’s user experience (UX) is at the top level of a modern SaaS service. Both beginners and experts will find it efficient.
Incapsula offers other services (CDN, WAF, LB). The downside of this is that there is no single DDoS view on the system and DDoS features are spread over two or three locations. Overall, this is a minor issue.
The User Signatures, called 'IncapRules', use a very intuitive language, allowing even beginners to compose complex signatures, including rate-limit rules. Nevertheless, this language does have limitations, and not everything you might want can be expressed in it. In such cases, Incapsula’s professional support team can be used to compose the rules.
Incapsula User Interface
Real-Time Reporting
Real-Time Monitoring
Incapsula provides sufficient real-time monitoring (RTM), which is especially valuable while under attack. The RTM graph is very granular, clearly showing allowed traffic in comparison to blocked traffic, and the response time is excellent. It takes only 15 seconds for the traffic to appear, which is very good for a distributed cloud service.
| Item | Definition | Rating | Note |
|---|---|---|---|
| Look and Feel | The overall user experience provided by a service: the graphical design, organization of data and ease of navigation. | Excellent | Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive. |
| Ease-of-Navigation | | Excellent | |
| Deployment | | | |
| New website (DNS) | | Excellent | |
| New network (BGP) | | Full Service | |
| Security | | | |
| Block IP | | Excellent | |
| Block URL | | Excellent | |
| Web Challenge | A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass, and DDoS bots will fail. | Excellent | |
| Signatures (vendor) | Vendor signatures come in large numbers and are based on the vendor’s research. | Black-box | Incapsula’s vendor signatures cannot be viewed or configured. |
| Signatures (customer) | Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it. | Excellent | Incapsula’s user signatures ‘IncapRules’ are both powerful and intuitive to use. |
| Security | | | |
| Real Traffic | | Excellent | |
| Blocked Traffic | | Excellent | |
| Block IP | | Response Time | |
| Events | | | Multiple methods to receive alerts. |
| Web logs | | Excellent | |
| Call | | | |
| Syslog | | | |
| REST | | | |
| Forensics | DDoS Forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker’s characteristics or identity. | | Detailed alerts, but capture files cannot be extracted. |
| Detailed alert | | Excellent | |
| Event capture file | | | |
| RT capture file | | | |
| Score | | 77% | |
Incapsula UX & Reporting
WORTH NOTING: Incapsula User Interface Standard
Driving Incapsula is like driving a spaceship. It starts with a comfortable feeling by just gazing at the screen. It continues with the navigation process, which is very intuitive. For example, it is very easy to find the location of a certain property you configured a month ago. Real-time reporting is immediate and flexible. The IncapRules presentation and syntax allow a novice user to create expert signatures. This intuitive UI increases productivity and improves security, and can shorten mitigation time when under real-time attacks.
Reporting
Incapsula provides multiple reporting methods:
- Syslog
- Call from Incapsula support
Incapsula supports a REST API for a multitude of its functions, but not for security events; the Syslog option compensates for that.
DDoS Forensic
Incapsula’s DDoS Forensic consists of detailed and very accessible alerts. It offers a multitude of other real-time and historical reports that are not covered here, some of which can be used for DDoS.
An important caveat is that there are no logs at all for Infrastructure Protection, and there is no ability to extract a capture file.
| Forensic Function | Exists |
|---|---|
| Detailed alert | |
| Real-time capture file | |
| Historical capture file | |
Incapsula Forensics
Pricing
Incapsula, like most vendors, does not publish its Enterprise pricelist, so the only way to know it is to request a quote.
Price Model
Incapsula’s pricing model is not a fully Customer-Oriented Pricing Model. We don’t like the fact that one pricing factor is the ‘maximal attack size’, because it shifts to the customer a responsibility that is difficult to address.
Pricing Factors:
- Always-on / On-demand
- Clean traffic
- Number of websites and data centers
- Maximal attack size
Incapsula Pricing Model
Incapsula Business (for SMB)
Incapsula’s Business plan costs $300 monthly ($3,600 USD annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring, and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.
Additional Relevant Chapters:
- Individual vendor reviews: F5, CloudFlare
- Next steps - completing your evaluation