Technical Evaluation
The technical evaluation of vendors is split into three categories: deployment options, mitigation capabilities, and user experience (UX). The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.

 | Incapsula | CloudFlare | F5
---|---|---|---
Deployment & Service Options | | |
Cloud Protection: A DDoS protection provisioned as a service that is based on scrubbing centers in the cloud to which organizational traffic is routed. | | |
On-premises Protection: On-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises, typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud-based protection. | | |
Web Protection (DNS diversion): The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service. | | |
Infrastructure Protection (BGP diversion): The diversion of traffic from the customer to the DDoS mitigation cloud provider using a BGP (Border Gateway Protocol) change. BGP diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service. | | |
Fully Managed Service: A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities. | | |
F5 offers fully managed service. | | |
Non-web Protocols Support: Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network. | | |
Number of Data Centers: The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. | 30 | 86 | 4
SMB plans: DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. | | |
On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs (see the SMB section). | | |
Overall Deployment Score | 72% | 69% | 65%
Mitigation Completeness | | |
CloudFlare mitigation is solid, but Incapsula and F5 are much more mature. | | |
Reverse Proxy & Caching | | |
Web Challenges: A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-driven browsers will typically pass, and DDoS bots will fail. | | |
Signatures: A detection mechanism in which DDoS attacks are detected and blocked based on the known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. | | |
Blacklist/Whitelist: Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path. | | |
Rate limit: A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. | | |
DNS Protection: The technology or service in charge of protecting DNS servers. | | |
Overall Mitigation Score | 96% | 73% | 100%
UX and Reporting | | |
Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic. | | |
Look and Feel: The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. | Excellent | Good | Basic
Ease of Navigation | Excellent | Excellent | Good
Security Configuration | Good | Basic | Basic
Security Events | Excellent | Good | Excellent
Forensics: DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. | Basic | Basic | Excellent
F5 has excellent DDoS Forensics. | | |
Overall UX and Reporting Score | 77% | 69% | 65%
Technical Evaluation Analysis Summary
A Word on Pricing
Pricing is obviously a major factor in selecting a vendor. Where possible, we added the pricing of the portrayed services, including pricing of SMB plans and naked pricing factors for F5 and Incapsula. Unfortunately, vendors are not willing to share their Enterprise prices, and you will need to toil and get a quote from each one.
Deployment & Service Options
This section compares the cloud-based and appliance-based deployment options provided by vendors. This section, more than any other, contains items that are “deal breakers” for the customer and can scope out a vendor.
Cloud Deployment
Diversion Methods
When using a cloud-based protection service, the first question you should ask is how your traffic will traverse your provider's data centers (or scrubbing centers, in DDoS jargon). The first method is DNS diversion, also referred to as web protection. Another method is BGP diversion, also called infrastructure protection. F5 and Incapsula fully support these diversion methods. CloudFlare also claims to support them, but we did not have sufficient data to validate the extent of that support.
There is another more specific diversion method for non-web protocols that only Incapsula and F5 support.
Service Features
Service level options are critical evaluation criteria for many organizations. When under attack (‘War Time’), all vendors will assume full responsibility and provide emergency response. In ‘Peace Time,’ CloudFlare and Incapsula mostly rely on self-service, whereas F5 provides a fully managed service.
 | Incapsula | CloudFlare | F5
---|---|---|---
Diversion Method: DNS. The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service. | | |
Always-on: A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack. | | |
On-demand: A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. | | |
Non-web protocols: Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network. | (IP Protection) | |
Both vendors support non-web protocols. | | |
Diversion Method: BGP. Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organization’s traffic to a cloud service provider for inspection before it reaches the enterprise network. | | |
Always-on: A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack. | | |
On-demand: A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. | | |
Service Features | | |
SSL support – HSM: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. | | |
Emergency Response: A team of experts that can help customers under DDoS attack to identify, analyze and mitigate the attack. | | |
Fully managed service: A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities. | | |
F5 offers fully managed service. | | |
Number of Data Centers: The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. | 30 | 86 | 4 (San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG)
If you have acceleration needs, F5 is likely to be ruled out. | | |
Entry Level | | |
SMB plans: DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. | | |
F5 and Incapsula offer a plan for SMBs. | | |
All-in-All Comparison – Cloud Deployment
The number of data centers can be essential. If you want the service to give you acceleration, only CloudFlare and Incapsula offer a CDN with 86 and 30 POPs, respectively. Even if improving acceleration is not a goal, it is still an advantage because it ensures that you will not suffer any performance degradation. It can also be important for regulatory compliance, for example, in cases in which you cannot use a POP outside your own country.
Entry Level
Budget is always a critical factor. If you cannot spend more than 5,000 USD annually on DDoS mitigation, only the CloudFlare Business and Incapsula Business plans targeting SMBs are suitable. (See more under the SMBs section.)
Appliance Deployment
Another way to implement DDoS mitigation is to use appliances: physical or virtual, dedicated to DDoS or as a feature inside a WAF or IPS. The report does not cover appliances, but it is important to know which vendor has them in case you go for a hybrid approach. F5 offers ASM (Application Security Module), while Imperva Incapsula offers Imperva SecureSphere. Both are WAFs (Web Application Firewalls) with DDoS capabilities.
 | |
---|---|---
Dedicated DDoS Appliance: An appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. | |
Physical Appliance | |
Virtual Appliance | |
WAF Appliance with DDoS: A technology that protects web servers from many types of attacks and also acts as a DDoS mitigation layer. | |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |
Physical Appliance | |
Virtual Appliance | |
Technical Evaluation - Appliance Deployment
Mitigation
DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences, which are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenge coverage is partial.
Proxy/Caching
All vendors offer web proxy with caching capabilities. This extremely basic technology is the most effective, and will block many attacks.
However, attackers today are persistent and can find ways to get past this mitigation, foremost by attacking dynamic pages. This leads us to the next most significant mitigation: web challenges.
Web Challenges
Ideally, we want the vendor to address the entire spectrum of challenges. F5 fulfills this demand completely! Incapsula is almost there, with one challenge (NoCAPTCHA ReCAPTCHA) missing. CloudFlare, on the other hand, has more gaps. It does not have Cookie Validation, which in most cases is all you need to stop an attack with minimal impact on legitimate traffic.
 | Incapsula | CloudFlare | F5
---|---|---|---
Proxy / Caching | | |
Reverse Proxy: A server that receives the client’s request, and then requests it indirectly from the web server. | | |
Caching: In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server. | | |
Web Challenges: A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-driven browsers will typically pass, and DDoS bots will fail. | | |
CloudFlare Web Challenges coverage is partial. | | |
Cookie Validation: A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. | | |
JavaScript Challenge: A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending JavaScript code that most attackers are unable to process and pass successfully. | | |
Silent Bot Detection: An advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. | | |
Modern CAPTCHA: A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. | | |
CAPTCHA: A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. | | |
Signatures: A detection mechanism in which DDoS attacks are detected and blocked based on the known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. | | |
Vendor: Vendor signatures come in large numbers and are based on the vendor's research. | | |
Customer: Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it. | | |
Blacklist/Whitelist: Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path. | | |
BL IP | | |
BL URL | | |
BL Geo-Protection | | |
Whitelist | | |
Rate limit: A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. | | |
CloudFlare has a security gap in Rate Limit. | | |
IP | | |
URL | | |
Geo-Protection | | |
DNS | | |
DNS Protection: The technology or service in charge of protecting DNS servers. | | |
SCORE | 96% | 73% | 100%
CloudFlare mitigation is good, but the F5 and Incapsula mitigation stacks are excellent. This allows them to block attacks more accurately. | | |
All-in-All: Mitigation (application protection)
CloudFlare does not have Silent Human Investigation and, in the case of a JS-passing bot, you will be forced to escalate to the intrusive NoCAPTCHA ReCAPTCHA. Another disturbing point is that the CloudFlare JS challenge is visible to the user. It informs users that they are being challenged, with an advertisement for CloudFlare at the same time. Not cool.
Signatures
All vendors offer both vendor signatures and user signatures. In vendor signatures, CloudFlare has the advantage because it lets you see and even tune them (while Incapsula and F5 signatures behave as a black box). In user signatures, Incapsula has the upper hand due to the simplicity of signature creation, discussed in the next section.
Rate Limit
CloudFlare does not offer any Rate Limit-based mitigation, which is a significant security gap. Typically, it is not recommended to stop attacks with Rate Limit technologies because they can also “rate limit” legitimate users. However, in some scenarios it is still an important tool. One prominent example is protecting a mobile API: challenges are not efficient, as they often cannot be used with RESTful APIs. In these cases, Rate Limit can be your only savior.
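The split described above, as an added example that is not any vendor's implementation: page requests get a cookie-validation challenge, while a RESTful API path, whose clients cannot answer a challenge, falls back to a per-IP token-bucket rate limit. The key, cookie lifetime, `/api/` prefix, rates and addresses are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses a random, rotated key
COOKIE_TTL = 300                  # assumed: seconds a passed challenge stays valid


def _mac(client_ip, expiry):
    return hmac.new(SECRET, f"{client_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(client_ip, now):
    """Cookie-validation challenge: an expiry plus an HMAC bound to the client IP."""
    expiry = str(int(now) + COOKIE_TTL)
    return f"{expiry}.{_mac(client_ip, expiry)}"


def cookie_valid(client_ip, cookie, now):
    """True only for an unexpired cookie that this proxy issued to this client IP."""
    try:
        expiry, mac = cookie.split(".", 1)
        expires_at = int(expiry)
        same = hmac.compare_digest(mac.encode(), _mac(client_ip, expiry).encode())
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    return same and now < expires_at


class TokenBucket:
    """Per-client bucket: at most `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Mitigator:
    """Hypothetical reverse-proxy policy: challenge page requests, rate limit API calls."""

    def __init__(self, api_prefix="/api/", rate=5.0, burst=10):
        self.api_prefix, self.rate, self.burst = api_prefix, rate, burst
        self.buckets = {}  # a production limiter would also evict idle entries

    def handle(self, client_ip, path, cookie, now):
        """Return (action, set_cookie) for one request."""
        if path.startswith(self.api_prefix):
            bucket = self.buckets.get(client_ip)
            if bucket is None:
                bucket = self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now)
            return ("forward" if bucket.allow(now) else "throttle"), None
        if cookie_valid(client_ip, cookie, now):
            return "forward", None
        return "challenge", issue_cookie(client_ip, now)


def simulate():
    """Replay constructed traffic and record the decision taken for each client."""
    m, t0, out = Mitigator(), 1_000_000.0, {}
    browser, bot, app, flood = "198.51.100.10", "203.0.113.7", "198.51.100.20", "203.0.113.9"

    # Browser: challenged once, returns the cookie, then passes.
    action, cookie = m.handle(browser, "/index.html", None, t0)
    out["browser"] = [action, m.handle(browser, "/index.html", cookie, t0 + 1)[0]]
    # The same cookie sent from another address, or after expiry, is rejected.
    out["replayed"] = m.handle(bot, "/index.html", cookie, t0 + 1)[0]
    out["expired"] = m.handle(browser, "/index.html", cookie, t0 + COOKIE_TTL + 1)[0]
    # Bot that never returns cookies: every page request stops at the proxy.
    out["bot"] = Counter(m.handle(bot, "/search", None, t0 + i)[0] for i in range(50))
    # Mobile app on the API: one call per second stays inside the bucket.
    out["app"] = Counter(m.handle(app, "/api/v1/items", None, t0 + i)[0] for i in range(20))
    # Flood on the API: 128 calls in two seconds from a single address.
    out["flood"] = Counter(
        m.handle(flood, "/api/v1/items", None, t0 + i / 64)[0] for i in range(128)
    )
    return out


if __name__ == "__main__":
    for client, decisions in simulate().items():
        print(client, decisions)
```

On the API path the flood is cut to the burst plus the refill rate, while the one-call-per-second app is untouched; a limit keyed only on IP will still throttle legitimate users who share an address, which is the trade-off the paragraph above warns about.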
BGP-Based Protection
UX and Reporting
Good User Experience (UX) is more than a nice-to-have feature. It determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.
All vendors provide a decent UX, but undoubtedly Incapsula has a clear lead over the others. Incapsula offers an excellent user interface, navigation, and look and feel. CloudFlare also has a good look and feel, but it still seems a bit outdated compared to today’s slick SaaS application designs. F5, on the other hand, is still in the appliance age in terms of UI/UX. Apart from the real-time monitoring part, its interface is outdated and resembles the configuration of an appliance rather than an intuitive cloud application. To summarize: both CloudFlare and Incapsula are easy to navigate. F5 is a little behind.
Deploying servers
Deploying a new web server is easy with CloudFlare and Incapsula, and also with F5 Silverline despite its outdated user interface. Deployment of a new network, in contrast, is easiest with Silverline, where you enter your network yourself (self-service) and submit it to their NOC for review and final confirmation. With Incapsula it is full service only: you can add a new network by requesting it from their support.
Configuring security options
Blocking an IP is easy and simple with all vendors. However, when you want to block a URL, CloudFlare requires that you request it from their support, which seems a hassle for such a simple action. The same goes for creating a signature. Incapsula is leading here with its simple yet expressive IncapRules. F5 offers its famous iRules, which are the most expressive but more technical. In Customer Signatures CloudFlare has the upper hand as its rules are visible and configurable. With Incapsula you get the rules as a black box.
Real-time Monitoring (RTM)
F5 and Incapsula monitoring is excellent: it is granular and clearly shows normal traffic versus attack traffic. With Incapsula it took only 15 seconds for traffic to be displayed, which is very good for a distributed cloud service.
![]() | ![]() | ![]() | |||
---|---|---|---|---|---|
Look and FeelThe overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) | Excellent | Good | Basic |
Incapsula's look and feel is excellent, making the user experience both enjoyable and productive. | |
Ease of Navigation | Excellent | Excellent | Basic | ||
Deployment | |||||
New website (DNS) | Excellent | Excellent | Basic | ||
New network (BGP) | Full Service | Unknown | Excellent | ||
Security | |||||
Block IP | Excellent | Excellent | Excellent | ||
Block URL | Excellent | Full Service | Good |
Oddly, blocking a URL in CloudFlare can be done only with a request to its support. | |
Web challengeA set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more) | Excellent | Excellent | Basic | ||
Signatures (vendor)Vendor signatures come in large number and are based on the vendor research. | Blackbox | Excellent | Basic |
CloudFlare is the only one to provide visibility and control of its own signatures. | |
Signatures (customer)Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it. | Excellent | Full Service | Good |
Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support. | |
Real-Time Reporting | |||||
Real traffic | Excellent | Unknown | Excellent | ||
Blocked traffic | Excellent | Unknown | Excellent | ||
Response time | Excellent | Unknown | Unknown | ||
Events | CloudFlare event methods are partial. | ||||
Web logs | Excellent | Excellent | Excellent | ||
Call | |||||
Syslog | |||||
REST | |||||
Forensics: DDoS forensics is the digital forensic process to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. | F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event). | ||||
Detailed alert | Excellent | Excellent | Excellent | ||
Event capture file | Good | ||||
RT capture file | Full | ||||
Score | 77% | 69% | 65% |
All-in-All: UX and Reporting
Pricing
CloudFlare, Incapsula and F5 do not provide official pricing for their Enterprise service, so you’ll have to request a quote.
F5's pricing model is a fully Customer Oriented Pricing Model. The factors that determine the price are (a) clean traffic rate, (b) number of web sites and data centers and (c) on-demand versus always-on plan. Always-on customers do not pay extra for the inclusive managed service, nor do they need to worry about attack data volumes.
Incapsula has a similar pricing model. The only difference is that it also differentiates prices based on traffic volume. This is a disadvantage, as it puts the customer in a difficult spot: making an educated decision about something that cannot really be estimated (see more under Customer Oriented Pricing Model).
CloudFlare's pricing model was unavailable.
SMB Pricing | SMB Pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section. |
Additional Relevant Chapters:
- Vendor comparisons based on needs
- Individual vendor reviews: Incapsula, F5, CloudFlare
- Next steps - Completing your evaluation