The technical evaluation of vendors is split into three categories:
Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.
The technical evaluation of vendors is split into three categories:
Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Deployment & Service Options |
|||||
Cloud ProtectionNo posts could be found that matched the specified criteria. |
|||||
On-premises ProtectionOn-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more) |
|||||
Web Protection (DNS diversion)No posts could be found that matched the specified criteria. |
|||||
Infrastructure Protection (BGP diverstion)No posts could be found that matched the specified criteria. |
|||||
Fully Managed ServiceNo posts could be found that matched the specified criteria. |
F5 offers fully managed service. | ||||
Non-web protocols SupportNo posts could be found that matched the specified criteria. |
|||||
Number of Data CentersNo posts could be found that matched the specified criteria. |
30 | 86 | 4 | ||
SMB plansNo posts could be found that matched the specified criteria. |
On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section | ||||
Overall Deployment Score |
72% | 69% | 65% | ||
Mitigation Completeness |
CloudFlare mitigation is solid, but Incapsula and F5 are much more mature. | ||||
Reverse Proxy & CachingNo posts could be found that matched the specified criteria. |
|||||
Web ChallengesNo posts could be found that matched the specified criteria. |
|||||
SignaturesNo posts could be found that matched the specified criteria. |
|||||
Blacklist/WhitelistNo posts could be found that matched the specified criteria. |
|||||
Rate limitNo posts could be found that matched the specified criteria. |
|||||
DNS ProtectionNo posts could be found that matched the specified criteria. |
|||||
Overall Mitigation Score |
96% | 73% | 100% | ||
UX and Reporting |
Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic. | ||||
Look and FeelNo posts could be found that matched the specified criteria. |
Excellent | Good | Basic | ||
Easy of Navigation |
Excellent | Excellent | Good | ||
Security Configuration |
Good | Basic | Basic | ||
Security Events |
Excellent | Good | Excellent | ||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
Basic | Basic | Excellent | F5 has excellent DDoS Forensics. | |
Overall UX and Reporting Score |
77% | 69% | 65% |
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Deployment & Service Options |
|||||
Cloud ProtectionNo posts could be found that matched the specified criteria. |
|||||
On-premises ProtectionOn-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more) |
|||||
Web Protection (DNS diversion)No posts could be found that matched the specified criteria. |
|||||
Infrastructure Protection (BGP diverstion)No posts could be found that matched the specified criteria. |
|||||
Fully Managed ServiceNo posts could be found that matched the specified criteria. |
F5 offers fully managed service. | ||||
Non-web protocols SupportNo posts could be found that matched the specified criteria. |
|||||
Number of Data CentersNo posts could be found that matched the specified criteria. |
30 | 86 | 4 | ||
SMB plansNo posts could be found that matched the specified criteria. |
On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section | ||||
Overall Deployment Score |
72% | 69% | 65% | ||
Mitigation Completeness |
CloudFlare mitigation is solid, but Incapsula and F5 are much more mature. | ||||
Reverse Proxy & CachingNo posts could be found that matched the specified criteria. |
|||||
Web ChallengesNo posts could be found that matched the specified criteria. |
|||||
SignaturesNo posts could be found that matched the specified criteria. |
|||||
Blacklist/WhitelistNo posts could be found that matched the specified criteria. |
|||||
Rate limitNo posts could be found that matched the specified criteria. |
|||||
DNS ProtectionNo posts could be found that matched the specified criteria. |
|||||
Overall Mitigation Score |
96% | 73% | 100% | ||
UX and Reporting |
Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic. | ||||
Look and FeelNo posts could be found that matched the specified criteria. |
Excellent | Good | Basic | ||
Easy of Navigation |
Excellent | Excellent | Good | ||
Security Configuration |
Good | Basic | Basic | ||
Security Events |
Excellent | Good | Excellent | ||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
Basic | Basic | Excellent | F5 has excellent DDoS Forensics. | |
Overall UX and Reporting Score |
77% | 69% | 65% |
Pricing is obviously a major factor in selecting a vendor. Where possible we added the pricing of the portrayed services including pricing of SMBs plans and naked pricing factors for F5 and Incapsula. Unfortunately, vendor do not will to share their Enterprise prices and you will need to toil and get a quote from each one.
This section compares the cloud-based and appliance-based deployment options provided by vendors. This section, more than any other, contains items that are “deal breakers” for the customer and can scope out a vendor.
When using a cloud-based protection service, the first question you should ask is how will your traffic traverse your provider data centers (or scrubbing centers, in DDoS jargon)? The first method is DNS diversion, also referred to as web protection. Another method is BGP diversion, also called infrastructure protection. F5 and Incapsula fully support these diversion methods. CloudFlare also claims to support it, but we did not have sufficient data to validate its extent.
There is another more specific diversion method for non-web protocols that only Incapsula and F5 support.
Service level options are critical evaluation criteria for many organizations. When under attack (‘War Time’), all vendors will assume full responsibility and provide emergency response. In ‘Peace Time,’ CloudFlare and Incapsula mostly rely on self-service, whereas F5 provides fully managed service.
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Diversion Method: DNSNo posts could be found that matched the specified criteria. |
|||||
Always-onNo posts could be found that matched the specified criteria. |
|||||
On-demandNo posts could be found that matched the specified criteria. |
|||||
Non-web protocolsNo posts could be found that matched the specified criteria. |
(IP Protection) | Both vendors support non- web protocols. | |||
Diversion Method: BGPNo posts could be found that matched the specified criteria. |
|||||
Always-onNo posts could be found that matched the specified criteria. |
|||||
On-demandNo posts could be found that matched the specified criteria. |
|||||
Service Features |
|||||
SSL support – HSMNo posts could be found that matched the specified criteria. |
|||||
Emergency ResponseNo posts could be found that matched the specified criteria. |
|||||
Fully managed serviceNo posts could be found that matched the specified criteria. |
F5 offers fully managed service. | ||||
Number of Data CentersNo posts could be found that matched the specified criteria. |
30 see locations | 86 see locations | 4
see locationsNo posts could be found that matched the specified criteria. |
If you have acceleration needs, F5 is likely to be ruled out. | |
Entry Level |
|||||
SMB plansNo posts could be found that matched the specified criteria. |
F5 and Incapsula offer a plan for SMBs |
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Diversion Method: DNSNo posts could be found that matched the specified criteria. |
|||||
Always-onNo posts could be found that matched the specified criteria. |
|||||
On-demandNo posts could be found that matched the specified criteria. |
|||||
Non-web protocolsNo posts could be found that matched the specified criteria. |
(IP Protection) | Both vendors support non- web protocols. | |||
Diversion Method: BGPNo posts could be found that matched the specified criteria. |
|||||
Always-onNo posts could be found that matched the specified criteria. |
|||||
On-demandNo posts could be found that matched the specified criteria. |
|||||
Service Features |
|||||
SSL support – HSMNo posts could be found that matched the specified criteria. |
|||||
Emergency ResponseNo posts could be found that matched the specified criteria. |
|||||
Fully managed serviceNo posts could be found that matched the specified criteria. |
F5 offers fully managed service. | ||||
Number of Data CentersNo posts could be found that matched the specified criteria. |
30 see locations | 86 see locations | 4
see locationsNo posts could be found that matched the specified criteria. |
If you have acceleration needs, F5 is likely to be ruled out. | |
Entry Level |
|||||
SMB plansNo posts could be found that matched the specified criteria. |
F5 and Incapsula offer a plan for SMBs |
The number of data centers can be essential. If you want the service to give you acceleration, only CloudFlare and Incapsula offer a CDN with 86 and 30 POPs, respectively. Even if improving acceleration is not a goal, it is still an advantage because it ensures that you will not suffer any performance degradation. It can also be important for regulatory compliance, for example, in cases in which you cannot use a POP outside your own country.
Budget is always a critical factor. If you cannot spend more than 5,000 USD annually on DDoS mitigation, only the CloudFlare Business and Incapsula Business plans targeting SMBs are suitable. (See more under the SMBs section.)
Another way to implement DDoS mitigation is to use appliances: physical or virtual, DDoS dedicated or as a feature inside WAF or IPS. The report does not cover appliances, but it is important to know which vendor has them in case you go for a hybrid approach. F5 offers ASM (Application Security Module), while Imperva Incapsula offers Imperva SecureSphere. Both are WAF (Web Application Firewall) with DDoS capabilities.
![]() |
![]() |
|||
---|---|---|---|---|
Dedicated DDoS ApplianceNo posts could be found that matched the specified criteria. |
||||
Physical Appliance |
||||
Virtual Appliance |
||||
WAF Appliance with DDoSNo posts could be found that matched the specified criteria. |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |||
Physical Appliance |
||||
Virtual Appliance |
![]() |
![]() |
|||
---|---|---|---|---|
Dedicated DDoS ApplianceNo posts could be found that matched the specified criteria. |
||||
Physical Appliance |
||||
Virtual Appliance |
||||
WAF Appliance with DDoSNo posts could be found that matched the specified criteria. |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |||
Physical Appliance |
||||
Virtual Appliance |
![]() |
![]() |
|||
---|---|---|---|---|
Dedicated DDoS ApplianceNo posts could be found that matched the specified criteria. |
||||
Physical Appliance |
||||
Virtual Appliance |
||||
WAF Appliance with DDoSNo posts could be found that matched the specified criteria. |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |||
Physical Appliance |
||||
Virtual Appliance |
DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.
DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.
All vendors offer web proxy with caching capabilities. This extremely basic technology is the most effective, and will block many attacks.
However, attackers are persistent today, and can find ways to pass this mitigation, foremost by attacking dynamic pages, leading us to the next most significant mitigation – web challenges.
Ideally, we want the vendor to address the entire spectrum of challenges. F5 fulfills this demand completely! Incapsula is almost there, with one challenge (NoCAPTCHA ReCAPTCHA) missing. CloudFlare, on the other hand, has more gaps. It does not have the Cookie Validation, which in most cases is all you need to stop an attack with minimal impact on legitimate traffic.
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Proxy / Caching |
|||||
Reverse ProxyNo posts could be found that matched the specified criteria. |
|||||
CachingIn DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||||
Web ChallengesNo posts could be found that matched the specified criteria. |
CloudFlare Web Challenges coverage is partial. | ||||
Cookie ValidationNo posts could be found that matched the specified criteria. |
|||||
JavaScript ChallengeNo posts could be found that matched the specified criteria. |
|||||
Silent Bot DetectionNo posts could be found that matched the specified criteria. |
|||||
Modern CAPTCHANo posts could be found that matched the specified criteria. |
|||||
CAPTCHANo posts could be found that matched the specified criteria. |
|||||
SignaturesNo posts could be found that matched the specified criteria. |
|||||
VendorNo posts could be found that matched the specified criteria. |
|||||
CustomerNo posts could be found that matched the specified criteria. |
|||||
Blacklist/WhitelistNo posts could be found that matched the specified criteria. |
|||||
BL IP |
|||||
BL URL |
|||||
BL Geo-Protection |
|||||
Whitelist |
|||||
Rate limitNo posts could be found that matched the specified criteria. |
CloudFlare has a security gap in Rate Limit. | ||||
IP |
|||||
URL |
|||||
Geo-Protection |
|||||
DNS |
|||||
DNS ProtectionNo posts could be found that matched the specified criteria. |
|||||
SCORE |
96% | 73% | 100% | CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately. |
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Proxy / Caching |
|||||
Reverse ProxyNo posts could be found that matched the specified criteria. |
|||||
CachingIn DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||||
Web ChallengesNo posts could be found that matched the specified criteria. |
CloudFlare Web Challenges coverage is partial. | ||||
Cookie ValidationNo posts could be found that matched the specified criteria. |
|||||
JavaScript ChallengeNo posts could be found that matched the specified criteria. |
|||||
Silent Bot DetectionNo posts could be found that matched the specified criteria. |
|||||
Modern CAPTCHANo posts could be found that matched the specified criteria. |
|||||
CAPTCHANo posts could be found that matched the specified criteria. |
|||||
SignaturesNo posts could be found that matched the specified criteria. |
|||||
VendorNo posts could be found that matched the specified criteria. |
|||||
CustomerNo posts could be found that matched the specified criteria. |
|||||
Blacklist/WhitelistNo posts could be found that matched the specified criteria. |
|||||
BL IP |
|||||
BL URL |
|||||
BL Geo-Protection |
|||||
Whitelist |
|||||
Rate limitNo posts could be found that matched the specified criteria. |
CloudFlare has a security gap in Rate Limit. | ||||
IP |
|||||
URL |
|||||
Geo-Protection |
|||||
DNS |
|||||
DNS ProtectionNo posts could be found that matched the specified criteria. |
|||||
SCORE |
96% | 73% | 100% | CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately. |
CloudFlare does not have Silent Human Investigation and, in case of a JS passing bot, you will be forced to escalate to intrusive NoCAPTCHA ReCAPTCHA. Another disturbing point is that the CloudFlare JS challenge is visible to the user. It informs the user that it is being challenged with an advertisement of CloudFlare at the same time. Not cool.
All vendors offer both vendor signatures and user signatures. In vendor signatures, CloudFlare has the advantage because it lets you see and even tune them (while Incapsula and F5 signatures perform as a black-box). In user signatures, Incapsula has the upper hand due to the simplicity of signature creation, discussed in the next section.
CloudFlare does not offer any Rate Limit-based mitigation, which is a significant security gap. Typically, it is not recommended to stop attacks with Rate Limit technologies because it can also “rate limit” legitimate users. However, in some scenarios it is still an important tool. One prominent example is to protect mobile API: Challenges are not efficient, as they often cannot be used with RESTful APIs. In these cases, Rate Limit can be your only savior.
In addition to Application Protection, also known as Web Protection, all vendors offer Network Protection (BGP-based). All vendors have a black-box approach without any visibility into the technologies being used or the ability to make any configurations.
Good User Experience (UX) is more than a nice-to-have feature. It determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.
All vendors provide a decent UX, but undoubtedly Incapsula has a clear lead over the others. Incapsula offers an excellent user interface, navigation, and look and feel. CloudFlare also has a good look and feel, but it still seems a bit outdated compared to today’s slick SaaS application designs. F5, on the other hand, is still in the appliance age in terms of UI/UX. Apart from the real-time monitoring part, its interface is outdated and resembles the configuration of an appliance rather than an intuitive cloud application. To summarize: both CloudFlare and Incapsula are easy to navigate. F5 is a little behind.
Deploying a new web server is easy with CloudFlare and Incapsula, and also with F5 Silverline despite its outdated user interface. Deployment of a new network, in contrast, is easiest with Silverline where you self-service wise insert your network, and submit it for their NOC for review and final confirmation. With Incapsula it is a full service only – you can add new network by requesting it from their support.
Blocking an IP is easy and simple with all vendors. However, when you want to block a URL, CloudFlare requires that you request it from their support, which seems a hassle for such a simple action. Same for creating a signature. Incapsula is leading here with its simple yet expressive IncapsRules. F5 offers its famous iRules, which are the most expressive but more technical. In Customer Signatures CloudFlare has the upper hand as its rules are visible and configurable. With Incapsula you get the rules as black-box.
F5 and Incapsula monitoring is excellent – granular, shows well normal traffic versus attack traffic. With Incapsula it took only 15 seconds for traffic to be displayed, which is very good for distributed cloud service.
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Look and FeelNo posts could be found that matched the specified criteria. |
Excellent | Good | Basic | Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive. | |
Ease of Navigation |
Excellent | Excellent | Basic | ||
Deployment |
|||||
New website (DNS) |
Excellent | Excellent | Basic | ||
New network (BGP) |
Full Service | Unknown | Excellent | ||
Security |
|||||
Block IP |
Excellent | Excellent | Excellent | ||
Block URL |
Excellent | Full Service | Good | Oddly, blocking a URL in CloudFlare can be done only with a request to its support. | |
Web challengeNo posts could be found that matched the specified criteria. |
Excellent | Excellent | Basic | ||
Signatures (vendor)No posts could be found that matched the specified criteria. |
Blackbox | Excellent | Basic | CloudFlare is the only one to provide visibility and control of its own signatures. | |
Signatures (customer)No posts could be found that matched the specified criteria. |
Excellent | Full Service | Good | Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support. | |
Real-Time Reporting |
|||||
Real traffic |
Excellent | Unknown | Excellent | ||
Blocked traffic |
Excellent | Unknown | Excellent | ||
Response time |
Excellent | Unknown | Unknown | ||
Events |
CloudFlare event methods are partial. | ||||
Web logs |
Excellent | Excellent | Excellent | ||
|
|||||
Call |
|||||
Syslog |
|||||
REST |
|||||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event). | ||||
Detailed alert |
Excellent | Excellent | Excellent | ||
Event capture file |
Good | ||||
RT capture file |
Full | ||||
Score |
77% | 69% | 65% |
![]() |
![]() |
![]() |
|||
---|---|---|---|---|---|
Look and FeelNo posts could be found that matched the specified criteria. |
Excellent | Good | Basic | Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive. | |
Ease of Navigation |
Excellent | Excellent | Basic | ||
Deployment |
|||||
New website (DNS) |
Excellent | Excellent | Basic | ||
New network (BGP) |
Full Service | Unknown | Excellent | ||
Security |
|||||
Block IP |
Excellent | Excellent | Excellent | ||
Block URL |
Excellent | Full Service | Good | Oddly, blocking a URL in CloudFlare can be done only with a request to its support. | |
Web challengeNo posts could be found that matched the specified criteria. |
Excellent | Excellent | Basic | ||
Signatures (vendor)No posts could be found that matched the specified criteria. |
Blackbox | Excellent | Basic | CloudFlare is the only one to provide visibility and control of its own signatures. | |
Signatures (customer)No posts could be found that matched the specified criteria. |
Excellent | Full Service | Good | Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support. | |
Real-Time Reporting |
|||||
Real traffic |
Excellent | Unknown | Excellent | ||
Blocked traffic |
Excellent | Unknown | Excellent | ||
Response time |
Excellent | Unknown | Unknown | ||
Events |
CloudFlare event methods are partial. | ||||
Web logs |
Excellent | Excellent | Excellent | ||
|
|||||
Call |
|||||
Syslog |
|||||
REST |
|||||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity. ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event). | ||||
Detailed alert |
Excellent | Excellent | Excellent | ||
Event capture file |
Good | ||||
RT capture file |
Full | ||||
Score |
77% | 69% | 65% |
With Forensics, F5 has the lead. While all vendors provide informative alerts, F5 allows you to extract the capture of an alert [self-service], and take real-time capture files [full service]. Furthermore, the customer can open a chat on an alert and discuss it with the SOC and peers.
CloudFlare, Incapsula and F5 do not provide official pricing for their Enterprise service, so you’ll have to request a quote.
F5 pricing model is a fully Customer Oriented Pricing Model. The factors that determine the price are (a) clean traffic rate, (b) number of web sites and data centers and (c) on-demand versus always-on plan. Always-on customers do not pay extra for inclusive managed service, nor need to worry about attack data volumes.
Incapsula has a similar pricing model. The only difference is that it also differentiates prices based on traffic volume. This is a disadvantage as it puts customer in a difficult spot in make an educated decision about something that cannot be really estimated (see more under Customer Oriented Pricing Model).
CloudFlare pricing model was unavailable.
SMB Pricing | SMB Pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section. |
Additional Relevant Chapters:
Additional Relevant Chapters:
Stay up to day with the latest DDoS news
Error: Contact form not found.