Verify ownership
Add one DNS TXT record. We re-check it at scan time, so attack-shaped traffic only ever reaches a domain you control.
Test My WAF points a real browser at your site and fires fresh, un-gameable attack payloads and evasion chains across 12 categories. It measures exactly what your firewall stops, what bypasses it, and hands you a graded report with copy-paste fixes.
No credentials, no agent, no scheduling call. Ownership is verified before a single request goes out — so only you can test your domain.
Add one DNS TXT record. We re-check it at scan time, so attack-shaped traffic only ever reaches a domain you control.
A headless browser drives categorized payloads, composable evasion chains, and freshly generated metamorphic variants — then watches what your WAF does with each.
A graded, self-contained report: every bypass, a false-positive check, and copy-paste remediation tuned to your detected WAF vendor.
The textbook corpus and a fresh metamorphic set, each fired plain and through layered evasion — so a signature match isn't mistaken for real understanding.
Evasion is built in, not bolted on. Every payload is re-expressed through composable encoding chains — URL, double-URL, mixed-case, SQL comments, whitespace, HTML entities, null byte — to find the exact transform that walks past your rules.
Most testers replay a fixed list a firewall can be tuned to recognize. This one changes every run — and drives a real browser, so it sees what a scripted client never will.
Playwright navigation executes JavaScript challenges and clears bot detection that a plain HTTP client is stopped by — reaching code paths other scanners never touch.
Every scan generates fresh, metamorphic payloads. That measures whether your WAF understands an attack or is just matching known strings it's been trained on.
We check for false positives too — flagging benign traffic your WAF wrongly blocks — so a firewall that blocks everything can't earn a fake A. The grade reflects real efficacy.
Each gap comes with concrete, vendor-aware remediation — the rule to add or tune — in a self-contained report you can hand straight to the WAF team.
Weighted by category, evasion resistance, and false-positive rate — the same measure every time, so you can watch it move as you tune.
Verify your domain, run a scan, and get a graded efficacy report — free. No install, no credentials, no sales call.
Test your WAF now