Is your WAF actually
blocking attacks?
Enter a domain you control. Test My WAF verifies ownership via DNS, replays categorized attack payloads at it from a real browser, and shows you exactly what got through — with a downloadable PDF report.
Tests every major WAF & CDN — vendor-agnostic
The blind spot
A WAF you never test is a WAF you can't trust.
Rulesets drift, vendors update signatures, and a single misconfigured rule can silently wave an attack through. Most teams don't find out until a payload reaches the origin. Test My WAF replays the real thing so you know today, not after an incident.
Median block rate
Sites with a bypass
Payloads per scan
Avg scan time
How it works
From domain to verdict in four steps
Domain
Enter a domain you control as the target for the scan.
Verify
Confirm ownership with a one-time DNS TXT record.
Scan
A real browser fires 1,284 categorized payloads at your firewall.
Results
See what was blocked, simulated, or bypassed — and export the PDF.
Sample efficacy report
Every scan ends in a verdict you can act on.
Per-category results, the exact payloads fired, and the requests that reached your origin — ranked by severity and exportable as a shareable PDF.
Block rate
Payloads fired
Bypasses
Suites run
Scan #d0fe1455 · www.acme.com
WAF efficacy — 6 suites
! FINDING — A crafted command-injection payload reached the origin on GET /report. Your WAF ruleset did not block this request.
Find your bypasses before an attacker does.
No agent. No signup. Run your first scan in under three minutes.
Start free scan →FAQ
Questions, answered
No. Test My WAF runs entirely from your browser — no agent, no signup, nothing to deploy. Verify a domain you control and run.
A one-time DNS TXT record. We only fire payloads at targets you have proven you control, so you can never scan a domain that isn't yours.
Payloads are crafted, rate-limited attack simulations designed to be detected, not to cause damage. Most teams run against staging first; production is supported when you run it deliberately.
SQL injection, reflected and stored XSS, path traversal, command injection, SSRF, XXE and more — 1,284 categorized payloads across the OWASP top risks in every scan.
A crafted payload reached your origin — your WAF ruleset did not block the request. Each bypass is a concrete finding, ranked by severity, that you can hand straight to remediation.
Yes. Every scan produces a downloadable PDF efficacy report with per-category results, the exact payloads fired, and remediation notes.