Test My WAF
Free WAF-efficacy testing · no signup

Is your WAF actually
blocking attacks?

Enter a domain you control. Test My WAF verifies ownership via DNS, replays categorized attack payloads at it from a real browser, and shows you exactly what got through — with a downloadable PDF report.

$
DNS-verified targets only Real browser, real payloads 1,284 attack payloads
97.6% block rate

Tests every major WAF & CDN — vendor-agnostic

Layerd AILayerd AI CloudflareCloudflare AWS WAFAWS WAF AkamaiAkamai FastlyFastly ImpervaImperva F5F5 Azure WAFAzure WAF Google Cloud ArmorGoogle Cloud Armor ModSecurityModSecurity SucuriSucuri BarracudaBarracuda FortinetFortinet RadwareRadware WallarmWallarm Signal SciencesSignal Sciences NGINXNGINX CitrixCitrix Palo Alto NetworksPalo Alto Networks Check PointCheck Point StackPathStackPath

The blind spot

A WAF you never test is a WAF you can't trust.

Rulesets drift, vendors update signatures, and a single misconfigured rule can silently wave an attack through. Most teams don't find out until a payload reaches the origin. Test My WAF replays the real thing so you know today, not after an incident.

91.4%

Median block rate

38%

Sites with a bypass

1,284

Payloads per scan

2.4min

Avg scan time

How it works

From domain to verdict in four steps

01

Domain

Enter a domain you control as the target for the scan.

02

Verify

Confirm ownership with a one-time DNS TXT record.

03

Scan

A real browser fires 1,284 categorized payloads at your firewall.

04

Results

See what was blocked, simulated, or bypassed — and export the PDF.

Sample efficacy report

Every scan ends in a verdict you can act on.

Per-category results, the exact payloads fired, and the requests that reached your origin — ranked by severity and exportable as a shareable PDF.

97.6%+2.1%

Block rate

1,284

Payloads fired

3−2

Bypasses

6

Suites run

Download sample PDF report

Scan #d0fe1455 · www.acme.com

WAF efficacy — 6 suites

97.6%blocked
CategoryMethodEndpointResult
SQL InjectionPOST/loginBlocked
XSS (reflected)GET/searchBlocked
Path TraversalGET/api/v2/filesSimulating
Command InjectionGET/reportBypassed
SSRFPOST/webhookBlocked
XXEPOST/importBlocked

! FINDING — A crafted command-injection payload reached the origin on GET /report. Your WAF ruleset did not block this request.

Find your bypasses before an attacker does.

No agent. No signup. Run your first scan in under three minutes.

Start free scan →

FAQ

Questions, answered

No. Test My WAF runs entirely from your browser — no agent, no signup, nothing to deploy. Verify a domain you control and run.

A one-time DNS TXT record. We only fire payloads at targets you have proven you control, so you can never scan a domain that isn't yours.

Payloads are crafted, rate-limited attack simulations designed to be detected, not to cause damage. Most teams run against staging first; production is supported when you run it deliberately.

SQL injection, reflected and stored XSS, path traversal, command injection, SSRF, XXE and more — 1,284 categorized payloads across the OWASP top risks in every scan.

A crafted payload reached your origin — your WAF ruleset did not block the request. Each bypass is a concrete finding, ranked by severity, that you can hand straight to remediation.

Yes. Every scan produces a downloadable PDF efficacy report with per-category results, the exact payloads fired, and remediation notes.