Report Shows Over Half of Enterprise Web Assets Lack WAF Protection

A new report from CyCognito, a cybersecurity exposure platform, has uncovered a significant blind spot in enterprise web security: more than half of internet-facing enterprise assets are not protected by Web Application Firewalls (WAFs) — including many that collect sensitive user data.

The research analyzed over 500,000 external-facing assets from Fortune 2000 and Fortune 500 companies and found widespread gaps in WAF deployment, raising concerns about the security of cloud infrastructure and customer-facing web services.

Key findings show that WAF protection is lacking for:

  • Over 52% of cloud-hosted assets
  • Over 65% of off-cloud assets
  • Over 39% of cloud-based assets collecting PII
  • Over 60% of off-cloud PII-collecting assets

The research also highlighted a common pattern. Large organizations often operate dozens of different WAF products, with fragmented ownership across teams and regions. On average, enterprises ran around 12 different WAF technologies, with some managing more.

WAFs serve as a foundational security layer for web applications, often blocking common attack vectors like injection, credential stuffing, and brute force attacks. In many organizations, WAFs also act as temporary safeguards while vulnerabilities are addressed, so their absence significantly increases exposure.

This fragmentation across products and owners contributes to inconsistent protection — especially for assets outside the core application stack or those that fall outside centralized visibility. These “unknown unknowns” can include legacy sites, forgotten subdomains, or third-party-managed assets that are still publicly exposed.

The fact that many PII-handling pages (e.g., login forms, registration portals, password resets) are left unprotected makes these findings particularly serious. These are often the first targets during reconnaissance and among the most lucrative for attackers.

The research went deep with manual review of high-traffic assets across a sample of global enterprises. Even among major brands across industries like finance, retail, and media, some widely used applications were found operating without any WAF protection.

And in many cases, these unprotected systems were sitting next to fully protected flagship apps, underscoring that the problem isn’t technology, but rather execution and visibility at scale.

As attack surfaces continue to expand, particularly in hybrid and cloud environments, maintaining consistent WAF coverage is becoming harder, but also more important. This research highlights how even fundamental controls can fall through the cracks at scale. And it’s a reminder for security teams to take stock of what’s actually being protected and what might not be.
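One way for a security team to "take stock" of WAF coverage is to reconcile its external asset inventory against the protected-zone exports of every WAF product it runs, which is exactly where fragmented ownership creates gaps. The script below is an added example for this article, not code from CyCognito or the report: the inventory records, the three WAF exports, the hostnames and the field names are all constructed for the demonstration. It merges the zone lists, matches hostnames including wildcard zones, lists unprotected assets with PII-collecting ones first, reproduces the four coverage percentages the report breaks its numbers into, and flags hosts claimed by more than one product.

```python
"""Reconcile an asset inventory against the zone lists of several WAF products.

Added example for this article, not code from CyCognito or the report: the
inventory, the WAF exports, the hostnames and the record fields are all
constructed for the demonstration.
"""
from fnmatch import fnmatchcase

# Constructed inventory: one record per internet-facing asset.
INVENTORY = [
    {"host": "www.example.com", "hosting": "cloud", "collects_pii": False},
    {"host": "login.example.com", "hosting": "cloud", "collects_pii": True},
    {"host": "register.shop.example.com", "hosting": "cloud", "collects_pii": True},
    {"host": "legacy-portal.example.net", "hosting": "off-cloud", "collects_pii": True},
    {"host": "status.example.com", "hosting": "off-cloud", "collects_pii": False},
    {"host": "reset.example.org", "hosting": "cloud", "collects_pii": True},
]

# Constructed exports from three separately owned WAF products. Each value is
# the product's list of protected zones: exact hostnames or wildcard patterns.
WAF_EXPORTS = {
    "waf-a (EU web team)": ["www.example.com", "login.example.com"],
    "waf-b (US web team)": ["*.shop.example.com"],
    "waf-c (retail unit)": ["status.example.com", "WWW.example.com."],
}


def normalize(host):
    """Lower-case and drop a trailing dot so console-style and DNS-style names compare equal."""
    return host.strip().lower().rstrip(".")


def protected_by(host, exports):
    """Return the names of every WAF product whose zone list covers `host`.

    A zone matches when it equals the hostname or is a wildcard pattern such as
    `*.shop.example.com`. fnmatchcase's `*` also spans dots, so `*.example.com`
    would cover nested subdomains as well; the case-sensitive variant is used
    because both sides are already normalized to lower case.
    """
    host = normalize(host)
    return [
        product
        for product, zones in exports.items()
        if any(fnmatchcase(host, normalize(zone)) for zone in zones)
    ]


def unprotected_assets(inventory, exports):
    """List inventory records no WAF product covers, PII-collecting ones first."""
    gaps = [a for a in inventory if not protected_by(a["host"], exports)]
    return sorted(gaps, key=lambda a: (not a["collects_pii"], a["host"]))


def pct_unprotected(inventory, exports, hosting, pii_only=False):
    """Share (percent, one decimal) of a hosting class left without WAF coverage.

    With pii_only=True the denominator is restricted to PII-collecting assets,
    mirroring the four categories the report breaks its numbers down into.
    """
    subset = [
        a for a in inventory
        if a["hosting"] == hosting and (a["collects_pii"] or not pii_only)
    ]
    if not subset:
        return 0.0
    gaps = [a for a in subset if not protected_by(a["host"], exports)]
    return round(100.0 * len(gaps) / len(subset), 1)


def multiply_covered(inventory, exports):
    """Hosts claimed by more than one WAF product: a sign of fragmented ownership."""
    result = {}
    for a in inventory:
        owners = protected_by(a["host"], exports)
        if len(owners) > 1:
            result[a["host"]] = owners
    return result


if __name__ == "__main__":
    for hosting in ("cloud", "off-cloud"):
        print(f"{hosting:9} unprotected: {pct_unprotected(INVENTORY, WAF_EXPORTS, hosting)}%"
              f"  (PII-collecting: {pct_unprotected(INVENTORY, WAF_EXPORTS, hosting, pii_only=True)}%)")
    for asset in unprotected_assets(INVENTORY, WAF_EXPORTS):
        flag = "PII" if asset["collects_pii"] else "   "
        print(f"  GAP {flag} {asset['host']} ({asset['hosting']})")
    for host, owners in multiply_covered(INVENTORY, WAF_EXPORTS).items():
        print(f"  DUPLICATE {host}: {', '.join(owners)}")
```

In practice the inventory would come from the external attack surface tool and the exports from each WAF console or API; the point of the reconciliation is that it only works if every product's zone list is collected, so a product nobody on the central team knows about shows up as an unexplained gap rather than silently as coverage.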

For a deeper look into the research, including methodology and recommendations for improving coverage, check out the full post from CyCognito here.
