Plans and Pricing

WAF scanning – Plans & Pricing

Company Size Base (Current) IRR 1(CAV Base) IRR 2(CAV Verified) IRR 3(SAP Start) IRR 4(SAP Verified)
S (Small)
M (Medium)
L (Large)
XL (Enterprise)

| IRR Level | Starting Price |
| --- | --- |
| Base | $1,200 |
| IRR 1 | $2,000 |
| IRR 2 | $3,000 |
| IRR 3 | $4,000 |
| IRR 4 | $5,000+ |

| Add-On | Price |
| --- | --- |
| Deep Analysis | +$2,000 |
| Branding (White-Label) | +$1,200 |

Visibility
$0 per scan
  • 1 project
  • 1 user
  • 200 tasks
  • No support
Assurance
Starting from $2200 per scan
  • Unlimited projects
  • Unlimited users
  • Unlimited tasks
  • Premium support
Plan  / Application Attack Web Exploits Brute Force /DDoS ATT 
Visibility 700$ 2200$ 3800$
Core 1500$ 4000$ 6500$
Assurance 2500$ 6000$ 8600$
Scan only Scan & Report Scan Report & Analysis
Scan V V V
Scheduled scan V V V
Report V V
Policy scoring V V
Policy Analysis V
Additional statistics V
WW and TI statistics
Feature/Test Type Essential Core IRR Extended IRR Enterprise+
Web Exploits (Signatures)
Normalization Evasion
Meta Character Handling
Brute Force Simulation
DoS / Slow Attacks
RFC Violation Testing
Crash Testing (Stability)
Executive RMS Reporting

| Feature / Coverage Area | Basic Scan | Advanced Scan | Complete Scan |
| --- | --- | --- | --- |
| Signature Families | SQL Injection, XSS | + LFI, RFI, Command Exec | + XXE, SSTI, Open Redirect, others |
| Signature Volume | ~10 per family | ~25 per family | ~50+ per family + evasions |
| Coverage Level (Entities) | E1 only: header, GET param name | E1 + E2: header, GET/POST names/values | E1 + E2 + E3: all fields, actions |
| Content Types | GET and POST (form-data only) | + JSON | + XML, multipart, mixed |
| Normalization Checks | Basic encoding | + double encoding, space tricks | + mixed encodings, rare formats |
| RFC Violations | Not included | Basic RFC violations | Full RFC violation set (boundary, verb, control chars) |
| Attack Permutations | Fixed template only | + basic variations | + advanced mutations and order flips |
| Test Method | Automated only | Automated with verification | Manual + automated hybrid |
| Ideal For | Quick health check | Deeper policy coverage | Full WAF evaluation with exposure mapping |

Plan Names + Descriptions

  1. Basic Scan
    Covers core attacks like SQL Injection and XSS. Limited to GET requests and basic signature triggers.

  2. Advanced Scan
    Adds more exploit types (LFI, RFI, Command Execution), POST method support, and basic normalization/RFC checks.

  3. Complete Scan
    Full signature coverage, including evasions, content-type diversity (JSON/XML), deep normalization testing, and extensive RFC violation checks.

  4. Signature Essentials (Alt Name)
    A focused scan with core attack vectors only – great for quick validation.

  5. Normalized Exposure Scan
    Adds bypass techniques and encoding mutation testing to reveal WAF weaknesses.

  6. Entity Coverage Scan
    Deep analysis of detection across headers, parameters, values, and various data formats.

  7. WAF Stress Scan (Internal Only)
    Fires a high volume of payloads across formats to measure policy resilience and stability (for staging/testing environments).


* Terms and Conditions

Our services:

  • I am authorized to request this WAF scan within my organization.

  • I approve the scanning and understand it may trigger WAF protections, and accept any minimal risk involved.

  • I accept that WAFScan provides no warranty or liability for scan results or their use.

Pricing and Scanning Terms

  • Scanning is performed per policy (per FQDN).

  • 2025 pricing applies; prices may change without notice.

  • Payment is required in advance of the scan.

  • Advanced and premium services are available to existing customers.

  • Free scans are for evaluation (POC) purposes only.

| Sales Model | Bundle (IRR Level) | Company Size | Use Case | Price |
| --- | --- | --- | --- | --- |
| Direct | Essential (IRR 0) | Small | One-time scan, quick validation | $490 |
| | | Medium | Broader check, SMB POC | $590 |
| | | Large | Compliance tick-box | $690 |
| | Core IRR (IRR 1) | Small | Entry-level readiness | $1,290 |
| | | Medium | Business-critical web apps | $1,590 |
| | | Large | Production zone testing | $1,990 |
| | Extended IRR (IRR 2) | Small | Deeper exposure assessment | $2,490 |
| | | Medium | Risky systems, baseline audit | $2,890 |
| | | Large | Pre/post-migration or audit | $3,490 |

| Sales Model | Essential (Any size, One-time scan / IRR Level 0) | Core IRR (Any size, IRR Level 1) | Extended IRR (Any size, IRR Level 2) |
| --- | --- | --- | --- |
| Direct (MSRP) | $490 🧩 Use case: Quick audit, low-risk validation | $1,290 🧩 Use case: Basic IR readiness, normalization, brute-force testing | $2,490 🧩 Use case: High exposure testing, DoS + stability + deeper payloads |
| Channel (30% off) | $343 🧩 Use case: Partner POC / SMB entry | $903 🧩 Use case: Service providers / mid-tier sales | $1,743 🧩 Use case: Pre-migration, production-level validation |
| Affiliate (5%) | $490 (payout: $24.50) 🧩 Use case: Developer tools, SME leads | $1,290 (payout: $64.50) 🧩 Use case: Integrator referrals, self-service testing | $2,490 (payout: $124.50) 🧩 Use case: CISO-driven scans, ops audits |
| MSP (custom) | ~$390 🧩 Use case: Bulk scans, automation plans | ~$1,050 🧩 Use case: Ongoing customer compliance | ~$1,950 🧩 Use case: Managed SOC customers |
| Cloud Marketplace | $590 🧩 Use case: Buy via credits, pay-as-you-go | $1,490 🧩 Use case: Procurement-simplified onboarding | $2,890 🧩 Use case: Public-sector or enterprise procurement portals |

| Company Size | IRR 1 (Base Policy) | IRR 2 (CAV Policy) | IRR 3 (Verified CAV) | IRR 4 (SAP – Site Access Policy) | IRR 5 (Verified SAP) |
| --- | --- | --- | --- | --- | --- |
| Small (S) | One-time scan, basic sig coverage. Minimal evasions. Entry compliance. | Adds normalization bypass checks + metachar level 1. Basic brute force test. | Adds RMS logic & verified CAV block/allow logic. Entity awareness. | Adds SAP logic testing (e.g., site behavior restriction by geo/IP/device). | Full SAP enforcement and tuning validation. |
| Medium (M) | Baseline audit. Multi-app inputs. Light evasion set. | Normalization coverage + CAV block validation. Multiple evasions. | Verified entity-aware CAV per app. Risk scoring. | SAP test cases per asset/site. Geo block bypass tests. | SAP + behavioral fingerprinting validated. Verified control flows. |
| Large (L) | Readiness testing for critical zones. Policy coverage report. | CAV policy regression across multi-app zones. Test ID mapping. | Deep signature + context validation. Full payload space. | SAP logic per site/app context. Multiple user types tested. | All SAP logic + anomaly-based logic validated. RMS scoring by zone. |
| Enterprise (XL) | WAF policy baseline audit with IR mapping. Signed off for exec dashboard. | Full CAV coverage mapping per entity and attack class. Integration-ready. | Entity fuzzing + optimization tests. Auto-RMS grading. | SAP across infra + risk-based perimeters. Tests per data zone/role. | Final production-grade IRR validation. Includes AI/machine-learned behavior SAP defenses. |

| Company Size | IRR 1 (Base Policy) | IRR 2 (CAV Policy) | IRR 3 (Verified CAV) | IRR 4 (SAP Policy) | IRR 5 (Verified SAP) |
| --- | --- | --- | --- | --- | --- |
| Small (S) | $1,200 | $1,200 | $1,200 | $1,200 | $1,200 |
| Medium (M) | $2,300 | $2,300 | $2,300 | $2,300 | $2,300 |
| Large (L) | $3,500 | $3,500 | $3,500 | $3,500 | $3,500 |
| Enterprise (XL) | $50,000+ | $50,000+ | $50,000+ | $50,000+ | $50,000+ |

Optional Add-Ons

| Add-On Feature | Price | Description |
| --- | --- | --- |
| Deep Analysis Report | +$2,000 | Adds attack classification, mitigation suggestions, and RMS scoring details |
| White-Label Branding | +$1,200 | Add your logo, custom intro, and executive-ready branding to all reports |

Add-ons apply per scan/report. Can be bundled or purchased standalone.


✅ Example Use Cases

  • S + IRR 2 + Deep Analysis = $1,200 + $2,000 = $3,200

  • M + IRR 4 + Branding = $2,300 + $1,200 = $3,500

  • L + IRR 3 + Both Add-ons = $3,500 + $2,000 + $1,200 = $6,700

  • XL + IRR 5 + Both Add-ons = starts at $53,200+