Companies that use AWS WAF

Source: Analysis of job postings that mention AWS WAF (using the Bloomberry Jobs API)

My analysis shows that AWS WAF purchasing decisions are primarily driven by security leadership, with Directors of Security (12%), VPs of Security (8%), and other C-level security executives comprising about 20% of these roles. However, I noticed something distinctive: the technical practitioners who will implement and manage WAF often have significant input in the buying process, as evidenced by the high percentage of Security Engineer (22%) and Cloud Security Architect (15%) positions mentioning AWS WAF expertise as a requirement. These organizations are prioritizing candidates who can balance strategic security governance with hands-on technical execution.

Day-to-day AWS WAF users are predominantly Security Engineers and DevOps practitioners who perform hands-on tasks like configuring and tuning WAF policies, managing rule sets, analyzing web traffic patterns, and integrating WAF into CI/CD pipelines. I found these roles frequently involve responding to OWASP Top 10 threats, mitigating bot attacks and DDoS attempts, conducting threat modeling, and collaborating with application development teams to implement protective controls without disrupting legitimate traffic.

The pain points revealed across these postings center on achieving security at scale while maintaining agility. Companies repeatedly emphasize needs like "proactive threat detection," "24/7 protection for global enterprise," and "balancing operational risk and security posture." One posting specifically mentioned the challenge of moving from "people-driven security" to "automated, scalable protection," while another highlighted the need to "reduce false positives" and "mature protection policies." These organizations are clearly seeking to embed security into fast-moving development cycles without becoming bottlenecks.

Source: Analysis of Linkedin bios of 908 companies that use AWS WAF

I noticed AWS WAF attracts an incredibly diverse set of companies, but several patterns emerge. There's a strong concentration of consumer-facing businesses that handle direct transactions and personal data: holiday cottage agencies managing bookings across the UK, real estate platforms like Compass connecting buyers and sellers, meal delivery services like Calo, and e-commerce companies like Souq.com. Media and publishing companies also feature prominently, from JMIR Publications to Trustpilot to Animation Magazine. What ties them together is that they're all operating digital platforms where customers interact directly with their services online.

The maturity levels vary widely. I see established enterprises with 70+ years of history like Grupo Q and Royal Garden Hotel alongside Series B startups like Calo and HeyJobs. Many fall into a middle category: profitable, growing businesses with 50-500 employees that have moved past startup chaos but aren't massive corporations. The holiday cottage agencies, regional insurance companies, and boutique hotels represent this sweet spot of established-but-growing businesses.

Source: Analysis of tech stacks from 908 companies that use AWS WAF

I noticed that AWS WAF users are primarily e-commerce and digital commerce companies with significant fraud and security concerns. The presence of Forter, a fraud prevention platform that appears 328 times more often, combined with Criteo for ad retargeting, tells me these are companies handling high-volume online transactions where both security and customer acquisition are critical business priorities.

The pairing of AWS WAF with Forter makes perfect sense because companies worried enough about application security to deploy AWS WAF are exactly the ones experiencing fraud attempts at scale. They need both perimeter defense and transaction-level fraud detection. The strong correlation with Criteo suggests these companies are spending heavily on performance marketing and retargeting, which means they're likely in competitive markets where customer acquisition costs matter. Amazon SES appearing 24 times more frequently indicates they're sending transactional emails at volume, think order confirmations, shipping notifications, and account security alerts. This reinforces the e-commerce profile.

The full stack reveals these are product-led or product-and-marketing hybrid companies at growth stage or mature scale. They've moved beyond basic infrastructure and are investing in specialized tools for fraud prevention, feature flagging with Harness, and sophisticated marketing attribution. The Atlassian Cloud correlation suggests distributed engineering teams that need collaboration tools, pointing to companies with 50 plus employees who've professionalized their operations. These aren't early startups on shoestring budgets.