CASE 134 · GLYPH · 2025
WAF in front of the application, instead of in front of the firewall.
A government services provider had Imperva Cloud WAF on a separate edge-stack contract with a five-figure monthly bill. AWS WAF on CloudFront, with managed rule groups, did most of what Imperva did at a quarter of the cost. We migrated the WAF and added Shield Advanced for the DDoS protection.
Government services · MIGRATION · 2025
RESULTS
What changed, by the numbers.
WAF + DDoS BILL: −74%
RULE PARITY: 100%
DDoS RESPONSE: AWS DRT INCLUDED
EDGE PATH SIMPLIFIED: 3 → 2
HOW IT WENT
The edge stack had been: Imperva → CloudFront → Origin. The Imperva contract had been negotiated when the team had less AWS expertise. AWS WAF had matured to the point where managed rule groups covered most of what Imperva’s baseline did.
We translated each Imperva rule into AWS WAF terms: managed groups for the OWASP coverage, custom rules for the application-specific patterns, Lambda@Edge for the few rules that needed dynamic logic. Shield Advanced replaced the DDoS protection and added the AWS DDoS Response Team (DRT) as an included resource.
The net bill dropped 74% even after adding Shield Advanced. Rule parity was confirmed at 100%. The edge path simplified to two hops (CloudFront → Origin). The DRT engagement during the migration’s soak period was a bonus capability the team hadn’t expected to lean on.