WAFtester
Test your WAF like an attacker would.
$ waf-tester scan -u https://app.example.com --smart
[INFO] Target: https://app.example.com
[INFO] WAF Detected: Cloudflare (98% confidence)
[INFO] Auto-selecting tampers: charunicodeencode, randomcase
[INFO] Testing 2,847 payloads across 12 attack categories...
████████████████████████████████ 100% | 2847/2847
[RESULTS]
Bypasses found: 119/2847 (4.2%)
Detection rate: 95.8%
False positives: 2 (0.3%)
F1 Score: 0.969
- 33 Commands
- 197 WAF Signatures
- 2,800+ Payloads
- 70+ Tampers
- 50+ Attack Categories
- 16 Output Formats
Why WAFtester?
Not a generic scanner with WAF checks bolted on. Purpose-built from the ground up.
WAF-Aware
Purpose-built for WAF testing. Detects 197 WAF vendors, auto-selects bypass techniques per vendor.
Quantitative
Real metrics: Detection Rate, False Positive Rate, F1 Score, MCC. Data-driven decisions, not guesswork.
Fast & Concurrent
Go-compiled binary. Concurrent scanner with sub-second startup. No runtime dependencies.
CI/CD Native
SARIF, SonarQube, GitLab SAST output. GitHub Action included. Streaming results for real-time feedback.
See It in Action
Five modes. One binary. Each designed for a specific WAF testing workflow.
$ waf-tester scan -u https://target.com --smart
[INFO] WAF Detected: Cloudflare (98%)
[INFO] Testing 2,847 payloads...
████████████████████ 100%
→ 119 bypasses found (4.2%)
→ F1 Score: 0.969
$ waf-tester vendor -u https://target.com
[VENDOR] Primary: Cloudflare (98% confidence)
[VENDOR] CDN: Fastly detected
[VENDOR] Recommendations:
→ tampers: charunicodeencode, randomcase
→ categories: xss, sqli, ssti
$ waf-tester bypass -u https://target.com --tamper-auto
[BYPASS] Testing 70 tamper x 49 mutator combos...
[FOUND] charunicodeencode + xss/event-handler
[FOUND] randomcase + sqli/union-based
→ 23 unique bypass chains discovered
→ Results saved to bypass-report.json
$ waf-tester benchmark -u https://target.com
[BENCH] Running detection accuracy benchmark...
True Positives: 2728 | False Negatives: 119
True Negatives: 845 | False Positives: 2
→ Detection Rate: 95.8% | FPR: 0.24%
→ F1: 0.969 | MCC: 0.941
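The four counts in the benchmark output above (true positives, false negatives, true negatives, false positives) are all that is needed to compute its headline metrics. The script below is an added example, not code from the WAFtester project: it builds the confusion matrix from per-request outcomes (the `(is_attack, was_blocked)` record shape is a constructed assumption, not the tool's JSON schema) and applies the standard definitions of detection rate (recall), false positive rate, precision, F1 and Matthews correlation coefficient, guarding the zero-denominator cases that occur when a run contains no benign traffic or no attacks. Applied to the counts printed above it reproduces the 95.8% detection rate, 0.24% FPR and 4.2% bypass rate; the textbook F1 and MCC for those same counts come out at about 0.978 and 0.915, so confirm which definition your tooling uses before comparing scores across runs or vendors.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Confusion:
    """Confusion matrix for a WAF benchmark. 'Positive' means an attack payload."""
    tp: int  # attack payload that the WAF blocked
    fn: int  # attack payload that passed through (a bypass)
    tn: int  # benign request that the WAF allowed
    fp: int  # benign request that the WAF blocked (a false positive)


def confusion_from_results(results: Iterable[Tuple[bool, bool]]) -> Confusion:
    """Tally (is_attack, was_blocked) outcomes into a confusion matrix.

    The pair format is an assumption made for this example; map your
    scanner's own result records onto it.
    """
    tp = fn = tn = fp = 0
    for is_attack, was_blocked in results:
        if is_attack and was_blocked:
            tp += 1
        elif is_attack:
            fn += 1
        elif was_blocked:
            fp += 1
        else:
            tn += 1
    return Confusion(tp, fn, tn, fp)


def _safe_div(numerator: float, denominator: float) -> float:
    # A benchmark with no benign traffic (or no attacks) must not crash;
    # the undefined ratio is reported as 0.0 rather than raising.
    return numerator / denominator if denominator else 0.0


def metrics(c: Confusion) -> Dict[str, float]:
    """Standard classifier metrics from the four confusion-matrix counts."""
    attacks = c.tp + c.fn
    benign = c.tn + c.fp
    detection_rate = _safe_div(c.tp, attacks)          # recall / TPR
    bypass_rate = _safe_div(c.fn, attacks)             # 1 - recall
    fpr = _safe_div(c.fp, benign)                      # benign requests wrongly blocked
    precision = _safe_div(c.tp, c.tp + c.fp)
    f1 = _safe_div(2 * c.tp, 2 * c.tp + c.fp + c.fn)   # harmonic mean of P and R
    # MCC uses all four cells, so it stays meaningful when attacks vastly
    # outnumber benign samples (as in the benchmark above).
    denom = sqrt((c.tp + c.fp) * (c.tp + c.fn) * (c.tn + c.fp) * (c.tn + c.fn))
    mcc = _safe_div(c.tp * c.tn - c.fp * c.fn, denom)
    return {
        "detection_rate": detection_rate,
        "bypass_rate": bypass_rate,
        "fpr": fpr,
        "precision": precision,
        "f1": f1,
        "mcc": mcc,
    }


# Constructed sample: five attack payloads (four blocked, one bypass) and
# three benign requests, all allowed. Not real scanner output.
SAMPLE_RESULTS = [
    (True, True), (True, True), (True, True), (True, True), (True, False),
    (False, False), (False, False), (False, False),
]

# The counts printed by the benchmark output on this page.
PAGE_BENCHMARK = Confusion(tp=2728, fn=119, tn=845, fp=2)


if __name__ == "__main__":
    for label, conf in (("sample", confusion_from_results(SAMPLE_RESULTS)),
                        ("page benchmark", PAGE_BENCHMARK)):
        m = metrics(conf)
        print(f"{label}: {conf}")
        for name, value in m.items():
            print(f"  {name:15s} {value:.4f}")
```

Run it once to check a scanner's reported numbers against the raw counts it prints; if detection rate and FPR agree but F1 or MCC do not, the tool is either weighting classes or using a different positive-class convention, and that has to be settled before a score can be used as a regression threshold in CI.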
$ waf-tester scan -u https://target.com -o sarif,html,json
[INFO] Scan complete. Generating reports...
→ results.sarif (GitHub Code Scanning)
→ results.html (Interactive report)
→ results.json (Machine-readable)
+ 13 more formats: sonarqube, gitlab, csv...
Who Is This For?
Built for security professionals who need more than "blocked/not blocked."
Pentesters
Discover WAF bypasses during engagements. Automated tamper selection means less manual work.
- Auto tamper selection
- Bypass chains
- Evasion matrix
Security Engineers
Benchmark WAF rule quality with real metrics. Know your detection rate before attackers do.
- F1/MCC scoring
- False positive tracking
- Regression testing
DevSecOps Teams
Integrate WAF testing into CI/CD. SARIF output feeds directly into GitHub Code Scanning.
- SARIF output
- GitHub Action
- Pipeline-native
SOC / Blue Teams
Validate WAF rules against real attack patterns. Generate evidence for compliance reporting.
- Detection benchmarks
- Compliance reports
- Evidence export
How It Compares
WAFtester is the only tool purpose-built for WAF security testing with quantitative scoring.
| Feature | WAFtester | Nuclei | SQLMap | Nikto | OWASP ZAP |
|---|---|---|---|---|---|
| WAF Detection | ✓ | — | — | — | ✓ |
| WAF Bypass Automation | ✓ | — | ✓ | — | — |
| Quantitative Scoring (F1/MCC) | ✓ | — | — | — | — |
| Multiple Output Formats (16+) | ✓ | ✓ | — | — | ✓ |
| CI/CD Integration | ✓ | ✓ | — | — | ✓ |
| Tamper/Evasion Library (70+) | ✓ | — | ✓ | — | — |
| AI/MCP Integration | ✓ | — | — | — | — |
| Single Binary (No Dependencies) | ✓ | ✓ | — | — | — |
Works with Your Stack
16 output formats. 5 CI/CD platforms. Native AI integration. Every protocol you need.
Install in Seconds
One command. No configuration. No runtime dependencies.
$ npx -y @waftester/cli version
$ go install github.com/waftester/waftester/cmd/cli@latest
$ brew tap waftester/tap && brew install waftester
$ docker run --rm ghcr.io/waftester/waftester scan -u https://target.com
$ curl -sSL https://github.com/waftester/waftester/releases/latest/download/waf-tester-$(uname -s)-$(uname -m).tar.gz | tar xz
AI-Native Security Testing
The first WAF testing tool with a built-in MCP server. Connect to Claude, Copilot, or any MCP-compatible platform.
Configuration
```json
{
  "mcpServers": {
    "waf-tester": {
      "command": "npx",
      "args": ["-y", "@waftester/cli", "mcp"]
    }
  }
}
```
In Action
"Scan example.com for SQL injection bypasses and give me a report"
AI Response
I'll run a targeted scan focusing on SQL injection categories with automatic tamper selection based on the detected WAF...
Built by Security Engineers
WAFtester is open source and community-driven. Join hundreds of security professionals who trust it for WAF validation.
Frequently Asked Questions
Is WAFtester free?
The core CLI is available under BSL 1.1. Community payloads are MIT-licensed. Pro and Enterprise tiers unlock additional features.
Installation options
Is it safe to run against production?
WAFtester sends HTTP requests with known payloads. It does NOT exploit vulnerabilities — it tests whether your WAF blocks them. Use rate limiting (--rate) and run against staging first.
See rate limiting & advanced options
Which WAFs does it detect?
197 WAF signatures including Cloudflare, AWS WAF, Akamai, Imperva, F5, Azure Front Door, Fastly, Sucuri, and many more. Run `waf-tester vendor -u <target>` to check.
Core commands reference
How is it different from sqlmap/nuclei/Burp?
WAFtester is purpose-built for WAF testing. sqlmap is an exploitation tool, nuclei is a vulnerability scanner, Burp is a general web proxy. WAFtester uniquely combines WAF detection, bypass discovery, and statistical measurement in one tool.
Quick start guide
Can I use it in CI/CD?
Yes. Native GitHub Action, SARIF output for GitHub Advanced Security, SonarQube and GitLab SAST formats. Streaming output for real-time results in pipelines.
CI/CD integration guide
Does it support custom payloads?
Yes. Drop JSON/YAML payload files in the payloads directory or use the --payloads flag. Community payloads repo accepts contributions under MIT license.
Full examples guide
Ready to Test Your WAF?
One command to install. One command to scan. Real results in seconds.