The initial access point for one-third of all breaches is the exploitation of a software vulnerability. This is the reality of the current threat landscape, where attackers have shifted their focus from the network perimeter to the application layer itself. The rise of generative AI is accelerating this trend, enabling adversaries to create sophisticated and novel attacks at an unprecedented scale.
This new reality requires a security strategy that extends beyond traditional perimeter defenses. While Web Application Firewalls (WAFs) remain a foundational component of security, a defense-in-depth approach that provides visibility from the network edge to the application's code is now essential.
A WAF is a critical component for any organization's security posture. It provides an essential first pass on all incoming traffic, acting as a frontline defense against a high volume of known threats. WAFs are effective at mitigating DDoS and other volumetric attacks, filtering out malicious bots and scanners, and blocking common attack patterns that match predefined signatures and rules. By handling this high-volume, low-complexity traffic at the network edge, WAFs provide a valuable layer of protection.
However, the operational model of a WAF is to analyze traffic from the outside-in. It makes decisions based on traffic patterns and signatures without having insight into how the application is actually processing a request. This architectural reality means that WAFs can be bypassed by sophisticated attacks that use novel or obfuscated techniques to appear as legitimate traffic. This creates a security gap between the perimeter and the application runtime.
Attackers are increasingly bypassing perimeter defenses: our research indicates that over half of all successful application attacks use such evasion techniques, and a significant portion of these, 31% of viable attacks [2], leverage insecure deserialization. These attacks are particularly hard for WAFs to detect, because the malicious payload is usually concealed within data streams that appear legitimate.
This creates a significant challenge for security teams. They are often faced with a high volume of low-fidelity alerts from their WAFs, with less than 0.25% [3] of these alerts correlating to actual exploits. This flood of false positives consumes valuable time and resources, while the real, sophisticated attacks slip past the perimeter undetected.
According to the 2025 Software Under Siege Report, these are the top 5 most prevalent and successful attack techniques targeting applications [1].

To close this gap, security teams need to see what is happening inside the application. Contrast Application Detection and Response (ADR) provides this crucial runtime security. By using lightweight instrumentation that operates from within the application's runtime, ADR can observe the actual behavior of the code as it executes.
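As an added illustration of the two vantage points described above (not Contrast's code or the ADR product; it uses Python's pickle module as the deserialization format and a constructed JSON request carrying a base64-encoded blob), the example below runs a byte-signature check at the edge and an allowlisting hook inside the deserializer, and records what each layer actually sees:

```python
import base64
import collections
import io
import json
import pickle
import re
from dataclasses import dataclass

EDGE_SIGNATURES = [rb"\x80[\x02-\x05]", rb"__reduce__", rb"subprocess"]  # edge ("WAF-style") byte signatures; constructed, not a real rule set

def edge_filter(body: bytes) -> bool:
    """True when a signature fires. This layer only sees the bytes on the wire."""
    return any(re.search(sig, body) for sig in EDGE_SIGNATURES)

@dataclass
class Order:  # the only type this hypothetical service expects to deserialize
    sku: str
    qty: int

class RuntimeGuard(pickle.Unpickler):
    """Runtime layer: sees every global the unpickler actually resolves while the
    code executes, and refuses anything outside the application's own data model."""
    ALLOWED = {(Order.__module__, "Order")}

    def __init__(self, blob: bytes):
        super().__init__(io.BytesIO(blob))
        self.seen = []  # (module, name) pairs requested during deserialization

    def find_class(self, module, name):
        self.seen.append((module, name))
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def make_request(obj) -> bytes:
    """Constructed JSON body carrying a base64-encoded pickle, as a client would send it."""
    return json.dumps({"payload": base64.b64encode(pickle.dumps(obj)).decode()}).encode()

def handle_request(body: bytes) -> dict:
    """Run both layers on one request and report what each of them saw."""
    guard = RuntimeGuard(base64.b64decode(json.loads(body)["payload"]))
    try:
        obj, blocked = guard.load(), None
    except pickle.UnpicklingError as exc:
        obj, blocked = None, str(exc)
    return {"edge_hit": edge_filter(body), "seen": guard.seen, "blocked": blocked, "obj": obj}

if __name__ == "__main__":
    print(handle_request(make_request(Order("sku-1", 2))))        # legitimate order: passes both layers
    print(handle_request(make_request(collections.OrderedDict)))  # unexpected global: edge misses, runtime blocks
```

The edge signatures never fire because the encoded payload looks like ordinary JSON, while the runtime hook sees the exact module and class the deserializer is asked to resolve and can refuse it before any object is built.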
This approach provides two fundamental advantages:
Pairing a WAF with Contrast ADR creates a comprehensive, multi-layered defense that protects the entire application stack. In this model, the WAF continues to perform its critical function of filtering high-volume traffic and known threats at the perimeter. Contrast ADR then covers the attacks that get past the perimeter, by observing them at runtime inside the application.
This complementary approach provides security operations teams with:
[1, 2] Contrast Security, 2025 Software Under Siege Report
[3] Contrast Labs, Research uncovers: EDR's blindness to application exploits, WAF's inability to cut through the noise, 2025
Schedule a demo and see how to eliminate your application-layer blind spots.