Web Application Firewalls Are Broken, and Everyone Knows It


Web application firewalls have been around for more than two decades. In that time, web traffic has fundamentally changed, from humans browsing pages to APIs, bots, and now AI agents executing transactions at scale. The WAF hasn't kept pace, and in many organizations the response has been to stop touching it entirely. A WAF sits at the perimeter of web-facing applications and is supposed to separate legitimate traffic from malicious traffic. When security teams are too afraid of the consequences to adjust its rules, the result is one of two failures: false positives that block real customers, or stale rules that leave the door open to attacks. Both carry real costs.

I had an opportunity to chat with Itai Gafni, co-founder and CEO of Huskeys, a startup working in this space. He put the organizational reality plainly: security teams aren’t failing because they don’t understand the problem. They’ve just calculated that the risk of intervening is higher than the risk of leaving things alone. “In almost every call, we hear the same thing: ‘I don’t want to touch it,’” Gafni told me. “You either block legitimate customers and lose revenue or leave the doors open to modern attacks.”

The Control Plane Problem

The WAF enforcement layer—the actual firewall itself—isn’t really the issue. What’s broken is the management layer on top of it: how rules are written, maintained, and adjusted over time as applications change and threats evolve. Most organizations can’t do that work internally at any meaningful scale. So they pay vendors for managed services or professional services to handle configuration, which adds cost and creates dependency without actually solving the underlying problem.

Gafni described a pattern that’s common across enterprises: a company using Cloudflare for WAF ends up paying Cloudflare an additional fee on top of the contract to have someone else configure it correctly. The same dynamic plays out with other providers. The tool exists; the organizational capacity to use it effectively doesn’t.

WAF rule management requires deep knowledge of application behavior, traffic patterns, and threat signatures, and all three change constantly. As applications ship new features, a rule tuned for last quarter's request shapes starts matching legitimate input; as threat actors adapt their tactics, it stops matching malicious input. A static rule set becomes a liability on both counts.

Agentic AI Enters the Picture—With Caveats

The obvious answer is AI. To be fair, that seems to be the answer to every challenge right now. But the management layer is genuinely automatable: apply machine learning to traffic analysis, use generative models to draft rule changes, and let agentic systems handle the orchestration.

It's worth noting, however, that not all AI is alike, and it should not be used as if it were. It helps to break the problem into distinct phases: posture management, application-specific rule generation, and automated orchestration of remediation. Not every phase calls for the same kind of AI. Some of it is pattern matching. Some is generative. Some is genuinely agentic. Applying the wrong approach to the wrong phase doesn't strengthen the control plane; it just makes the marketing deck look better. And whatever produces a rule change, a human, a managed service or a model, the change should be validated in log-only (count) mode against recorded traffic before it is allowed to block anything.

Privacy and compliance add another layer of complexity. WAFs see actual traffic: real transactions, real user data, real IP addresses. Routing that data through third-party AI models raises data residency and regulatory questions that regulated industries won't ignore, which argues for redacting or aggregating request data before it reaches a model, or keeping the model where the data already lives.

Startups Are Taking a Different Angle

The traditional response has been to sell a better tool and push organizations to replace what they have. That approach has a track record of failure in the WAF space. Enterprises have existing deployments from AWS, Cloudflare, Akamai, and others. They’ve built processes around them, even broken ones, and they’re not going to rip them out for a startup with a better architecture diagram.

Photo: The Huskeys team.

Some newer entrants are approaching it differently. Huskeys, which emerged from stealth this week with $8 million in seed funding, is one example. Rather than positioning as a WAF replacement, the company is building what it calls an Edge Security Management platform—a control plane that sits on top of existing WAF infrastructure and handles the management layer that organizations can’t staff or scale internally. Organizations already have enforcement infrastructure they’ve paid for. What they need is something to actually run it.

“We said, what if we take their existing layers and put our control plane on top?” Gafni explained. “Then every organization can have the WAF they always wished for.”

The company counts TikTok, Merlin Entertainments, and Hugging Face among its early customers. The investor base includes more than 30 CISOs—practitioners investing personal capital is a different signal than VC money alone. The round also includes athlete investors Larry Fitzgerald, Mario Götze, and Kelvin Beachum, reflecting a broader shift in how high-profile individuals with significant digital brand exposure are thinking about infrastructure risk.

The Broader Shift

What's happening in the edge security space is less about any single vendor and more about a recognition that the assumptions baked into decades-old technology don't hold. WAFs were designed for a world of predictable HTTP traffic from human users. Den Jones, founder and CEO of 909Cyber, put it plainly: "We spent years training security teams to think about web traffic in terms of human behavior—what a real user looks like, how they move through an application. That model is increasingly useless when a significant portion of your traffic is bots, APIs, or AI agents that don't behave like humans at all."

Today's mix includes APIs, automated agents, AI-generated requests, and attackers using stolen credentials whose requests are, at the request level, indistinguishable from a real user's to a rule-based system. Distinguishing good traffic from bad has always been hard. It's getting harder, and layering more static rules on a static enforcement model hasn't scaled.

The organizations doing this well treat WAF management as an ongoing operational discipline, not a one-time deployment decision. Whether they’re using a third-party platform, a different vendor, or internal tooling, the principle holds: static rules in a dynamic threat environment are a problem that compounds over time.
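As an added example (not code from the article, from Huskeys, or from any vendor named here), the following Python sketch shows the operational loop the paragraphs above describe: a candidate rule is replayed in log-only (count) mode against labelled traffic, its false-positive rate on known-good requests and its detection rate on known-bad requests are measured, and it is promoted to block mode only if it stays inside a false-positive budget. The traffic corpus, the two SQL-injection rules, the set of request fields a rule inspects, and the 0.5% budget are all constructed assumptions for illustration; a real replay corpus would be far larger, and the rules would come from whatever control plane is in use.

```python
"""Staged WAF rule promotion: count mode -> block mode, gated on measured error.

Added example. Traffic, rules and thresholds below are constructed for
illustration and are not taken from any vendor's product or rule set.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str]
    body: str
    malicious: bool  # ground-truth label attached to the replay corpus


@dataclass
class Rule:
    rule_id: str
    pattern: "re.Pattern[str]"
    mode: str = "count"  # "count" = log only; "block" = enforce

    def matches(self, req: Request) -> bool:
        # Inspect the fields a WAF typically sees: path, query values, body.
        fields = [req.path, req.body, *req.query.values()]
        return any(self.pattern.search(f) for f in fields)


def evaluate(rule: Rule, traffic: List[Request]) -> Dict[str, float]:
    """Replay labelled traffic through a rule without enforcing; return counts
    plus the false-positive rate on legitimate requests and the detection rate
    on malicious ones."""
    tp = fp = fn = tn = 0
    for req in traffic:
        hit = rule.matches(req)
        if req.malicious:
            tp += hit
            fn += not hit
        else:
            fp += hit
            tn += not hit
    legit, bad = fp + tn, tp + fn
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "fp_rate": fp / legit if legit else 0.0,
        "detection_rate": tp / bad if bad else 0.0,
    }


def promote_if_safe(rule: Rule, traffic: List[Request],
                    max_fp_rate: float = 0.005,
                    min_detection: float = 0.9) -> Tuple[str, Dict[str, float]]:
    """The gate: a rule may move from count to block only if it blocks at most
    max_fp_rate of known-good traffic and catches at least min_detection of
    known-bad traffic. Otherwise it stays in count mode and keeps logging."""
    stats = evaluate(rule, traffic)
    if stats["fp_rate"] <= max_fp_rate and stats["detection_rate"] >= min_detection:
        rule.mode = "block"
    return rule.mode, stats


def decide(rules: List[Rule], req: Request) -> Tuple[bool, List[str]]:
    """Enforcement path: only block-mode rules block; count-mode hits are
    recorded so their impact can be measured before they are ever enforced."""
    hits = [r.rule_id for r in rules if r.matches(req)]
    blocked = any(r.mode == "block" for r in rules if r.rule_id in hits)
    return blocked, hits


# Constructed replay corpus: six legitimate requests, three SQL-injection attempts.
TRAFFIC = [
    Request("GET", "/search", {"q": "select your plan"}, "", False),
    Request("POST", "/profile", {}, "name=O'Brien", False),
    Request("GET", "/api/items", {"page": "2"}, "", False),
    Request("POST", "/login", {}, "user=alice&pass=hunter2", False),
    Request("GET", "/docs/sql-tutorial", {}, "", False),
    Request("POST", "/comments", {}, "text=I'd select the second option", False),
    Request("GET", "/items", {"id": "1 UNION SELECT username,password FROM users"}, "", True),
    Request("POST", "/login", {}, "user=admin' OR '1'='1&pass=x", True),
    Request("GET", "/items", {"id": "1' OR 1=1--"}, "", True),
]

# Two candidate rules (constructed). The loose one fires on any apostrophe or
# the word "select"; the tight one looks for actual injection shapes.
LOOSE = Rule("sqli-loose", re.compile(r"(?i)('|\bselect\b)"))
TIGHT = Rule("sqli-tight", re.compile(
    r"(?i)(\bunion\s+select\b|'\s*or\s+'?\w+'?\s*=\s*'?\w+|\bor\s+1\s*=\s*1\b)"))


def run_control_plane() -> Dict[str, Tuple[str, Dict[str, float]]]:
    """Evaluate every candidate rule against the corpus and apply the gate."""
    return {rule.rule_id: promote_if_safe(rule, TRAFFIC) for rule in (LOOSE, TIGHT)}


if __name__ == "__main__":
    for rule_id, (mode, stats) in run_control_plane().items():
        print(f"{rule_id}: mode={mode} fp_rate={stats['fp_rate']:.3f} "
              f"detection={stats['detection_rate']:.2f}")
    print("legit search:", decide([LOOSE, TIGHT], TRAFFIC[0]))
    print("login sqli:  ", decide([LOOSE, TIGHT], TRAFFIC[7]))
```

Run stand-alone, the loose rule stays in count mode because it would block half of the legitimate sample, including a customer named O'Brien, while the tight rule catches all three attacks with no false positives and is promoted. The point is the gate rather than the regexes: whichever layer writes the rule, the same replay-and-measure step decides whether it may block, and running it again after every application release or rule change is what turns WAF management into the ongoing discipline the paragraph above describes.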

By Tony Bradley