WAAP – A Comprehensive Solution for Web Application and API Protection
VinaHost’s Web Application and API Protection (WAAP) is a cloud-based protection service that integrates security layers such as DDoS protection, WAF, API security, and bot management to minimize attacks during operation. This platform runs on Cloud Security 2.0 with a unified protection mechanism, leveraging AI Central Engine and synchronized defense capabilities for web applications and APIs.
Integrated intelligent CDN speeds up access, reduces origin server load, and ensures system stability.
Multiple layers of protection in one solution: DDoS, WAF, API security, and bot management.
Core features of WAAP
Costs are calculated as follows
- Clean data transfer, minimum 1TB/month
- Subscription features.
CDN & DDoS Protection
DNSSEC
Strengthen authentication in DNS using digital signatures based on public key cryptography.
Smart Routing
Choose the optimal path to the origin so that content is delivered to end users using the fastest and most reliable route.
SSL/TLS
Support SSL/TLS protocols to ensure that data exchanged between two parties is secure and cannot be intercepted by attackers.
Load Balancer
Detect and redirect traffic to different origin servers based on various conditions, such as origin domain, origin IP address, and user IP address, to keep applications and services available to users.
Anti-Hotlinking
Maintain hotlinking protection by applying rules to accept or block requests.
Rate Limiting
Limit the number and frequency of HTTP requests to reduce risks of brute-force and other automated attacks.
Access Control
Configure blacklist or whitelist based on IP address, HTTP header, and other parameters to avoid web application attacks.
L3/L4 DDoS Mitigation
Protect against L3/L4 DDoS attack, such as SYN flood, ACK flood, and UDP flood.
L7 DDoS Mitigation
Protect against HTTP and HTTPS floods, low and slow attacks, and other Layer 7-based DDoS attacks.
Preset Protection Policies
Provide three preset protection modes so customers can choose the one best suited for addressing DDoS attacks.
WAF & API Security
IP Repeated Violations
Block IP addresses to prevent repeated WAF violations.
HTTP Protocol Validation
Block requests that do not comply with the formatting standards specified in the RFC for HTTP.
Built-In WAF Rules
Offer more than 1,000 built-in WAF rules to protect web applications against security risks.
OWASP Core Rulesets
Help organizations address the Top 10 vulnerabilities identified by the Open Web Application Security Project (OWASP).
Zero-day Protection
Deploy a “virtual patch” to prevent zero-day attacks when such vulnerabilities are discovered.
Flexible Response Actions
Offer custom protection actions, such as block, log, off, and bypass.
WAF Intelligent Analysis Service
Automatically generate recommended exceptions for WAF rules to intelligently reduce false positives.
Custom WAF Rules
Allow customers to create custom WAF rules based on their business needs.
Threat Intelligence
Identify and protect mainstream IDC intelligence and open source intelligence.
API Inventory
Define API resources, control API lifecycles online and offline, monitor privacy status, and more.
Consumer Management
Identify the source of requests based on a unique consumer ID to manage API assets.
API Discovery
Discover unknown API resources using advanced log analysis technology.
API Authentication
Verify the credibility of API requests by detecting dynamic authentication tokens in the requests.
Compliance Detection
Refine and verify the body or parameters of requests to identify and intercept illegal requests effectively.
Bot & Risk Management
Bot Intelligence
Define the action to take for known bot types, such as bypass SEO bots or block bots.
Bot Detection (Bot Feature Verification)
Detect and identify normal users and bots by cookie, JavaScript, other browser features and user behavior.
Fingerprint Analysis
Generate browser fingerprints for analysis and correlation with IP addresses.
Captcha Verification
Respond to the captcha verification page to verify the legitimacy of client requests.
Flexible Response Actions
Customize protection actions, such as block, flag, log, captcha, and slow/delay.
Customized Bot
Support adding, deleting, and enabling custom bots known to be “good.”
Bot Management for Mobile App
Offer enhanced app protection for native mobile apps by integrating the bot management SDK into iOS and Android applications.
Workflow Analysis
Identify and analyze the workflow of access requests from websites and APIs to detect and block abnormal access behaviors.
AI Analysis
Detect known and unknown bot behavior accurately and work with other strategies to proactively combat ever-changing bot attacks before they have a chance to strike.
Account Takeover
Identify and block attacks designed to hijack accounts through credential stuffing and brute force.
Fraud Protection
Prevent and detect fraudulent activities to minimize the risk of financial loss and reputational damage.
Data Analysis
SIEM Support
Help organizations push attack logs, such as via Syslog and Splunk, to the SIEM platform in real time to improve security operations efficiency.
Dashboard
Display attack information (such as attack trend data, attack details, attack type, and source of attack) in real time.
Reporting & Analytics
Allow organizations to export security service reports from the console, which include a security overview and attack incident analysis.
Basic Log & Incident investigation tools
Display incident logs in detail, including the attacker IP address, attacked domain name, and trigger policy.
Professional Log & Incident Investigation tools
Support Kusto Query Language (KQL) statements to retrieve logs according to actual log query requirements; provide a quick analysis of log fields to filter the fields for further analysis.
L4 & L7 DDoS Dashboard and Log Service
Provide real-time visibility into attack trends and attack types across all network and application layers.
Incident Log Download
Support incident log downloads from the console.
Security Services
Onboarding Assistance
Provide a guided onboarding experience along with an expert tuning workshop and guidance on security and performance configurations.
Professional Reporting Service
Provide security analysis reports for an organization’s website and propose ways to optimize security policies.
Vulnerability Scanning Service
Provide a vulnerability scanning service to discover cyber security weaknesses in host systems and web applications to safeguard against attacks and avoid costly data breaches.
Penetration Testing Report
Conduct a penetration testing exercise and generate a detailed report with information about vulnerabilities and weaknesses that were identified during testing, along with recommendations for remediating and mitigating the vulnerabilities found.
Platform Capabilities
Deploy History
Allow organizations to query the configuration history and related record changes.
Custom Block Page
Allow organizations to customize the page displayed to clients when an event is blocked.
Attack Alert
Notify customers by instant message or email when an attack triggers a customer-defined alarm rule.
API Access
Allow customers to configure security rules, query incident logs and search security dashboard data via APIs.
Open API Support
Provide quick API search, online API calling, troubleshooting, and documentation to enhance the customer’s programming experience.
Compliance Certifications
Comply with industry-standard security compliance certifications and regulations, including ISO/IEC 27001, SOC 2 Type II, PCI DSS 3.2, and K-ISMS.
Account IAM Control
Provide role-based account control, read-only user access, and multi-user administrative access for Identity and Access Management control.
Control Groups of Domains
Allow customers to create control groups in different domains to simplify administration of subaccounts.
WAAP provides an integrated protection model, bringing together multiple layers of security such as WAF, API security, and Bot management within a single platform. This centralized approach makes it easier for businesses to monitor and deploy protection measures for web applications and APIs.
Enhanced Application Performance and User Experience
WAAP solutions are designed to handle legitimate traffic while mitigating the impact of threats. This allows applications to maintain more stable responsiveness for end users.
Cost Savings for IT Infrastructure and Maintenance
Using WAAP on a cloud platform reduces the need for businesses to invest in separate hardware and security systems. Operation and maintenance processes are simplified, optimizing costs by eliminating the need to manage multiple separate solutions.
Enhancing Cybersecurity Management Efficiency
WAAP enables security management through a unified interface, supporting threat monitoring, configuration, and response. This reduces manual workload for IT teams and increases consistency in security management.
Ensuring Business Continuity
By minimizing risks from attacks on web applications and APIs, WAAP contributes to limiting service disruptions. This helps businesses maintain stable operations in the digital environment.
Protecting Brand Reputation
Minimizing security incidents and service disruptions can help businesses avoid negative impacts on their brand image. WAAP is considered an additional layer of protection to reduce the risk of losing trust from customers and partners.
Why choose VinaHost WAAP solution?
Unified Platform for Web Application and API Protection
Instead of the old approach of using multiple separate, overlapping products, VinaHost’s Cloud Security 2.0 platform combines AI technology with a shared threat intelligence library. This platform reorganizes security capabilities into 5 General Modules and 4 Scenario-Based Protection Modules.
This solution leverages the power of VinaHost’s global network of over 200 PoPs and 17 years of security experience, providing comprehensive protection for Web Applications and APIs.
Adaptive Protection Based on Big Data & ML
VinaHost applies big data analytics, machine learning, and threat intelligence to automatically build, recommend, and deploy security policies. This solution increases protection accuracy, reduces false positives, and optimizes operating costs.
Key Features:
Adaptive DDoS Protection: AI automatically creates DDoS protection rules when it detects attack traffic affecting the origin server.
Intelligent Analysis & Recommendation: Automatically analyzes logs, optimizes WAF policies, reduces false alarms, and supports whitelists tailored to each service model (website, API, etc.).
Advanced Bot Identification: AI behavioral models help score and effectively block sophisticated and persistent bots.
Automated API Discovery: AI detects traffic and automatically identifies active APIs.
Robust Threat Intelligence Processing & Analysis
VinaHost’s intelligence data primarily comes from its own platform, alongside third-party libraries. This data is more accurate and up-to-date than third-party libraries. By leveraging an AI engine, we continuously transform this expertise into feature engineering, association analysis, and risk classification to optimize our intelligence scoring mechanism. This is achieved by labeling and managing the risk scores of attacking IPs and applying them directly to protection, improving the accuracy and effectiveness of our website protection products.
Scenario-Based Protection
DDoS Protection: VinaHost’s WAAP protects origin against large-scale DDoS attacks (SYN, UDP, HTTP Flood…) and sophisticated attacks like Slowloris thanks to its adaptive protection mechanism.
Cloud WAF: Utilizing a Dual WAF Engine (AI + Rule), it continuously updates zero-day rules, reducing false positives and improving security accuracy.
Bot Management: Applying ML and Big Data to block malicious bots, allowing legitimate bots and providing effective defense against advanced bots.
API Protection: Automatically discovers APIs throughout their lifecycle and detects attacks in real time, preventing risks before they reach origin.
Unified Visibility
The Cloud Security 2.0 platform is a comprehensive suite of solutions that provides a holistic view of your website’s security. It offers detailed insights into the security measures being applied to your domains while keeping you updated on the latest product developments. Through a range of dashboards, it provides real-time data on DDoS attacks, blocked IPs, and website request trends, helping organizations better manage potential threats.
Professional Support Services
VinaHost is committed to providing 24/7 support with a fast response time of within 15 minutes via Livechat, Ticket, Email, and Hotline. Furthermore, the system is capable of integrating SIEM logging and supporting APIs, making infrastructure management secure and efficient.
VinaHost's Security Implementation Experience
VinaHost possesses over 17 years of experience in implementing security solutions for businesses in Vietnam and internationally, ensuring system security, service stability, and compliance with global security standards.
3,336,701,369
Average daily number of cyberattack mitigations
90%
More than 90% of WAF domains are in block mode
34.7M RPS
L7 DDoS Mitigation Peak Record
2.09Tbps
L3/4 DDoS Mitigation Peak Volume Record
According to Cloudflare’s 2025 Q4 DDoS Threat Report, the scale of global DDoS attacks reached a new record high of 31.4 Tbps in November 2025. The number of DDoS attacks increased by 121% compared to 2024, totaling over 47.1 million attacks (more than double).
1 Billion+
Threat Intelligence Data Scale
100+ Security Experts
Ensure business stability and security
Certifications achieved by VinaHost's WAAP solution
ISO/IEC 27001:2013
VinaHost’s WAAP meets international standards for information security management systems, ensuring it fulfills stringent requirements for security, risk management, and data protection.
PCI DSS (Payment Card Industry Data Security Standard)
Security certification for payment card processing environments helps businesses protect card data and meet security requirements for electronic transactions.
ISMS (Information Security Management System)
We affirm that our information security management system is built, operated, and controlled according to strict procedures, ensuring the continuity and security of the system.
SOC 2
Certification assesses the reliability of a system based on criteria such as security, availability, processing integrity, and customer data protection.
What do customers say about VinaHost's WAAP solution?
VinaHost’s WAAP – Web Application and API Protection solution helped us upgrade our cloud security 2.0 with DDoS attack protection and a stable Web Application Firewall (WAF). The system detects and blocks attacks early and effectively without affecting the user experience.
Nguyen Minh Tuan, Chief IT Officer (CTO)
VinaHost’s Cloud WAAP provides a multi-layered security solution for web application security and API security. Intelligent WAF features and real-time anomaly detection significantly reduce the risk of vulnerability exploitation.
Tran Hoang Nam, Head of Information Security
We chose VinaHost’s WAAP for our web application and API protection solution because of its automation and flexible scalability on the cloud. The WAF combined with DDoS protection ensures the system is always ready for large-scale attacks.
Le Thu Ha, IT Manager
WAAP effectively meets the API Security needs in our microservices environment. The Web Application and API Protection mechanisms, along with behavioral analysis, help detect bots and sophisticated attacks more accurately.
Pham Quang Huy, Head of Engineering
After deploying Cloud WAAP, system stability has significantly improved thanks to the multi-layered security solution. The web application firewall (WAF) and DDoS attack protection are working effectively, significantly reducing downtime.
Do Ngoc Anh, CEO
VinaHost’s WAAP is a comprehensive web application security platform for modern businesses. The combination of WAF, API security, and cloud security 2.0 helps us proactively defend against new threats.
WAAP is a comprehensive security solution that protects web applications and APIs against modern threats such as DDoS attacks, exploits, malicious bots, and API risks, based on Cloud Security 2.0.
WAF focuses on protecting web applications, while WAAP is more extensive with API security, bot management, multi-layered DDoS protection, and intelligent behavioral analysis, suitable for cloud and microservices systems.
WAAP costs are calculated based on traffic volume, number of applications/APIs, level of protection, and deployed features (WAF, API Security, DDoS, Bot Management, etc.).
Businesses should choose reputable providers like VinaHost, which has a strong cloud infrastructure, a team of security experts, and deployment experience in Vietnam and internationally.
You can try VinaHost’s WAAP solution. However, the trial depends on the target audience and the legal requirements of the business (not applicable to individuals). Please contact us for detailed advice.
Yes. The Bot Management feature allows for the identification and blocking of malicious bots while still allowing legitimate bots, such as search engines, to function normally.