
Comparing AWS GuardDuty, AWS WAF and open-appsec WAF

Various security solutions are available to protect your web applications, data, and resources on the internet. Two popular offerings from Amazon are AWS WAF and AWS GuardDuty, while the open-appsec WAF is another option to consider.

In this article, we will compare these three solutions, exploring their features, capabilities, and differences to help you choose the solution best suited to your organization’s needs.

Whether you are looking for advanced protection against malicious bots and threats or need a way to monitor your network for security issues, read on to find the best solution between AWS WAF, AWS GuardDuty, and open-appsec WAF.

Comparing AWS GuardDuty, AWS WAF, and open-appsec WAF


Machine-learning app security approach

  • AWS GuardDuty: Uses machine learning to monitor your network and fish out malicious activities
  • AWS WAF: Not Available
  • open-appsec WAF: Uses machine learning models to ensure the security of your web application and Web API against known and unknown vulnerabilities

WAF community and customer service

  • AWS GuardDuty: Has a large community and readily available resources
  • AWS WAF: Has a large community of users
  • open-appsec WAF: Has a medium-sized community, so you won't have to wait long for an expert to reply to your inquiry and provide help for any challenges you may experience while using the platform

Zero-day detection

  • AWS GuardDuty: Doesn’t have an effective feature to protect your web application against zero-day attacks
  • AWS WAF: Doesn't effectively detect zero-day attacks
  • open-appsec WAF: Uses machine learning models and threat prevention techniques to identify zero-day attacks

False positives

  • AWS GuardDuty: Few false positives
  • AWS WAF: Sometimes detects false positives
  • open-appsec WAF: Sparsely spaced cases of false positives

Web latency

  • AWS GuardDuty: Doesn’t increase web latency
  • AWS WAF: Few cases of increased web latency
  • open-appsec WAF: No instances of increased web latency

Malicious bot prevention

  • AWS GuardDuty: Detects malicious bot attacks and offers suggestions on how to mitigate them
  • AWS WAF: Offers a rule group filled with single and combined malicious bot attributes to help protect your web app against malicious bot attacks
  • open-appsec WAF: Uses machine learning models to identify malicious bots by comparing incoming requests against characteristics of known malicious bots and normal user behavior

Free version

  • AWS GuardDuty: Offers a free 30-day trial
  • AWS WAF: Offers a 14-30 day free trial depending on the specific offer and region in which you sign up
  • open-appsec WAF: Offers a free version and also has a paid premium version

Pricing

  • AWS GuardDuty: Pricing is based on the volume of the analyzed service log and the data it scans, and you have to pay separately if you want to use its Bot Control feature
  • AWS WAF: Cost is determined by the volume of web requests and the number of rules applied
  • open-appsec WAF: Free to use, and you only need to pay for its premium edition depending on the volume of HTTP(S) requests it scans

Open source

  • AWS GuardDuty: Not open-source
  • AWS WAF: Not open-source
  • open-appsec WAF: It is open-source, and a third party has independently verified its source code

Maintenance complexity

  • AWS GuardDuty: No complex system maintenance due to the absence of rules
  • AWS WAF: Has a complex system maintenance procedure because of its rules and exceptions
  • open-appsec WAF: Offers a simplified system maintenance procedure as it does not rely on threat signatures, rules, and exceptions to secure your web application

Type of system configuration used

  • AWS GuardDuty: Not Available
  • AWS WAF: Not Available
  • open-appsec WAF: Declarative configuration and WebUI (SaaS)

Intrusion prevention system used

  • AWS GuardDuty: Not Available
  • AWS WAF: Not Available
  • open-appsec WAF: Snort 3.0 engine

Similarities Between AWS GuardDuty, AWS WAF, and open-appsec WAF

Here are four similarities between AWS WAF, AWS GuardDuty, and open-appsec WAF.

  1. All three platforms can be deployed in the cloud.

  2. All three platforms are designed to protect against cyber threats, including web-based attacks, malware, and other malicious traffic.

  3. All three platforms provide real-time protection, helping to ensure that your applications are protected against threats as soon as they arise.

  4. All three platforms integrate with other security tools to provide a comprehensive security solution for your web applications.

AWS GuardDuty Review

AWS GuardDuty is a threat detection service that, when subscribed to, monitors all the activities in your AWS accounts, alerts you if it notices suspicious behavior, and terminates all potential threats. It uses machine learning, anomaly detection, and malicious file discovery to monitor your network and fish out malicious activities. AWS GuardDuty works for all Amazon Web Services, including the Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Aurora databases (Preview), container applications, etc.

Here’s how AWS GuardDuty works:

  • Step 1: It monitors the activities in your AWS accounts and identifies suspicious activity.

  • Step 2: It analyzes the security risk of suspicious activity.

  • Step 3: It gives you the context in which the said activity was invoked.

  • Step 4: It waits for signals from a responder (this could be set to deploy automatically, or you can attend to it manually) to know if it should continue with its investigation.

  • Step 5: If it's given permission to investigate the activity further and is connected with Amazon Detective, it performs deeper forensic analysis of the activity's origin, cause, and intent.

  • Step 6: It triggers integration with all other AWS services and leading third-party application protection services to terminate the identified suspicious activity.
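
A responder of the kind step 4 describes, as an added example that is not AWS or open-appsec code: it takes a GuardDuty finding delivered through EventBridge, maps the numeric severity to GuardDuty's documented bands, and chooses between automatic and manual handling. The sample event is constructed, and the routing policy and action names are assumptions.

```python
import json

# Constructed sample: a GuardDuty finding as EventBridge delivers it,
# trimmed to the fields used below. All values are made up.
SAMPLE_EVENT = json.loads("""{
  "source": "aws.guardduty",
  "detail-type": "GuardDuty Finding",
  "detail": {
    "id": "example-finding-id", "accountId": "111122223333",
    "region": "us-east-1", "severity": 8.0,
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}
  }
}""")

# Assumed policy for step 4: bands the responder handles without a human.
AUTO_RESPOND = {"High", "Critical"}

def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def triage(event):
    """Return the context (step 3) and the chosen response (step 4)."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    resource = detail.get("resource", {})
    instance = resource.get("instanceDetails", {}).get("instanceId")
    if label not in AUTO_RESPOND:
        action = "queue-for-review"      # manual handling
    elif instance:
        action = "isolate-instance"      # hypothetical automated containment
    else:
        action = "page-on-call"          # no safe automatic step for this resource
    return {"finding_id": detail["id"], "type": detail["type"],
            "severity": label, "account": detail["accountId"],
            "resource": instance or resource.get("resourceType", "Unknown"),
            "action": action}
```
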

Features of AWS GuardDuty

Listed below are some of the features offered by AWS GuardDuty.

  1. Account Level and Cloud-Optimized Threat Detection

  2. Classifies Threat Severity Levels

  3. Easy Deployments on Single and Multiple Accounts

  4. Threat Response and Mediation Automation

Pros and Cons of AWS GuardDuty



Pros:

  • It effectively and continuously monitors all activities in your AWS account.

  • It can monitor multiple AWS accounts simultaneously.

  • It doesn’t affect your system’s performance or workload.

  • It provides detailed and actionable security to help you mitigate attacks.

Cons:

  • Although it provides holistic network and application security, it is not a standalone solution. It must be integrated with other AWS services to perform at its peak.

  • It relies on other AWS services to provide its best performance.

  • Since it is rule-based, it doesn’t protect an application from new attacks that don’t violate the set rules or come with unknown patterns.

AWS WAF Review

AWS WAF is a security service that monitors all incoming and outgoing traffic and compares it against a set of rules and web ACLs to detect and block malicious attacks. It is a cloud-based WAF that effectively protects all AWS-hosted applications and services against common web attacks.

It offers managed rules that are predefined to detect suspicious activity traits before they compromise your web application. It also offers a set of customized rules that offers advanced protection against attacks that frequently attempt to access your web app. With the AWS WAF, you can protect other Amazon Web Services like the following:

  • Amazon CloudFront Distribution

  • Amazon API Gateway


  • Application Load Balancer

  • AWS AppSync GraphQL API

  • Amazon Cognito User Pool

  • AWS App Runner service

  • AWS Verified Access instance

Features of AWS WAF

  • Real-Time Visibility: While monitoring incoming and outgoing requests, the AWS WAF provides detailed insights into the characteristics of these requests. It provides data on a request's IP address, user agents, country of origin, etc. These insights give you an idea of the activities going on in your web app and help you curate proper traffic patterns and user behavior for your application.

  • Malicious Bot Control and Prevention: Due to the tricky nature of new malicious bots, the AWS WAF offers a rule group filled with single and combined malicious bot attributes. This rule group also includes managed rules and customized rules, which, when enabled and configured, protect your web application against the evasion of malicious bots. It is important to note that this Bot Control feature is paid for separately.

Other features of the AWS WAF include:

  • Rules and Web ACLs

  • Account Takeover Prevention

  • Fraud Control

  • Full-Feature API Protection

  • Bot Control

Pros and Cons of the AWS WAF



Pros:

  • It easily integrates with other Amazon Web Services.

  • It offers flexible and tailored web application security due to the presence of managed and custom rules.

  • It is easy to deploy.

  • It doesn't increase web latency.

Cons:

  • It takes time for newly created rules to become active.

  • Its Bot Control feature is not available for free and has to be paid for separately.

open-appsec WAF Review

Are you looking for a way to block attacks on your web application before they happen? Look no further: open-appsec uses machine learning to continuously detect and preemptively block threats before they can do any damage. Its code has also been published on GitHub, and the effectiveness of its WAF has been successfully proven in numerous tests by third parties.

open-appsec WAF uses two machine learning models to protect web applications against known and unknown web attacks. These models analyze web traffic and identify malicious behavior in real-time, providing a highly effective defense against attacks.

The first model is a supervised offline machine-learning model, which uses data from millions of legitimate and malicious requests to identify known web attacks. This model is trained on a large dataset of web traffic and attack data, allowing it to accurately identify known attacks and block them before they can cause harm.

The second model, an unsupervised machine learning model, uses statistical analysis and anomaly detection techniques to identify unknown web attacks. This model is trained to reduce the chances of false positives to the barest minimum. It does this by comparing suspicious requests against your app's user behavior and structure, allowing it to identify any deviation from normal behavior as potentially malicious.

Together, these two models provide a comprehensive defense against web attacks. Additionally, the models are designed to work together, sharing information and learning from each other over time to improve their prediction accuracy continually.

In addition to the machine learning models, the open-appsec WAF also includes several other security features, such as rate limiting, IP blocking, and intrusion prevention, to provide additional protection against web attacks.

Features of open-appsec WAF

  1. Machine Learning-Based Attack Detection: As mentioned earlier, open-appsec WAF uses two machine learning models to detect and prevent web attacks in real-time. This provides a highly effective defense against both known and unknown threats.

  2. Real-Time Protection: open-appsec WAF analyzes web traffic in real-time, providing a continuous and proactive defense against web attacks. This helps to prevent data loss and minimize the risk of downtime caused by malicious activity.

  3. IP Blocking and Rate Limiting: open-appsec WAF includes IP blocking and rate-limiting features to provide an additional layer of security against web attacks. IP blocking allows administrators to block traffic from specific IP addresses, while rate limiting helps to prevent DDoS attacks by limiting the rate of incoming traffic.

Pros and Cons of open-appsec WAF



Pros:

  • It uses machine-learning models to provide advanced web app protection against known and unknown threats.

  • It monitors web traffic in real-time.

  • It doesn’t increase web latency.

  • It is open-source.

  • It is easy to set up and configure.

Cons:

  • As a fairly new solution, it still has a rather small community of users.

In Conclusion

The choice between these technologies depends on your web app’s specific security needs and requirements. For instance, where AWS WAF protects web apps against a wide range of web attacks using rule-based policies and signatures, the open-appsec WAF and AWS GuardDuty both use machine learning to provide security services.

Despite this common security approach, AWS GuardDuty provides a more generic security solution to all AWS resources. On the other hand, the open-appsec WAF provides security services specifically to web applications.

Try open-appsec in the Playground today.

Frequently Asked Questions

What is the difference between Amazon Detective and GuardDuty?

Amazon GuardDuty is designed to detect and prevent malicious activity in real-time, while Amazon Detective is focused on helping you investigate security incidents and understand the root cause of security issues.

What is the difference between CloudTrail and GuardDuty?

Amazon CloudTrail helps you monitor and understand the activity in your AWS environment, track changes to your AWS resources, and ensure compliance with security and operational best practices. On the other hand, AWS GuardDuty is a threat detection service that monitors all the activities in your AWS accounts, alerts you if it notices suspicious behavior, and terminates all potential threats.

Is AWS GuardDuty an antivirus?

No, AWS GuardDuty is not an antivirus. Instead, it is a threat detection service that uses machine learning and other technologies to identify potential security threats to your AWS infrastructure and workloads.

What is the difference between WAF and a load balancer?

A WAF (Web Application Firewall) is a security solution that protects web applications from various security threats. It operates at the application layer, analyzing incoming web traffic and blocking any traffic that matches known security threats or violates defined security policies.

On the other hand, a load balancer is a network service that distributes incoming traffic across multiple servers. It ensures that no single server becomes overwhelmed with traffic, improving the overall reliability and performance of a web application. Load balancers can operate at different network stack layers, including the application layer, transport layer, and network layer.

