Ergon Informatik
Airlock WAF test
Web Application Firewall · Category 6. Network Security · Tier 2
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE)
Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed
⚡ Executive Summary · 30 seconds
What it is
Enterprise web application firewall and API gateway combining reverse proxy architecture with deep traffic inspection. Airlock WAF protects web applications and APIs against OWASP Top 10 attacks, zero-day exploits, and bot traffic while providing centralized identity and access management integration.
Best for
OWASP Top 10 runtime protection (PCI DSS Req. 6.4), PCI DSS Req. 1.3/6.6 (network segmentation & WAF), DORA Art. 9 (ICT systems protection). Ideal for enterprises with customer-facing web applications and APIs requiring inline traffic protection and regulatory compliance.
What it does NOT do
No source code analysis (SAST/DAST), no endpoint detection, no email security, no SIEM functionality, no vulnerability scanning, no data masking. Not an application security testing tool — provides runtime protection, not vulnerability discovery.
CL Recommendation
Airlock WAF is a Swiss-engineered enterprise WAF with strong reverse proxy architecture and integrated API gateway. Critical for PCI DSS 6.6, DORA Art. 9, and NIS2 Art. 21 compliance. Combine with SAST/DAST (Cat. 9), SIEM (Cat. 12), and DDoS protection for complete web application defense. Trusted by European banks and government institutions.
⚖ Regulatory Fit · Per regulation verdict
| Regulation | Coverage | Verdict |
|---|---|---|
| PCI DSS v4.0 | ~20% of requirements | ✔ Strong — Req. 1.3, 6.4, 6.6 (WAF & network segmentation) |
| DORA | ~17% of obligations | ✔ Strong — Art. 9 protection of ICT systems, Art. 10 detection |
| NIS2 | ~15% of Art. 21 | ● Moderate — Art. 21(2)(b) incident handling, (c) business continuity |
| GDPR | ~9% of articles | ● Moderate — Art. 32 (security of processing), Art. 25 (DPbD) |
| HIPAA | ~5% of provisions | △ Supporting only — §164.312(e) transmission security |
| CCPA/CPRA | ~8% of provisions | ● Moderate — Sec. 1798.150 reasonable security measures |
Detailed regulatory mapping (OLIR format)
PCI DSS v4.0 (PROPRIETARY)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Req. 6.4.1 | Public-facing web app attack protection | Equivalent | SC-7 / PR.DS-01 | Syntactic |
| Req. 6.4.2 | Automated WAF for public web apps | Equivalent | SC-7 / PR.DS-01 | Syntactic |
| Req. 1.3.1 | Inbound traffic restriction to DMZ | Direct | SC-7 / PR.AC-05 | Functional |
| Req. 11.6.1 | Detect unauthorized changes to HTTP headers | Contributing | SI-7 / DE.CM-09 | Semantic |
DORA (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 9(1) | Protection of ICT systems and tools | Direct | SC-7 / PR.DS-01 | Functional |
| Art. 9(2) | Network security management | Direct | SC-7 / PR.AC-05 | Functional |
| Art. 10(1) | Detection of anomalous activities | Contributing | SI-4 / DE.CM-01 | Semantic |
| Art. 11(1) | ICT incident response and recovery | Contributing | IR-4 / RS.RP-01 | Semantic |
NIS2 (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 21(2)(b) | Incident handling | Contributing | IR-4 / RS.RP-01 | Semantic |
| Art. 21(2)(c) | Business continuity and crisis management | Contributing | CP-2 / PR.IP-09 | Semantic |
| Art. 21(2)(a) | Risk analysis and information system security | Direct | SC-7 / PR.AC-05 | Functional |
Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.
🎯 Buyer Guidance · Decision support
✔ Consider When
- PCI DSS Req. 6.4/6.6 web application firewall compliance required
- Customer-facing web applications and APIs need runtime protection
- European regulatory requirements (DORA, NIS2, GDPR) are primary drivers
- Centralized reverse proxy architecture needed for web traffic management
- Need combined WAF and API gateway in a single solution
- Swiss data residency or European sovereignty requirements apply
❌ Avoid When
- Need application security testing (SAST/DAST) — Airlock is runtime protection only
- Cloud-native microservices with service mesh already in place
- Looking for CDN-integrated WAF (Cloudflare, AWS CloudFront model)
- Small-scale deployment with fewer than 5 web applications
- Need built-in DDoS protection at network layer (L3/L4)
- Budget-constrained — enterprise appliance pricing model
⚙ Capabilities · 20 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers
WAF Core Protection (5 ✓ · 0 ● · 0 ✗)
✓ OWASP Top 10 protection
SQL injection, XSS, CSRF, SSRF, and all OWASP Top 10 attack categories
Specific Obl. · Out-of-Box
✓ Bot detection and mitigation
Automated bot traffic identification and blocking
Control Family · Config Change
✓ Virtual patching
Temporary protection for known CVEs without application changes
Specific Obl. · Config Change
✓ SSL/TLS termination and inspection
Full HTTPS decryption, inspection, and re-encryption
Control Family · Out-of-Box
✓ Custom WAF rules
User-defined rule sets for application-specific protection
Control Family · Config Change
API Gateway (4 ✓ · 1 ● · 0 ✗)
✓ API traffic management
Rate limiting, throttling, and quota enforcement for APIs
Specific Obl. · Config Change
✓ OpenAPI/Swagger validation
Schema-based request validation against API specification
Specific Obl. · Config Change
✓ JSON/XML payload inspection
Deep content inspection for injection and oversized payloads
Specific Obl. · Out-of-Box
● GraphQL protection
Query depth limiting and introspection control
Control Family · Config Change
✓ API versioning and routing
Centralized API lifecycle management and traffic routing
Generic Control · Config Change
Identity & Access (5 ✓ · 0 ● · 0 ✗)
✓ SSO integration (SAML, OIDC)
Centralized authentication via SAML 2.0 and OpenID Connect
Control Family · Config Change
✓ Multi-factor authentication enforcement
MFA step-up enforcement at the WAF layer
Control Family · Config Change
✓ Session management
Centralized session handling, timeout, and cookie protection
Specific Obl. · Out-of-Box
✓ OAuth 2.0 token validation
Token introspection and JWT validation at gateway level
Control Family · Config Change
✓ IP reputation and geo-blocking
Block traffic from known malicious IPs and restricted geographies
Generic Control · Config Change
Monitoring & Compliance (4 ✓ · 1 ● · 0 ✗)
✓ Real-time attack dashboard
Live visualization of blocked attacks and threat trends
Generic Control · Out-of-Box
✓ SIEM integration (syslog, CEF)
Forward security events to Splunk, QRadar, Elastic
Control Family · Config Change
✓ PCI DSS compliance reporting
Pre-built WAF compliance evidence for Req. 6.4/6.6
Specific Obl. · Out-of-Box
✓ Audit logging
Full request/response logging for forensic analysis
Specific Obl. · Out-of-Box
● Automated threat intelligence feeds
Integration with external threat intelligence for rule updates
Control Family · Config Change
🛡 MITRE ATT&CK Mapping · Layer 4 — Derived via SP 800-53
| Mitigation | Name | Coverage |
|---|---|---|
| M1050 | Exploit Protection | Full (claimed) |
| M1031 | Network Intrusion Prevention | Full (claimed) |
| M1037 | Filter Network Traffic | Full (claimed) |
| M1035 | Limit Access to Resource Over Network | Full (claimed) |
| M1016 | Vulnerability Scanning | Partial (claimed) |
Score: 4.0 / 5.0 (80%) — All vendor-claimed. Techniques addressed: T1190, T1189, T1071, T1595, T1499 (web exploitation & network family).
ATT&CK techniques detail
| Technique | Name | How Addressed | Provenance |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | WAF rules block known exploit patterns and zero-day attack signatures in real time | DERIVED via M1050 |
| T1189 | Drive-by Compromise | Content inspection and script injection prevention via response filtering | DERIVED via M1031 |
| T1071 | Application Layer Protocol | Deep HTTP/HTTPS inspection blocks malicious application-layer traffic | DERIVED via M1037 |
| T1499 | Endpoint Denial of Service | Rate limiting and bot mitigation prevent application-layer DoS attacks | DERIVED via M1035 |
📄 Evidence Pack · DR-2 §5.1 — Proof of value
✔ WAF block/allow logs
Detailed request logs with rule match information. Exportable via syslog/CEF.
✔ PCI DSS 6.4/6.6 compliance report
Pre-built WAF compliance evidence for PCI auditors.
✔ Attack trend dashboards
Real-time and historical attack visualization. Screenshot/PDF export.
✔ SSL/TLS configuration report
Cipher suite and certificate management evidence.
⚠ Third-party penetration test
Independent validation of WAF effectiveness against OWASP Top 10.
⚠ Threat intelligence integration evidence
Feed subscription and rule update documentation.
Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).
⏱ Operational Metrics & Anti-Hype · DR-2 §5.1 + §9.2
| Metric | Airlock Gateway (Single App) | Airlock Enterprise (Multi-App) | Airlock Suite (WAF + IAM + API) |
|---|---|---|---|
| Implementation | 1-2 weeks | 4-8 weeks | 8-16 weeks |
| FTE Required | 0.25 FTE | 0.5-1 FTE | 1-2 FTE |
| Time to first value | Day 1-3, all tiers (first web application protected behind WAF reverse proxy) | | |
| Time to production | Month 1-3, all tiers (all applications onboarded, WAF rules tuned, false positives minimized) | | |
Anti-Hype: Marketing vs. Reality
| Marketing claim | Reality | Verdict |
|---|---|---|
| Swiss-engineered security | Accurate. Developed and operated from Switzerland (Zurich). Relevant for European data sovereignty requirements. | Verified |
| Zero-day protection out of the box | Positive security model provides some zero-day coverage, but advanced evasion techniques may bypass default rules. Requires ongoing tuning. | Partial |
| Complete API security platform | Strong API gateway with rate limiting and schema validation, but lacks API discovery and API-specific vulnerability testing (not a DAST tool). | Partial |
| No performance impact on applications | Inline WAF adds 1-5ms latency in optimal conditions. Complex rule sets and deep content inspection can add more. Requires performance tuning. | Misleading |
| Integrated identity and access management | Airlock IAM is a separate product that integrates well with WAF. Not included in the WAF license — requires additional licensing. | Partial |
⚖ Strengths & Cautions
✔ Strengths
- Swiss-engineered with European data sovereignty compliance
- Combined WAF and API gateway in unified reverse proxy architecture
- Strong PCI DSS Req. 6.4/6.6 compliance coverage
- Deep OWASP Top 10 protection with positive security model
- Integrated SSO/OIDC/SAML authentication enforcement at WAF layer
- Mature enterprise platform trusted by European banks and government
- Virtual patching for rapid CVE mitigation without application changes
⚠ Cautions
- European/Swiss market focus — less North American presence and support
- Enterprise appliance pricing — no consumption-based or cloud-native model
- No built-in DDoS protection at network layer (L3/L4)
- Limited cloud-native deployment options (primarily on-prem/VM)
- API discovery capabilities require third-party tooling
- Initial WAF rule tuning requires security expertise to minimize false positives
- All capabilities VENDOR-CLAIMED (no CL independent testing)
📈 Competitive Positioning · Category 6 — Network Security
| Capability | Airlock WAF test | F5 BIG-IP | Cloudflare WAF | AWS WAF |
|---|---|---|---|---|
| WAF Protection | ✔ | ✔ | ✔ | ✔ |
| API Gateway | ✔ | ✔ | ● | ● |
| Reverse Proxy | ✔ | ✔ | ✔ | ✗ |
| Bot Management | ✔ | ✔ | ✔ | ✔ |
| On-prem Deployment | ✔ | ✔ | ✗ | ✗ |
| Cloud-native | ● | ✔ | ✔ | ✔ |
| Pricing Model | Enterprise license | Enterprise license | Pay-per-use | Pay-per-use |
Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.
📑 Framework Views · Hub: CSF 2.0 + 800-53r5 + ISO 27001
NIST SP 800-53 Rev 5
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| SC-7 | Boundary Protection | direct | DERIVED via PCI DSS 6.4 |
| SI-4 | System Monitoring | direct | DERIVED via DORA Art. 10 |
| AC-4 | Information Flow Enforcement | direct | DERIVED via PCI DSS 1.3 |
| IR-4 | Incident Handling | contributing | CL-ORIGINAL |
| SC-8 | Transmission Confidentiality & Integrity | direct | DERIVED via PCI DSS 4.1 |
| AU-3 | Content of Audit Records | contributing | CL-ORIGINAL |
NIST CSF 2.0
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| PROTECT | PR.DS-01 Data-at-rest and data-in-transit protection | direct | DERIVED via SC-7 |
| PROTECT | PR.AC-05 Network integrity protection | direct | DERIVED via SC-7 |
| DETECT | DE.CM-01 Network monitoring | direct | DERIVED via SI-4 |
| RESPOND | RS.RP-01 Incident response execution | contributing | CL-ORIGINAL |
ISO 27001:2022 Annex A
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| A.8.20 | Network security | direct | DERIVED via NIS2-ISO |
| A.8.21 | Security of network services | direct | DERIVED via DORA-ISO |
| A.8.22 | Segregation of networks | contributing | DERIVED via PCI-ISO |
| A.8.16 | Monitoring activities | contributing | CL-ORIGINAL |
| A.8.24 | Use of cryptography | direct | DERIVED via PCI-ISO |
Vendor Security Practices (SSDF / CRA)
| SSDF ID | Practice | Status |
|---|---|---|
| PW.1 | Risk-based secure design | Claimed |
| RV.2 | Timely vulnerability remediation | Claimed |
| PO.5 | Secure development environment | Claimed |
| PS.3 | SBOM available | Not stated |
| RV.1 | Vulnerability disclosure program | Claimed |
| PS.2 | Code signing | Claimed |
Compliance Labs · Software Listing v3.5 · OLIR Schema
Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026