Sold by: Barracuda Networks
Application Protection Advanced is a cloud native WAF that secures apps and APIs against the OWASP Top 10, DDoS, Zero day attacks, and more, with 1 touch deployment for complete protection control.
4.3
Overview
Barracuda Application Protection Advanced is a cloud-native WAF that enables anyone to protect their web applications and JSON APIs against the OWASP Top 10, DDoS, zero-day attacks, and more in just minutes. Barracuda's enterprise proven security can be configured with zero expertise via a simple 3 step configuration wizard. More advanced users can maintain complete control over fine tuning specific policies with an intuitive component-based structure and vast library of specific components including cookie tampering, response clocking, clickjacking protection, and more, that can be added or removed in just a single click. Fully featured REST API and automated vulnerability remediation built in enables near endless automation options for DevOps and SecOps teams alike.
AWS customers, or even organizations who are considering AWS, can take advantage of AWS Private Offers https://www.barracuda.com/solutions/aws/private-offer to receive a specialized price quotation from Barracuda, allowing you to negotiate terms, conditions, even discounts, either directly or through your trusted partner.
Highlights
- Barracuda Vulnerability Remediation Service is built in and provides automatic vulnerability detection and remediation which can be scheduled, ensuring ongoing protection without any administrative overhead.
- Cloud-native, and runs in over 60 PoPs worldwide, enabling you to establish protection where your applications and APIs live, allowing you to gain comprehensive protection without introducing any application latency.
- Includes unmetered DDoS protection to defend against the full spectrum of L3-L7 DDoS attacks ensuring the availability of your web apps.
Details
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/month |
|---|---|---|
AppProtectAdvanced | Application Protection, Advanced, First Application | $620.00 |
Dimension | Cost/unit |
|---|---|
Each Additional Application - Advanced (per hour) | $0.17 |
Vendor refund policy
Please see Barracuda's website.
Custom pricing options
Request a private offer to receive a custom quote.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Barracuda's award-winning technical support is available 24x7 worldwide.
Support Phone Numbers: North America - 408 342 5300 Europe - +44 (0) 1256 300 102 Australia - +612 8019 7254 China - +86 400 720 8200 Japan - +81 3 5436 6236 India - +91 804 904 8600 Germany, Austria, Switzerland - +43 (0) 508 100 800 Support Website:https://www.barracuda.com/support Support Email: support@barracuda.com
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
Barracuda CloudGen Firewall for AWS provides SD-WAN to AWS and security to your public cloud deployments. Connect remote VPCs, datacentres, offices and mobile workers while providing user and app-aware segmentation with strong access controls and full visibility of your network traffic.
The Barracuda CloudGen WAF provides proven application security and data loss prevention for your applications on AWS
Application Protection Premium is a cloud native WAF that secures apps and APIs against the OWASP Top 10, DDoS, Zero day attacks, along with ML based API protection and Bot protection.
The Barracuda CloudGen WAF provides proven application security and data loss prevention for your applications on AWS. The Barracuda CloudGen WAF has achieved AWS Security competency certification and is available via metered usage-based billing.
Customer reviews
LokeshKumar4
Unified security has strengthened traffic control and has reduced attacks across all layers
Reviewed on Apr 23, 2026
Review provided by PeerSpot
What is our primary use case?
My main use case for Barracuda Application Protection involves using seven-layer protections such as application protections, URL filtering, web filtering, traffic filtering, DDoS, and rate limit authentications, along with SSL certificate authentications. For web-based applications, we enabled only the URL filtering.
We recently set up high availability with Barracuda Application Protection by integrating two Barracuda products, a physical box, in an active-passive setup, integrating dual ISP internet connections, and enabling applications along with URL filtering and security policies. That is the main use case.
I provide examples of how we enable URL filtering based on customer requirements, where they want to block some specific sites and open some specific sites that we have enabled, so blocking and enabling applications with it.
How has it helped my organization?
Barracuda Application Protection has positively impacted my organization by managing traffic well. It enhances access security, operational efficiency, and user experience, leading to customer satisfaction. Operational satisfaction and operational efficiency are also improved from a security perspective. It is the one box where we can implement malware protection and block malware, which is a main concern these days.
What is most valuable?
What I understand about Barracuda Application Protection is that it is a single product and single device where we can get all layers of protections, including seven layers, Layer 3, Layer 4, and Layer 7 as well. With one single box, we can get all features, which is excellent. Based on the license, we have enabled DDoS as well. All of the features are very good, and it is good to go.
Among all those features, I found Layer 3 and Layer 4 DDoS and network flooding to be especially helpful as we enabled protections to monitor and manage network bandwidth by preventing attack types such as SYN flood, UDP flood, and ICMP floods. We also enable protections with SYN cookies and real-time protections that are good with this product.
What needs improvement?
Additionally, I can say that deeper API security features such as automation, API discovery, scheme validations, and improved protections for modern environments are needed. The integration flexibility with SIEM products and automation tools could enhance analytic and monitoring incident response workflows.
I believe automation should be incorporated within the product as it is essential in this AI era. There should be capabilities that allow for providing topologies, protocols, interface IPs, and details in a simple diagram to gather and integrate information as per requirements without any physical or personnel intervention. Zero-touch provisioning and improved AI capability should be enhanced so someone unfamiliar with Barracuda Application Protection can still configure with ease.
For how long have I used the solution?
I have used this product very rarely, but definitely one or twice lead project we implemented with Barracuda
What do I think about the stability of the solution?
Barracuda Application Protection is stable, and we are using it without any impacts for seven months.
What do I think about the scalability of the solution?
Barracuda Application Protection has good scalability, and the environment easily adapts to it.
How are customer service and support?
I have interacted with customer support once, and they immediately responded to my email and provided remote assistance to us in a very quick time, resolving the issues efficiently.
Which solution did I use previously and why did I switch?
I implemented Barracuda Application Protection according to our project requirement, switching from high-cost solutions such as Palo Alto and Cisco ASA , which have similar capabilities but are more expensive compared to Barracuda Application Protection.
How was the initial setup?
I do not have specific return on investment metrics to share at this time as I am a technical person and focus on the technical aspects of Barracuda Application Protection, which I can recommend as a good product for future use.
What about the implementation team?
Our company has a partner relationship with this vendor.
What was our ROI?
I do not have specific return on investment metrics to share at this time as I am a technical person and focus on the technical aspects of Barracuda Application Protection, which I can recommend as a good product for future use.
What's my experience with pricing, setup cost, and licensing?
Cost saving is one of the major points observed since this product is less costly compared to others. We observed several measurement improvements after implementing Barracuda Application Protection, where traffic reduced security alerts by approximately 40 to 43 percent. The availability and response times also improved, making it cost-effective and user-friendly.
My experience with pricing, setup cost, and licensing of Barracuda Application Protection is good, although my team does not manage costing. A different procurement team handles that, but overall my experience with licensing and pricing is good.
Which other solutions did I evaluate?
We evaluated other options such as FortiGate and Palo Alto, but based on specific requirements from the client side, we decided to go with Barracuda Application Protection.
What other advice do I have?
I would consider my overall experience to be limited, but I am happy to work with this product. Barracuda Application Protection is a new product for me, and I always try to learn the good opportunities it offers. The product is a strong silent shield in front while preventing bad traffic from being created, keeping applications strong with user flow and trust. I give this review a rating of ten out of ten.
Bhavesh Vora
Reliable incremental backups have simplified daily protection and rapid ransomware recovery
Reviewed on Apr 16, 2026
Review provided by PeerSpot
What is our primary use case?
Barracuda Application Protection is used primarily for end-to-end backup. The incremental backup is a day-to-day process, and it is easy to use for all the servers and the client machine. Barracuda Application Protection is used exclusively for backup purposes, which involves incremental backup in day-to-day operations and easy restoration using Barracuda backup solutions.
What is most valuable?
The best features Barracuda Application Protection offers include easy installation, incremental backup, and daily email reports.
Regarding the easy installation and daily email reports, it is easy to install, and the quick backup allows for a quick restoration for the machine and the servers, making it a fast process.
Barracuda Application Protection protects against ransomware, achieving a 67% protection rate because it is based on a Linux system, reducing the chances of encryption and providing strong ransomware protection.
Barracuda Application Protection has positively impacted my organization as it is used for multiple clients, and I am also backing up the Exchange servers, which frequently experience attacks in customer environments, allowing for quick restoration, even from yesterday or the day before yesterday.
What needs improvement?
There is nothing in Barracuda Application Protection that needs any updates, but improving ransomware protection from 67% to 100% would be beneficial.
Improving the operating system structure, firmware, and overall performance would enhance loading times for devices.
For how long have I used the solution?
Barracuda Application Protection has been used for the last three years.
What do I think about the stability of the solution?
Barracuda Application Protection is stable.
What do I think about the scalability of the solution?
The scalability of Barracuda Application Protection is good, with normal CPU, memory, and overall system utilization.
How are customer service and support?
Customer support for Barracuda Application Protection is good.
Which solution did I use previously and why did I switch?
Before Barracuda Application Protection, I had multiple solutions, and as a system integrator, I provided various options, preferring Barracuda Application Protection as it is easy to use and easy to restore, unlike some other solutions such as Synology.
What was our ROI?
A return on investment has been seen as it is not necessary to take a backup and check customer environments day-to-day. It is easy to use for simply taking a backup without needing more engineers or employees, and it is a one-time setup.
What's my experience with pricing, setup cost, and licensing?
The pricing, setup cost, and licensing for Barracuda Application Protection are not excessive. The licensing and cost are normal for the Barracuda backup appliance.
Which other solutions did I evaluate?
Other options were not evaluated before choosing Barracuda Application Protection.
What other advice do I have?
Quick restoration with Barracuda Application Protection has allowed restoration of backups multiple times, not just once. As a system integrator, I manage multiple customers' requirements for backups.
For others looking into using Barracuda Application Protection, it is easy to use. I rate Barracuda Application Protection an eight out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Vibin Thomas
Centralized protection has improved visibility and security for web applications and APIs
Reviewed on Apr 16, 2026
Review from a verified AWS customer
What is our primary use case?
My main use case of Barracuda Application Protection has been around securing internet-facing web applications and APIs, especially from common web attacks, bot traffic, and API-based threats. In my role, I mainly worked on evaluating it from a solution perspective rather than full-scale deployment. We looked at how it can protect applications against the OWASP Top 10 vulnerabilities, handle bot mitigation, and provide visibility into API traffic, which is becoming a major attack surface now. During the evaluation, we focused on how it fits into a typical enterprise environment, for example, protecting customer-facing applications such as login portals, payment gateways, and APIs. We also checked how easy it is to deploy in different models like SaaS or virtual appliance and how it integrates with existing security tools. Another key area we looked at was policy tuning and false positive handling, because in real environments, business traffic should not be impacted. So we analyzed the logging, reporting, and how effectively it identifies malicious versus legitimate traffic. Overall, the use case was to understand how Barracuda Application Protection can act as a centralized web application and API protection layer, especially for organizations looking for a combined WAF plus API security plus bot protection solution.
How has it helped my organization?
During our evaluation, Barracuda Application Protection had a positive impact mainly in terms of improved visibility and better handling of automated attack traffic. One of the key improvements we noticed was identifying and controlling bot-driven traffic, especially on sensitive endpoints like login pages. It helped reduce repeated suspicious requests and gave better control over credential stuffing scenarios through rate-limiting and bot detection. Another positive impact was around centralized visibility. Barracuda Application Protection provided clear insights into incoming traffic, attack patterns, and policy actions, which made it easier to understand what kind of threats applications are exposed to. This is very useful for both security monitoring and decision-making.
We also saw improvement in application-layer security coverage, as it was able to effectively detect and block common OWASP attacks during testing, which increases the overall confidence in protecting public-facing applications. From an operational perspective, Barracuda Application Protection simplified management by combining WAF , API protection, and bot mitigation in one place, reducing the need to handle multiple tools separately. Overall, the main outcomes were better threat visibility, improved protection against automated attacks, and a more streamlined security approach for web applications and APIs.
What is most valuable?
One of the best features of Barracuda Application Protection is its comprehensive security coverage across web applications and APIs in a single platform. Instead of just acting as a traditional WAF, it combines multiple layers of protection, which is very useful in modern environments. First, its WAF capabilities for OWASP Top 10 protection are very strong. It can effectively detect and block common attacks such as SQL injection, cross-site scripting, and other application-layer threats, which are critical for protecting public-facing applications. Another key feature is API security, which is becoming increasingly important. Barracuda Application Protection provides visibility into API traffic, helps identify abnormal behavior, shadow APIs, and misuse, which traditional WAFs struggle with.
Both the bot protection and rate-limiting capabilities are also very valuable, especially for protecting login portals and preventing automated attacks such as credential stuffing and scraping. It helps differentiate between legitimate users and malicious bots based on behavior analysis. Additionally, DDoS protection at the application layer is well-integrated, which helps in handling traffic spikes and ensuring application availability. From an operational perspective, logging, reporting, and visibility are strong points. Barracuda Application Protection provides clear insights into traffic patterns, attack types, and policy actions, which makes troubleshooting and tuning much easier. Lastly, the flexible deployment options such as SaaS, container-based, and virtual appliance make it adaptable to different enterprise environments, whether on-premises or cloud.
What needs improvement?
One area where Barracuda Application Protection can improve is in policy tuning and ease of configuration, especially for complex application and API-heavy environments. During evaluation, the initial setup was straightforward, but fine-tuning policies to avoid false positives required a deeper understanding and manual effort. Another area is advanced analytics and reporting. While Barracuda Application Protection provides good visibility, having a more intuitive dashboard, deeper insights, and easier correlation of events would help security teams in faster decision-making and threat analysis. There is also some scope for improvement in API security visibility, especially around detailed discovery and classification of APIs, as this is becoming a critical area for modern applications. Additionally, documentation and guided workflows could be enhanced to help new users quickly understand best practices for deployment and tuning, particularly for teams that are not very experienced with WAF solutions. Overall, Barracuda Application Protection is strong from a security standpoint, but improvement in usability, analytics, and API-level visibility would make it even more effective and easier to operate.
One additional area for improvement would be around integration with other security tools. While Barracuda Application Protection does support integrations, having more seamless and out-of-the-box integration with SIEM or SOAR platforms would make it easier for organizations to automate workflows and correlate security events across multiple tools. Also from a support and onboarding perspective, enhancing guided support, best practice recommendations, and faster troubleshooting assistance would further improve the overall user experience, especially for teams during the initial deployment and tuning phase. These improvements would make the solution not only strong from a security standpoint but also more effective to operate in complex enterprise environments.
For how long have I used the solution?
I have had a few months of exposure to Barracuda Application Protection, mainly during evaluation and comparison exercises as part of customer discussion and solution assessment.
How was the initial setup?
An important aspect we observed during the evaluation was around integration and tuning challenges, which are quite common with any WAF solution. From an integration perspective, connecting Barracuda Application Protection into an existing environment was relatively straightforward, especially when placing it in front of the application as a reverse proxy. However, the real effort came during the tuning phase. Since login portals and APIs are very sensitive, even small false positives can impact real users. For example, during initial testing, some legitimate login requests were flagged due to strict security policies, especially when there are unusual parameters or headers. So we had to carefully analyze the logs and fine-tune the rules to ensure balance between security and user experience. Another challenge was handling dynamic or API-based traffic where request patterns change frequently. In such cases, proper understanding of application behavior was required before enabling stricter protection.
On the positive side, Barracuda Application Protection provided good visibility through logs and reporting, which helped in identifying why traffic was blocked and made the tuning process easier. Overall, while security capabilities were strong, a key learning was that proper tuning and understanding of application traffic is critical to get the best results without impacting business operations.
What other advice do I have?
In our case, we evaluated Barracuda Application Protection primarily in a public cloud-oriented setup, as most of the applications we were assessing were internet-facing and hosted in cloud environments. However, one of the advantages we noticed is that Barracuda Application Protection supports flexible deployment models, including SaaS, virtual appliance, and container-based options. This makes it suitable not only for cloud but also for hybrid or on-premises environments, depending on the organization's architecture. From an evaluation perspective, the cloud-based deployment felt more straightforward and easier to integrate, especially for quick testing and scalability. At the same time, it is clear that the solution can adapt well to hybrid setups where some applications are still hosted on-premises.
For our evaluation, we used AWS as the cloud provider. Most of the applications we assessed were hosted in AWS , so it made sense to evaluate Barracuda Application Protection in that environment to see how well it integrates and performs in a typical cloud setup. For our evaluation, we primarily used a trial evaluation setup, so it was not a full purchase through the AWS Marketplace . The focus was more on testing the capabilities and integration within our AWS environment.
One additional improvement I noticed during the trial is around the initial onboarding and learning curve. While Barracuda Application Protection is feature-rich, new users may take some time to fully understand policy structure and best practices. More guided onboarding, templates, or pre-configured policies based on common use cases would help accelerate adoption. Another area is real-time alerting and notification. While Barracuda Application Protection provides good visibility through logs and dashboards, having more customizable and proactive alerting mechanisms would help security teams respond faster to critical events without constantly monitoring the dashboard. These are relatively small enhancements, but they would improve overall usability to make the solution more efficient for day-to-day operations.
My advice would be to clearly understand your application architecture and traffic patterns before implementing Barracuda Application Protection. This helps in getting the most value from the solution, especially when it comes to policy tuning and avoiding false positives. I would also recommend starting with a phased approach, initially deploying in monitoring mode, analyzing the traffic, and then gradually moving to blocking policies. This ensures that security is enforced without impacting legitimate users. Another important point is to focus on bot protection and API security as these are key risk areas today, especially for login portals and public-facing applications. Lastly, make sure to plan for integration with your existing security ecosystem such as SIEM or monitoring tools so that you get better visibility and centralized management. Overall, Barracuda Application Protection is a strong solution, but getting the best results depends on proper planning, tuning, and understanding your environment. I would rate this solution an overall eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
reviewer2808624
Improved SOC visibility has blocked web attacks and supports faster investigations
Reviewed on Apr 06, 2026
Review provided by PeerSpot
What is our primary use case?
I work with Barracuda Application Protection as part of SOC monitoring and web application security, which helped me to detect and block web-based attacks such as SQL injection, suspicious requests, and abnormal traffic patterns from a SOC perspective. It also provides good visibility to the web attacks and helps with faster investigation. The pattern is stable and scalable, but I think the UI and fine-tuning policies can be improved overall.
In my current company, for one of the clients which we are using, Barracuda Application Protection was mainly used to protect the web applications and monitor incoming traffic from external sources. From our SOC perspective, I work on analyzing alerts related to suspicious HTTP requests, possible SQL injection, abnormal traffic spikes, and blocking malicious IPs. Whenever the alerts were triggered, we validated whether it was a real attack or a false positive and took appropriate action accordingly.
In one scenario, we observed multiple requests from a single IP that was targeting the login for our client endpoints with unusual parameters. We suspected and started an investigation. Then we saw that Barracuda Application Protection had detected this suspicious behavior and blocked the IP already. On the SOC side, what we did was verify the logs and confirmed it. We even assumed that it might be a brute-force or injection attempt. After that, what we suspected became true, and that helped me in preventing unauthorized access attempts and reducing investigation.
What is most valuable?
The best features of Barracuda Application Protection are that it has good visibility. Log usability is very good, and the support for investigation is also good. These are the main features. One of the best key features I have seen is that it mainly detects and blocks web-based attacks. As I previously mentioned, SQL injection, cross-site scripting, and suspicious HTTP requests are detected in real-time.
The log visibility in Barracuda Application Protection is very useful from the SOC perspective. It provides detailed information such as the source IP address, the request type, what kind of request type was detected, the targeted URL, and the attack type. During investigations, these logs help to understand the pattern of the attack and the intention of the attack, and whether the activity is really malicious or normal activity. It also helps in identifying repeated attacks from the same IP and analyzing the traffic behavior. Overall, the logs make it easier to investigate web-based threats and correlate them with other security alerts in a SIEM solution. It gives detailed logs such as source IP, request details, and attack type, which help in quick investigation and identifying patterns.
Barracuda Application Protection is helping our current organization in a meaningful way by reducing web-based security incidents through blocking malicious traffic before it reaches the application and end-user machines. It improved visibility into the web attacks and made investigation easier for the SOC employees, especially since we could quickly identify suspicious IPs and attack patterns. It also reduces the manual effort since many attacks were automatically detected and blocked, allowing our SOC team to focus more on analysis rather than basic filtering.
What needs improvement?
I have one thing to share about the features. I did not observe any major stability issues. The platform works reliably during monitoring. If I want to tell what needs improvement, policy tuning requires effort. Policy fine-tuning because it requires a lot of effort and time from the employees, such as the senior SOC analyst. For us, it requires a lot of manual effort. Also, sometimes it gives a lot of false positives that also require manual effort. These two main things need improvement.
Another area for improvement is the visualization of the attack data. Barracuda Application Protection has better visualization of attack data, but it can make it even better. It should be very accessible because nowadays, employees from the data engineer team, the network team, or other departments should be able to easily understand it. I personally feel that is how the user interface should be for all applications. The current trending applications should be built with better UI and UX design for better visualization of the attack data. That would be very helpful for SOC analysts as well as other department employees and colleagues.
For how long have I used the solution?
I have been using Barracuda Application Protection for the past one point two years.
What do I think about the stability of the solution?
I did not observe any stability issues with Barracuda Application Protection in the past.
What do I think about the scalability of the solution?
Barracuda Application Protection is scalable and can even handle the traffic for multiple applications. It is a very good solution in the current market.
Which other solutions did I evaluate?
Cloudflare WAF is another tool I have seen. Cloudflare is also more user-friendly and has a strong CDN and DDoS capabilities, and it is easier to use. However, I would still go with Barracuda Application Protection.
What other advice do I have?
Barracuda Application Protection is a very fantastic tool and a very good solution, especially when talking about web application attacks, particularly from external attacks. Currently in the market, there are very few solutions, and few solution providers are there, but comparatively, they are the best. That is why I rate Barracuda Application Protection eight out of ten.
For example, in day-to-day work, I have observed a repeated request pattern from a particular IP that was targeting the login endpoints with unusual parameters that I noticed. Barracuda Application Protection already detected that suspicious activity and gave notifications on our SIEM solution as well. It even blocked that IP automatically on a temporary basis. We have set up and fine-tuned our SIEM solution so that if any such IPs are detected, they need to be blocked for one to two days because we are not sure about the IP's reputation. With fine-tuning, we have it set to block for two days. That is how we did it. That helped us quickly validate the alert, and we confirmed the potential attack and avoided further impact. It also reduces the manual effort, as many such threats have been handled automatically.
Barracuda Application Protection is a good solution for protecting the web application from external attacks. From my SOC perspective, it provides good visibility to the SOC analyst, and the logs it generates are very comprehensive. That helps us with the investigation and correlating all such logs to the SIEM solution and other things. In our organization, we have a public-facing application, so that is where I can tell this will provide the best benefit from this solution. Compared to other perspectives, Barracuda Application Protection is a very good one, and from my experience, I am really impressed with it. I would rate Barracuda Application Protection eight out of ten.
Mahesh Konda
Advanced threat protection has reduced zero-day risks but usability and response time still need work
Reviewed on Apr 05, 2026
Review from a verified AWS customer
What is our primary use case?
My main use case for Barracuda Application Protection encompasses most of their capabilities. I have used it for APIs, protecting applications, and securing applications for these types of instances.
What is most valuable?
Barracuda Application Protection 's best features are protecting APIs and defending against zero-day vulnerabilities.
Barracuda Application Protection has been effective at handling zero-day vulnerabilities for me, and it has caught specific threats. There were several times when Barracuda Application Protection triggered alerts, and I ensured that those threats were addressed before any vulnerability occurred.
Barracuda Application Protection has positively impacted my organization by reducing security impact and threat impact. It has helped me as an architect understand what the threat is, what the analysis shows, and it resolves immediately. That is a best use case scenario, and I would recommend this for everyone.
What needs improvement?
I believe Barracuda Application Protection could be significantly improved with better usability and integration with other tools.
Barracuda Application Protection's WAF serves as a primary defense, but I believe it can be improved. The response time is slow, and the WAF is something that adds more value to that aspect. I would also recommend improving API integration with the API layers and CDN networks, along with the response time of the application, as these need considerable improvement.
For how long have I used the solution?
I have been using Barracuda Application Protection for more than a year and a half.
What do I think about the stability of the solution?
Barracuda Application Protection is stable in my organization.
What do I think about the scalability of the solution?
I was not implementing a complete solution and was only deploying it on a few services. Because of that limited implementation, I did not implement a fully scalable application, which is why it was performing stable.
Which solution did I use previously and why did I switch?
I previously tested between Qualys, Qualys scan, Aqua scan, and Barracuda. Each has its own pros and cons, but I feel that Qualys, Aqua Securities, and Barracuda are at the same level, and I think Barracuda is the winner.
Before choosing Barracuda Application Protection, I evaluated between Aqua scan and Barracuda, and Barracuda proved to be the winner.
What was our ROI?
I have not noticed a return on investment. I was testing this out, and I am not sure how much this constituted a return on investment.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is that I feel it is a bit costlier, but the features that it provides are good. However, I am not the one making decisions on costing and limiting, as that is at the organizational level. I am satisfied, and even management shares the same concerns. We have other applications or open-source tools that are not as good as Barracuda, but we could manage with those, so I feel the pricing is too high.
What other advice do I have?
I can share a specific outcome where Barracuda Application Protection was helpful. There was a use case where an e-commerce platform was under a credential attack where attackers were hammering endpoints with millions of requests using leaked credentials. Barracuda Application Protection triggered an alert for abnormal activity using machine learning and implemented rate-limiting and IP blocking based on reputation. It also prevented account takeovers by rate-limiting the number of user requests. That was an instance where I could see how helpful Barracuda Application Protection was.
The main advice I would give to others considering Barracuda Application Protection is that it stands out with its zero-day vulnerability protection, which is excellent. It performs very well with threat detection and finding anomalies, and it is effective at preventing DDoS attacks, which are common in the data centers of any organization. My only concerns are that it is not very user-friendly and the response time is slow. I would rate this product a seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)