IT Brief Australia - Technology news for CIOs & IT decision-makers
SecureIQLab publishes APAC cloud WAAP validation reports

Mon, 8th Jun 2026

SecureIQLab has published three Asia-Pacific cloud WAAP cyber risk validation reports covering cloud web application and API protection products from regional vendors.

The testing examined how the products handled web application threats, API attacks, automated bot activity, Layer 7 denial-of-service scenarios, evasion attempts, and false positives. SecureIQLab said the work was non-commissioned and self-funded. Vendors provided access to their products but did not pay to participate or control publication of the findings.

WAAP, or web application and API protection, has become a more prominent area of cybersecurity spending as companies move customer-facing applications and interfaces into cloud environments. Security teams are under pressure to assess not only traditional web application firewall functions, but also API protection, bot management, and the ability to limit disruption from application-layer attacks without blocking legitimate traffic.

The reports were produced under SecureIQLab's Cloud WAAP CyberRisk Methodology v4.0, registered with the Anti-Malware Testing Standards Organisation under Test ID AMTSO-LS1-TP127. The validation was aligned with the OWASP Top 10 2021 and the OWASP API Security Top 10 2023.

Each vendor was tested against 1,334 malicious payloads and 1,269 benign payloads. The approach was intended to measure both attack detection and the handling of legitimate traffic, which can affect day-to-day operations if security tools generate too many false alarms or block normal user activity.

Regional baseline

The reports also highlight a broader issue in the Asia-Pacific cybersecurity market: the uneven availability of independent product testing across regions. Vendors in North America and Europe have had greater access to structured third-party validation, which buyers often use as one reference point when comparing products.

By contrast, suppliers in Asia-Pacific have often had fewer opportunities to present independently gathered comparative results. That can make product assessment harder for enterprise buyers, particularly when internal proof-of-concept testing is narrow in scope or marketing claims are difficult to verify against a common benchmark.

SecureIQLab said the initiative was designed to provide a more consistent evidence base for both sides of the market. It described the work as an effort to give buyers measurable technical data and regional vendors a common validation baseline.

"In Asia-Pacific, we work directly with regional vendors who have historically lacked access to consistent, independent validation. Bringing our AMTSO-aligned methodology to regional vendors gives APAC security teams the same evidentiary baseline that buyers in North America and Europe have relied on for years," said Bijay Limbu Senihang, Director of APAC Region, SecureIQLab.

Buyer pressure

The reports arrive as security leaders face a more complex application threat landscape. Modern enterprise software is increasingly built around application programming interfaces, while customer-facing online services are frequent targets for credential abuse, automated scraping, and denial-of-service activity aimed at the application layer rather than the network edge.

That shift has made WAAP products harder to evaluate. Buyers increasingly want data on how products respond to evasive attack techniques, how well they distinguish between malicious and benign behaviour, and whether they can manage bot traffic without disrupting legitimate customers or internal business processes.

For chief information security officers, application security teams, security operations centres, cloud security leaders, and managed security service providers, third-party testing can provide another layer of scrutiny before procurement decisions are made. SecureIQLab said the reports should be treated as verified performance metrics captured during a defined testing period under controlled conditions, rather than as endorsements of any one supplier.

SecureIQLab is based in Austin, Texas, and said its Asia-Pacific team supporting the initiative operates from Kathmandu, Nepal. That detail also reflects the growing role of South Asia in cybersecurity research, testing, and product validation as regional markets expand and enterprise buyers seek more locally relevant benchmarks.

SecureIQLab said enterprise buyers should be able to compare products on technical performance rather than relying only on brand recognition, supplier claims, or limited in-house trials. It added that vendors did not influence the validation process or prevent publication of the results.