WAF cost spikes during attacks: how to budget request surges
WAF cost spikes are usually not caused by "more rules"; they are caused by more evaluated requests. During an attack, blocked traffic can multiply request volume, and it brings a second surprise: security log volume, and the cost of ingesting, storing and searching it, grows with it.
Step 1: separate steady traffic from surge traffic
- Steady: your typical 30-day traffic.
- Surge: bot spikes, credential stuffing, scraping, or DDoS-like bursts.
- Include blocked traffic: WAF request pricing is typically per evaluated request, so a blocked request usually costs the same as an allowed one.
Step 2: convert surge RPS into added monthly requests
Simple approximation: extra requests = surge RPS x surge seconds. Then add to your steady requests/month.
- Keep two scenarios: baseline (typical month) and attack (surge traffic for a few hours/days).
- Include blocked and allowed requests together (evaluated requests).
Worked surge example (copy/paste)
- Baseline: 500 RPS sustained -> 500 * 86,400 * 30 = 1,296,000,000 (about 1.3B) requests/month.
- Attack: +5,000 RPS for 6 hours/day for 3 days -> extra requests = 5,000 * (6 * 3600) * 3 = 324,000,000.
- Total: 1,296,000,000 + 324,000,000 = 1,620,000,000 evaluated requests for the attack month, 25% above baseline from three bad days.
The purpose is not perfect math; it is to avoid budgeting only the steady state and getting surprised by the peak.
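The surge arithmetic above, carried through as runnable code. This is an added example, not code from the original page: it turns the two scenarios into a baseline month and an attack month of evaluated requests and prices them per million. The $0.006-per-10k price and the price_per_million normalization are assumptions used to illustrate the unit check, not any vendor's list price.

```python
"""Evaluated-request budget for a baseline month versus an attack month.
Added example, not from the original page. Prices are placeholders; the
traffic numbers are the page's: 500 RPS baseline, +5,000 RPS for 6 h/day x 3 days."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DAYS_PER_MONTH = 30  # matches the page's "typical 30-day traffic" window


@dataclass(frozen=True)
class Surge:
    """Extra RPS layered on top of baseline for hours_per_day over `days` days."""
    extra_rps: float
    hours_per_day: float
    days: int

    def extra_requests(self) -> int:
        # the page's approximation: extra requests = surge RPS x surge seconds
        return round(self.extra_rps * self.hours_per_day * 3_600 * self.days)


def baseline_requests(rps: float, days: int = DAYS_PER_MONTH) -> int:
    """Sustained RPS -> evaluated requests (allowed + blocked) per month."""
    return round(rps * SECONDS_PER_DAY * days)


def scenarios(baseline_rps: float, surges: list) -> dict:
    """Two budget lines: a typical month and an attack month."""
    base = baseline_requests(baseline_rps)
    extra = sum(s.extra_requests() for s in surges)
    return {"baseline": base, "attack_extra": extra, "attack_total": base + extra}


def price_per_million(price: float, per_requests: int) -> float:
    """Normalize a quoted price (e.g. $ per 10k requests) to $ per million
    before estimating; mixing units is the classic way to be off by 100x."""
    return price * 1_000_000 / per_requests


def request_charge(requests: int, usd_per_million: float) -> float:
    """Flat request charge; add tiering here if your contract has it."""
    return requests / 1_000_000 * usd_per_million


def surge_budget(baseline_rps: float, surges: list, usd_per_million: float) -> dict:
    """Requests and dollars for both scenarios plus the headroom the peak needs."""
    s = scenarios(baseline_rps, surges)
    return {
        **s,
        "baseline_usd": request_charge(s["baseline"], usd_per_million),
        "attack_usd": request_charge(s["attack_total"], usd_per_million),
        "headroom_pct": 100 * s["attack_extra"] / s["baseline"],
    }


if __name__ == "__main__":
    # placeholder price: $0.006 per 10k requests -> $0.60 per million
    budget = surge_budget(500, [Surge(5_000, 6, 3)], price_per_million(0.006, 10_000))
    for key, value in budget.items():
        print(f"{key:>14}: {value:,.2f}" if isinstance(value, float) else f"{key:>14}: {value:,}")
```

Add a second Surge to the list for a longer, lower-rate scraping scenario and keep the larger attack_total as the budget line; the headroom_pct figure is what to carry into the next budget cycle, not the baseline alone.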
Step 3: reduce evaluated requests (high leverage)
- Cache aggressively for cacheable routes (especially for abusive hot paths).
- Rate-limit early for known abusive endpoints (login, search, auth token endpoints).
- Block obvious bot paths and bad user agents with targeted rules.
- Move traffic up the stack: stop bad traffic at the CDN edge when possible.
- During an incident, narrow what is reachable: allowlist only the endpoints that must stay public so everything else is rejected cheaply and early.
- Keep one high-confidence emergency policy ready, with an owner and a review date (temporary controls tend to become permanent if you do not review them).
Step 4: don't let security logging become the bigger bill
- Sample or filter logs for high-volume endpoints where full fidelity isn't required.
- Set retention deliberately for noisy log sources instead of inheriting the default; retained GB-months accumulate long after the attack is over.
- Optimize queries and dashboards to avoid repeated large scans.
If you need detailed investigation, prefer targeted logging for specific rules or short windows instead of always-on full-fidelity logs.
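A log-cost model for the same attack month, added here as an example (not from the original page), comparing always-on full-fidelity logging with sampling the hot path. The traffic split, the 1,000-byte record size, the prices, and the retention and scan approximations are placeholder assumptions; decimal GB is assumed, so change the constant if your vendor bills GiB.

```python
"""Security log cost for an attack month under two logging policies:
always-on full fidelity versus sampling the hot, high-volume path.
Added example, not from the original page; record sizes, prices and the
traffic split are placeholder assumptions."""
from dataclasses import dataclass

GB = 1_000_000_000  # decimal GB; if your vendor bills GiB (2**30 bytes) change this


@dataclass(frozen=True)
class LogSource:
    name: str
    requests: int             # evaluated requests in the window
    bytes_per_record: int     # average serialized record size
    sample_rate: float = 1.0  # 1.0 = every request logged, 0.01 = 1 in 100


@dataclass(frozen=True)
class LogPricing:
    ingest_usd_per_gb: float
    storage_usd_per_gb_month: float
    scan_usd_per_gb: float


def ingested_gb(sources) -> float:
    """GB that actually reach the log platform after sampling."""
    return sum(s.requests * s.sample_rate * s.bytes_per_record for s in sources) / GB


def log_cost(sources, pricing: LogPricing, retention_days: int, full_window_scans: int = 0) -> dict:
    """Ingest + retained storage + search scans for one month of `sources`.
    Storage approximates each ingested GB as billed for retention_days/30 GB-months;
    scans assume each dashboard refresh or query reads the whole window, which is
    the repeated-large-scan pattern the page warns about."""
    gb = ingested_gb(sources)
    ingest = gb * pricing.ingest_usd_per_gb
    storage = gb * (retention_days / 30) * pricing.storage_usd_per_gb_month
    scans = full_window_scans * gb * pricing.scan_usd_per_gb
    return {"gb": gb, "ingest_usd": ingest, "storage_usd": storage,
            "scan_usd": scans, "total_usd": ingest + storage + scans}


def compare(full, targeted, pricing: LogPricing, retention_days: int, full_window_scans: int) -> dict:
    """Cost both policies and report the saving of the targeted one."""
    a = log_cost(full, pricing, retention_days, full_window_scans)
    b = log_cost(targeted, pricing, retention_days, full_window_scans)
    return {"full": a, "targeted": b, "saving_pct": 100 * (1 - b["total_usd"] / a["total_usd"])}


# Constructed split of the 1.62B evaluated requests: the surge lands on /login.
FULL = [LogSource("login", 400_000_000, 1_000),
        LogSource("everything_else", 1_220_000_000, 1_000)]
# Targeted policy: 1% sampling on the hot path, full fidelity elsewhere.
TARGETED = [LogSource("login", 400_000_000, 1_000, sample_rate=0.01),
            LogSource("everything_else", 1_220_000_000, 1_000)]
PRICING = LogPricing(ingest_usd_per_gb=0.5, storage_usd_per_gb_month=0.03, scan_usd_per_gb=0.005)

if __name__ == "__main__":
    result = compare(FULL, TARGETED, PRICING, retention_days=30, full_window_scans=20)
    for policy in ("full", "targeted"):
        r = result[policy]
        print(f"{policy:>9}: {r['gb']:,.0f} GB -> ${r['total_usd']:,.2f} "
              f"(ingest {r['ingest_usd']:,.2f}, storage {r['storage_usd']:,.2f}, scans {r['scan_usd']:,.2f})")
    print(f"saving: {result['saving_pct']:.1f}%")
```

Because every component scales with ingested GB, the saving is exactly the share of bytes you stop sending; the model also makes visible that 20 full-window dashboard scans can cost more than the storage itself, which is the Step 4 point about repeated large scans.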
How to validate after an attack
- Reconcile evaluated requests (allowed + blocked) against the WAF bill for the same window.
- Compare baseline days vs attack days and keep the peak scenario for future budgets.
- Check whether logging and dashboards caused repeated scans of large windows during incident response.
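The reconciliation above as a runnable check, added here as an example and not code from the original page: it rebuilds evaluated requests (allowed + blocked) per UTC day from WAF log records, compares the total with the billed request count, and picks out the attack days to keep as the peak scenario. The log lines are constructed; the field names (timestamp in epoch milliseconds, action, httpRequest.uri) loosely follow AWS WAF's JSON log format, but only those fields are read, and the 5% tolerance and 3x attack-day threshold are assumptions.

```python
"""Post-attack reconciliation of evaluated requests against the WAF bill.
Added example, not from the original page. Log records are constructed;
only timestamp (epoch ms), action and httpRequest.uri are read."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median


def _day(start_ms: int, allow: int, block: int) -> list:
    """Constructed records for one day: `allow` allowed hits on / and `block`
    blocked hits on /login, one second apart."""
    recs = [{"timestamp": start_ms + i * 1000, "action": "ALLOW",
             "httpRequest": {"uri": "/"}} for i in range(allow)]
    recs += [{"timestamp": start_ms + (allow + i) * 1000, "action": "BLOCK",
              "httpRequest": {"uri": "/login"}} for i in range(block)]
    return recs


# 2024-01-27 .. 2024-01-29 UTC; the middle day carries a blocked surge on /login.
SAMPLE_LOG_LINES = [json.dumps(r) for r in
                    _day(1_706_313_600_000, 2, 1)
                    + _day(1_706_400_000_000, 2, 8)
                    + _day(1_706_486_400_000, 3, 0)]


def evaluated_per_day(lines, sample_rate: float = 1.0) -> dict:
    """Per-day counts by action. Every action (ALLOW, BLOCK, COUNT, ...) is an
    evaluated request. If the stream was sampled (Step 4), counts are scaled
    by 1/sample_rate; that is an estimate, so prefer the WAF's own
    allowed/blocked metrics for the bill comparison when you have them."""
    counts = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for line in lines:
        rec = json.loads(line)
        day = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc).date().isoformat()
        counts[day][rec["action"]] = counts[day].get(rec["action"], 0) + 1
    scale = 1 / sample_rate
    return {d: {a: round(n * scale) for a, n in c.items()} for d, c in sorted(counts.items())}


def total_evaluated(counts: dict) -> int:
    return sum(sum(c.values()) for c in counts.values())


def reconcile(counts: dict, billed_requests: int, tolerance: float = 0.05):
    """(within_tolerance, relative_gap). A gap beyond `tolerance` means the logs
    and the bill disagree on what was evaluated: look for log sampling, a
    logging filter, or a protected resource you are not logging at all."""
    gap = (billed_requests - total_evaluated(counts)) / billed_requests
    return abs(gap) <= tolerance, gap


def attack_days(counts: dict, factor: float = 3.0) -> list:
    """Days whose evaluated total exceeds `factor` x the median daily total;
    these are the peak days to carry into the next budget."""
    totals = {d: sum(c.values()) for d, c in counts.items()}
    base = median(totals.values())
    return [d for d, t in totals.items() if t > factor * base]


if __name__ == "__main__":
    per_day = evaluated_per_day(SAMPLE_LOG_LINES)
    print(per_day)
    print("total evaluated:", total_evaluated(per_day))
    print("matches a bill of 16:", reconcile(per_day, 16))
    print("attack days:", attack_days(per_day))
```

Feed real exported log lines in place of SAMPLE_LOG_LINES and the billed request count for the same window; if the gap is large and the logs were sampled, rerun with the sample_rate you configured before concluding the bill is wrong.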
Validation checklist
- Validate the primary driver with measured usage from a representative window.
- Confirm units and pricing units (per 10k vs per 1M, GB vs GiB) before trusting the estimate.
- Re-check incident windows: client retries and timeouts during an incident multiply evaluated requests, and the log records that come with them.
FAQ
Why do WAF bills spike during incidents?
Because WAF pricing often includes request-based charges. Attack traffic (even if blocked) is still evaluated and can multiply request volume and downstream logging cost.
Should I budget blocked requests?
Yes. For cost models, use evaluated requests (allowed + blocked). During bot spikes, blocked traffic can dominate request counts.
What's the fastest way to estimate surge cost?
Estimate your steady monthly requests, then model a surge scenario (for example, 10x RPS for 6 hours/day for 3 days) and convert it into additional monthly requests.
Last updated: 2026-01-27