On-prem or cloud WAF?

Both. On-prem hardware leasing for full traffic visibility; cloud WAF (F5 Distributed Cloud, Cloudflare) bundled where appropriate.

How does this satisfy PCI DSS Req 6.6?

Req 6.6 requires either annual code review OR a WAF deployed in front of public-facing applications. Our managed WAF satisfies the latter with the attestation pack.

Will it block legitimate traffic?

We start in monitor-only mode for 1-2 weeks. False positives are tuned out before any blocking is enabled.

Can you write custom rules for our app?

Yes. Monthly custom rule tuning is included. Major rule projects (>4 hours) are quoted separately.

What about API-specific protection?

F5 Advanced WAF and Imperva include API positive-security models. We import your OpenAPI spec to build the schema.

Included at all tiers. Premium bot-management (advanced bots, JavaScript challenges) on Mid-Market and Enterprise.

L7 application DDoS is included. L3/L4 volumetric DDoS requires upstream provider — we partner with Cloudflare or local ISPs to bundle.

Can we self-manage rules?

Yes, co-managed access is standard. nCrypt retains review of any policy that would weaken WAF protection.

Hardware-as-a-Service · 36-month bundle

Hardware web application firewall, fully tuned. From RM2,500/month.

F5, Imperva, or Barracuda WAF appliance — PCI DSS Req 6.6 compliance, OWASP Top 10 protection, and continuous rule tuning by nCrypt analysts.

Calculate your bundle Talk to sales

What's included in the bundle

WAF appliance (physical or virtual)

Initial rule baseline + OWASP Top 10 coverage

Monthly custom rule tuning

Bot management and DDoS L7 protection

PCI DSS Req 6.6 attestation pack

Hardware refresh at month 30

Who this is for

✓E-commerce processing credit cards (PCI DSS Req 6.6)
✓Fintech APIs exposed to the public internet
✓Healthcare patient portals
✓Government citizen-facing portals

Deployment timeline

Week 1

Application discovery, traffic shadowing in monitor-only mode

Week 2-3

Rule baseline, custom policy, gradual blocking enablement

Ongoing

Monthly rule tuning, weekly bot-pattern updates, quarterly reviews

Sample bundles by company size

SMB

RM 2,500 – 4,000 / month

Single virtual WAF, 1-2 web apps, e-commerce SME

MidMarket

RM 4,000 – 9,000 / month

HA pair, 5-10 apps, fintech API gateway

Enterprise

RM 9,000 – 25,000+ / month

Multi-DC, 20+ apps, custom rules, bot management premium

Aligned to your regulatory obligations

PCI DSS Req 6.6ISO 27001BNM RMiT

Frequently asked questions

Need a one-off engagement instead of a leased bundle?

See our consulting service →

Ready to size WAF for your environment?

Three minutes in the calculator. A precise quote emailed within 24 hours.

Calculate my bundle Talk to sales

Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.

Ready to size WAF for your environment?

Three minutes in the calculator. A precise quote emailed within 24 hours.