When "No Sector Is Exempt" Becomes the Headline
The UK National Cyber Security Centre’s Annual Review 2025 opens with an unusual choice: a letter from the CEO of a major high street retailer describing what it was like to be hit by a serious cyberattack. The retailer is not named in the review’s framing, but the description lines up with the DragonForce ransomware attack that disrupted Marks & Spencer’s operations earlier in the year, an incident widely reported to have cost the retailer around £300 million, and the related breach at Co-op, where the personal data of all 6.5 million Co-op members was stolen.
Those incidents sit inside a much larger pattern. Over the twelve months to September 2025, the NCSC handled 204 “nationally significant” cyber incidents, up from 89 the year before, a 130% increase. Incidents categorised as “highly significant” rose 50% for the third consecutive year. The NCSC’s own conclusion is blunt: threat actors target vulnerabilities, not sectors, meaning any organisation with a public-facing application or API is a potential target regardless of industry.
The United Kingdom Cyber Threat Landscape in 2026
The UK’s digital economy continues to expand through cloud services, API-driven applications, e-commerce, and Open Banking. While these innovations enable faster digital experiences, they have also significantly increased the application attack surface.
According to the NCSC Annual Review 2025, the agency managed 429 cyber incidents during the year, including 204 nationally significant incidents, more than double the previous year’s total and an increase for the third consecutive year. Retail, financial services, healthcare, manufacturing, engineering, and academia were among the sectors most frequently targeted by ransomware and disruptive cyberattacks.
Some of these high-profile incidents further illustrate the growing risks facing United Kingdom’s organizations:
| Incidents | Security Takeaway |
|---|---|
| Marks & Spencer cyberattack | Customer-facing digital services can become operationally disruptive attack targets. |
| Co-op cyberattack | Credential theft and identity-based attacks remain a growing concern. |
| Multiple UK retail attacks | Modern attacks increasingly target web applications, APIs, and third-party ecosystems. |
|
References :-
•
https://www.reuters.com/business/retail-consumer/uks-ms-says-customer-information-was-taken-cyber-attack-2025-05-13/
•
https://www.reuters.com/business/retail-consumer/uks-ms-says-customer-information-was-taken-cyber-attack-2025-05-13
•
https://www.ncsc.gov.uk/news/retailers-incident
|
|
Although not every incident involved API exploitation directly, they all demonstrate how internet-facing applications have become primary attack surfaces.
As Open Banking, cloud adoption, and digital public services continue to expand, organizations need security controls that extend beyond traditional perimeter defenses.
| Metric | 2025 |
|---|---|
| Cyber incidents managed | 429 |
| Nationally significant incidents | 204 – 48% of all Incidents |
| Highly significant incidents | 18 – 4% of them were categorised as highly significant in nature |
| Most targeted sectors | Retail, Finance, Healthcare, Manufacturing, Academia |
| References :-
•
https://www.ncsc.gov.uk/files/ncsc-annual-review-2025.pdf
|
|
Why Modern Businesses Need Advanced & Cloud-Native WAAP Service, Not Legacy WAFs
Much of the UK’s digital economy now runs on regulated APIs. Open banking alone had grown to 13.3 million active users and was processing around 31 million monthly open banking payments by March 2025, all relying on FCA-authorised, OAuth- and FAPI-secured API connections between banks and third-party providers. As API adoption has grown so has regulatory scrutiny. The FCA continues to prioritise financial crime controls while fraud , particularly Authorised Push Payment (APP) fraud on real-time payment rails remains a major focus across the country’s payments ecosystem.
Traditional web application firewalls were designed primarily to protect websites from conventional web attacks. They were not built to understand the dynamic nature of modern APIs, including machine-to-machine communication, OAuth authentication, token-based access, and continuously changing API endpoints. At the same time, UK organisations must navigate a growing mix of security and compliance requirements, including GDPR, the Network and Information Systems (NIS) Regulations 2018, the Telecommunications (Security) Act 2021 for telecoms providers, and the OWASP API Security Top 10 as the industry’s leading API security benchmark. Meeting these expectations increasingly requires security controls that provide deep API visibility, behavioural analysis, and continuous protection beyond what a traditional WAF was designed to deliver.
What Modern Application Security Should Actually Deliver
United Kingdom organisations aren’t struggling because they lack security controls. They’re struggling because applications, APIs, and AI services change faster than traditional security policies can keep up.
A modern WAAP platform should enable organisations to:
- Maintain continuous visibility across applications, APIs, and cloud services as environments evolve.
- Understand normal application behaviour so abnormal activity can be identified before damage occurs.
- Protect against automated abuse, business logic attacks, and sophisticated API threats , not just known exploits.
- Apply security consistently across applications, APIs, bots, AI services, and cloud workloads.
- Respond automatically to changing threats without constant manual tuning.
- Reduce operational effort while fitting naturally into modern DevOps and cloud environments.
Checklists of Choosing a WAAP Platform Provider
Instead of comparing feature checklists, security leaders should ask whether a platform can continue protecting applications as both infrastructure and attack techniques evolve.
Key evaluation criteria include:
- Can it continuously reveal new assets and changing attack surfaces?
- Does it understand application behaviour rather than relying only on signatures?
- Can protection adapt automatically as traffic patterns and threats change?
- Will it secure modern cloud-native environments without adding operational friction?
- Can security teams reduce alert fatigue while maintaining confidence in detections?
- Does it provide one operational view across web applications, APIs, bots, and AI-driven services?
- Can teams monitor application, API, bot, and threat activity through a unified security dashboard?
Top 7 WAAP Solutions for United Kingdom Enterprises (2026)
1. Prophaze
AI-native WAAP that adapts to your applications—not the other way around.
Unlike traditional WAAP (web application and API protection) platforms that depend on static rules and constant policy tuning, Prophaze continuously learns application behaviour, discovers unknown APIs at runtime, and stops sophisticated attacks before they impact the business. Built cloud-native and Kubernetes-first, it secures applications, APIs, AI workloads, bots, and Layer 7 DDoS from a single unified platform.
With Prophaze, United Kingdom organisations can:
- Continuously discover shadow, zombie, orphaned, and undocumented APIs without manual inventories.
- Detects zero-days, business logic abuse, and sophisticated threats using AI-powered behavioural analysis.
- Inspect every request through deep payload inspection without relying solely on static signatures.
- Protect applications, APIs, AI applications, bots, and Layer 7 DDoS from one unified security platform.
- Deploy in minutes with an agentless reverse-proxy architecture requiring no SDKs, code changes, or infrastructure redesign.
- Reduce alert fatigue through continuous learning that improves detection accuracy over time.
- Deliver protection with sub-millisecond decision latency without slowing applications.
- Choose between self-managed deployment or fully managed protection backed by Prophaze security experts.
Prophaze combines runtime API discovery, behavioural AI, continuous learning, unified protection, and flexible deployment in a single platform helping UK organisations improve security posture, reduce operational overhead, and stay ahead of evolving threats without the constant tuning required by legacy WAAP solutions. Twice recognised as a Representative Vendor in Gartner’s Cloud WAAP Market Guide, Prophaze is built for how modern attacks actually work.
2. Radware
Radware’s Cloud Application Protection Service combines WAF, bot management, API protection, and DDoS defence, with a heritage in availability protection that makes it a frequent shortlist option for organisations with a high DDoS risk profile.
- Consideration: Organisations should confirm the depth of API-specific discovery and runtime protection against their needs, since Radware's core strength has historically centred on DDoS and traffic-layer defence.
3. Wallarm
Wallarm offers a unified platform combining WAF, dedicated API protection, and bot mitigation, purpose-built for cloud-native and microservice-based environments, with machine learning used to adapt to evolving attack patterns.
- Consideration: Organisations should evaluate onboarding effort and how well Wallarm's API-first approach integrates with existing web application protection already in place.
4. Barracuda
Barracuda’s WAF-as-a-Service provides cloud-delivered application protection with integrated API security capabilities, centralized policy management, and support for hybrid deployments, making it suitable for organizations operating across on-premises and cloud environments.
- Consideration: Organizations with highly complex application environments should evaluate whether Barracuda's advanced API protection capabilities align with their specific runtime security and visibility requirements.
5. Fortinet FortiWeb
FortiWeb is tightly integrated with the broader Fortinet Security Fabric, making it an efficient choice for organisations already running FortiGate firewalls, with deployment options spanning physical appliances, virtual machines, and cloud.
- Consideration: Organisations without an existing Fortinet estate should weigh the benefits of ecosystem integration against a best-of-breed, vendor-agnostic WAAP platform.
6. Akamai App & API Protector
Akamai App & API Protector delivers enterprise-grade web application, API, bot, and Layer 7 DDoS protection through its globally distributed edge platform. It is widely adopted by UK financial institutions, retailers, and public sector organisations that require high availability, strong performance, and large-scale attack mitigation.
- Consideration: Akamai offers a mature enterprise platform, but organisations should evaluate deployment complexity, operational overhead, and licensing requirements against more AI-native, cloud-native WAAP platforms.
7. Cloud Gateway
Cloud Gateway is a United Kingdom , based managed service provider offering managed WAF alongside broader connectivity and network security services, giving organisations a single, locally accountable contact for both networking and application security.
- Consideration: As with any bundled MSP offering, organisations with specific API security requirements should confirm how much dedicated API discovery and runtime protection sits within the service versus a specialist platform.
Why Prophaze Matters in New Application Security Reality
UK organisations are operating in an environment where APIs evolve constantly, attacks are automated, and traditional rule-based security can no longer keep up.Most WAAP (web application and API protection) platforms were built to filter traffic. Prophaze is built to understand behaviour in real time and respond before impact occurs.Unlike legacy tools, Prophaze continuously analyses live application, API, and bot behaviour using an AI-native engine that adapts as threats evolve.
With a single platform, organisations gain:
- Real-time discovery of hidden, shadow, and forgotten APIs as they appear in production traffic
- Behaviour-based detection of API abuse, bot attacks, and business logic manipulation
- Automated protection against zero-day attacks without signatures or manual rule updates
- A unified view of application, API, bot, and cloud workload risk in one control plane
- Consistent enforcement across cloud, hybrid, and Kubernetes environments without redeployment effort
What makes this fundamentally different is not just detection, it is continuous adaptation in production environments without human tuning cycles.This removes one of the biggest operational burdens in security today: the gap between “known threats” and “live attacker behaviour”.
The outcome is simple:
Security teams stop chasing alerts and start operating with visibility, control, and confidence.
- The Next High-Profile Cyberattack Doesn't Have to Be Yours
As NCSC CEO Richard Horne noted, cybersecurity has become “a matter of business survival and national resilience.” For organizations building digital-first services, investing in modern application security today can help prevent tomorrow’s breach. Prophaze was built for exactly this threat landscape, AI-driven, cloud-native, and designed to protect without slowing you down.
Frequently Asked Questions (FAQ)
1. What is WAAP and why does it matter for UK enterprises?
WAAP (Web Application and API Protection) secures applications, APIs, and user interactions in a single platform. It matters because open banking, real-time payments, and public sector digital services all depend on APIs that the NCSC and FCA are increasingly scrutinising.
2. How does WAAP differ from a traditional WAF?
A WAF inspects web traffic against known attack patterns. WAAP extends that coverage to API-specific threats, bot abuse, and Layer 7 DDoS, reflecting how modern applications actually communicate.
3. Why is API security a growing priority for UK financial services?
UK open banking now processes roughly 31 million payments a month through FCA-regulated APIs, and fraud, particularly Authorised Push Payment fraud, has become a core regulatory focus, increasing pressure on firms to secure the APIs behind these transactions.
4. How does Prophaze support UK compliance requirements?
Prophaze provides continuous API discovery, AI-based risk scoring, and centralized visibility into API traffic, helping security teams demonstrate the kind of monitoring and audit trail that NCSC and FCA expectations increasingly require.