Finding Web Assets That Are Underprotected: How to Detect WAFs Running in Monitor-Only Mode

Your WAF dashboard shows green. Your CMDB says “WAF deployed.” Your compliance checklist has a check mark next to web application protection. An attacker sends an SQL injection payload to your checkout page, and the WAF logs the attempt. It does not block it. The payload reaches your application server.

A WAF in monitor-only mode creates a specific and dangerous gap: it looks deployed in every inventory and executive report, but it stops zero attacks. Security teams assume coverage exists. Attackers exploit the gap. IONIX detects this discrepancy by testing whether each WAF actively blocks attack traffic, not whether a WAF product exists on the asset.

The Three WAF Protection States

Every web asset in your environment falls into one of three categories. Treating them as a binary “WAF/no WAF” question misses the most dangerous state.

Protected. The WAF is deployed and running in blocking mode. Attack traffic triggers active rules that reject or drop malicious requests. Response patterns include WAF block pages, 403 status codes, and vendor-specific denial headers. The asset receives real protection.

Underprotected. The WAF is deployed but running in monitor-only mode (also called detection mode, logging mode, or passive mode). The WAF inspects traffic, logs suspicious requests, and generates alerts. It does not block anything. An attacker hitting this asset faces the same resistance as an asset with no WAF at all. According to Vaadata’s analysis of WAF configuration modes, a WAF in passive/logging mode “does not modify or interrupt the web traffic,” meaning “an attacker can potentially perform an attack successfully without being caught.”

Unprotected. No WAF exists on the asset. HTTP responses show no WAF headers, no challenge pages, and no vendor fingerprints. The application handles all traffic directly.

The underprotected state is the most dangerous of the three. Unprotected assets at least show up when you scan for WAF presence. Underprotected assets pass that same scan and report “WAF detected,” hiding the fact that the WAF does nothing to stop attacks.

How Monitor-Only Mode Persists

Two patterns account for most underprotected assets.

The tuning phase that never ended. WAF deployments start in monitor-only mode. Security teams observe logged traffic, tune rules to reduce false positives, and plan a cutover to blocking mode. That cutover often stalls. Rule tuning takes longer than expected. A false positive on a revenue-generating page makes the team hesitant. Someone says “let’s wait until next sprint.” Months pass. The tuning phase becomes the permanent state. Vaadata notes that “such a testing period in a logging mode can be endless” when teams fail to transition to blocking.

Configuration drift. An engineer switches the WAF to monitor-only mode during a deployment window to avoid breaking a new feature. The change doesn’t get reverted. A vendor update resets a configuration parameter. A different team modifies the WAF policy for troubleshooting and forgets to restore it. IBM describes configuration drift as a pattern that “can significantly increase an organization’s attack surface by creating exceptions to security policies that remain unknown to administrators.” WAF mode changes fit this pattern: a small configuration tweak creates a security gap that persists because no one monitors the WAF’s enforcement state continuously.

Both patterns share the same characteristic: the WAF continues to appear in every asset inventory and dashboard as “deployed.” The protection gap stays invisible to teams that check for WAF presence but not WAF effectiveness.

How IONIX Detects WAF Protection Status

IONIX treats WAF coverage as an exposure validation problem. The platform doesn’t ask “does this asset have a WAF?” It asks “does this asset’s WAF actively block attack traffic?”

Response pattern analysis. IONIX sends crafted requests that trigger standard WAF rules (SQL injection patterns, XSS payloads, OWASP Top 10 attack signatures) and analyzes the response. A WAF in blocking mode returns a block page, a 403 status code, or a vendor-specific denial response. A WAF in monitor-only mode passes the request through to the application, which returns its normal response. The difference is unambiguous.

WAF metadata and HTTP header inspection. IONIX fingerprints the WAF vendor and version from HTTP response headers, server headers, and cookie patterns. A Cloudflare WAF, an Akamai Kona rule set, and an AWS WAF each leave distinct signatures. IONIX identifies which vendor is present and then tests whether that vendor’s blocking rules are active.

Vendor API integration. For organizations that grant API access to their WAF or CDN provider, IONIX queries the vendor API directly to confirm rule configuration, enforcement mode, and last block event timestamp. This provides a second, independent signal alongside behavioral testing.

Active attack scenario testing. IONIX runs non-intrusive simulated attack scenarios against each asset, designed to distinguish between a WAF that logs and a WAF that blocks. These tests confirm real-world exploitability: the question isn’t whether the WAF can detect an attack, but whether it stops the attack from reaching the application.

Each asset receives a per-asset protection status with evidence. A typical finding reads: Cloudflare WAF detected, mode: monitor-only, last block event: none in 90 days. The evidence makes the finding actionable. Your team sees the vendor, the mode, and the gap duration.

From Detection to Remediation: The Operational Workflow

IONIX’s continuous audit produces a real-time WAF coverage report across your full external exposure, including subsidiaries and acquired entities that your central security team may not manage directly.

Continuous discovery and audit. IONIX scans all web assets continuously. New assets get assessed for WAF protection status as they appear. Assets that change WAF configuration mid-cycle trigger a re-evaluation.

Coverage dashboard. The dashboard shows a breakdown of your web asset portfolio by protection state. A sample report:

Protection State	Assets	Percentage
Protected (WAF blocking)	68	80%
Underprotected (WAF monitor-only)	12	14%
Unprotected (no WAF)	5	6%
Total	85	100%

That 14% underprotected slice represents assets where your team believes protection exists but where attackers face no resistance.

Prioritization by business impact. IONIX ranks underprotected assets by traffic volume, business criticality, and data sensitivity. A customer authentication portal running a monitor-only WAF ranks higher than a marketing blog with the same issue. Prioritization reflects organizational risk.

Automated remediation ticketing. IONIX creates Jira or ServiceNow tickets for each underprotected asset, assigned to the team that owns the WAF configuration. The ticket includes the specific finding (vendor, mode, evidence), the remediation action (switch the WAF to blocking mode), and a validation step (IONIX re-runs the attack scenarios to confirm blocking is active after the change). Automated remediation workflows reduce mean time to resolve. IONIX customers report a 90% reduction in mean time to resolve external exposures.

The Compliance Blind Spot

A WAF in monitor-only mode creates a specific compliance problem: it satisfies inventory-based checks (“Do you have a WAF?”) but fails control-effectiveness checks (“Does your WAF prevent attacks?”).

PCI DSS 4.0. Requirement 6.4.2 mandates that organizations “deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks.” The key word is “prevents.” A monitor-only WAF detects. It does not prevent. As of March 31, 2025, this requirement is mandatory for all PCI-scoped merchants. Organizations running WAFs in monitor-only mode on payment pages fail this requirement.

NIS2. The EU directive requires essential and important entities to implement “appropriate technical measures” for web application security. A WAF that logs attacks without stopping them demonstrates detection capability but not prevention, which does not satisfy the NIS2 standard for proportionate security controls.

Most compliance audits check for WAF deployment, not WAF enforcement mode. IONIX surfaces the enforcement state as a tracked, remediable finding, giving your compliance team the evidence they need before the auditor arrives.

Beyond WAF: The Broader External Exposure Picture

WAF coverage gaps represent one category of external exposure. The same logic applies to every security control in your perimeter: a CDN that can be bypassed through direct origin access, a DNS record pointing to decommissioned infrastructure, a TLS certificate that expired on a subsidiary domain. IONIX maps your full organizational entity structure, validates exploitability across the entire external exposure, and prioritizes remediation by evidence-backed business impact.

Organizations are aware of approximately 62% of their actual external exposure. The other 38% includes assets where controls like WAFs are absent, misconfigured, or running in monitor-only mode. IONIX finds them before attackers do.

See how IONIX detects underprotected web assets across your full external exposure.

FAQs