Stop deploying web application firewalls (macchaffee.com)
5 points by todsacerdoti on Nov 12, 2023 | hide | past | favorite | 5 comments


If you don't deploy WAFs, you ain't gonna be SOC2 compliant. So, pick your poison.


I actually wrote this post in preparation for a fight about WAFs with a SOC2 auditor, wish me luck! :)

The specific control says "Boundary protection systems (for example, firewalls, DMZs, IDS/IPS, and EDR systems) are configured, implemented, and monitored to protect external access points", which seems to leave room for doing stuff other than WAFs.


I don't think it is a great idea to mark WAF out of scope. Most of the compliance automation platforms force you to enable it.

Even if you mark it out of scope, this pops up in most of the RFPs. Customers are generally not very keen to see security implementations that are out of the box. It should be kind of industry standard.

Having said that, WAFs are falling out of fashion lately.


What is the alternative to something like CF WAF to stop DDOS?


DDoS prevention is outside my area of expertise, so I'm not sure. I should clarify that this blog isn't referring to that use-case :)



