DDoS Protection: Cloudflare, Shield Advanced, or Imperva?

AWS Shield Advanced costs $3,000/month before any traffic. Cloudflare's free tier stops most attacks. Here's when each option is actually justified.

By Andrii Votiakov on 2026-04-10

DDoS protection is a category where fear does a lot of the selling. Most companies buying Shield Advanced or Imperva at $3,000-20,000/month are doing so because of a single incident, a compliance checkbox, or a sales conversation — not because their threat model actually requires that tier of protection. I've reviewed DDoS spend across dozens of companies and the over-buying rate is high.

Quick answer

Cloudflare's free plan stops the vast majority of volumetric DDoS attacks. AWS Shield Standard (free, always-on) handles infrastructure-layer attacks on AWS resources. Shield Advanced makes sense only if you need the $3,000/month DRT (DDoS Response Team) retainer, cost protection, or real-time attack monitoring for regulated or high-SLA environments. Most SaaS companies spending $3k+/month on DDoS protection don't need to be.

What you're actually buying at each tier

Cloudflare Free and Pro

Cloudflare's free tier includes:

  • Unmetered DDoS mitigation (L3/L4 and most L7)
  • WAF (basic rules)
  • CDN and caching
  • Bot protection (basic)
  • SSL/TLS termination

This handles the overwhelming majority of DDoS attacks in the wild. The 2016 Dyn attack-style volumetric floods, UDP/ICMP amplification, SYN floods — all handled at the free tier.

Cloudflare Pro is $20/month per domain. It adds more WAF rules, image optimisation, and better bot analytics. For most consumer-facing applications, Pro is the right call.

Cloudflare Business is $200/month and adds custom WAF rules, PCI compliance, and a priority support SLA. For e-commerce handling card data, this tier often makes sense.

AWS Shield Standard

Free. Always-on. Automatically applied to all AWS resources. Protects against common infrastructure-layer attacks — SYN/UDP floods, reflection attacks. It's not nothing. Most AWS customers are already protected at this layer without knowing it.

Shield Standard doesn't protect against sophisticated application-layer attacks (L7), doesn't give you the DRT, and has no cost protection clause.

AWS Shield Advanced

$3,000/month per organisation (not per resource — one fee covers all protected resources in the account). Plus data transfer fees for protected resources under attack. The subscription is a 1-year commitment.

What you get for $3,000/month:

  • 24/7 DDoS Response Team (DRT) access — you can call AWS engineers during an active attack
  • Advanced attack diagnostics and visibility
  • Application-layer (L7) DDoS protection (requires WAF in front)
  • Cost protection: AWS credits back the extra data transfer and EC2 costs incurred during a DDoS event
  • Integration with CloudFront, Route 53, Global Accelerator, ALB, ELB, Elastic IP

The cost protection clause is actually the most financially interesting part. If you have a workload that could rack up $10,000+ in extra data transfer during a sustained attack, Shield Advanced's cost protection can pay for itself in a single incident.

Imperva / Fastly / Akamai

Enterprise-tier options starting at $5,000-20,000+/month: Imperva's CDN + DDoS bundle, Akamai Prolexic, and Fastly's security offering.

These are appropriate for: major financial institutions, gaming companies absorbing targeted volumetric attacks in the 1+ Tbps range, critical infrastructure under nation-state-level threat models.

For most companies, this tier is overkill by a wide margin.

The common over-buying patterns I see

Cloudflare paid tier "just to be safe"

A startup paying $200/month for Cloudflare Business when the free tier would handle their traffic perfectly. The only feature they're using from Business is the custom certificate — which is a $10 add-on on the free plan. That's $190/month in dead cost.

Shield Advanced on every account

A company with 8 AWS accounts that has Shield Advanced on all 8. Total: $24,000/month. In practice, 6 of those accounts are dev/staging environments with no customer traffic. Shield Advanced on non-production accounts is pure waste. One $3,000/month subscription on the production account is typically sufficient.

Shield Advanced without WAF configured

Shield Advanced's L7 protection requires AWS WAF to be active in front of your resources. I regularly find companies paying for Shield Advanced with no WAF rules configured. They have the invoice, not the protection. Shield Standard + WAF rules often provides comparable protection at a fraction of the cost.

Imperva on a landing page

A company paying $6,000/month for Imperva on a marketing site that gets 20,000 sessions/month and has never been attacked. Cloudflare Pro at $20/month would be more than adequate.

When Shield Advanced is genuinely justified

Three concrete situations:

  1. You're in financial services, gaming, or e-commerce with documented attack history. If you've absorbed a $15,000 unexpected AWS bill from a DDoS event, the $3,000/month cost protection clause is real insurance.

  2. You need the DRT. If your team doesn't have DDoS response expertise and your SLA requires < 15-minute response, having AWS DRT on call is worth the retainer. You're not just buying infrastructure — you're buying humans.

  3. Your compliance framework explicitly requires it. Some PCI DSS Level 1 assessors, SOC 2 Type II auditors with specific security requirements, and government contracts specify DDoS protection tiers. In that case, the cost is driven by the requirement, not the threat model.

Cloudflare vs AWS Shield: not an either/or

These tools protect different layers and are often complementary. The typical pattern I recommend:

  • Cloudflare free/Pro in front of everything for L3/L4/L7 volumetric protection, CDN, and WAF
  • AWS Shield Standard (free, always on) for the origin
  • Shield Advanced only if you need DRT access and cost protection for your specific production accounts

This costs $20-200/month per domain instead of $3,000/month per organisation, and provides comprehensive protection for all but the most targeted attacks.

For detailed guidance on the broader AWS networking cost picture, see /blog/aws-data-transfer-charges and /blog/aws-nat-gateway-cost — DDoS mitigation architecture choices affect data transfer costs too.

What to do if you're already on Shield Advanced

First, check whether it's actually configured correctly. Verify WAF is active, health checks are set up, and the protected resource list is current. Dead Shield Advanced subscriptions (paying but not protecting) are surprisingly common.

Second, review which accounts need it. Production only, in most cases. Remove it from dev, staging, and tooling accounts.

Third, model the cost protection clause against your biggest plausible attack. One year of Shield Advanced is $36,000; if the extra AWS data transfer from your worst realistic event would come in below that, the clause never pays for itself, at $36,000 it breaks even, and above that it makes financial sense.
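The first step above (is the subscription actually protecting anything?) is easy to automate. This is an added example, not code from the post or from AWS: it runs the two configuration checks over a constructed protection list shaped like `aws shield list-protections` output, with WAF associations modelled as a constructed resource-to-web-ACL mapping (what `aws wafv2 get-web-acl-for-resource` returns per resource), so no AWS call is made.

```python
"""Offline audit of a Shield Advanced protection list.

Checks the two gaps the text calls out: every protected resource should
have a Route 53 health check attached, and resources that Shield Advanced
can only defend at L7 through AWS WAF (CloudFront distributions and
Application Load Balancers) should have a web ACL associated.
"""

# Constructed sample in the shape of `aws shield list-protections`.
PROTECTIONS = [
    {"Id": "p-1", "Name": "prod-alb",
     "ResourceArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/app/prod/abc123",
     "HealthCheckIds": ["hc-1"]},
    {"Id": "p-2", "Name": "prod-cdn",
     "ResourceArn": "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST",
     "HealthCheckIds": []},
    {"Id": "p-3", "Name": "prod-eip",
     "ResourceArn": "arn:aws:ec2:eu-west-1:111111111111:eip-allocation/eipalloc-0abc",
     "HealthCheckIds": ["hc-3"]},
]

# Constructed sample: resource ARN -> associated web ACL name (None = none),
# as you would collect per resource from `aws wafv2 get-web-acl-for-resource`.
WEB_ACLS = {
    PROTECTIONS[0]["ResourceArn"]: "prod-waf",
    PROTECTIONS[1]["ResourceArn"]: None,
}


def service_of(arn: str) -> str:
    """Return the service field of an ARN (arn:partition:service:...)."""
    return arn.split(":")[2]


def needs_waf(arn: str) -> bool:
    """True for resources whose L7 coverage depends on an attached web ACL."""
    svc = service_of(arn)
    return svc == "cloudfront" or (svc == "elasticloadbalancing" and ":loadbalancer/app/" in arn)


def audit_protections(protections, web_acls):
    """Return (protection name, finding) pairs for every gap found."""
    findings = []
    for p in protections:
        arn = p["ResourceArn"]
        if not p.get("HealthCheckIds"):
            findings.append((p["Name"], "no health check attached"))
        if needs_waf(arn) and not web_acls.get(arn):
            findings.append((p["Name"], "L7-capable resource has no WAF web ACL"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_protections(PROTECTIONS, WEB_ACLS):
        print(f"{name}: {finding}")
```

A protected CloudFront distribution with no web ACL, as in the sample, is exactly the "invoice but no protection" case: Shield Advanced is billing for it, but the L7 layer it advertises is not in place.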

Realistic numbers

A recent client paying $9,000/month for DDoS protection (3 accounts with Shield Advanced, Imperva on 2 domains):

  • Kept Shield Advanced on production account only: -$6,000/month
  • Replaced Imperva on both domains with Cloudflare Business: -$11,800/month (was paying $6,100/month Imperva, now $400/month for 2 Cloudflare Business domains)
  • Verified WAF rules were properly configured on the remaining Shield Advanced setup

Running cost: $3,400/month vs $9,000/month before. Saving $5,600/month. Protection level for actual threat model: equivalent.


If your security tooling bill has grown and you want to check whether the spend matches your actual threat model, book a call. These reviews usually take under an hour.