Gartner defined Web Application and API Protection (WAAP) as the evolution of the web application firewall market (WAF), expanding WAF capabilities to four core features: WAF, DDoS protection, bot management and API protection. WAAP development started with cloud-delivered WAF services that were easier to deploy, and from the start bundled WAF with DDoS protection. Slowly, the WAF market evolved to offer more than basic capabilities for bot management and API protection. 2019 marked a tipping point with four vendors acquiring specialized bot mitigation providers. During 2020, Gartner observed improvements related to API security features availability, but also more stringent enterprises’ requirements related to the four core WAAP features.