# Frequently Asked Questions

## Why aren't Web Application Firewalls good enough?

Web Application Firewalls (WAFs) do not work for API traffic. Requests that are sent over APIs often contain complex application-specific data which are hard to codify with rules - especially if you are using a legacy solution or ruleset. Furthermore, as the pace of development and continuous releases have become the industry standard, the cost of maintaining WAFs has sky-rocketed.

If you are aiming to protect complex web applications or APIsour solution is the best fit for you.

## What is the detection accuracy?&#x20;

Spherical has a false positive rate of as low as **0%** in structured APIs, to as high as **0.5%** in highly irregular API traffic (including requests with natural language components - like a chat app).&#x20;

In the **CSIC2010** WAF Benchmark, Spherical performs extremely favourably against off the shelf Web Application Firewall Solutions, including ModSecurity (core ruleset) - as seen below.&#x20;

| Solution          | False Negatives | False Positives |
| ----------------- | --------------- | --------------- |
| ModSecurity CRS   | 23.93%          | 65.68%          |
| Spherical Defence | 3.15%           | 0.5%            |

## How much does it cost?

For a limited time, Spherical costs **$1 per hour** for a smaller instance, and **$2 per hour** for a larger instance.&#x20;

## How can I get up and running?

If you are using Amazon Web Services, you can get up and running within **1 minute.** If you also already have a data stream ready, you can get a trained security model within **4 hours**. To do this, follow these instructions:

{% content-ref url="guide/quickstart" %}
[quickstart](https://guide.sphericaldefence.com/guide/quickstart)
{% endcontent-ref %}

## Do you support Azure or Google Cloud?

Unfortunately not at the moment, although these deployment options are under active development.

## What are the limitations of the Spherical security system?

Spherical works best on APIs that have a **regular internal structure**. The less structure there is in a request, the less effective Spherical will be at detecting attacks in it. For example, the following request will be hard to learn from, because there is minimal internal structure:

```javascript
{
    "encoded" : "TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcy="
}
```

Additionally, Spherical Defense is also less effective in the case of API traffic with highly imbalanced endpoints. If one endpoint is hit a million times less frequently than another, it will be less effectively protected.

An example of an API request that Spherical Defense will learn well from is as follows:

```javascript
{
  "method": "POST",
  "url": "/api/payment",
  "body": {
    "expiry": "11/2020",
    "number": "3112893758824764",
    "cvv": "718"
  },
  "headers": {
    "Content-Length": "311",
    "Accept-Language": "en-US,en;q=0.8",
    "Content-Type": "application/json,*/*;q=0.1",
    "Accept": "application/json",
    "Accept-Encoding": "deflate",
    "X-Forwarded-Port": "9490",
    "Cookies": [
      {
        "vk": "O226kQr8-WC5P-gVll-bkRc-1aGv3bLW"
      }
    ]
  }
}
```