Frequently Asked Questions

Here you can read the answers to some commonly asked questions.

Why aren't Web Application Firewalls good enough?

Web Application Firewalls (WAFs) do not work for API traffic. Requests that are sent over APIs often contain complex application-specific data which are hard to codify with rules - especially if you are using a legacy solution or ruleset. Furthermore, as the pace of development and continuous releases have become the industry standard, the cost of maintaining WAFs has sky-rocketed.

If you are aiming to protect complex web applications or APIsour solution is the best fit for you.

What is the detection accuracy?

Spherical has a false positive rate of as low as 0% in structured APIs, to as high as 0.5% in highly irregular API traffic (including requests with natural language components - like a chat app).

In the CSIC2010 WAF Benchmark, Spherical performs extremely favourably against off the shelf Web Application Firewall Solutions, including ModSecurity (core ruleset) - as seen below.


False Negatives

False Positives

ModSecurity CRS



Spherical Defence



How much does it cost?

For a limited time, Spherical costs $1 per hour for a smaller instance, and $2 per hour for a larger instance.

How can I get up and running?

If you are using Amazon Web Services, you can get up and running within 1 minute. If you also already have a data stream ready, you can get a trained security model within 4 hours. To do this, follow these instructions:


Do you support Azure or Google Cloud?

Unfortunately not at the moment, although these deployment options are under active development.

What are the limitations of the Spherical security system?

Spherical works best on APIs that have a regular internal structure. The less structure there is in a request, the less effective Spherical will be at detecting attacks in it. For example, the following request will be hard to learn from, because there is minimal internal structure:

    "encoded" : "TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcy="

Additionally, Spherical Defense is also less effective in the case of API traffic with highly imbalanced endpoints. If one endpoint is hit a million times less frequently than another, it will be less effectively protected.

An example of an API request that Spherical Defense will learn well from is as follows:

  "method": "POST",
  "url": "/api/payment",
  "body": {
    "expiry": "11/2020",
    "number": "3112893758824764",
    "cvv": "718"
  "headers": {
    "Content-Length": "311",
    "Accept-Language": "en-US,en;q=0.8",
    "Content-Type": "application/json,*/*;q=0.1",
    "Accept": "application/json",
    "Accept-Encoding": "deflate",
    "X-Forwarded-Port": "9490",
    "Cookies": [
        "vk": "O226kQr8-WC5P-gVll-bkRc-1aGv3bLW"

Last updated