It's been close to five years since we last looked at Incapsula, a security-focused CDN service known for its DDoS mitigation and web application security features.

As one would expect, during these five years the company has expanded and improved, introducing lots of new features and even several new products.

Most recently, Incapsula underwent an extensive network expansion that includes new PoPs in Asia including two new data centers in New Delhi and Mumbai.

This seems like an excellent opportunity to revisit the service and see how it has evolved.

Acquisition, Award and Growth

Before we jump into Incapsula's service upgrades, we want to mention the changes in the company itself briefly.

The most notable of those is Incapsula's 2014 acquisition by Imperva—an authority in web application security and a four-time Gartner Magic Quadrant leader for web application firewalls.

The acquisition boosted Incapsula's security capabilities, resulting in its own cloud-based WAF also being recognised by Gartner analysts. Similarly, Incapsula's DDoS mitigation solutions were awarded a leadership position in a Forrester Wave for DDoS Service Providers report.

Even more impressive is the company's growth.

When we reviewed Incapsula, its services had a few thousand users. It is now the platform of choice for numerous prominent organisations, including some of the largest bitcoin exchanges (BTC China, Bitstamp & Unocoin), online retailers (KickUSA) and popular SaaS companies (Moz).

Today, Incapsula services are being used by over 160,000 organisations worldwide.

Incapsula Service Review

Leveraging its newfound success and resources, Incapsula spent the last five years investing heavily in its technology, both to boost its legacy business and to venture into new directions, such as addressing its customers' non-security needs.

New DDoS Protection Options

Incapsula was always known for its DDoS mitigation. Playing to its strengths, many of its newest features expand its DDoS mitigation capabilities.

When we first reviewed Incapsula, they were already mitigating layer 3-4 and layer 7 DDoS attacks.

Today, Incapsula has evolved to protect against direct-to-DNS attacks. It now also offers a BGP-enabled DDoS mitigation service to complement its previous CDN-based offering. This BGP-based solution allows Incapsula to protect any type of online service (email servers, FTP, you name it) in addition to websites and web applications.

To address the increase in attack sizes and demand from new customers, Incapsula improved network protection by upgrading its scrubbing capacity to over 3.5 tbps.

One of its most interesting solutions is DDoS protection for individual IPs.

Usually, this kind of protection is only available to companies that have an entire Class C subnet. Incapsula, however, has found a smart way around that requirement, which makes it an excellent choice for small and medium businesses that don't own a subnet but still find themselves bombarded by DDoS assaults.
Incapsula recently mitigated a massive 650gbps DDoS flood

Using its array of new technologies, Incapsula has mitigated some of the largest and highest profile attacks in recent memory, including a record-setting 650gbps DDoS flood and a recent 54-hour assault against a prominent US college.

These are just a few prominent examples. To give you some idea of the entire scope of Incapsula activity, in the first quarter of 2017 the company mitigated an average of 266 network layer attacks and 1,099 application layer assaults every week. This adds up to just over 17,500 attacks in a quarter.

Performance and Reliability

In addition to its new anti-DDoS solutions, and the benefits that Imperva brought to its cloud-based WAF, Incapsula also expanded its offering to include several reliability and performance features.

In our opinion, the most interesting of these is a cloud-based load balancer that offers one centralised option for both in-data center and cross-data center load management.

The service is not TTL reliant, which enables near-instant rerouting. What's more, the traffic distribution techniques it uses are more accurate than most appliance counterparts. Specifically, it has the ability to distribute the load, based on the actual volume of process requests on each end server and the ability to perform failover in a matter of seconds.

These benefits and the fact that the service is offered in a subscription-based model makes it great value for money; especially for organisations that operate several data centers and need to purchase multiple services and appliances. On the performance front, Incapsula's CDN offering was boosted by a host of additional control and optimisation features. These offer granular control over caching policies based on resource type and file location, as well as the ability to purge cache in real-time, a standard issue for many CDN platforms.

Other new control features include an Incapsula application rule engine that governs application end delivery through custom policies. These offer a literally limitless amount of custom optimisation options that are most likely to benefit larger and more complex sites.

A Security First Application Delivery Platform

Five years ago we mostly viewed Incapsula as a CDN based WAF with some DDoS mitigation solutions. The service has since outgrown that description.

Incapsula's new availability and application delivery services, as well as many new security features, make Incapsula what it always claimed to be: a full-fledged application delivery platform that marries security, performance and availability in one cost-effective service package.

That said, Incapsula is still a security first enterprise-grade service, so it isn't a good alternative to free CDNs on the market.

However, for commercial organisations looking for more than an underlying CDN and check box security, we recommend checking out Incapsula. You can start by signing up for a free enterprise plan trial to see if it's a good fit.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.