Financial Institution Opts for Managed Cloud WAF Over Cloud Provider Protection

In a nutshell: A financial institution replaces insufficient cloud provider protection with a managed cloud WAF to block web application attacks before they reach its own data center.

Quipu GmbH, an IT service provider for the ProCredit Group, experienced three web application attacks within a year that crippled banking services despite relying on the cloud provider’s built-in protection. The company subsequently decided to deploy a managed Web Application Firewall (Managed WAF) that blocks attacks in the cloud before they reach the internal data center.

The ProCredit Group operates several banks in Eastern Europe and Germany with headquarters in Frankfurt. For IT service provider Quipu GmbH, which is responsible for IT infrastructure, downtime is critical — especially during DDoS or web application attacks on online banking systems. Nevertheless, three attacks occurred: not massive volumetric attacks, but targeted attacks on web applications that were nonetheless sufficient to crash the services. The root cause was excessive reliance on rate-limiting and buffering functions from the cloud provider.

The immediate measures proved unsatisfactory: reducing rate limits or blocking access from certain countries stopped the attacks but significantly restricted functionality. The cloud provider could not offer a universal solution and insisted that protection would need to be configured manually per resource — with no guarantee of effectiveness. For a company whose core business is digital banking, this was not a sustainable long-term solution.

During the market analysis, Quipu ran into several obstacles. WAF vendors operate with completely different pricing models: some charge by traffic volume, others by number of URLs or domains, and still others offer flat-rate packages. Two specific requirements proved particularly challenging. First, the company operates services on custom ports other than 80 and 443, which many vendors do not support. Second, Quipu wanted a fully managed service, a so-called Managed WAF that the provider monitors, maintains, and adjusts around the clock, rather than operating it themselves.

The distinction between on-premises appliances and cloud-based managed solutions is critical: an on-premises WAF requires hardware acquisition, installation in the company’s own data center, and full operational responsibility. More importantly, the attack reaches the data center before the appliance can react, and neighboring systems can suffer collateral damage. A cloud-based Managed WAF, by contrast, blocks attacks in the cloud before they ever reach the data center. Quipu had previously found with an on-premises WAF that administrative expertise was lost when staff changed and the systems could no longer be properly maintained. For a financial institution, this is an unacceptable risk.


Source: www.it-daily.net · Published June 19, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.