Web application firewalls were designed in an era when attacks were noisy, signature-matched, and over in seconds. Modern intrusions are quiet, multi-step, and measured in months. The architecture hasn't caught up.
The public-facing application has become the modern attack surface. In 2025, API attacks rose 113% per organisation across all sectors. Mandiant's M-Trends 2026 reports espionage-motivated intrusions persisting undetected for a median of 122 days in targeted industries, with some running over a year.
The pattern is consistent across sectors. Whether the target is a carrier's subscriber database, an e-commerce platform's customer accounts, a fintech's transaction API or a SaaS provider's admin interface, the attacker playbook is the same: probe quietly, find what existing WAFs let through, hold the access, and use it.
This is not a vertical problem. It is an architectural problem.
The dominant WAF and ADC architecture evaluates each inbound request against a ruleset. If the request matches a known-bad pattern, it is blocked. If it doesn't, it is forwarded to the origin server and the platform moves on. The response from the application — the only place evidence of harm lives — is never inspected.
This design assumption — that a request which cleared the rules must have been safe — was tenable when attacks were obvious. It is no longer tenable. Modern adversaries craft requests specifically to clear standard rulesets. By the time anyone notices, the attacker has been inside for months.
Parrera is built on the opposite assumption: that any request you weren't certain about deserves to have its outcome verified.
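The contrast between the two assumptions above, as an added illustration that is not from the original page and is not Parrera's implementation. The request signatures, the response indicators, the per-route baseline and the sample origin are all constructed assumptions.

```python
import re

# Constructed request signatures standing in for a WAF ruleset (assumption).
REQUEST_RULES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script\b", r"\.\./")]
# Constructed response-side indicators of harm (assumption): leaked backend
# errors and more e-mail addresses than the route normally returns.
ERROR_LEAK = re.compile(r"SQLSTATE\[|ORA-\d{5}|Traceback \(most recent call last\)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAX_EMAILS_PER_ROUTE = {"/api/profile": 1}  # hypothetical per-route baseline


def request_only_verdict(path, query):
    """The flow the page describes: match the request, then forward and forget."""
    if any(r.search(path + "?" + query) for r in REQUEST_RULES):
        return "block"
    return "forward"


def verify_outcome(path, status, body):
    """Inspect what the origin returned for a request that cleared the rules."""
    findings = []
    if ERROR_LEAK.search(body):
        findings.append("backend error text in response")
    limit = MAX_EMAILS_PER_ROUTE.get(path)
    emails = set(EMAIL.findall(body))
    if limit is not None and len(emails) > limit:
        findings.append(f"{len(emails)} e-mail addresses returned, baseline {limit}")
    if status >= 500:
        findings.append(f"origin returned {status}")
    return findings


def handle(path, query, origin):
    """Request rules first; anything forwarded has its response checked."""
    if request_only_verdict(path, query) == "block":
        return "block", []
    status, body = origin(path, query)
    findings = verify_outcome(path, status, body)
    return ("flag" if findings else "pass"), findings


# Constructed origin: a profile endpoint that over-returns for one parameter.
def sample_origin(path, query):
    if "expand=all" in query:
        return 200, '[{"email":"a@example.com"},{"email":"b@example.com"},{"email":"c@example.com"}]'
    return 200, '{"email":"a@example.com"}'
```

A request that matches no signature is forwarded by `request_only_verdict` either way; only `handle` notices that the response to it carries three records where the route's baseline is one.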
The standard flow — step by step