added Exploit Prevention vs. In-App WAF section (#29996)

michaelcretzman · buraizu · web-flow · commit a14c1ed87bac · 2025-06-18T11:21:50.000-07:00
Co-authored-by: Bryce Eadie &lt;bryce.eadie@datadoghq.com&gt;
diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md
@@ -79,6 +79,25 @@ To start configuring your environment to detect and protect threats with AAP, fo
 
 In the [Security Signals Explorer][6], click on any security signal to see what happened and the suggested steps to mitigate the attack. In the same panel, view traces with their correlated attack flow and request information to gain further context.
 
+## Exploit Prevention vs. In-App WAF
+
+This section provides a summary of Exploit Prevention and how it differs from In-App Web Application Firewall (WAF) rules.
+
+Datadog AAP includes the [Exploit Prevention][14] and [In-App WAF][15] features to protect your applications against exploits. Exploit Prevention is an extension of In-App WAF. Exploit Prevention leverages In-App WAF as the first line of defense and then blocks attacks missed by the WAF.
+
+Exploit Prevention leverages Runtime Application Self-Protection (RASP) technology to determine if an application request interacts with a vulnerable code path, and then protects it from specific vulnerability types:
+
+- SQL injection (SQLi)
+- Server-Side Request Forgery (SSRF)
+- Local File Inclusion (LFI)
+- Command Injection
+
+For library compatibility, see [Exploit Prevention][13].
+
+In addition to detecting malicious patterns in the request, Exploit Prevention differs from In-App WAF by tracking the actions performed by the application (SQL query executed, files accessed, and so on). Exploit Prevention is able to determine if user input modified the SQL query or restricted a file detrimentally, and block it. 
+
+For example, in a SQL injection attack, the goal of the attacker is to take control of the SQL query and change its meaning. Exploit Prevention parses the SQL query before execution and checks for any user parameter in the query. If one is present, Exploit Prevention checks if the SQL parser interpreted the parameter as multiple SQL tokens (changing the meaning of the SQL query). In that case, Exploit Prevention flags the query as injected.
+
 ## Disable AAP
 
 For information on disabling AAP or its features, see the following:
@@ -100,3 +119,7 @@ For information on disabling AAP or its features, see the following:
 [10]: /security/application_security/troubleshooting/#disabling-aap
 [11]: /security/application_security/troubleshooting/#disabling-software-composition-analysis
 [12]: /security/application_security/troubleshooting/#disabling-code-security
+[13]: /security/application_security/exploit-prevention/#library-compatibility
+[14]: /security/application_security/exploit-prevention/
+[15]: /security/application_security/waf-integration/
+
diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/exploit-prevention.md
@@ -29,6 +29,8 @@ Combine telemetry from the Datadog tracer with predefined heuristics to detect a
 
 This is powered by Runtime Application Self Protection (RASP), which allows you to detect and prevent attacks in real time.
 
+For details on how Exploit Prevention differs from In-App WAF, see [Exploit Prevention vs. In-App WAF][12].
+
 ## How exploit prevention works
 
 1. With the Datadog AAP tracing library instrumented in your applications, details are captured about every interaction within the application, including requests, code execution, and data flows.
@@ -119,3 +121,4 @@ In addition, AAP also generates a signal correlating all the blocked traces and
 [9]: https://github.com/DataDog/dd-trace-js
 [10]: https://github.com/DataDog/dd-trace-php
 [11]: https://github.com/DataDog/dd-trace-rb
+[12]: /security/application_security/#exploit-prevention-vs-in-app-waf
diff --git a/content/en/security/application_security/waf-integration.md b/content/en/security/application_security/waf-integration.md
@@ -9,7 +9,9 @@ further_reading:
   text: "Monitor AWS WAF activity with Datadog"
 ---
 
-Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a defense-in-depth App and API Protection approach leveraging AWS Web Application Firewall (WAF) as the first line of defense, followed by App and API Protection to block attacks that slip by the WAF.
+Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a *defense-in-depth* App and API Protection approach that leverages AWS Web Application Firewall (WAF) as the first line of defense, followed by Exploit Prevention for blocking attacks that slip by the WAF.
+
+For details on how Exploit Prevention differs from In-App WAF, see [Exploit Prevention vs. In-App WAF][5].
 
 ### In-app monitoring: deep visibility with distributed tracing
 
@@ -61,4 +63,5 @@ There are two main use cases supported with this [integration][1]:
 [1]: https://app.datadoghq.com/security/appsec/protection?use-case=amazon_waf
 [2]: /integrations/amazon_waf/#log-collection
 [3]: https://app.datadoghq.com/security?query=@workflow.rule.type:%22Application%20Security%22&product=appsec
-[4]: https://app.datadoghq.com/security/appsec/traces
+[4]: https://app.datadoghq.com/security/appsec/traces
+[5]: /security/application_security/#exploit-prevention-vs-in-app-waf
