F5 ADSP story example, from Heyhack Acquisition to ADSP Integration and WAF-Driven Remediation

In March 2024, F5 acquired Heyhack, integrating automated penetration testing into its platform as a new SaaS-based DAST solution.

Introduction

Modern application security requires continuous visibility, automated vulnerability discovery, and rapid mitigation across highly distributed environments. In March 2024, F5 enhanced its application security capabilities by acquiring Heyhack, an innovative provider of automated penetration testing technologies. This acquisition filled a gap in F5’s portfolio and led to the introduction of F5 Distributed Cloud Web Application Scanning, a SaaS-based Dynamic Application Security Testing (DAST) solution that is now tightly integrated into F5’s broader Application Delivery and Security Platform (ADSP).

Role within F5 ADSP (Application Delivery and Security Platform)

F5’s ADSP represents a strategic evolution, converging application delivery, security, and observability into a single unified control plane across BIG‑IP, Distributed Cloud and NGINX.

Within ADSP, Web Application Scanning plays a critical role and fulfills the following functions:

  • Risk identification layer - Detects vulnerabilities in applications and APIs
  • Data input for automation - Feeds findings into policy engines and remediation workflows
  • Bridge between security testing and runtime protection

With Web Application Scanning capabilities, ADSP closes the loop from finding risk to enforcing protection. This closed-loop model is a key differentiator: instead of separate tools for scanning and protection, ADSP enables end-to-end security lifecycle automation.

Integration with BIG‑IP Advanced WAF (AWAF)

A very good example of ADSP integration is with BIG‑IP AWAF, where Web Application Scanning acts as an external vulnerability scanner, feeding the policy engine with a list of vulnerabilities to be patched.

Vulnerability Import and Virtual Patching

Scan results can be exported (XML or API-based) and imported into BIG-IP AWAF:

  • Vulnerabilities are mapped to specific endpoints and parameters
  • AWAF suggests or applies targeted protections
  • Security policies can be updated based on real findings

This enables virtual patching, where vulnerabilities are mitigated immediately at the WAF layer, even before code fixes are deployed. It also allows organizations to transition from traditional WAF tuning toward data-driven policy generation, based on real application vulnerabilities.

Integration with Distributed Cloud WAF

In addition to BIG‑IP AWAF, Web Application Scanning integrates natively within the Distributed Cloud ecosystem, including Distributed Cloud WAF.

Here the integration is less about file import/export (compared to BIG‑IP AWAF) and more about platform-native workflows. Scan results are used to recommend WAF signatures, blocking rules and API security policies.

This represents a true DevSecOps feedback loop, embedded directly into application delivery pipelines. Through tight integration with BIG‑IP AWAF and Distributed Cloud WAF, organizations can leverage scan results to implement automated, precise, and scalable mitigation strategies, including virtual patching and AI-driven policy enforcement. 

Within the context of the F5 ADSP, this capability helps achieve a fully integrated security lifecycle—where risks are not only identified but also acted upon immediately, closing the gap between detection and protection in modern application environments.

What do you think: could this be the right step forward to improve the protection of modern distributed and dynamic applications and APIs in your organization as well?
