Softcat Limited

CloudGen Web Application Firewall

Provide application security to websites and web apps in the cloud


  • OWASP Top 10 protection
  • Load Balancing
  • Mutual TLS
  • DDoS protection
  • Bot mitigation
  • Authentication offload
  • comprehensive logging
  • JSON and XML API Protection
  • Content Rewriting


  • Portection from web attacks
  • API Protection
  • enhanced cloud load balancing
  • advanced authentication schemes
  • comprehensive logging and reporting
  • granular security controls
  • vulnerabiliy management


£5141 per licence per year

Service documents


G-Cloud 11

Service ID

3 2 1 0 9 5 1 6 8 3 3 0 4 1 1


Softcat Limited

Charles Harrison


Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints Operates in Azure, AWS and GCP
Operates on Vmware, KVM and Hyper-V, Azure Stack
Hardware, Virtual and Public cloud models available.
System requirements Virtual Machine instances (KVM/OVA/Hyper-V) 1 core - 16 cores.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Availble upon request
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Basic Support (24x7 support),
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Campus documentation, sales engineer support
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction No customer data is stored in the device, but logs can be exported to CSV and Certificates downloaded
End-of-contract process Availble upon request

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface Yes
Description of service interface Web GUI
Accessibility standards None or don’t know
Description of accessibility Web GUI
Accessibility testing N/A
What users can and can't do using the API Availble upon request
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment No
Customisation available Yes
Description of customisation Via the GUI or API


Independence of resources Virtual machines are dedicated to a users cloud environment not shared.


Service usage metrics Yes
Metrics types CPU, Memory, Bandwidth, Web Attack Statistics
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra support
Organisation whose services are being resold Barracuda

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Not applicable
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach No customer data is stored.
Data export formats Other
Other data export formats N/A
Data import formats Other
Other data import formats N/A

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Private network or public sector network
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Not applicable
Approach to resilience Not applicable
Outage reporting Not applicable

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication Availble upon request
Access restrictions in management interfaces and support channels Availble upon request
Access restriction testing frequency Less than once a year
Management access authentication Other
Description of management access authentication Availble upon request

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security No
Security governance certified No
Security governance approach Not applicable
Information security policies and processes Not applicable

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Availble upon request
Vulnerability management type Undisclosed
Vulnerability management approach Availble upon request
Protective monitoring type Undisclosed
Protective monitoring approach Availble upon request
Incident management type Undisclosed
Incident management approach Availble upon request

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5141 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial 30 day unlimited free trial available
Link to free trial

Service documents

Return to top ↑