A WAF (web application firewall) is a Layer 7 (application) defensive control, one of the protections a thorough DDoS test is built to exercise. It sits inline in front of the origin and inspects each HTTP request against a ruleset: signature matches, reputation lists, rate rules, and managed rule groups that target known application-layer flood patterns. Requests matching a block rule are dropped at the edge before they reach application compute.
Why it matters in DDoS testing
A WAF is only as effective as the rules actually enforced under attack. A test characterizes which managed rule groups fire against L7 floods, whether a rule sits in count-only mode (logging without dropping), and the false-positive rate that decides whether operators dare leave it blocking during an incident. A ruleset that looks complete in the console can pass attack traffic untouched if a recent change left a critical group disabled.
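The following is an added illustration, not code from the original page or from any WAF vendor: a toy rule evaluator with block, count-only and disabled groups, run over a constructed replay so that a test report can state which groups fired, how many flood requests leaked past count-only or disabled rules, and how many legitimate requests were false positives. Rule names, the per-source rate limit and the sample traffic are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable

@dataclass
class RuleGroup:
    name: str
    mode: str                                  # "block", "count" (log only) or "disabled"
    match: Callable[[dict], bool]              # predicate over one request

def rate_rule(limit: int) -> Callable[[dict], bool]:
    """Per-source rate rule: matches once a source exceeds `limit` requests in the sample window."""
    seen = Counter()
    def _match(req):
        seen[req["src"]] += 1
        return seen[req["src"]] > limit
    return _match

def sample_groups(rate_mode="count", flood_mode="disabled"):
    """Constructed ruleset (not a real vendor's). Defaults model the weak state the text warns about."""
    return [
        RuleGroup("rate-limit", rate_mode, rate_rule(limit=4)),
        RuleGroup("managed-l7-flood", flood_mode, lambda r: r["path"] == "/login"),
        RuleGroup("ua-reputation", "block", lambda r: r["ua"].startswith("python-requests")),
    ]

def evaluate(req, groups):
    """Return (blocked, fired): the first block-mode match drops the request and stops evaluation."""
    fired = []
    for g in groups:
        if g.mode != "disabled" and g.match(req):
            fired.append(g.name)
            if g.mode == "block":
                return True, fired
    return False, fired

def characterize(requests, groups):
    """What a test run reveals: which groups fired, attack requests that leaked, and false positives."""
    stats = {"fired": Counter(), "leaked": 0, "blocked": 0, "false_positives": 0}
    for req in requests:
        blocked, fired = evaluate(req, groups)
        stats["fired"].update(fired)
        if blocked:
            stats["blocked"] += 1
            stats["false_positives"] += not req["attack"]
        elif req["attack"]:
            stats["leaked"] += 1               # flood traffic reached origin compute
    return stats

# Constructed replay: 6 flood requests from one source, 3 browser requests, 1 legitimate scripted client.
# `attack` is ground truth known to the test harness, not something the WAF sees.
SAMPLE = ([{"src": "198.51.100.7", "ua": "Mozilla/5.0", "path": "/login", "attack": True}] * 6
          + [{"src": "203.0.113.5", "ua": "Mozilla/5.0", "path": "/", "attack": False}] * 3
          + [{"src": "203.0.113.9", "ua": "python-requests/2.31", "path": "/api", "attack": False}])

if __name__ == "__main__":
    print("as configured:", characterize(SAMPLE, sample_groups()))
    print("tightened:    ", characterize(SAMPLE, sample_groups("block", "block")))
```

With the defaults, all six flood requests leak because the rate rule only counts and the flood group is disabled, while the reputation rule still produces one false positive; switching both groups to block mode stops the leak without changing the false-positive count.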
For how WAF behavior fits a structured resilience exercise, see DDoS resilience testing.