Radware Aims to Close One of the Most Uncomfortable Web DDoS Gaps: Stopping Encrypted Attacks Without Decrypting Traffic

Radware has announced the availability of its cloud-based Web DDoS attack protection service for encrypted traffic, without the need to share TLS/SSL certificates or decrypt traffic for inspection. This is a notable development. Until now, a significant portion of Layer 7 defenses relied on decrypting traffic within the provider’s environment to analyze what was happening. This raised issues related to privacy, regulatory compliance, key management, and often caused noticeable discomfort for security and compliance teams.

The company presents this launch as a milestone within the industry and claims it is a cloud solution capable of blocking encrypted Layer 7 DDoS attacks without requiring certificates or traffic decryption. To be precise: this is Radware’s position, not an independently certified conclusion in the referenced announcement. Nevertheless, the move clearly points to a market trend: more and more companies want to protect exposed web applications without having to hand over sensitive pieces like certificates or keys to a third party.

The timing makes sense. Encrypted traffic has dominated the public web for years. Google reports that HTTPS browsing in Chrome increased from about 30-45% in 2015 to approximately 95-99% by 2020, with this adoption stabilizing at high levels. Additionally, Google notes that if only public sites are considered, Linux reaches nearly 97% HTTPS usage, Windows 98%, and Android and macOS exceed 99%. In other words: today, protecting web traffic almost always means protecting encrypted traffic.

This context has made inspecting HTTPS traffic particularly sensitive. Decrypting for inspection can work technically, but it adds legal and operational complexities. Not all organizations are willing to share certificates, nor can they do so comfortably due to regulatory requirements, internal policies, or prudence. Radware’s proposal aims to address this friction point: offering automated cloud defense against encrypted web DDoS attacks without forcing clients to relinquish control.

According to the company’s published information, the system relies on cross-behavioral analysis and machine learning models to establish a baseline of legitimate traffic, detect deviations, and generate mitigation rules dynamically. The promise is that the platform can react in real time to Layer 7 attacks without constant manual policy adjustments. In practice, this means attempting to distinguish genuine user requests from automated patterns designed to crash an application, saturate a website, or degrade service.
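An added illustration of the baseline, deviation and rule-generation loop described above; it is not Radware's algorithm or code. The two features (new TLS connections per window, encrypted bytes per connection), the median/MAD baseline, the threshold `k` and the rule format are assumptions chosen for this example, and the flow records are constructed.

```python
import math
from statistics import median

# Constructed flow metadata, visible without any TLS key:
# (window, src_ip, new_tls_connections, client_bytes)
BASELINE = [
    (0, "198.51.100.10", 4, 5200), (0, "198.51.100.11", 6, 9100),
    (0, "198.51.100.12", 5, 6400), (1, "198.51.100.10", 5, 7000),
    (1, "198.51.100.11", 7, 9900), (1, "198.51.100.12", 3, 4100),
    (2, "198.51.100.10", 6, 8000), (2, "198.51.100.11", 5, 6100),
]
CURRENT = [
    (3, "198.51.100.10", 6, 7700),    # ordinary client
    (3, "203.0.113.50", 240, 52800),  # many tiny, uniform requests
    (3, "203.0.113.60", 40, 54000),   # busy but normal-looking (e.g. shared NAT)
]

def robust_stats(values):
    """Median and scaled MAD, so a few outliers cannot skew the baseline."""
    values = list(values)
    med = median(values)
    mad = 1.4826 * median(abs(v - med) for v in values)
    return med, max(mad, 1e-9)

def learn(flows):
    """Baseline connections per window and encrypted bytes per connection."""
    return {
        "rate": robust_stats(c for _, _, c, _ in flows),
        "size": robust_stats(b / c for _, _, c, b in flows if c),
    }

def mitigation_rules(flows, model, k=6.0):
    """Emit one rule per source whose connection rate exceeds the learned limit."""
    (r_med, r_mad), (s_med, s_mad) = model["rate"], model["size"]
    limit = math.ceil(r_med + k * r_mad)
    rules = []
    for _, src, conns, nbytes in flows:
        if conns <= limit:
            continue
        size_z = (nbytes / conns - s_med) / s_mad
        # Rate alone is weak evidence; act only when request size is abnormal too.
        action = "rate_limit" if abs(size_z) > k else "monitor"
        rules.append({"src": src, "action": action, "max_conns": limit})
    return rules

if __name__ == "__main__":
    for rule in mitigation_rules(CURRENT, learn(BASELINE)):
        print(rule)
```

Requiring two independent signals before rate limiting is what keeps a busy shared egress address from being treated like a flood source.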

This issue is especially relevant because attack intensity is not decreasing. Radware’s 2026 global threat report states that network DDoS attacks grew by 168%, and application-layer attacks increased by 128% during 2025. As with any provider-issued report, these figures should be understood in context, but they illustrate a long-standing industry trend: malicious traffic is more persistent, automated, and increasingly comfortable moving within encrypted channels.

Another interesting aspect of the announcement is deployment flexibility. Radware does not position this capability as a one-size-fits-all solution but as one option among various deployment models. Protection can be deployed via its cloud platform, with optional SSL decryption, as well as on-premises with DefensePro, through Alteon Protect, or in native Kubernetes architectures with Kubernetes WAAP. This allows each organization to choose the level of cloud, on-premises, hybrid, or containerized application protection suited to their needs. For many companies, this flexibility is as valuable as the technology itself.

Beyond the headline, what’s truly intriguing is what this announcement indicates about the evolution of the cybersecurity market. For years, the dominant narrative was that decrypting traffic was the only way to see inside encrypted traffic. Now, providers are trying to open other avenues: better defense without such invasive measures. In a time when privacy, data sovereignty, and regulatory compliance weigh more heavily than ever, any technology that reduces the need to share cryptographic secrets immediately gains importance.

There’s also an operational perspective. For many organizations, the challenge isn’t just the threat but the administrative burden that security solutions entail. Sharing certificates, changing keys, compliance audits, and reviews add time, cost, and risk. If a platform can reduce this load without sacrificing responsiveness against sophisticated web DDoS attacks, its value extends beyond enhanced blocking — it also simplifies operations.

It remains to be seen how the market responds and how well this approach performs in real-world scenarios relative to its theoretical promise. Nonetheless, Radware’s message is clear: the future of web DDoS protection isn’t just about more mitigation power, but about finding solutions better integrated with encrypted environments, regulatory demands, and increasingly complex cloud operations. And in that context, reducing dependency on decryption could become a significant advantage.

Frequently Asked Questions

How can a Layer 7 DDoS attack over HTTPS traffic be stopped without decrypting at all?
By analyzing behavioral patterns, volume, frequency, anomalies, and signals within encrypted flows without opening the content. Radware claims its service uses behavior analysis and machine learning to detect deviations and generate mitigation rules in real time without requiring continuous decryption of traffic.

What’s the benefit of not sharing TLS/SSL certificates with a cloud DDoS protection provider?
The main advantage is reducing privacy concerns, regulatory compliance issues, and key management challenges. Sharing certificates or decrypting traffic in the cloud may cause reluctance in regulated sectors or organizations with strict policies on credential and secret custody.

How does a Layer 7 web DDoS attack differ from a traditional network DDoS?
A network DDoS typically aims to saturate infrastructure links or resources with high traffic volumes. Layer 7 web DDoS targets the application layer, mimicking legitimate HTTP/HTTPS requests to exhaust service resources, impact availability, or degrade user experience. Radware’s protection focuses specifically on web and Layer 7 threats.

Is this kind of protection useful for Kubernetes apps and hybrid environments?
Yes, at least according to Radware. The company states this protection can be deployed in the cloud, on-premises, hybrid setups, or in native Kubernetes environments via Kubernetes WAAP, fitting modern architectures where applications are distributed across multiple environments.
