Ozon Develops Its Own Web Application Firewall to Counter Cyber Threats
Ozon is developing its own web application firewall, or WAF, designed to protect web applications from cyberattacks, according to reports from Habr, ServerNews, CNews and ICT.Moscow citing an open job posting tied to the project.
A WAF protects websites and APIs from malicious traffic, including SQL injection attempts, cross-site scripting, vulnerability scanning, attacks targeting business logic, suspicious requests and bot activity. For a large marketplace, that translates into stronger protection for customer accounts, seller dashboards, payments infrastructure, APIs and high-traffic sales events.
The Shift Toward Proprietary Security Systems
Ozon is one of Russia’s largest digital platforms. In 2025, the company’s gross merchandise value, including services, increased 45% to 4.16 trillion rubles (approximately $53 billion), while revenue reached 998 billion rubles (approximately $12.7 billion). Changes to its cybersecurity architecture therefore affect millions of customers, merchants and financial transactions. The very fact that Ozon is developing its own WAF suggests that large companies are increasingly moving away from off-the-shelf cybersecurity products toward systems tailored to their own infrastructure and traffic patterns. That trend is especially important in e-commerce, where attacks frequently target user accounts, sensitive data and marketplace business logic.
Users stand to benefit from more stable platform performance, tighter bot restrictions, fewer outages during major sales campaigns and stronger protection for accounts and payments. Meanwhile, Russia’s domestic cybersecurity expertise continues to expand alongside the growth of the country’s WAF and DDoS protection markets. If a system built for a heavily loaded marketplace proves effective, it could eventually attract interest in other markets looking for independent cybersecurity solutions.
Built for Internal Use, With Future Expansion in Mind
The primary focus of Ozon’s WAF development is internal ecosystem protection, including APIs, marketplace infrastructure, seller accounts, logistics systems and fintech services. That approach could allow the company to adapt defenses more quickly to real operational scenarios without depending on update cycles from outside vendors.
The market for web application and API protection continues to grow. About 80% of companies report increasing demand for such systems, 56% already use WAF technology and 52% deploy anti-bot protection. E-commerce remains one of the most frequent attack targets. In 2025, the sector accounted for roughly one-fifth of all DDoS attacks. Together with fintech, media, IT and telecommunications, it represented up to 80% of recorded incidents.
In the short term, the project is likely to remain an internal OzonTech product. Over time, however, the company may attempt to scale some of its practices across the broader market or introduce B2B security components for partners. Building an enterprise-grade WAF remains a technically demanding and expensive undertaking. Developing such a system for large-scale infrastructure is estimated to cost between hundreds of millions and half a billion rubles, or roughly $1.3 million to $6.4 million, excluding ongoing maintenance and future development costs.
Russian Cybersecurity Platforms Grow More Sophisticated
In 2024, Yandex Cloud launched a Web Application Firewall as part of its Smart Web Security service. The platform protects web applications against DDoS attacks and bots at the Layer 7 level while allowing customers to connect additional WAF and Advanced Rate Limiter modules. The rollout demonstrated how major cloud providers in Russia are increasingly positioning WAF technology as part of broader application security ecosystems. By 2025, WAF systems had effectively become a market standard. More than half of companies had already deployed them, while others were planning implementation. That environment creates favorable conditions for Ozon and reflects broader demand growth for web application and API protection.
During the first half of 2025, the share of malicious requests associated with reconnaissance activity targeting web application vulnerabilities increased more than fivefold, rising from 6.8% to 38.65% of all malicious traffic. That trend is particularly important for retail platforms, where attacks often begin with infrastructure mapping rather than immediate intrusion attempts. During the same period, e-commerce became one of the primary targets for DDoS campaigns. Russia’s WAF and anti-DDoS market expanded to 11 billion rubles (approximately $140 million). Estimates from BI.ZONE suggesting that a single successful web attack could cause more than 50 million rubles in damage (approximately $640,000) position Ozon’s WAF investment as part of a broader movement toward more advanced and more complex Russian cybersecurity systems.
Infrastructure-Level Maturity
Ozon is building what amounts to an application-level cyber defense platform rather than a standalone security tool. That marks a new stage of infrastructure maturity for a large-scale marketplace operator. The protection layer must account for real marketplace workflows, including product pages, shopping carts, payment systems, seller dashboards, promotional campaigns, APIs, fraud prevention systems and large-scale bot activity.
Over the next several years, the company is expected to deepen integration between WAF technologies, anti-bot protection, behavioral analytics and API security systems. Even so, the platform will likely remain internal until Ozon accumulates enough operational experience and validates performance under sustained high-load conditions.
For the broader market, the project signals a transition away from isolated WAF products toward integrated web application security platforms. These systems are expected to see the strongest demand among marketplaces, banks and fintech providers, delivery services, online education platforms and media companies, where the resilience and security of online services have become operationally critical.
