WAF Migration Specialist: Imperva → Cloudflare (5-Site Portfolio, High Bot Traffic)

We operate a portfolio of five high-traffic real estate websites and need to evaluate and execute a migration from Imperva App Protect Professional to Cloudflare. We used Cloudflare Pro successfully for 10+ years before bot-driven performance issues pushed us to Imperva. Imperva's Core tier didn't resolve the issues; the upgrade to App Protect Professional stabilized our servers. We're now evaluating a return to Cloudflare for cost and operational reasons. This engagement is framed in two phases: Phase 1 — Evaluation (paid, fixed fee): Determine whether Cloudflare can credibly match our current Imperva protection for our specific traffic profile, and at what plan tier. If the honest answer is "no" or "only at Enterprise + Bot Management at $X," we want to know before we cancel Imperva, not after. Phase 2 — Migration (contingent on Phase 1): Execute the staged cutover, validate stability, and decommission Imperva. The core challenge is bots, not WAF basics. Anyone confident only on managed-ruleset / OWASP-style WAF work is not the right fit. We need someone who has defended public-facing data-heavy sites against persistent scraper and AI crawler traffic. Current State - WAF/CDN: Imperva App Protect Professional (20 Mbps / 20M req/mo), managed through a local MSP - 5 production sites in scope (details shared with shortlisted candidates under NDA) - Origin: Rackspace OSFC- Linux / Apache - Historical pressure: aggressive scrapers and AI crawlers; pre-Imperva we experienced server lockups Phase 1 Scope — Evaluation & Design (~1–2 weeks) 1. Audit current Imperva configuration across all 5 sites: custom rules (IncapRules), IP access control, rate limiting, bot access control, exceptions, cache rules 2. Pull and analyze 30 days of Imperva security event data — what is Imperva actually blocking, and what would Cloudflare need to replicate? 3. Baseline traffic profile per site: volume, bot/human split, top offending ASNs/UAs, geographic patterns 4. Recommend Cloudflare plan tier with explicit reasoning. We want a direct answer on whether Business is sufficient or whether Enterprise + Bot Management is required for our profile. Include pricing comparison vs current Imperva spend. 5. Audit origin exposure: are origin IPs leaked? What's the lockdown plan? How does it interact with server side modules/fail2ban(if applicable) 6. Go/no-go recommendation with risks documented Phase 1 Deliverable: Written report + 60-minute review call. If the recommendation is "stay on Imperva" or "Cloudflare can work but only at Enterprise tier — here's the cost," that is a valid and welcome outcome. Phase 2 Scope — Migration (contingent, ~3–4 weeks) 1. Build Cloudflare configuration to match the agreed design 2. Staged cutover: lowest-risk site first, then remaining four in sequence 3. Run Imperva and Cloudflare in parallel where feasible for direct comparison 4. Defined rollback criteria and procedure per site 5. Post-cutover stabilization window: monitor bot traffic, origin load, false positives; tune rules 6. Origin IP rotation and apache level lockdown to Cloudflare IP ranges 7. Clean Imperva offboarding only after stability is proven across all 5 sites 8. Documentation and knowledge transfer for our internal team Required Skills - Hands-on production migrations between enterprise WAFs (Imperva ↔ Cloudflare strongly preferred) - Deep Cloudflare expertise: WAF custom rules, Rate Limiting, Bot Management vs Super Bot Fight Mode tradeoffs, Rulesets engine, Transform Rules, cache configuration - Strong Imperva Cloud WAF admin: able to read and export an existing config, including IncapRules - Apache + Linux administration; real-client-IP handling behind a reverse proxy - Documented experience defending sites against scraper and AI crawler traffic at scale Nice to Have -Experience with real estate, classifieds, or other data-heavy public sites that are scraping targets -DNS migration experience with zero-downtime cutovers Engagement - Milestone-based fixed price preferred, broken out by phase - Phase 1 starts immediately upon selection - Phase 2 cutover targeted within 4–6 weeks of Phase 1 completion - Budget: open to proposals — please break out Phase 1 and Phase 2 separately To Apply In your proposal, please include: 1. A specific past project migrating between enterprise WAFs — with the bot mitigation outcome quantified (block rates, origin load reduction, etc.) 2. Your view on whether Cloudflare Business + Super Bot Fight Mode can match Imperva App Protect Professional for a real-estate-data property dealing with persistent scrapers, or whether Enterprise + Bot Management is required — and why 3. The single biggest risk you see in this migration and how you'd mitigate it 4. Your availability to start Phase 1 within the next 7 days Boilerplate / AI-generated proposals will be ignored. Shortlisted candidates will receive site details under NDA.

Project ID: 40470918