platformsh · Kemi-Elizabeth · Dec 16, 2025 · Dec 16, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/sites/platform/src/domains/cdn/managed-fastly.md b/sites/platform/src/domains/cdn/managed-fastly.md
@@ -45,10 +45,26 @@ You can also set up consumption alerts for your resource usage. Click the Alert
 
 {{< /note >}}
 
+## How Managed Fastly works
+
+{{% vendor/name %}}’s Managed Fastly CDN routes incoming traffic through the Fastly edge network before requests reach your application. This enables global caching, edge logic (VCL), performance optimisation, and optional security features.
+
+The Fastly CDN must be provisioned and managed by {{% vendor/name %}}. Features such as the {{% vendor/name %}} Web Application Firewall (WAF), edge rate limiting, and image optimisation depend on this managed integration and cannot be used with a customer-managed Fastly account.
+
+Once enabled, Fastly operates as the first point of contact for all HTTP requests, allowing requests to be cached, filtered, transformed, or blocked entirely at the edge.
+
+{{< note theme="info" title="Feature dependencies">}}
+
+- The {{% vendor/name %}} WAF requires the {{% vendor/name %}} Managed Fastly CDN.
+- Customers cannot attach the WAF to an existing third-party Fastly service.
+- Advanced Fastly features such as virtual patching and per-project logging require a configurable Fastly workspace.
+
+{{< /note >}}
+
 ### Domain control validation
 
 When you request for a new domain to be added to your Fastly service,
-{{% vendor/name %}} support provides you with a [`CNAME` record](/domains/steps/dns.md) for [domain control validation](/domains/troubleshoot.md#ownership-verification).
+{{% vendor/name %}} [support](/learn/overview/get-support.md) provides you with a [`CNAME` record](/domains/steps/dns.md) for [domain control validation](/domains/troubleshoot.md#ownership-verification).
 To add this `CNAME` record to your domain settings,
 see how to [configure your DNS provider](/domains/steps/_index.md#2-configure-your-dns-provider).
 
@@ -94,4 +110,43 @@ typically located at `/mnt/shared/fastly_tokens.txt`.
 {{% /note %}}
 
 ## Dynamic ACL and rate limiting
-For details about updating an access control list (ACL) and applying rate limiting, check out the [Working with {{% vendor/name %}} rate-limiting implementation](https://support.platform.sh/hc/en-us/articles/29528777071890-Upsun-Fastly-Rate-Limiting-How-it-works-how-to-tune-it) article in the Upsun Community.
+
+For details about updating an access control list (ACL) and applying rate limiting, check out the [Working with {{% vendor/name %}} rate-limiting implementation](https://support.platform.sh/hc/en-us/articles/29528777071890-Upsun-Fastly-Rate-Limiting-How-it-works-how-to-tune-it) article in the Upsun Community.
+
+## Edge-level rate limiting
+
+{{% vendor/name %}} provides edge-level rate limiting through Fastly, allowing you to control how many requests a single IP address or network can make within a given time window.
+
+Rate limiting is applied at the edge, before requests reach your application, helping to reduce load and mitigate abusive traffic patterns.
+
+### What Edge-level rate limiting can do
+
+- Protect sensitive endpoints such as `/login`, `/admin`, or checkout paths
+- Limit request floods from a single IP or IP range
+- Reduce application load during traffic spikes
+- Enable {{% vendor/company_name %}} Support to better handle attacks or high-traffic events by throttling traffic at the edge
+
+Edge-level rate limiting is:
+- Included with all {{% vendor/company_name %}} Fastly Next-Gen WAF tiers
+- Available as a standalone add-on (without the WAF)
+
+### Configuration and defaults
+
+There are no default rate-limiting rules applied automatically. Rate limiting is configured during onboarding, or by request via {{% vendor/name %}} [Support](/learn/overview/get-support.md).
+
+Rules can be scoped by:
+
+- Request path
+- Request type
+- IP address or network
+- Custom thresholds and actions (block, allow, log)
+
+### Limitations
+
+Edge-level rate limiting is a rule-based control mechanism, not an automated bot-detection system. It does not:
+
+- Identify bots automatically
+- Present CAPTCHA or JavaScript challenges
+- Provide AI-driven mitigation
+
+For advanced bot and scraper protection, {{% vendor/name %}} offers separate third-party integrations.
diff --git a/sites/platform/src/security/web-application-firewall/fastly-waf.md b/sites/platform/src/security/web-application-firewall/fastly-waf.md
@@ -6,16 +6,16 @@
     type: tiered-feature
 ---
 
-On top of the [{{% vendor/name %}} Web Application Firewall (WAF)](/security/web-application-firewall/waf.md) included in Upsun Fixed Enterprise and Elite plans,
-you can subscribe to the Fastly Next-Gen WAF to further protect your app from security threats.
+On top of the [{{% vendor/name %}} Web Application Firewall (WAF)](/security/web-application-firewall/waf.md) included in {{% vendor/name %}} Fixed Enterprise and Elite plans,
+you can subscribe to the Fastly Next-Gen Web Application Firewall (Next-Gen WAF) to further protect your app from security threats.
 
 ## Available offers
 
 If you want to subscribe to the Fastly Next-Gen WAF through {{% vendor/name %}},
 you can choose from two offers:
 
-- If you subscribe to the **Basic** offer, your WAF is fully managed by {{% vendor/name %}}
-- If you subscribe to the **Basic configurable** offer, your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided
+- If you subscribe to the **Basic** offer, your WAF is fully managed by {{% vendor/name %}}.
+- If you subscribe to the **Basic configurable** offer, your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided.
 
 To view a list of all the features included in each offer, see the following table.
 
@@ -40,3 +40,103 @@
 
 To subscribe to a Fastly Next-Gen WAF offer through {{% vendor/name %}},
 [contact Sales](https://upsun.com/contact-us/).
+
+## Next-Gen WAF Tier Comparison
+
+#### Basic 
+
+- Block-only mode
+- Default attack and anomaly signals enabled
+- No virtual patching
+- No default dashboards
+- No custom signals, response codes, or API/ATO signals
+
+This tier is best suited for baseline protection with minimal configuration requirements.
+
+#### Basic Configurable 
+
+- Block, not blocking, and off modes
+- Default attack and anomaly signals enabled
+- Virtual patching available in block mode
+- Default dashboards reviewed during quarterly business reviews
+- No custom signals, response codes, or API/ATO signals 
+
+This tier is best for customers needing custom rules, CVE protection, per-project visibility, or log integration.
+
+## How the Fastly Next-Gen WAF Works
+
+The Fastly Next-Gen WAF evaluates incoming requests using a combination of signals, conditions, actions, and thresholds.
+
+### Signals
+
+Signals classify and tag requests based on observed patterns, such as:
+
+- SQL injection attempts
+- Cross-site scripting payloads
+- Repeated 404 requests
+- Known attack signatures
+
+Signals are informational and are not inherently “good” or “bad”.
+
+### Conditions
+
+Conditions define where and when a rule applies. Examples include:
+
+- Specific URL paths
+- Request methods
+- Geographic origin
+- Presence of certain signals
+
+### Actions
+
+Actions define what happens when a rule matches (allow/log apply to the configurable offer):
+
+- Block the request
+- Allow the request
+- Log the request for analysis
+
+{{< note theme="info" >}}
+
+The Basic Next-Gen WAF offer operates in block-only mode.
+
+{{< /note >}}
+
+### Thresholds
+
+Thresholds define volume-based triggers. For example, block if more than `N` suspicious requests occur from the same IP within a defined time window to distinguish normal user behaviour from automated probing or attacks.
+
+### Virtual Patching
+
+Virtual patches are temporary WAF rules provided by Fastly to block known CVEs at the edge. They:
+
+- Protect against specific, identified vulnerabilities
+- Buy time while application dependencies are patched
+- Do not replace proper application updates
+
+{{< note theme="info" >}}
+
+Virtual patching is available only in the Basic Configurable Next-Gen WAF tier.
+
+{{< /note >}}
+
+## Scope and Limitations
+
+The Fastly Next-Gen WAF mitigates many common web-based attacks, including parts of the OWASP Top 10. However, it does not replace application-level security. The WAF does not automatically protect against:
+
+- Weak authentication or password policies
+- Insecure application design
+- Business-logic flaws
+- All bot or scraper traffic
+- All DDoS attack types
+
+Some attacks are mitigated at the CDN network layer, while others require identifiable patterns that can be enforced via WAF or rate-limiting rules.
+
+{{< note theme="info" title="No automatic challenges">}}
+
+{{% vendor/name %}}’s Fastly Next-Gen WAF does not provide automatic CAPTCHA or JavaScript challenges. Traffic is evaluated using rule-based signals, thresholds, and actions configured during onboarding or [via Support](/learn/overview/get-support.md).
+
+{{< /note >}}
+
+## Configuration and enablement
+
+Fastly Next-Gen WAF features are not self-service. Enablement and configuration occur during customer onboarding, or via a [Support request](/learn/overview/get-support.md) after purchase.