Which statement best captures the role of a WAF in relation to other security devices?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Explanation:
A WAF focuses on web application security by inspecting HTTP/S traffic for attacks targeting the application layer, such as SQL injection, XSS, and other web-specific exploits. It’s typically placed in front of a web server as a reverse proxy to block malicious requests before they reach the app. Because those protections are specialized for web apps, a WAF complements traditional network security devices like firewalls and IPS/IDS rather than replacing them. It’s not responsible for encrypting all traffic end-to-end (a WAF commonly terminates TLS and often re-encrypts traffic to the backend, which is not true end-to-end encryption), and it does not target DNS traffic, which is handled by DNS security controls. So the best description is that a WAF complements the network firewall, IPS, and other security products.

