by nokya 950 days ago
Writing all of this and concluding with a recommendation to use static analyzers feels like a joke. So we shouldn't use a tool that scans for known bad vectors but use a tool that...scans for known bad vectors instead?

Yeah, sure.

1 comment

Yeah, sure. The bad guys will attempt to circumvent the WAF, and, if it is just regexes, will do it after the Nth attempt. However, bad developers will not normally obfuscate their code multiple times to the degree required to evade the static analyzer.
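To make the "after the Nth attempt" point concrete, here is an added example (my code, not part of the thread and not any commenter's words). It builds a hypothetical first-draft WAF rule for `UNION SELECT`, runs three constructed attacker variants past it, adds an equally hypothetical normaliser in front of the same rule, and then shows the next variant that still slips through. The rule, the payloads and the normaliser are all assumptions for illustration, not any real WAF's ruleset.

```python
"""Added example: a regex-only WAF rule and the attempts that walk around it.

Everything here (rule, payloads, normaliser) is constructed for the demo;
the SQL is the kind MySQL/MariaDB would still execute after each rewrite.
"""
import re
from urllib.parse import unquote

# Hypothetical first-draft signature: "union", some whitespace, "select".
NAIVE_RULE = re.compile(r"union\s+select", re.IGNORECASE)


def naive_waf_blocks(payload: str) -> bool:
    """Apply the rule to the raw request string, as a regex-only WAF would."""
    return NAIVE_RULE.search(payload) is not None


# Constructed attacker variants. Each is still one UNION query to the
# database, but none contains the literal byte sequence the rule expects.
EVASIONS = {
    "inline comment":    "1 UNION/**/SELECT password FROM users",
    "url encoded":       "1%20UNION%20SELECT%20password%20FROM%20users",
    "versioned comment": "1 UNION /*!SELECT*/ password FROM users",
}


def normalise(payload: str) -> str:
    """Undo the three transformations above before matching (hypothetical)."""
    s = payload
    # Decode until the string stops changing, so %2520 -> %20 -> ' ' is handled.
    while True:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # MySQL executes the body of /*!...*/ (optionally version-prefixed);
    # an ordinary /*...*/ is dropped. Both become plain whitespace here.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.DOTALL)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    return re.sub(r"\s+", " ", s)


def hardened_waf_blocks(payload: str) -> bool:
    """Same rule, applied after normalisation."""
    return NAIVE_RULE.search(normalise(payload)) is not None


# The (N+1)th attempt: valid SQL, semantically the same attack, and the
# signature still does not match because of the optional ALL keyword.
NEXT_ATTEMPT = "1 UNION ALL SELECT password FROM users"


def evaluate() -> dict:
    """Return {variant: (blocked by naive rule, blocked by hardened rule)}."""
    return {
        name: (naive_waf_blocks(p), hardened_waf_blocks(p))
        for name, p in EVASIONS.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:18} naive={naive!s:5} hardened={hardened}")
    print("next attempt blocked by hardened rule:",
          hardened_waf_blocks(NEXT_ATTEMPT))
```

Run as-is and every constructed variant passes the naive rule and is caught by the normalised one, while `NEXT_ATTEMPT` passes both: the normaliser closes the encodings the author thought of, and the attacker simply reaches for a syntax the signature never described. That asymmetry is the whole argument for matching on parsed structure (or fixing the query at the source) rather than on byte patterns.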