[mikeweiss]

Uhh ... No. This is absolutely not true for industry leading WAFs like Akamai, Cloudflare, Imperva, or even AWS WAF which monitor for new and known critical vulnerables in the wild and will issue new rules for them in short order.

Just last year we had React2Shell (CVE-2025-55182) which allowed RCE for many apps using React Server Components. Within 24 hours the big WAF providers rolled out rules capable of blocking requests matching the exploit pattern.

Yes a patch was available and patching is always the primary solution for resolving critical vulnerabilities, but WAF can step in as a crucial temporary protection until patching can happen.