The WAF Comparison Project is a GitHub repository that contains testing datasets and tools to test WAF efficacy in the two most important categories:

• Security Coverage (True Positive Rate) - measures the WAF's ability to correctly identify and block malicious requests is crucial in today's threat landscape. It must preemptively block zero-day attacks as well as effectively tackle known attack techniques utilized by hackers

• Precision (False Positive Rate) – measures the WAF's ability to correctly allow legitimate requests. Any hindrance to these valid requests could lead to significant business disruption and an increased workload for administrators.

This project aims to measure the efficacy of WAFs using a very comprehensive data set

• 973,964 legitimate HTTP requests from 185 real websites in 12 categories

• 73,924 malicious payloads from a broad spectrum of commonly experienced attack vectors

The project GitHub can be found here.

It is also explained at length in this blog.