Tentatively named "Protecting Web Applications and APIs with F5 Distributed Cloud WAAP" this is a security course covering all major web application firewall, bot defense, DoS protection, and API discovery/protection components offered through the XC WAAP console with the exception of SOC‐ based DoS protection. The course explores the header and method elements of HTTP which must be recognized to configure protection from external client vectors. Students will exploit vulnerabilities in the target application in before‐and‐after learning scenarios. Major topics are web application firewall policies, attack signatures, threat campaigns, and differentiation between positive and negative security. We will address handling violations, false positives, and how to manage security events with exclusion rules. The course then takes a deep dive into controlling HTTP request flows at layer 7 with service policies. We will configure bot defense and threat mitigation using machine learning and artificial intelligence. Additional topics include discovery of public API endpoints and securing those endpoints. The course wraps up with API automation using Postman environments, collections, and variables. The official course material for this course is only available for the duration of the course.