Cloud architecture that holds up under pressure.
WAF++ is an open, community-driven framework for engineering leaders who design cloud architectures that need to be secure, cost-efficient, and free of vendor lock-in — built from real-world experience, not vendor marketing.
What engineering leaders face every day
Multi-cloud environments are the new normal. But most frameworks were designed for a single-provider world.
GDPR, NIS2, BSI C5, ISO 27001 — compliance requirements are multiplying and fragmented across cloud providers.
Proprietary services and tightly coupled architectures make switching providers prohibitively expensive.
Data residency, access by foreign authorities, and contractual dependencies create governance blind spots.
Without a structured cost optimization pillar, cloud bills scale faster than business value.
Migrating to a different provider is often framed as regaining sovereignty. In reality, without architectural visibility it just trades one dependency for another — adding complexity, not control.
You cannot govern what you cannot see. Incomplete dependency maps and opaque service meshes leave CTOs making decisions based on assumptions, not facts.
What is WAF++?
WAF++ extends the established Well-Architected Framework concept — open, vendor-neutral, and designed for the realities of modern cloud operations.
The Well Architected Framework++ (WAF++) is a community-driven, open-source framework that gives engineering leaders a structured, vendor-neutral baseline for cloud architecture decisions.
Where conventional frameworks focus on a single provider's best practices, WAF++ was designed from the ground up for multi-cloud reality — covering security, cost, reliability, operations, performance, sustainability, and digital sovereignty in one coherent model.
WAF++ is transparent, peer-reviewed, and evolves through the contributions of cloud professionals across DACH and beyond. It is not a product. It is not maintained by a vendor. It is owned by the community.
"Sovereignty begins with visibility. And visibility begins with the willingness to look honestly. An exit that many propose is not sovereignty — it means fleeing into more complexity."
WAF++ Community
Built collaboratively by cloud professionals. No vendor bias. No paywalls.
Works equally well on AWS, Azure, GCP, and on-prem. Framework decisions don't favour any platform.
Controls mapped to GDPR, NIS2, BSI C5, ISO 27001, SOC 2 — across every pillar.
Validate your Terraform and CDK against WAF++ controls automatically — in CI/CD, no cloud credentials required.
Shape the future of cloud architecture standards
We are conducting a survey among CTOs and engineering leaders to understand the real challenges behind multi-cloud architecture, digital sovereignty, and compliance in the DACH region.
Your answers directly inform the next iteration of WAF++ and help us build tooling that solves actual problems — not hypothetical ones.
Takes approx. 5–8 minutes • Anonymous • Results published in the WAF++ community
Validate IaC against WAF++ automatically
WAFPass is the open-source CLI that checks your Terraform and CDK against WAF++ controls — before anything reaches production.
No cloud credentials, no runtime state. Runs entirely on source code — safe for CI/CD.
PDF reports with findings mapped to GDPR, BSI C5, ISO 27001, SOC 2, NIS2.
Native GitHub Actions and GitLab CI integrations. Block merges on policy violations.
Detects hardcoded credentials in IaC. Full audit trail for waivers and risk acceptances.
Ready to explore WAF++?
Dive into the framework documentation, contribute to the community, or start validating your infrastructure today.
Questions? Reach us at page@waf2p.dev