There is very little understanding of the application context and vulnerabilities specific to the application that hackers can exploit are left unprotected. As in life, applications in the real world are far from ideal, leading to a lot of false positives and false negatives, making the solution ineffective. WAF requires tuning of standard rules to meet application-specific needs, but unfortunately, this needs expertise and time, which are not easy to find. The approach to WAF is based on an automated scanner that can identify the risk posture of the site.
Source: https://thehackernews.com/2019/07/apptrana-web-application-security.html