A mid-market SaaS company serving 80 TB/month from three continents can see its Fastly CDN pricing land anywhere between $9,600 and $19,200 per month depending on traffic mix, security tier, and whether attack traffic gets metered. That spread matters. As of Q2 2026, Fastly still bills on a pure consumption model with region-weighted bandwidth rates, but the real cost picture only becomes clear once you layer in the security packages they restructured in late 2025. This article gives you the actual per-GB rates by region, the full security tier breakdown (Core vs. Core Plus vs. Total), a workload-profile decision matrix you will not find in Fastly's docs, and a head-to-head cost comparison against CloudFront, Cloudflare, and BlazingCDN at realistic traffic volumes.
Fastly continues to publish list rates on its pricing page, and as of May 2026 the per-GB numbers for on-demand delivery remain:
| Region | List Rate (per GB) | Effective per TB |
|---|---|---|
| North America | $0.12 | $120 |
| Europe | $0.16 | $160 |
| Asia-Pacific | $0.19 | $190 |
| South America | $0.28 | $280 |
| Australia / New Zealand | $0.19 | $190 |
Volume discounts kick in once you commit to a contract. Fastly does not publish its committed-use tiers publicly, but negotiated enterprise agreements typically land in the $0.06–$0.08/GB range for North American traffic at 100+ TB/month commitments. The catch: those contracts are annual, and overages revert to list rate. If your traffic is spiky — think product launches, seasonal media events, or gaming patch days — the overage math can erode most of the discount.
Fastly restructured its security offering into three distinct tiers during 2025. This is where fastly cdn cost gets opaque fast, because the security line items are quoted separately from bandwidth and often bundled only at the enterprise negotiation stage.
Included with all delivery contracts at no extra line item. You get volumetric DDoS mitigation at the edge (Layer 3/4), TLS termination, and access to Fastly's real-time log streaming. This tier does not meter attack traffic against your bandwidth bill — a meaningful differentiator from providers that do. However, it provides zero application-layer protection. No WAF, no bot management, no rate limiting beyond what you hand-roll in VCL.
Adds Fastly's Next-Gen WAF (the Signal Sciences engine). As of 2026, fastly next-gen waf pricing is quoted per request volume rather than per bandwidth, typically starting around $3,000/month for up to 10M requests/month on a 12-month term. You get OWASP Top 10 coverage, virtual patching, and the SmartParse detection engine that avoids regex-based false-positive spirals. Rate limiting and IP reputation feeds are included. Bot management is not.
The full stack. Adds bot management (device fingerprinting, JavaScript challenge, behavioral analysis) on top of everything in Core Plus. Fastly bot management pricing is not published, but expect an incremental $2,000–$5,000/month depending on request volume and the complexity of your bot policy. This tier also includes advanced DDoS (Layer 7 mitigation with custom rules), API protection, and dedicated security support. For organizations running public APIs or high-value e-commerce, this is realistically the minimum viable security posture — which means your true fastly cdn pricing is bandwidth plus $5,000–$8,000/month in security before you negotiate.
Three cost vectors that do not appear on the Fastly pricing page but routinely show up on invoices:
The table below models a workload delivering 50 TB/month, 70% North America / 20% Europe / 10% APAC, on committed contracts where available.
| Provider | Estimated Monthly (50 TB) | Effective per TB | Security Included |
|---|---|---|---|
| Fastly (committed) | ~$4,000–$5,500 | $80–$110 | L3/4 DDoS only; WAF extra |
| Cloudflare Enterprise | ~$2,500–$4,000 | $50–$80 | WAF + bot mgmt bundled |
| AWS CloudFront | ~$4,250–$6,000 | $85–$120 | Shield Standard free; Shield Advanced $3K/mo extra |
| BlazingCDN | ~$175–$350 | $3.50–$7 | Delivery-focused; bring your own security stack |
BlazingCDN lands at roughly 1/15th the cost of Fastly or CloudFront at this volume. It achieves fault tolerance and uptime comparable to CloudFront — with clients like Sony running production workloads on it — while offering volume pricing that drops to $0.002/GB at the 2 PB tier. For teams whose security posture already lives outside the CDN (a dedicated WAF appliance, Cloudflare in front, or a WAAP vendor), decoupling delivery from security and running BlazingCDN's volume-based delivery is the highest-leverage cost optimization available in 2026.
This is the section the Fastly docs and every competing article skip. The right plan depends on your workload shape, not your traffic volume alone.
| Workload Profile | Recommended Tier | Rationale |
|---|---|---|
| Static asset delivery (images, JS, CSS), low request rate, security handled upstream | Delivery + Security Core (or skip Fastly entirely for a pure-delivery CDN) | Paying for WAF/bot management on a cache-only workload is waste. Evaluate BlazingCDN or CloudFront with no Shield Advanced. |
| SaaS platform with auth'd API traffic, moderate bot pressure | Security Core Plus | WAF at the edge catches injection and credential stuffing before it hits your origin. Bot management is a luxury unless you see credential-stuffing at scale. |
| E-commerce with checkout flows, gift card endpoints, high-value scrapers | Security Total | Bots targeting inventory and pricing endpoints cost real revenue. The $5K–$8K/mo security spend pays for itself if you are losing even 0.1% of GMV to scrapers or inventory hoarding. |
| Live video / large-file download, 100+ TB/mo, latency-tolerant | Multi-CDN with Fastly as secondary | Fastly's per-GB rate makes it expensive as a primary at this volume. Use it for latency-sensitive first-mile delivery and offload bulk throughput to a cost-optimized provider. |
No — and this is one of Fastly's genuinely strong selling points. As of 2026, attack traffic absorbed by Fastly's L3/4 DDoS mitigation is not metered against your bandwidth bill. This applies across all tiers, including the base Security Core. Contrast this with AWS CloudFront, where Shield Standard absorbs common attacks but Shield Advanced (at $3,000/month) is required for cost protection against larger volumetric events. On Fastly, if a 200 Gbps flood hits your edge, you pay $0 for that traffic. Your bandwidth bill reflects only legitimate delivery.
The caveat: L7 DDoS (application-layer floods — slowloris, HTTP floods targeting your checkout endpoint) is only mitigated in Security Total. Security Core will happily pass those requests through to your origin, and you will pay for every byte of the response.
At list rates with traffic split 70/20/10 across North America, Europe, and APAC, expect roughly $1,300–$1,500/month for bandwidth alone. Add $3,000/month if you need the Next-Gen WAF (Core Plus). Negotiated contracts can bring bandwidth down 30–40%, but require annual commitment.
Every Fastly delivery contract includes Security Core: volumetric DDoS mitigation (L3/4), TLS management, and real-time log streaming. WAF, bot management, API protection, and L7 DDoS mitigation are add-ons available in the Core Plus and Total tiers at separate pricing.
Only Security Total includes bot management. It bundles device fingerprinting, JavaScript challenges, and behavioral analysis on top of the WAF included in Core Plus. Expect incremental pricing of $2,000–$5,000/month depending on request volume.
Cloudflare Enterprise bundles WAF, bot management, and DDoS into a single negotiated contract, typically $2,500–$5,000/month at similar traffic levels. Fastly charges for each component separately, which gives you more granularity but often results in a higher total when you need the full stack.
Per request. Tiers start around 10M requests/month at approximately $3,000/month (as of Q2 2026). This means high-request, low-bandwidth workloads like API gateways can see WAF costs exceed bandwidth costs — plan accordingly.
Pull your last 90 days of CDN logs. Break out bandwidth by region, requests by endpoint, and identify what percentage of your traffic is cacheable static assets versus dynamic API responses. Map each segment to the decision matrix above. If more than 60% of your spend is going toward pure delivery of cacheable content, you are likely overpaying by bundling security you do not use at the edge. Split the workload, benchmark two providers in parallel for 14 days, and measure origin offload, p99 TTFB, and total invoice side by side. That is how you turn a pricing page into an engineering decision.