There are two main evasion issues to be concerned with for any WAF:

1) Evasion of the engine/parsing itself. These are usually impedance mismatches between the WAF and the underlying app. There were some issues in the past with handling null bytes and multi-part filenames, identified by Stefan Esser: http://www.suspekt.org/downloads/RSS09-WebApplicationFirewallBypassesAndPHPExploits.pdf

There was a similar recent one found by my SpiderLabs colleague Andrew Wilson, where clients could specify random/invalid content-types and ModSecurity would not inspect the body, but the app would handle it normally. This was fixed in recent OWASP CRS updates.

2) Evasion of the rules. There are always issues with negative security rules. You can test out evasions here: http://www.modsecurity.org/demo/crs-demo.html

We had an SQL Injection Challenge last summer which included evasions for the ModSecurity OWASP CRS: http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Hope this info helps.
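As an added illustration of the engine-level impedance mismatches described in the answer above (this is not code from the answer, from ModSecurity or from the CRS), the toy Python model below contrasts a WAF that only parses bodies carrying a Content-Type it recognises, and that reads each value only up to the first NUL byte, against a backend that parses any body as a form and drops NUL bytes. The sample requests, the backend's parsing behaviour and the crude SQLi signature are constructed assumptions for the demonstration, not the behaviour of any particular product.

```python
from urllib.parse import parse_qs

# Constructed sample requests (not from the original post). Each malicious body
# carries a trivially recognisable SQLi marker so that the interesting part is
# the parsing mismatch, not the signature.
FORM_TYPE = "application/x-www-form-urlencoded"

REQ_BAD_CTYPE = {  # bogus content-type, body is still a form
    "headers": {"Content-Type": "application/x-www-form-urlencodedX"},
    "body": "user=admin&id=1 OR 1=1",
}
REQ_NUL = {  # NUL byte splitting the payload
    "headers": {"Content-Type": FORM_TYPE},
    "body": "user=admin&id=1%00 OR 1=1",
}
REQ_BENIGN = {
    "headers": {"Content-Type": FORM_TYPE},
    "body": "user=alice&id=42",
}


def looks_like_sqli(value):
    """Deliberately crude negative-security signature (the 'rules' side)."""
    v = value.lower()
    return " or " in v or "union select" in v


def _content_type(request):
    return request["headers"].get("Content-Type", "").split(";")[0].strip().lower()


def app_parse(request):
    """Toy backend, assumed for illustration: parses any body as a form no
    matter what Content-Type was sent, and silently drops NUL bytes."""
    params = parse_qs(request["body"], keep_blank_values=True)
    return {k: v[0].replace("\x00", "") for k, v in params.items()}


def waf_naive(request):
    """Toy WAF with two impedance mismatches: it skips bodies whose Content-Type
    it does not recognise, and it inspects each value only up to the first NUL
    byte (C-string semantics)."""
    if _content_type(request) != FORM_TYPE:
        return "pass"  # unknown type: body is never parsed, never inspected
    for values in parse_qs(request["body"], keep_blank_values=True).values():
        for v in values:
            if looks_like_sqli(v.split("\x00", 1)[0]):
                return "block"
    return "pass"


def waf_hardened(request):
    """Same signature, but (a) a body the WAF cannot parse is not forwarded,
    and (b) the WAF inspects exactly the view the backend will act on."""
    if _content_type(request) != FORM_TYPE:
        return "block"  # cannot inspect it -> do not forward it
    for v in app_parse(request).values():
        if looks_like_sqli(v):
            return "block"
    return "pass"


def compare(request):
    """Return (naive verdict, hardened verdict, value the app would execute on)."""
    return waf_naive(request), waf_hardened(request), app_parse(request)["id"]


if __name__ == "__main__":
    for name, req in (("bad content-type", REQ_BAD_CTYPE),
                      ("NUL byte", REQ_NUL),
                      ("benign", REQ_BENIGN)):
        naive, hardened, seen = compare(req)
        print(f"{name:16s} naive={naive:5s} hardened={hardened:5s} app sees id={seen!r}")
```

The point of the model is that the naive WAF's signature is perfectly adequate; it is defeated because the WAF and the application disagree about what the request contains. The hardened variant fixes the mismatch rather than the signature: it refuses to forward what it cannot parse and normalises values the same way the backend does before matching.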