Stackpath has a pretty solid WAF at very affordable cost with no per domain cost (last time I set it up for a client at least, I am not affiliated to them so not sure that’s still the case.) Always surprised I rarely see them mentioned, Cloudflare for a similar feature set was vastly more expensive when we did a cost comparison.
What is the median price charged to your users for a single instance of 'a CNAME on their DNS to point to us'?
Own WAF with ModSecurity and DDoS Protection on Layer 7? Something like Cloudflare Magic Transit. But every bigger DDoS Protection Service habe some sort of Layer 7 Product for Enterprise.