I have a WAF in place. Is that an acceptable reason for ports to be open?

WAF stands for ‘Web Application Firewall’.

Much like load balancers, WAFs often have many ports open that can be picked up by KYND, but they are on the perimeter and not connected to your network.

WAF ports are unable to be closed and so a port served by a WAF ISP such as ‘Imperva’ or 'Incapsula' will appear in the report from KYND, but can be disregarded as a vulnerability.