Cloudflare’s AI Security for Apps detects and mitigates threats to AI-powered applications. Today we are announcing its general availability.
Alongside new features such as custom topic discovery, we are making AI endpoint discovery free for all Cloudflare customers, including those on Free, Pro, and Business plans, so everyone can see where AI is deployed across their internet-facing apps.
We are also announcing an expanded collaboration with IBM, which has selected Cloudflare to provide AI security to its cloud customers. We have also partnered with Wiz to provide mutual customers with a unified view of their AI security posture.
A new type of attack surface
Traditional web applications expose a fixed set of operations, such as checking a bank balance or transferring money, and you can write deterministic rules to protect those interactions.
AI-powered applications and agents are different. They accept natural language and generate unpredictable responses. Because both inputs and outputs are probabilistic, there is no fixed set of operations to allow or deny. Attackers can manipulate large language models into performing unauthorized actions or leaking sensitive data. Prompt injection, sensitive information disclosure, and unbounded consumption are just some of the risks cataloged in the OWASP Top 10 for LLM Applications.
These risks increase as AI applications become agents. When AI gains access to tool calls (processing refunds, changing accounts, offering discounts, accessing customer data, etc.), a single malicious prompt instantly becomes a security incident.
Our customers tell us what they are facing. “Most of the team at Newfold Digital has their own generative AI safeguards in place, but because everyone is innovating so quickly, there are inevitably going to be some gaps eventually,” said Rick Radinger, principal systems architect at Newfold Digital, which operates Bluehost, HostGator, and Domain.com.
AI Security for Apps features
We built AI Security for Apps to address this. Running on Cloudflare’s reverse proxy, it sits in front of your AI-powered applications, whether you’re using a third-party model or hosting your own. It helps you (1) discover AI-powered apps across your web properties, (2) detect malicious or policy-violating behavior on those endpoints, and (3) mitigate threats through the familiar WAF rule builder.
Discovery — now free and available to everyone
To protect your LLM-powered applications, you need to know where your applications are being used. We often hear from security teams that they don’t have a complete picture of AI deployment across their apps, especially as the LLM market evolves and developers swap models and providers.
AI Security for Apps automatically identifies LLM-powered endpoints across your web properties, regardless of where they are hosted or which model they use. Starting today, this feature is free to all Cloudflare customers, including those on Free, Pro, and Business plans.
Screenshot: the Web Assets page of the Cloudflare dashboard, showing two discovered endpoints labeled cf-llm.
Automatically discovering these endpoints takes more than matching common path patterns such as /chat/completions. Many AI-powered applications, such as product search, real estate valuation tools, and recommendation engines, have no chat interface at all. We therefore built a detection system that monitors how an endpoint behaves, not what it is called. Reliably identifying an AI-powered endpoint requires a sufficient volume of valid traffic to it.
Discovered AI-powered endpoints are displayed under Security → Web Assets and labeled cf-llm. For Free plan customers, endpoint discovery begins the first time you visit the discovery page. For customers on paid plans, discovery runs automatically and periodically in the background. As soon as an AI-powered endpoint is detected, it appears there.
AI Security for Apps takes an always-on approach to detection for traffic to AI-powered endpoints. Each prompt is run through multiple detection modules covering prompt injection, PII exposure, and sensitive or harmful topics. Whether or not a prompt is malicious, the results are attached to the request as metadata and can be used in custom WAF rules to enforce policy. We continually look for ways to leverage our global network, which sees traffic from 20% of the web, to identify new attack patterns across millions of sites before they reach yours.
New in GA: Custom topic discovery
The product has built-in detection for common threats such as prompt injection, PII extraction, and harmful topics. But every business has its own definition of what is off-limits. A financial services company may need to detect discussions about specific securities. A healthcare company may need to flag conversations that involve patient data. A retailer may want to know when customers ask about competing products.
The new Custom Topics feature lets you define these categories yourself. Once you specify a topic, each prompt is scored for relevance to it, and that score can be used for logging, blocking, or any other action. Our goal is to build extensible tools that are flexible enough to adapt to your use case.
Screenshot: relevance scores for a custom topic as presented in AI Security for Apps.
AI Security for Apps enforces guardrails before unsafe prompts reach your infrastructure. To detect accurately and protect in real time, it must first locate the prompt within the request payload. Prompts can appear anywhere in the request body, and each LLM provider has its own API structure. OpenAI and most providers place the prompt at $.messages[*].content for chat completions. Anthropic’s batch API nests prompts inside $.requests[*].params.messages[*].content. A custom property valuation tool might use $.property_description.
Out of the box, it supports the standard formats used by OpenAI, Anthropic, Google Gemini, Mistral, Cohere, xAI, DeepSeek, and more. If a request doesn’t match a known pattern, it falls back to a secure default and runs detection on the entire request body. This can lead to false positives when the payload contains sensitive fields that do not feed the AI model: a $.customer_name field sitting next to the actual prompt can unnecessarily trigger PII detection.
Soon, you’ll be able to define your own JSONPath expression to pinpoint where your prompt lives. This reduces false positives and makes detection more accurate. We’re also building learning capabilities that automatically adapt to the structure of your application over time.
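To make the prompt-location problem concrete, here is an added example (not Cloudflare’s code, and not how the product is implemented) that resolves the three JSONPath shapes named above against constructed request bodies, falls back to scanning every string in the body when no known shape matches, and then shows how a customer-defined path removes the customer_name false positive. The provider list is limited to the two paths the text spells out; the tiny JSONPath resolver only understands `$`, `.name` and `[*]`, which is all those paths need.

```python
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Prompt locations named on the page. Other providers supported out of the
# box are not listed because their paths are not given there; the dict is
# ordered so the most common shape is tried first.
KNOWN_PROMPT_PATHS: Dict[str, str] = {
    "openai-chat": "$.messages[*].content",
    "anthropic-batch": "$.requests[*].params.messages[*].content",
}

# The JSONPath subset needed for the paths above: "$", ".name" and "[*]".
_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[\*\]")


def _tokenize(path: str) -> List[str]:
    """Split "$.a[*].b" into ["a", "*", "b"]; reject anything outside the subset."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    rest, pos, tokens = path[1:], 0, []
    while pos < len(rest):
        m = _TOKEN.match(rest, pos)
        if m is None:
            raise ValueError(f"unsupported JSONPath syntax near {rest[pos:]!r}")
        tokens.append(m.group(1) if m.group(1) is not None else "*")
        pos = m.end()
    return tokens


def resolve(doc: Any, path: str) -> List[Any]:
    """Return every value the path selects, in document order (empty if none)."""
    def walk(node: Any, tokens: List[str]) -> List[Any]:
        if not tokens:
            return [node]
        head, tail = tokens[0], tokens[1:]
        if head == "*":
            return [v for item in node for v in walk(item, tail)] if isinstance(node, list) else []
        if isinstance(node, dict) and head in node:
            return walk(node[head], tail)
        return []
    return walk(doc, _tokenize(path))


def all_strings(node: Any) -> List[str]:
    """Every string leaf in the body: the whole-body secure default."""
    if isinstance(node, str):
        return [node]
    if isinstance(node, dict):
        return [s for v in node.values() for s in all_strings(v)]
    if isinstance(node, list):
        return [s for v in node for s in all_strings(v)]
    return []


def extract_prompts(body: str, custom_path: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (source, prompts): a customer-defined path wins, then known
    provider shapes, then the whole body as the secure default."""
    doc = json.loads(body)
    if custom_path:
        return "custom", [h for h in resolve(doc, custom_path) if isinstance(h, str)]
    for name, path in KNOWN_PROMPT_PATHS.items():
        hits = [h for h in resolve(doc, path) if isinstance(h, str)]
        if hits:
            return name, hits
    return "whole-body", all_strings(doc)


# Constructed sample request bodies (not captured traffic).
OPENAI_BODY = json.dumps({
    "model": "example-model",
    "messages": [
        {"role": "system", "content": "You are a banking assistant."},
        {"role": "user", "content": "What is my balance?"},
    ],
})
ANTHROPIC_BATCH_BODY = json.dumps({
    "requests": [
        {"custom_id": "req-1", "params": {
            "model": "example-model",
            "messages": [{"role": "user", "content": "Summarize this contract."}],
        }},
    ],
})
VALUATION_BODY = json.dumps({
    "customer_name": "Jane Doe",
    "property_description": "Three-bedroom house near the station.",
})

if __name__ == "__main__":
    print(extract_prompts(OPENAI_BODY))
    print(extract_prompts(ANTHROPIC_BATCH_BODY))
    # The whole-body fallback also returns "Jane Doe": a PII false positive.
    print(extract_prompts(VALUATION_BODY))
    # A customer-defined path keeps only the real prompt.
    print(extract_prompts(VALUATION_BODY, "$.property_description"))
```

The whole-body fallback is the safe choice because it never misses a prompt, but the valuation example shows its cost: the customer’s name is scanned alongside the property description and would trip PII detection. A customer-supplied `$.property_description` path narrows the scan to the field the model actually consumes.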
Once threats are identified and scored, you can block them, log them, or serve custom responses using the same WAF rules engine you already use for the rest of your application security. The strength of Cloudflare’s shared platform is that AI-specific signals can be combined with everything else we know about the request through the hundreds of fields available in the WAF. A prompt injection attempt on its own is suspicious. A prompt injection attempt from IPs rotating through a botnet that has been probing login pages with browser fingerprints tied to previous attacks is another story. Point solutions that see only the AI layer cannot make these connections.
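The following added example (not Cloudflare’s rules engine or its field names, which are hypothetical placeholders here) shows why the ordering of such rules matters when AI-layer detection metadata is joined with other request signals: the rule that combines a prompt-injection score with a low bot score or a botnet IP reputation must come before the rule that merely logs a lone prompt-injection detection, otherwise first-match evaluation never reaches the block. The sample requests are constructed.

```python
from typing import Any, Callable, Dict, List, Tuple

# A request as the rules engine sees it: AI detection metadata joined with
# other request fields. All field names here are hypothetical placeholders,
# not Cloudflare's actual WAF field names.
Request = Dict[str, Any]
Rule = Tuple[str, Callable[[Request], bool], str]  # (name, predicate, action)


def prompt_injection(r: Request) -> float:
    return r["ai"].get("prompt_injection_score", 0.0)


RULES: List[Rule] = [
    # Combined signals first: AI-layer detection plus what the WAF already knows.
    ("injection-from-botnet",
     lambda r: prompt_injection(r) >= 0.8
     and (r["request"]["bot_score"] < 30 or r["request"]["ip_reputation"] == "botnet"),
     "block"),
    # A lone prompt-injection detection is suspicious but only logged here.
    ("injection-log", lambda r: prompt_injection(r) >= 0.8, "log"),
    # PII inside a prompt is logged so the team can see which endpoints receive it.
    ("pii-in-prompt", lambda r: bool(r["ai"].get("pii_categories")), "log"),
    # A custom topic with a high relevance score is tagged for review.
    ("competitor-topic",
     lambda r: r["ai"].get("topics", {}).get("competitor-products", 0.0) >= 0.7,
     "log"),
]


def evaluate(req: Request) -> Tuple[str, str]:
    """First matching rule wins, as in an ordered ruleset; default is allow."""
    for name, predicate, action in RULES:
        if predicate(req):
            return name, action
    return "default", "allow"


# Constructed sample requests (not real traffic).
SAMPLES: Dict[str, Request] = {
    "botnet-injection": {
        "ai": {"prompt_injection_score": 0.92, "pii_categories": [], "topics": {}},
        "request": {"path": "/api/chat", "bot_score": 4, "ip_reputation": "botnet"},
    },
    "human-injection": {
        "ai": {"prompt_injection_score": 0.85, "pii_categories": [], "topics": {}},
        "request": {"path": "/api/chat", "bot_score": 95, "ip_reputation": "clean"},
    },
    "pii-prompt": {
        "ai": {"prompt_injection_score": 0.05, "pii_categories": ["email"], "topics": {}},
        "request": {"path": "/api/search", "bot_score": 90, "ip_reputation": "clean"},
    },
    "competitor-question": {
        "ai": {"prompt_injection_score": 0.02, "pii_categories": [],
               "topics": {"competitor-products": 0.81}},
        "request": {"path": "/api/assistant", "bot_score": 92, "ip_reputation": "clean"},
    },
    "benign": {
        "ai": {"prompt_injection_score": 0.01, "pii_categories": [], "topics": {}},
        "request": {"path": "/api/assistant", "bot_score": 97, "ip_reputation": "clean"},
    },
}


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample and return {sample: (matched rule, action)}."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rule, action) in evaluate_all().items():
        print(f"{name:22s} -> {action:5s} ({rule})")
```

Swapping the first two rules would turn the botnet case into a mere log entry, which is the practical reason to order combined-signal rules ahead of single-signal ones. The detection metadata is attached regardless of verdict, so the same scores can drive a log-only rollout before any blocking rule is enabled.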
This integrated security layer is exactly what Newfold Digital needs to discover, label, and secure its AI endpoints. Radinger said: “We look forward to using this on all of these projects to act as a failsafe.”
AI Security for Apps will also be available through Cloudflare’s growing partner ecosystem, including an integration with IBM Cloud. Through IBM Cloud Internet Services (CIS), end users can already purchase advanced application security and manage it directly from their IBM Cloud account.
We have also partnered with Wiz to bring AI Security for Apps to Wiz AI Security, giving mutual customers a unified view of their AI security posture, from model and agent discovery in the cloud to application-layer guardrails at the edge.
AI Security for Apps is now available to Cloudflare’s Enterprise customers. Contact your account team to get started, or see the product in action in the self-guided tour.
If you have a Free, Pro, or Business plan, you can use AI endpoint discovery today. Log in to your dashboard, go to Security → Web Assets, and review the identified endpoints. Stay tuned: we will soon make the full functionality of AI Security for Apps available to customers on all plans.
For configuration details, see the documentation.
