Cloudflare has officially launched its AI Security for Apps service, making it generally available to customers. This new offering aims to detect and neutralize threats targeting applications built with artificial intelligence. The company is also rolling out enhanced capabilities, including the detection of custom topics, and is making AI endpoint discovery a free feature for every Cloudflare customer, spanning Free, Pro, and Business plans. This move provides universal visibility into where AI is being deployed across internet-facing applications.
The announcement also details an expanded partnership with IBM, which will leverage Cloudflare's security solutions for its cloud customers. Additionally, a collaboration with Wiz aims to offer mutual clients a consolidated view of their AI security posture.
A Shifting Attack Surface
Traditional web applications operate with predictable functions, allowing for rule-based security. AI-powered applications, however, process natural language inputs and generate unpredictable outputs, creating a dynamic and less defined attack surface. This inherent unpredictability opens doors for attackers to manipulate large language models (LLMs) for unauthorized actions or data exfiltration. Risks like prompt injection, sensitive data disclosure, and unbounded resource consumption are now prominent concerns, as highlighted in the OWASP Top 10 for LLM Applications.
The stakes rise significantly when AI applications gain agentic capabilities, enabling them to perform actions like processing refunds, modifying accounts, or accessing customer data. A single malicious prompt in such scenarios can immediately escalate into a critical security incident.
Rick Radinger, Principal Systems Architect at Newfold Digital, commented on the evolving landscape: "Most of Newfold Digital's teams are putting in their own Generative AI safeguards, but everybody is innovating so quickly that there are inevitably going to be some gaps eventually."
How AI Security for Apps Works
Cloudflare's AI Security for Apps is designed to sit in front of AI applications, acting as a reverse proxy. It operates in three key areas: discovering AI-powered applications, detecting malicious or policy-violating behavior, and mitigating threats through Cloudflare's existing WAF rule builder.
Discovery: Now Free for All
Before security measures can be implemented, organizations need to know where their AI applications reside. Cloudflare's solution automatically identifies LLM-powered endpoints across web properties, irrespective of hosting location or the specific model used. This feature is now available at no cost to all Cloudflare customers.
This automatic discovery goes beyond simple path pattern matching, analyzing endpoint behavior to identify AI applications like product search tools or valuation engines, not just chatbots. Discovered endpoints will be marked as 'cf-llm' within the Cloudflare dashboard's Web Assets section. For Free plan users, discovery is initiated upon first access to the Discovery page, while paid plan users benefit from automatic, recurring background discovery.
Detection Capabilities
The service provides continuous monitoring of traffic to AI endpoints. Each prompt undergoes analysis for prompt injection, Personally Identifiable Information (PII) exposure, and sensitive or toxic topics. The results are attached as metadata, usable within custom WAF rules for policy enforcement.
Cloudflare leverages its extensive global network, which handles traffic for approximately 20% of the web, to identify emerging attack patterns across millions of sites.
New in General Availability: Custom Topics Detection
Beyond built-in protections against common threats, AI Security for Apps now allows users to define their own categories of off-limits content. Financial services firms can flag discussions of specific securities, healthcare companies can identify patient data mentions, and retailers can monitor competitor product inquiries. Users specify the topic, and the system provides a relevance score for the prompt and output, enabling custom logging, blocking, or other actions.
New in General Availability: Custom Prompt Extraction
To ensure accurate detections and real-time protection, the system needs to precisely locate prompts within request payloads. While Cloudflare supports standard formats from major LLM providers like OpenAI, Anthropic, and Google Gemini, custom applications may structure prompts differently. The upcoming ability to define custom JSONPath expressions will allow users to specify exact prompt locations, reducing false positives and improving detection accuracy. A prompt learning capability is also in development to adapt to application structures automatically.
Mitigation Strategies
Once a threat is identified, users can leverage Cloudflare's WAF to block it, log it, or return custom responses. This integration allows AI-specific signals to be combined with existing security intelligence, such as IP reputation and browser fingerprinting, for a more comprehensive defense. Radinger noted, "This unified security layer is exactly what they need at Newfold Digital to discover, label, and protect AI endpoints."
Expanding Ecosystem and Partnerships
AI Security for Apps will also be accessible via Cloudflare's ecosystem partners. Integration with IBM Cloud Internet Services (CIS) will allow users to manage security solutions directly from their IBM Cloud accounts. The partnership with Wiz will provide a unified view of AI security posture across cloud discovery and edge application guardrails.
Getting Started
AI Security for Apps is available for Cloudflare Enterprise customers, who can contact their account team. AI endpoint discovery is currently free for all Free, Pro, and Business plan users. Users can access this feature by navigating to Security → Web Assets in their Cloudflare dashboard. Cloudflare plans to make all AI Security for Apps capabilities available to all customers in the future.
