Cloudflare AI Security for Apps is Now Generally Available
Cloudflare makes AI Security for Apps generally available, adding LLM threat detection to its WAF. AI endpoint discovery is now free for all plans, giving teams visibility into shadow AI deployments.
Cloudflare has made its AI Security for Apps product generally available. The tool sits in front of AI-powered applications as part of Cloudflare's reverse proxy, detecting and mitigating threats specific to LLM-based endpoints. Alongside the GA launch, Cloudflare is making AI endpoint discovery free for all plans, including Free.
What It Does
AI Security for Apps addresses a gap that traditional WAF rules cannot cover well. Standard web applications have predictable operations you can write deterministic rules for. AI-powered apps accept natural language and produce unpredictable outputs. Prompt injection, PII exposure, and toxic content do not fit neatly into signature-based detection.
The product has three layers. Discovery identifies LLM-powered endpoints across your web properties automatically by analyzing endpoint behavior rather than just matching path patterns like /chat/completions. Detection runs every prompt through modules for prompt injection, PII exposure, and sensitive topics. Mitigation ties into Cloudflare's existing WAF rule builder so you can block, challenge, or log flagged requests.
Free Discovery for Everyone
The most notable move is making AI endpoint discovery free across all Cloudflare plans. Many security teams do not have a complete picture of where AI is deployed across their applications, especially as developers swap models and providers. Free plan users can trigger discovery from the Security dashboard. Paid plan users get automatic recurring discovery.
New Capabilities
The GA release adds detection for custom topics, letting teams define organization-specific sensitive categories beyond the defaults. Cloudflare is also announcing partnerships with IBM (delivering AI security to IBM Cloud customers) and Wiz (unified AI security posture views).
OWASP Alignment
The product maps to the OWASP Top 10 for LLM Applications, covering risks like prompt injection, sensitive information disclosure, and unbounded consumption. As AI applications gain agent capabilities with tool calls (processing refunds, modifying accounts, accessing customer data), a single malicious prompt becomes a security incident rather than just a nuisance.
WAFplanet Take
This is Cloudflare doing what Cloudflare does best: taking a complex problem and making it accessible at scale, including a free tier that gives everyone basic visibility. The free discovery tier is the smart play here. Once teams see their shadow AI deployments, the upsell to detection and mitigation writes itself. The real question is how well the detection holds up against adversarial prompt injection in production. AI security is an arms race, and detection models need to keep pace with attack techniques. But having this built into the WAF layer rather than as a separate product is the right architecture. If you are running AI-powered features behind Cloudflare, there is no reason not to turn on discovery today.
