F5 Upgrades WAF With AI Risk Scoring and Post-Quantum Readiness
F5 rolls out AI-powered WAF risk scoring, automated AI vulnerability remediation, bot defense for agentic AI, and post-quantum cryptography readiness across its ADSP platform.
F5 used its AppWorld event to roll out a batch of security upgrades to the F5 Application Delivery and Security Platform (ADSP). The headliners: AI-powered WAF risk scoring, automated AI model vulnerability remediation, and post-quantum cryptography readiness. All integrated into a single platform that spans hardware, cloud, and SaaS deployments.
AI-powered WAF gets smarter
The biggest news for WAF users is the updated F5 Distributed Cloud WAF. It now uses AI-powered risk scoring to automate what used to be manual threat analysis. Instead of security teams wading through signature exceptions and tuning rules by hand, the system applies outcome-based blocking policies. F5 claims this keeps false positive rates low while dramatically cutting time to protection.
This is a meaningful shift. Traditional WAF management is tedious and error-prone. If F5 can genuinely automate the risk-scoring layer without flooding teams with false positives, it solves one of the biggest pain points in WAF operations.
AI Remediate closes the red-team-to-guardrails loop
F5 also introduced AI Remediate, a new tool that bridges the gap between finding AI model vulnerabilities (via F5 AI Red Team) and enforcing runtime protections (via F5 AI Guardrails). It automates the creation and validation of guardrail packages, so security teams can move from "we found a problem" to "it is blocked in production" without manual intervention. Human approval is still required before deployment.
Bot Defense now distinguishes AI agents from humans
F5 Distributed Cloud Bot Defense received upgrades to handle the rise of agentic AI. The platform now classifies traffic into three categories: humans, bots, and AI agents. Only verified, trusted AI agents get through. Everything else gets blocked. As AI agents become more common in commercial applications, this kind of granular traffic classification will matter more.
Post-quantum cryptography readiness
F5 is positioning itself early on post-quantum cryptography (PQC). The ADSP now supports hybrid TLS cipher groups, giving organizations a migration path to quantum-resistant encryption without breaking compatibility with current systems. BIG-IP Access Policy Manager has been rebranded to BIG-IP Zero Trust Access, adding per-request validation and identity-aware proxy capabilities on a PQC-ready platform.
WAFplanet take
F5 is doing what the big security vendors need to do right now: consolidating tools instead of adding more. AI-powered risk scoring for F5 Advanced WAF addresses a real operational burden. The post-quantum readiness is forward-thinking but practical, using hybrid approaches rather than forcing a hard cutover. The AI agent classification in bot defense is smart timing as agentic commerce starts to take shape.
The question is execution. F5 has announced a lot here. If the AI risk scoring truly reduces manual WAF tuning without degrading accuracy, that alone would be worth the update. But organizations running multi-vendor setups with Cloudflare or Akamai alongside F5 will want to see how these features play in mixed environments.
