WAF Weekly: Cloudflare rewrites the internet deal, UK unveils AI Cyber Shield, KDDI breach hits 12M
Cloudflare flips the AI crawler model with a Monetization Gateway, the UK NCSC reveals its AI-powered Cyber Shield blueprint, and KDDI confirms 12 million email addresses exposed in a zero-day breach.
Cloudflare rewires the economics of the web
Cloudflare made three moves this week that reshape how the internet interacts with AI. On July 1, it opened the waitlist for its Monetization Gateway, an edge enforcement engine that lets publishers charge AI agents for content using the x402 open protocol and stablecoin microtransactions. Starting September 15, new sites on Cloudflare will block AI training and agent use on ad-supported pages by default while allowing traditional search crawling. The company also launched the Cloudflare One Design Partner Designation, a channel initiative focused on SASE and AI security adoption with five initial partners. The free ride for AI crawlers is ending, and Cloudflare is building the infrastructure to enforce that change.
UK NCSC unveils AI-powered Cyber Shield
The UK National Cyber Security Centre published the blueprint for Cyber Shield, a national-scale agentic AI defense system. The plan envisions AI-powered red and blue agents that identify vulnerabilities, detect threats, and automate remediation at machine speed. The NCSC warns that AI already helps attackers discover vulnerabilities in minutes rather than weeks and expects fully autonomous attacks within the foreseeable future. Cyber Shield will start with government and critical national infrastructure before expanding to commercial deployments. Industry reception is mixed, with Computer Weekly reporting skepticism from cyber field professionals about whether the ambition matches technical reality.
This validates that autonomous cyber defense is not theoretical, it is government-funded and coming fast. The same automation trends apply to WAF technology: real-time threat detection, automated rule generation, and AI-driven analysis.
KDDI breach exposes 12 million email addresses
Japanese telecom giant KDDI confirmed that over 12 million people were affected by a June data breach. Attackers exploited a zero-day vulnerability in email infrastructure software used by five ISPs: STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE. They compromised 12.2 million email addresses and 7.6 million passwords. KDDI says it evicted the attackers immediately but the vendor has not yet released a patch for the zero-day. A WAF at the ISP level could have provided defense in depth even if the application-level zero-day bypassed other controls.
Chinese espionage group targets universities via Roundcube flaw
A suspected Chinese espionage group tracked as UNK_MassTraction has been exploiting a Roundcube cross-site scripting vulnerability (CVE-2024-42009) to breach university mail servers across the US and Canada. According to Sucuri parent Proofpoint, the attack requires no click or attachment. Simply opening a rigged email triggers credential theft via a script called IceCube. The group then chains a second flaw (CVE-2025-49113) to deploy a web shell and a Go-based backdoor called VShell. Proofpoint has directly observed fewer than ten affected universities but estimates the true figure is a few dozen.
Cross-site scripting is a well-understood attack class. A properly configured WAF with virtual patching could have blocked both the initial XSS and the subsequent web shell deployment.
Microsoft expects more Patch Tuesday updates from AI-discovered flaws
Microsoft announced that Windows users should expect an increase in security updates as the company relies more heavily on AI for vulnerability discovery. Its multi-model agentic scanning harness (MDASH) scans critical Windows binaries using multiple AI models and validates findings through a Windows-specific pipeline to eliminate false positives. Human engineers still review all proposed fixes before release, but the pace of discovery is accelerating. More CVEs mean greater operational burden for security teams. A WAF with virtual patching buys time between disclosure and full deployment of OS-level fixes.
Original source: BleepingComputer
WAFplanet take
The theme of this week is AI as both threat and solution. Cloudflare is building infrastructure to control AI traffic. The NCSC is building AI agents to defend national networks. Microsoft is using AI to find vulnerabilities faster than ever. And state-sponsored attackers are exploiting known vulnerabilities in webmail systems with surgical precision.
What connects these stories is the accelerating clock speed of cyber operations. AI compresses the time between vulnerability discovery and exploitation. Defenders need tools that operate at the same speed: automated detection, virtual patching, and real-time blocking. That is exactly where WAF technology is heading.