Cloudflare AI Security for Apps provides a unified, always‑on protection layer for generative AI services. It discovers AI‑powered endpoints, analyzes each request for malicious prompts, and enforces policies via the existing Web Application Firewall. The solution is now generally available and free for discovery on all Cloudflare plans, bringing visibility and control to modern LLM deployments.
Threat Landscape for LLM Applications
Large language models (LLM) introduce new attack vectors that differ from traditional web services. Risks such as prompt injection, inadvertent PII exposure, and unbounded resource consumption are highlighted in the OWASP Top 10 for LLM Applications. Because LLM responses are probabilistic, static rule sets often miss nuanced threats, making dynamic detection essential.
Automatic Endpoint Discovery Mechanism
The platform continuously scans traffic to identify AI‑powered routes, even when they lack conventional path names like /chat/completions. By inspecting request behavior-such as payload size, response latency, and content patterns-the system tags discovered services with the cf‑llm label in the Security → Web Assets view. This discovery feature is free for all Cloudflare customers, and for deeper technical insight see the related Cloudflare SASE migration guide.
Detection Modules and Custom Topics
Incoming prompts pass through multiple detection modules: prompt injection identification, PII extraction, and toxic topic screening. Administrators can define custom topics-for example, financial symbols or protected health information-and receive a relevance score to trigger logs, blocks, or custom responses. This flexibility lets organizations tailor protection to industry‑specific compliance needs.
Integration with Cloudflare WAF
Detection outcomes are attached as metadata, enabling rule creation in the familiar WAF interface. Security teams can combine AI‑specific signals with traditional fields like IP reputation, user‑agent fingerprints, and rate‑limit counters. For an example of advanced rule usage, refer to the Cloudflare Active Defense scanner documentation, which illustrates how multi‑vector alerts can be orchestrated.
Supported LLM Provider Payload Formats
The detection engine parses common request schemas: OpenAI and Anthropic use $.messages[*].content, while Google Gemini and Mistral follow similar JSONPath patterns. When a payload deviates from known structures, the system defaults to scanning the entire body, which may increase false positives. Future updates will let users supply custom JSONPath expressions to pinpoint prompt locations, reducing noise and improving accuracy.
Partnerships and Enterprise Adoption
Cloudflare has expanded collaborations with IBM to extend AI security to its cloud customers and with Wiz to deliver a unified security posture view. These alliances reinforce the platforms ability to scale protections across diverse environments, from SaaS providers to large e‑commerce sites, ensuring that AI‑driven features remain trustworthy and compliant.