The window between vulnerability discovery and active exploitation has been shrinking for years, and frontier AI models have accelerated that compression. To address that shift, F5 this week announced an expansion of its web application and API protection (WAAP) capabilities for its Application Delivery and Security Platform. The new features span three areas:
The AI-powered WAF is currently delivered through Distributed Cloud. F5 said engineering work is under way to bring the same capability to BIG-IP, Nginx Plus, and Nginx Open Source for customers running on-premises or in restricted network environments.
“If the attacker is a machine and can devise new attack sequences in seconds, then your response to that cannot be signature-based. It has to be based around the behaviors that you detect and analyze,” Joel Moses, vice president of strategic engineering at F5, told Network World.
The AI-powered WAF in F5 Distributed Cloud combines the company’s existing WAF with a neural network model for behavioral characterization.
Rather than comparing traffic against a library of known attack signatures, the system assigns a numerical risk score to every request based on multiple signals. That score gives security teams specific, actionable context rather than a binary block-or-allow decision.
The concept of not relying on signatures has been a mainstay of security best practices for well over a decade, with vendors often promoting the use of heuristics-based technology. Moses said the F5 approach differs from earlier heuristics-based detection in both scale and capability. Earlier heuristics operated with a much smaller sampling window. The neural network model processes traffic across larger sampling windows and follows more paths through distance anomaly detection, making it more effective against attack patterns that have no existing signature.
The model is custom-built within F5’s AI center of excellence, not a fine-tuned version of a commercial foundation model. “It’s our own property developed inside of our AI center of excellence, and it is custom tuned for the purpose that it’s delivering,” Moses said.
The model trains continuously on real-world telemetry. F5 said this allows the system to identify novel exploit patterns and stop CVE chaining at Layer 7 before formal signatures exist.
In testing by SecureIQLab, F5 WAAP and F5 AI Guardrails achieved a combined 97.09% total security score, including 100% accuracy against key risks listed in the OWASP WAF Top 10 and API Top 10, along with perfect scores for bot attack mitigation and Layer 7 DoS protection.
For customers already on the Distributed Cloud platform, enabling the AI-powered WAF produces measurable operational changes. Moses said customers who activate the feature typically reach blocking mode faster than those relying on hand-configured signature rules. He noted that F5’s false positive rate dropped from approximately 18% to approximately 1%.
The promise of the AI-powered WAF is dramatically more powerful virtual patching against emerging threats.
Virtual patching has long been part of WAF deployments, but the threat dynamics around it have shifted. Frontier AI models can find and exploit vulnerabilities faster than most organizations can move a fix through development and testing. The combination of BIG-IP Advanced WAF and F5 Distributed Cloud Web App Scanning applies a virtual patch at the application delivery layer from the moment a vulnerability is identified. The patch operates at runtime while a software fix works through development and testing cycles.
Moses positioned virtual patching as a tool for the remediation window, not a substitute for fixing the underlying code. “It’s a tool in your arsenal, and it can be a powerful one, depending on how quick or how slow, relatively, your organization operates its fixes,” Moses said.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer, and has been known to spend his spare time immersed in the study of the Klingon language and satellite pictures of Area 51. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults to industry and media organizations on technology issues.
Sean’s writing has appeared in VentureBeat, InternetNews, TechTarget, ITPro Today, Data Center Knowledge, and TechCrunch, among other outlets.
