F5 Strengthens Its WAAP Protection Against AI-Accelerated Attacks

F5 has announced new protection capabilities for web applications and APIs aimed at addressing a growing concern among security teams: frontier artificial intelligence is shortening the time between discovering a vulnerability and actively exploiting it. The company is expanding its Application Delivery and Security platform with improvements in AI-powered WAF, API security for isolated environments, and virtual patches to shield applications before a definitive fix becomes available.

This announcement reflects a harsh reality for many organizations. Attackers no longer need to wait for a classic signature or a vulnerability with a widely documented CVE. Using advanced models, automation, and analysis tools, they can test exploitation chains, identify weak patterns, and adapt attacks more rapidly. For F5, this means moving from reactive security to a proactive defense capable of detecting risk signs before an attack is formally classified.

A WAF that gauges the risk of each request

The main innovation is in F5 Distributed Cloud WAF, which incorporates expanded AI analysis capabilities. Instead of relying solely on known signatures, the system combines attack indicators with a continuously trained neural network based on real telemetry. Each request receives a numerical risk score derived from multiple signals, empowering security teams to make more informed decisions beyond simple allow or block actions.

F5 argues that this approach helps identify new exploitation patterns and halt chained vulnerabilities at Layer 7 before signatures are available. Layer 7, the application layer, is precisely where many modern threats target APIs, forms, sessions, authentication, business logic, and exposed services.

The company links this evolution to the rising issues associated with AI. According to its State of Application Strategy Report 2026, 88% of organizations face operational or security challenges related to artificial intelligence. This underscores a growing sector realization: AI not only provides new defensive tools but also accelerates the speed and scale of attacks.

F5 also references recent tests by SecureIQLab, where F5 WAAP and F5 AI Guardrails achieved a total security score of 97.09%, with 100% accuracy against risks included in OWASP WAF Top 10 and API Top 10, as well as full scores in bot mitigation and Layer 7 DDoS protection. Like any vendor evaluation, these figures should be validated with in-house testing, but they demonstrate F5’s positioning in a market moving toward more automated and contextual defenses.

| Declared Capability | What It Provides | Who Might Be Interested |
| --- | --- | --- |
| AI-powered WAF | Dynamically scores the risk of each request | Organizations with critical web applications and high traffic volume |
| Continuously trained model | Learns from signatures, indicators, and real telemetry | SecOps teams seeking to reduce noise and false positives |
| Pre-exploitation detection | Identifies attack signals before formal signatures | Organizations exposed to fast-moving or pre-CVE attacks |
| API Security Local Edition | Discovers and protects APIs offline | Defense, banking, healthcare, government, and critical infrastructure sectors |
| Integration with BIG-IP Advanced WAF | Implements blocking and policies in on-premises environments | Companies already using F5 BIG-IP |
| Virtual patching | Protects the application at runtime while the full patch is prepared | Teams with long development and validation cycles |
| Local management | Dashboard and analysis within private infrastructure | Regulated or isolated environments |

Isolated APIs for regulated sectors

The second innovation is F5 API Security Local Edition—a solution designed for organizations that cannot rely on external cloud services to protect their APIs. This is common in sectors like defense, intelligence, public administration, financial services, healthcare, and critical infrastructure, where sovereignty, isolation, or compliance requirements prevent tools from “calling home” to analyze traffic or telemetry.

The product offers API discovery, visibility, governance, and protection entirely on-premises. It can identify endpoints, map schemas, detect risks, and assess threats without external connectivity. This capability becomes even more vital with AI adoption, as APIs are now the main channels where models, agents, and inference systems connect to data and applications.

APIs have become the backbone of the digital enterprise. They enable application integration, service exposure, partner connections, and process automation, and they power AI systems. However, their importance makes them attractive targets. APIs that are poorly documented, forgotten, or exposed with excessive permissions can become entry points to sensitive data.

F5 presents API Security Local Edition as a response to two intersecting trends: increasing criticality of APIs and higher demand for air-gapped or sovereignty-respecting solutions. In highly regulated environments, local visibility isn’t just a preference—it can be a technical, legal, or contractual requirement.

Integration with F5 BIG-IP Advanced WAF allows BIG-IP to be used as the enforcement point for policies and blocking. It also simplifies policy updates and the export of validated documentation, supporting a shift toward positive security models, where permitted behaviors are explicitly defined rather than relying solely on blocking malicious activity.

Virtual patching to buy time

The third element is reinforcement of virtual patching. While not new, its value increases in environments where exploitation can occur before an organization completes its internal patch cycles. Many companies must test patches, validate dependencies, pass quality controls, and coordinate deployments, a process that can take days or weeks. Attackers, in contrast, operate in hours.

F5 proposes combining BIG-IP Advanced WAF with F5 Distributed Cloud Web App Scanning to identify vulnerabilities and apply temporary protections at the delivery layer. The goal is to keep applications protected at runtime while development teams prepare, test, and deploy the final patch.

This approach doesn’t replace code fixes—virtual patches are a containment measure, not a definitive solution. But they can be decisive when a vulnerability is exposed, affects critical applications, or cannot be patched immediately without operational risks.

Practically, it aims to close the exposure window. Many security crises are not caused by ignorance of vulnerabilities but by delays in detection, prioritization, testing, and deployment. AI adds pressure to shrink this window.

Proactive application security advances

F5’s announcement illustrates a broader evolution in the WAAP market. For years, organizations have protected applications and APIs with WAFs, signatures, rules, blocklists, bot analysis, authentication controls, and scanning tools. While still necessary, these measures may now be insufficient as attacks are generated and adapted faster than traditional rule sets can respond.

Proactive defense aims to anticipate threats. Instead of waiting for an attack to be named, signed, or CVE-listed, it looks for abnormal behaviors, anomalous combinations, exploitation signals, logic abuse, and patterns resembling attacker activity. This is a significant but delicate shift: increased automation of detection requires prudent management of false positives, explainability, and tuning capabilities.

For security teams, F5’s promise is to reduce operational complexity—less manual tuning, less noise, and faster responses. For regulated companies, it means protections must also function in isolated environments where telemetry cannot always be sent to the cloud or rely on external services.

AI adoption is expanding the attack surface—more APIs, integrations, agents executing actions, and faster vulnerability discovery. As a result, applications and APIs are now central to security strategies. They are the layer connecting users, data, models, processes, and decisions.

F5 positions itself as a comprehensive solution: AI-powered WAF, local API security, and virtual patching. The real test will be its practical application. Organizations will need to verify if risk scores genuinely reduce noise, if local protections fit their on-premise architectures, and if virtual patches align with development workflows—all to improve responses against threats that no longer wait for security teams to catch up.

Frequently Asked Questions

What is WAAP?

WAAP stands for Web Application and API Protection. It’s a security category focused on defending web applications and APIs against attacks, bots, logic abuse, vulnerabilities, and threats at the application layer.

What does F5’s AI-powered WAF provide?

According to F5, its AI-driven WAF analyzes multiple signals, assigning a risk score to each request to detect new attack patterns even before specific signatures exist.

What is F5 API Security Local Edition?

It’s a solution for discovering, documenting, monitoring, and protecting APIs within on-premises or isolated environments, without relying on external cloud services. It’s tailored for regulated sectors and sensitive workloads.

What is virtual patching?

Virtual patching is a temporary protection applied at the application delivery or security layer to reduce exploitation risk while development, testing, and deployment of the final patch are underway.

via: f5
