Cloudflare makes AI Security for Apps generally available and opens endpoint discovery to all customers

Cloudflare said on March 11, 2026 that AI Security for Apps is now generally available, turning what had been an early-stage product into a broader security layer for AI-powered applications. The GA release adds custom topic detection and, just as importantly, makes AI endpoint discovery free for every Cloudflare customer, including Free, Pro, and Business plans. That gives security teams a much lower-cost way to see where AI is already exposed across public web properties before they try to write detailed controls.

Cloudflare’s argument is that AI applications create a different attack surface from traditional web apps. A fixed banking workflow can be secured with deterministic allow-or-deny rules, but an AI endpoint accepts natural language, produces probabilistic outputs, and increasingly has access to tools or internal data. In that setting, prompt injection, sensitive information disclosure, and unbounded tool use become application-security issues, not just model-quality problems.

The product sits in front of applications as part of Cloudflare’s reverse proxy and focuses on three jobs: discovering AI-powered endpoints, detecting malicious or off-policy behavior, and mitigating threats through the existing WAF rule builder. Cloudflare says discovery is behavior-based rather than simple path matching, which matters because many AI features live inside recommendation engines, search flows, or other endpoints that do not look like /chat/completions. For detection, the platform analyzes prompts for prompt injection, PII exposure, and sensitive or toxic topics, then attaches the results as metadata that can feed custom WAF rules.

The GA update expands that approach. Custom topics let teams define their own off-limits categories and receive relevance scores they can log, block, or route differently. Cloudflare also says it is building custom prompt extraction so customers can point the system to the exact JSON paths that contain prompts, which should reduce false positives in mixed request bodies. On the ecosystem side, the company announced an expanded IBM relationship and a new partnership with Wiz to connect application-layer controls with broader AI security posture views.

The significance here is less about one new dashboard and more about normalization. Cloudflare is trying to fold AI-specific security signals into the same edge and WAF stack enterprises already use for conventional apps. If that model works, AI endpoint protection becomes part of mainstream application security operations rather than a separate niche tool that teams bolt on after deployment.