Cloudflare Takes AI Security for Apps to GA and Makes AI Endpoint Discovery Free

What Cloudflare Announced

Cloudflare announced on March 11, 2026 that AI Security for Apps is now generally available. The product is positioned as an application-security layer for AI-powered apps and agents, and the GA release comes with two notable changes: AI endpoint discovery is now free for every Cloudflare customer, including Free, Pro, and Business plans, and the platform is adding features such as custom topics detection for organization-specific policy enforcement.

In Cloudflare’s framing, AI applications create a different attack surface from conventional web apps because natural-language inputs and model outputs are probabilistic rather than deterministic. That makes classic allow-or-deny rules less sufficient on their own. The company explicitly calls out prompt injection, sensitive information disclosure, and unbounded usage as recurring risks, and argues those risks become more serious once AI agents are allowed to trigger tool calls that can change accounts, process refunds, or expose customer data.

How the Product Works

Cloudflare says AI Security for Apps sits in front of an AI-powered application as part of its reverse proxy stack. The service is meant to do three things: discover AI endpoints across a customer’s web properties, detect malicious or off-policy activity targeting those endpoints, and let customers mitigate threats using the same WAF rules engine they already use for broader application security.

According to the post, prompts are inspected through detection modules for prompt injection, PII exposure, and sensitive or toxic topics. The resulting signals are attached as metadata for policy enforcement. Cloudflare also says it supports the standard request structures used by providers such as OpenAI, Anthropic, Google Gemini, Mistral, Cohere, xAI, and DeepSeek. When it cannot confidently locate the prompt field, it falls back to scanning the entire request body under a default-secure posture. Cloudflare says future work includes custom JSONPath prompt extraction and a prompt-learning system to reduce false positives over time.

What Changed at GA

The biggest shift is accessibility. Endpoint discovery is now broadly available, which matters because many organizations still do not have a full inventory of where AI is actually deployed inside customer-facing applications. Cloudflare says its detection system looks at endpoint behavior instead of just URL patterns, which is important for AI features embedded in product search, recommendation systems, valuation tools, and other non-chat interfaces.

The GA launch also adds custom topics detection, allowing companies to define business-specific policy categories rather than relying only on generic threat classes. Cloudflare paired the announcement with an expanded IBM relationship and a Wiz integration so customers can connect application-layer AI protections with broader cloud AI posture management.

Why It Matters

This release is significant because it pushes AI application protection closer to mainstream web-security operations instead of treating it as a separate experimental layer. Free endpoint discovery lowers the barrier for customers to map exposure first, then move into detection and mitigation later. The practical question now is adoption depth: Cloudflare is making discovery broadly available today, but the full protection stack remains centered on Enterprise customers for now.

Source: Cloudflare blog