Cloudflare launches AI-assisted API vulnerability scanner in open beta

Original: Active defense: introducing a stateful vulnerability scanner for APIs

AI | Mar 10, 2026 | By Insights AI (X) | 2 min read

In an X post on March 9, 2026, Cloudflare highlighted its new Web and API Vulnerability Scanner and linked to a detailed launch note. The company is positioning the product as an active-defense layer for API security, with the first release entering open beta for API Shield customers. Cloudflare says the rollout begins with Broken Object Level Authorization, or BOLA, one of the most damaging issues in the OWASP API Top 10.

Cloudflare’s argument is that many important API attacks do not look malicious at the protocol level. They are valid requests made by authenticated users, but they violate business logic. In Cloudflare’s example, an attacker changes another customer’s order by reusing a legitimate endpoint with an unauthorized resource ID. Because the syntax is correct, the company says a classic WAF signature is not enough; security tooling has to understand workflow and authorization state.

To handle that, Cloudflare says the scanner builds an API call graph from OpenAPI specifications and then walks that graph with both owner and attacker contexts. The launch note says Workers AI models and structured outputs are used to infer data dependencies, fill in missing schema details, and plan the order of calls needed to reproduce security-sensitive flows. That stateful approach is the main distinction from simpler DAST tools that treat each request independently.
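The owner-versus-attacker walk described above, reduced to a runnable sketch. This is an added example, not Cloudflare's code: the in-memory `OrderApi`, the `SPEC` fragment, the user names `alice` and `mallory`, and the naming heuristic that treats `POST /orders` as the producer of the `orderId` consumed by `/orders/{orderId}` are all constructed for the illustration (Cloudflare says it infers those dependencies with Workers AI). The scan creates a resource as the owner, replays every consuming operation as a second authenticated user, and reports any call that succeeds; the same check run against the hardened handler returns nothing.

```python
"""Stateful BOLA check: build a call graph from an OpenAPI fragment, then walk
it with an owner context and a second, non-owner context.  Constructed example;
everything below (API, spec, users) exists only for this illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class OrderApi:
    """Tiny in-memory stand-in for an HTTP order service."""
    enforce_ownership: bool            # False reproduces the BOLA flaw
    orders: dict = field(default_factory=dict)
    next_id: int = 1

    def handle(self, user, method, path, body=None):
        """Dispatch like a minimal server; returns (status, response_body)."""
        if (method, path) == ("POST", "/orders"):
            oid, self.next_id = self.next_id, self.next_id + 1
            self.orders[oid] = {**(body or {}), "id": oid, "owner": user}
            return 201, self.orders[oid]
        m = re.fullmatch(r"/orders/(\d+)", path)
        if m and method in ("GET", "PUT"):
            order = self.orders.get(int(m.group(1)))
            if order is None:
                return 404, {}
            # The fix: authorize on the object, not just on the session.
            if self.enforce_ownership and order["owner"] != user:
                return 403, {}
            if method == "PUT":
                order.update(body or {})
            return 200, order
        return 405, {}


# Constructed OpenAPI fragment: only the parts the planner needs.
SPEC = {
    "paths": {
        "/orders": {"post": {"responses": {"201": {"description": "created"}}}},
        "/orders/{orderId}": {
            "get": {"parameters": [{"name": "orderId", "in": "path"}]},
            "put": {"parameters": [{"name": "orderId", "in": "path"}]},
        },
    }
}


def build_call_graph(spec):
    """Return ({path_param: producer_op}, [(method, path, path_param)]).

    Heuristic (an assumption of this example): a POST on /x produces the id
    used by /x/{id}; every operation on /x/{id} consumes it."""
    producers, consumers = {}, []
    for path, ops in spec["paths"].items():
        m = re.fullmatch(r"(.+)/\{(\w+)\}", path)
        if not m:
            continue
        parent, param = m.groups()
        if "post" in spec["paths"].get(parent, {}):
            producers[param] = ("POST", parent)
        for method in ops:
            consumers.append((method.upper(), path, param))
    return producers, consumers


def scan_for_bola(api, spec, owner="alice", attacker="mallory"):
    """Walk each consumer edge: owner creates, non-owner replays.

    A 2xx/3xx for the non-owner is a finding (authorization not enforced)."""
    producers, consumers = build_call_graph(spec)
    findings = []
    for method, path, param in consumers:
        prod_method, prod_path = producers[param]
        status, created = api.handle(owner, prod_method, prod_path, {"item": "book"})
        if status != 201:
            raise RuntimeError(f"setup call failed: {prod_method} {prod_path} -> {status}")
        concrete = path.replace("{" + param + "}", str(created["id"]))
        status, _ = api.handle(attacker, method, concrete, {"item": "tampered"})
        if status < 400:
            findings.append(f"BOLA: {method} {path} returned {status} for non-owner")
    return findings


if __name__ == "__main__":
    print(scan_for_bola(OrderApi(enforce_ownership=False), SPEC))  # two findings
    print(scan_for_bola(OrderApi(enforce_ownership=True), SPEC))   # []
```

Because the scan is driven by the spec rather than by hand-written cases, adding a new `/orders/{orderId}/refund` operation to the spec would automatically get the same owner/non-owner replay, which is the property that makes this kind of check cheap to keep in a CI pipeline.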

Cloudflare also emphasizes operational integration. Findings surface in Security Insights, while API Discovery and Schema Learning help seed the scan plan. The backend uses Temporal for orchestration, Rust services for the control plane, and HashiCorp Vault Transit for credential encryption. Cloudflare says customers can trigger scans and retrieve results through the Cloudflare API, which makes the feature easier to plug into CI/CD pipelines and security dashboards.

The immediate significance is practical. If the implementation works as described, teams get a way to proactively test authorization logic without hand-building every attack path themselves. The broader signal is that API security tooling is shifting away from static signatures and toward AI-assisted reasoning about application behavior. Cloudflare says BOLA is only the first scan type and broader API and web coverage is planned.

© 2026 Insights. All rights reserved.