F5's AI-Powered WAF Stopped a ChatGPT-Generated Attack — Without a Single Signature

F5's AI-Powered WAF Stopped a ChatGPT-Generated Attack — Without a Single Signature

BackerLeader 42 220 362
calendar_todayschedule6 min read

The attack took about 30 seconds to set up. Open ChatGPT. Ask it to generate a SQL injection payload. Copy the output. Paste it into a login form.

The payload that came back wasn't a known attack signature. It was a SQL injection wrapped around JSON extraction — a combination specific enough that no static rule had seen it before. When Kunal Anand, Chief Product Officer at F5, dropped it into a test finance application during the closing keynote at F5 AppWorld 2026, it worked. JSON data containing sensitive information echoed back immediately. The application was compromised in under a minute using a payload generated on demand by a consumer AI tool.

Then Anand enabled F5's new AI-enhanced WAF layer, went back to the login form, and dropped the same payload in again.

Blocked. No new signatures. No new definitions. No prior knowledge of that specific attack pattern is required.

That demo was the clearest illustration of what F5 announced at AppWorld this week: a fundamentally different approach to web application security, built on a neural network trained from scratch on F5's own traffic data.


Why Static Signatures Are Structurally Obsolete

Web application firewalls have always worked on pattern matching. Signatures, regular expressions, and known attack strings — the WAF maintains a library of what bad traffic looks like and blocks anything that matches. It's a proven model with decades of operational history.

The problem is that the model assumes a relatively stable attack landscape. New attack patterns emerge, security researchers identify them, vendors push signature updates, and defenders catch up. The cycle has latency, but it works—as long as attackers operate from a finite library of known techniques.

AI changes that assumption. An attacker with access to a capable language model can generate novel payloads on demand, specifically designed to evade known signatures. The attack surface is no longer a finite library — it's the combinatorial space of everything a capable AI can produce. Static signatures, by definition, can't keep up with that.

Anand was direct about the implications at AppWorld: "These AI agents and technologies are able to generate brand new payloads on the fly. They can learn, they can build something new, and they can counter those static rules and those static definitions, rendering them structurally obsolete."

If the attacker can learn in real time, the defense has to as well.


What F5 Built

F5 didn't patch their existing WAF. They built a new layer on top of it.

The foundation — signatures, pattern matching, attack indicators, risk intelligence — remains in place. F5 treated it as the base, not the ceiling. On top of that foundation, they trained a transformer model from scratch using their own traffic data. Not a model pulled from an open source repository. Not a general-purpose LLM fine-tuned for security. A purpose-built neural network trained on F5's proprietary dataset.

The technical constraint they solved for is important: the model runs on CPUs. No GPUs required. That means it can operate at the edge, in resource-constrained environments, without blowing up latency budgets. Bringing AI inference into the live traffic path is viable only if it doesn't introduce meaningful latency. F5's model is efficient enough to do that.

The result is a WAF that can evaluate traffic it has never seen before and make an accurate, real-time decision about whether it's malicious — without needing a signature for that specific attack.


The Numbers

F5 shared performance data from the production deployment of the AI-enhanced WAF in December. The results are concrete enough to matter:

Ten zero-day attacks were caught in December alone — without prior signatures or definitions. The model identified them as malicious based on behavioral patterns rather than known signatures.

False positive rate for new signatures dropped from 28% to 1%. That number deserves emphasis. A 28% false-positive rate for new signatures means more than a quarter of legitimate traffic is flagged as malicious when new attack patterns emerge. Getting that to 1% is the difference between a security control that creates operational chaos and one that actually works in production.

Out-of-the-box accuracy for new signatures went from 64% to 98%. Day-one accuracy without tuning or customization — which is what most organizations actually deploy into — improved from barely acceptable to near-production-ready.

These are not F5's internal benchmarks. Anand noted during the keynote that the numbers were independently verified by a third party.


Agentic Ransomware: The Threat Context

To explain why this matters, Anand shared a story from a recent conversation with a CISO.

The CISO described an agentic ransomware attack. The ransomware wasn't delivered by a human operator — it was propagated by an AI agent that handled every stage of the attack: target selection, social engineering, negotiation, and cryptocurrency collection. The victim communicated with what they believed was a human throughout. The pauses, the urgency, the negotiation cadence — all machine-generated. When the decryption key was provided and the ransom paid, the agent simply disappeared.

The security implication is precise: the adversary is no longer a human operating a tool. It's a system. That system doesn't get tired, doesn't make social-engineering mistakes, doesn't operate under human time constraints, and can run multiple simultaneous attack campaigns. A defense built on detecting human behavioral patterns has a structural blind spot.


The Roadmap: Toward Self-Improving Security

Anand described where F5 is taking this capability. The current version requires human approval before new AI-generated signatures go into production. The future state they're building toward is an agentic defense system that can operate continuously — analyzing traffic, generating candidate signatures, running them through controlled tests, and presenting validated signatures to humans for production deployment.

The human stays in the loop for the final decision. Everything before that step runs automatically. The result is a security system that continuously improves itself, compounding accuracy and efficiency over time, without requiring a human to perform the analytical work that currently creates latency between discovery and protection.

"There will be a time when AI will be good enough," Anand said. "We're not there yet. But we want to design for that world now."


The Token Economy and BIG-IP on BlueField

The closing keynote covered more than the WAF. Anand spent significant time on what he called the token economy — the economics that govern AI inference at scale.

He framed the metric shift clearly. For application and API teams, the unit of measure has always been requests per second. For AI workloads, the unit that matters is tokens per second. The five variables that govern performance in the token economy are throughput (tokens per second), perceived responsiveness (time to first token), cost (cost per token), total latency (end-to-end response time), and energy efficiency (tokens per watt).

That last variable, he argued, is the most important constraint at scale. Energy is the ultimate thermodynamic limit on AI infrastructure. Organizations that aren't optimizing for tokens per watt are burning margins as well as power.

F5's answer at the infrastructure layer is BIG-IP running on NVIDIA's BlueField DPU. The thesis: handle delivery and security before requests ever reach the GPU cluster, in a single pass, using the DPU's dedicated processing capacity.

The independent performance numbers from third-party testing:

40% increase in total throughput. For organizations running AI inference at scale, that's more tokens from the same hardware.

60% reduction in time to first token. This is the metric that governs perceived intelligence — how quickly the model starts responding. A 60% improvement is the difference between a model that feels responsive and one that feels slow.

30% improvement in end-to-end latency.

F5 announced that iRules, expanded token counting, and AI Guardrails are all coming to the DPU platform over the next year. The goal is to bring the same delivery and security controls available at the application layer directly into the AI factory infrastructure — so that as AI inference scales, the governance capabilities scale with it.


What This Means for Engineering Teams

For teams running web applications, the practical implication of an AI-enhanced WAF is that the signature maintenance burden is reduced. Not eliminated — the static signature layer still runs — but the manual tuning work required to keep false positives manageable is significantly reduced when the AI layer is doing behavioral analysis in parallel.

For teams building AI inference infrastructure, the BIG-IP on BlueField numbers present a compelling case for rethinking where security and delivery processing occur. If you can get 40% more throughput from existing hardware by moving those workloads to a DPU, the math on when to add more GPU capacity changes.

The broader argument Anand made at the close of AppWorld is worth taking seriously. The path from a user prompt to a token — ingress, workflows, inference — has control points at every stage. The organizations that understand those control points and apply appropriate security and delivery controls at each one will be better positioned as AI workloads grow. Those that don't will find the problem harder to address later, when traffic volumes are higher and the attack surface is wider.

The bottleneck, as Anand put it, is no longer source code. It's imagination. And the infrastructure that runs what imagination produces needs to be ready for it.

1 Comment

1 vote
🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.

More Posts

I’m a Senior Dev and I’ve Forgotten How to Think Without a Prompt

Karol Modelskiverified - Mar 19

AI Agents Don't Have Identities. That's Everyone's Problem.

Tom Smithverified - Mar 13

Defending Against AI Worms: Securing Multi-Agent Systems from Self-Replicating Prompts

alessandro_pignati - Apr 2

The Sovereign Vault — A Comprehensive Guide to Protocol-Driven AI

Ken W. Algerverified - Jun 4

How I Built a Secure Reverse Proxy with Nginx

MorphyBishop - Mar 11
chevron_left
14.9k Points624 Badges
181Posts
112Comments
71Connections
LLM Training & Evaluation Specialist with hands-on experience building major AI models. As one of th... Show more

Commenters (This Week)

1 comment
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!