
AI Security for Apps

AI Security for Apps (formerly Firewall for AI) offers a series of detections that can help protect apps and agents powered by large language models (LLMs) against abuse. This model-agnostic detection module helps you do the following:

  • PII detection — Prevent personally identifiable information (PII) from leaking, such as phone numbers, email addresses, social security numbers, and credit card numbers.
  • Unsafe and custom topic detection — For example, detect prompts potentially related to violent crimes, hate speech, or any unsafe topic you define.
  • Prompt injection detection — Detect prompts intentionally designed to subvert the intended behavior of your LLM as specified by the developer.

When enabled, the detection module runs on incoming traffic, searching for any LLM prompts attempting to exploit the model. Currently, the detection only handles requests with a JSON content type (application/json).

Cloudflare will populate AI detection fields based on the scan results. You can check these results in the Security Analytics dashboard by filtering on the cf-llm managed endpoint label and reviewing the detection results on your traffic. Additionally, you can use these fields in rule expressions (custom rules or rate limiting rules) to protect your application against LLM abuse and data leaks.

Availability

AI Security for Apps capabilities vary by Cloudflare plan:

| Capability | Free | Pro | Business | Enterprise |
| --- | --- | --- | --- | --- |
| LLM endpoint discovery — Automatically identify AI-powered endpoints across your web properties | Yes | Yes | Yes | Yes |
| AI Security Log Mode Ruleset — Pre-built ruleset that logs the full request body alongside detection results | No | No | No | Yes |
| AI detection fields — PII detection, prompt injection scoring, unsafe topic detection, custom topics | No | No | No | Yes |

To get access to the AI Security Log Mode Ruleset and enable AI detection fields, contact your account team.

AI Security for Apps is built into the Cloudflare Web Application Firewall (WAF) — the WAF must be enabled on your zone before detection fields can be populated and used in rule expressions.
