“Automated attacks” used to mean crude scripts hammering login pages or scraping product catalogs. Generative AI has pushed automation toward something more adaptive and more capable of navigating the same multi-step flows your real users follow. When programmed well, these nefarious AI agents automatically vary tactics when blocked and scale those experiments across targets with minimal cost.
At many companies, web defense strategies have been optimized for yesterday’s traffic patterns. Signature rules and simple rate limits can still catch a lot, but they often struggle when an attacker can mutate payloads, blend into “normal” request sequences, and pivot from web pages to APIs to identity tokens.
High-impact compromises caused by AI agents can begin as ordinary-looking authentication traffic at scale, especially when automation turns valid flows into an attack surface.
So, does this mean your web application firewall (WAF) is obsolete? Far from it. But it does mean you need to use it differently. A WAF can still be one of your highest-leverage controls in that environment, but only if you update the strategy around it. The goal is to run a WAF as an evolving enforcement layer for web and API behavior, integrated with how you ship software and how you detect abuse.
What a WAF Still Does Well and How Teams Miss the Gaps
At its simplest, a WAF filters and monitors HTTP traffic between clients and your application, blocking common application-layer attacks such as SQL injection and cross-site scripting. A good WAF delivers two additional benefits. It reduces noisy exploit traffic that can obscure real incidents, and it buys you time through virtual patching when an upstream library bug becomes actively exploited before you can deploy a code fix.
A classic mistake is teams assuming that their WAF is a complete application security program. A WAF cannot compensate for broken authorization or authentication logic, unsafe object references, or an API that returns sensitive data to anyone who asks politely.
It also cannot prevent the most common “start of breach” problem today, which involves users consenting to malicious OAuth apps, tokens being stolen, or sessions being replayed. Those are identity and workflow problems first, and HTTP filtering problems second.
A modern WAF strategy is less about catching every exploit string and more about enforcing what “valid” looks like for your app and APIs. This is why the industry has converged on broader “web application and API protection” approaches, often called WAAP. Here, WAF capability is combined with bot/automation controls, API-aware enforcement, and DDoS resilience as a single operating surface.
What Changes With Malicious AI Agents
The main change is scale and fidelity.
Automated abuse of valid functionality, such as credential stuffing, scraping, scalping, and inventory denial, has long been profitable. AI-assisted agents make it easier to run these patterns and harder to distinguish them from real users, because an agent can behave like a careful human, distribute attempts across accounts and endpoints, and learn from partial failures without obvious bot signatures.
A second change is that attackers increasingly automate the human workflow steps that convert identity into access. Token theft and OAuth-consent abuse remain reliable paths to compromise, and web-based agents introduce failure modes such as prompt injection, where malicious instructions embedded in content can steer an agent toward unsafe actions or data exposure while it is performing legitimate tasks.
Updating Your WAF Strategy
To thwart AI bot attacks with your WAF, start with an inventory of what resources are actually exposed. Even the most advanced WAF can only protect what you route through it, so the first operational task is to map hostnames, paths, methods, and authentication requirements, and then decide what must be blocked outright versus what must be enforced tightly.
Next, move from generic signatures to a positive security model wherever you can. For APIs, this often means enforcing JSON schema-like expectations and rejecting requests that do not match known shapes, because business logic abuse frequently starts with unexpected but syntactically valid inputs.
Then treat automation as a first-class threat, not an afterthought. OWASP’s automated threat categories make it clear that credential stuffing and scraping are core risks for most public-facing apps. Your WAF strategy should therefore include layered controls rather than only hard denies that create false positives during traffic spikes.
Upgrade token and identity-boundary hygiene. Ensure sensitive routes never accept unauthenticated requests, enforce consistent token presentation, and add endpoint-level policies that require re-authentication or step-up signals for high-risk actions. This matters more when attackers can steal tokens through consent phishing or session replay workflows and then use them at scale, as recent agent-enabled OAuth phishing research highlights.
If your organization is exposing AI-enabled endpoints, treat those as an application surface area that needs its own WAF strategy. At the WAF layer, enforce stricter boundaries around what the AI feature is allowed to call, to constrain inputs and attachments to known-safe types and sizes, and to segment AI endpoints so their blast radius is smaller if something does go wrong.
Finally, treat your WAF like any engineering system with feedback loops. That means turning WAF telemetry into action. Log enough fields to reconstruct intent, feed events into your detection stack, and schedule routine rule reviews tied to incidents and releases.
How to Know if Your Strategy Is Working
A mature WAF strategy shows improvements beyond raw blocks. You should see fewer successful credential-abuse events on authentication endpoints, fewer high-volume automation patterns on expensive routes, and faster time to mitigate emerging abuse (measured in hours or days) without raising false positives that punish legitimate users. You should also see clear ownership, with security defining risk requirements and engineering owning deployment and tuning.
In the age of malicious AI agents, your WAF strategy must assume the attacker can behave like a user, iterate like a tester, and scale like a botnet. Start enforcing valid behavior, protecting APIs as contracts, and building tight feedback loops between telemetry and policy. Your WAF should be a fast-moving layer that raises attacker costs while your application teams keep shipping.
