Cloudflare’s new Web and API Vulnerability Scanner helps teams proactively find logic flaws. By using AI to build API call graphs, we identify vulnerabilities that standard defensive tools miss.

Cloudflare's platform is a leading provider of internet security and performance solutions, offering insights into web security, content delivery, and DNS management. Through documentation, blog posts, and webinars, Cloudflare provides insights into protecting websites and applications from cyber threats and improving performance. Developers and IT professionals can learn about CDN (Content Delivery Network), DDoS mitigation, and firewall configurations to secure and accelerate web traffic.

Cloudflare

Cloudflare is launching a beta Web and API Vulnerability Scanner focused on Broken Object Level Authorization (BOLA), the top OWASP API threat. Unlike traditional WAFs that catch syntax-based attacks, this stateful DAST tool targets logic flaws in APIs. It builds an API call graph from OpenAPI specs using AI (OpenAI's gpt-oss-120b via Workers AI) to infer data dependencies between endpoints, then walks the graph with attacker and owner credentials to detect unauthorized access. The backend is written in Rust, uses Temporal for scan orchestration, and HashiCorp Vault Transit for credential encryption. Available in open beta for API Shield customers, with plans to expand to OWASP Web Top 10 vulnerabilities like SQLi and XSS.

Active defense: introducing a stateful vulnerability scanner for APIs

Why purely defensive security misses the mark