Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Security is traditionally a game of defense. You build walls, set up gates, and write rules to block traffic that looks suspicious. For years, Cloudflare has been a leader in this space: our Application Security platform is designed to catch attacks in flight, dropping malicious requests at the edge before they ever reach your origin. But for API security, defensive posturing isn’t enough. That’s why today, we are launching the beta of Cloudflare’s Web and API Vulnerability Scanner.

AI systems are no longer just isolated models responding to human prompts. In modern production environments, they are increasingly chained together – delegating tasks, calling tools, and coordinating decisions with limited or no human oversight. Almost all that communication happens through APIs. This shift offers enormous productivity benefits. But it has also complicated security. Because as soon as systems can talk to each other, they can be attacked through each other.

Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) account for hundreds of API vulnerabilities every quarter. According to the 2026 API ThreatStats report, authorization issues ranked ninth in the API Top 10, “reflecting chronic difficulty in managing roles and permissions at scale.”

For the past two years, the adoption of Generative AI has felt like a gold rush. Organizations raced to integrate Large Language Models and build autonomous agents to assist employees. They often bypassed standard governance processes in the name of speed and innovation. That era of unrestricted experimentation is rapidly drawing to a close. A massive regulatory wave is forming worldwide. Frameworks like the EU AI Act and the new ISO/IEC 42001 standard are forcing a corporate reckoning.

In many organizations, there is a dangerous unspoken rule: The SOC handles endpoints and networks; Engineering handles APIs. This silo creates a massive blind spot. We recently spoke with the Senior Manager of Security Engineering at a major insurance provider, who described this exact pain point.

Last month, Microsoft quietly confirmed something that should keep every CISO up at night. As first reported by BleepingComputer and later detailed by TechCrunch, a bug in Microsoft Office allowed Copilot, the AI assistant embedded in millions of enterprise environments, to summarize confidential emails and hand them to users who had no business seeing them. Sensitivity labels? Ignored. Data loss prevention (DLP) policies? Bypassed entirely. This wasn't the work of a hacker or malware.

WordPress released version 6.9 in December 2025, introducing a new framework that changes how the platform communicates with external tools. The update added support for WordPress Abilities API and the Model Context Protocol (MCP), allowing WordPress sites and plugins to describe their capabilities in a structured, machine- and human-readable format. The change reflects a broader shift in how websites are managed.