Cloudflare Launches Edge-Native API Vulnerability Scanner Powered by Workers AI
Edge-Native DAST for API Security
Cloudflare has announced the public beta of its Web and API Vulnerability Scanner, a Dynamic Application Security Testing (DAST) tool that runs natively at the edge as part of API Shield. The first release targets BOLA (Broken Object Level Authorization), ranked #1 in the OWASP API Top 10.
How It Works
The scanner treats APIs as call graphs rather than flat endpoint lists. This is crucial for detecting BOLA: the scanner identifies Genesis POST requests, in which one user creates a resource, and then simulates attacks in which a different user attempts to access that same resource.
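The call-graph approach above, as an added example that is not Cloudflare's code: a constructed in-memory API (`MockApi`, with a switch between a BOLA-vulnerable and a hardened handler), a constructed minimal spec (`SPEC`), and a `bola_scan` routine that links each Genesis POST to the operations consuming the created id, creates a resource as one user, and requests it as another. All names and the spec format are assumptions for the example; the positive control (the owner must still get 200) keeps a broken endpoint from being reported as a finding.

```python
from dataclasses import dataclass, field
import itertools


@dataclass
class MockApi:
    """Constructed in-memory API standing in for the target service.
    POST /notes creates a note; GET /notes/{id} reads one.
    enforce_ownership=False models the BOLA-vulnerable handler."""
    enforce_ownership: bool
    _store: dict = field(default_factory=dict)
    _ids: itertools.count = field(default_factory=itertools.count, init=False)

    def request(self, method, path, user, body=None):
        """Return (status, body). `user` is the identity behind the caller's token."""
        if method == "POST" and path == "/notes":
            rid = next(self._ids)
            self._store[rid] = {"id": rid, "owner": user, "text": body["text"]}
            return 201, self._store[rid]
        if method == "GET" and path.startswith("/notes/"):
            rid = int(path.rsplit("/", 1)[1])
            rec = self._store.get(rid)
            if rec is None:
                return 404, None
            if self.enforce_ownership and rec["owner"] != user:
                return 403, None  # hardened handler: object-level authorization check
            return 200, rec
        return 405, None


# Constructed minimal spec: each operation names the resource type it creates or consumes.
SPEC = [
    {"method": "POST", "path": "/notes", "resource": "note", "creates": True},
    {"method": "GET", "path": "/notes/{id}", "resource": "note", "creates": False},
    {"method": "GET", "path": "/health", "resource": None, "creates": False},
]


def build_call_graph(spec):
    """Link each Genesis POST (one that creates a resource) to the operations
    that consume an id of that resource type. Returns [(genesis_op, [consumers])]."""
    graph = []
    for op in spec:
        if op["method"] == "POST" and op["creates"]:
            consumers = [o for o in spec
                         if o is not op and o["resource"] == op["resource"] and "{id}" in o["path"]]
            graph.append((op, consumers))
    return graph


def bola_scan(api, spec, owner, other, fake_body):
    """Create a resource as `owner`, then request it as `other`.
    A finding is recorded only when the owner can read it (positive control)
    and the other user also gets 200, so a broken endpoint is not misreported."""
    findings = []
    for genesis, consumers in build_call_graph(spec):
        status, created = api.request("POST", genesis["path"], owner, fake_body)
        if status != 201:
            continue
        for consumer in consumers:
            path = consumer["path"].replace("{id}", str(created["id"]))
            owner_status, _ = api.request(consumer["method"], path, owner)
            other_status, _ = api.request(consumer["method"], path, other)
            if owner_status == 200 and other_status == 200:
                findings.append({
                    "operation": f'{consumer["method"]} {consumer["path"]}',
                    "genesis": f'POST {genesis["path"]}',
                    "resource_id": created["id"],
                    "accessed_as": other,
                })
    return findings


if __name__ == "__main__":
    for label, api in (("vulnerable", MockApi(enforce_ownership=False)),
                       ("hardened", MockApi(enforce_ownership=True))):
        print(label, bola_scan(api, SPEC, "alice", "bob", {"text": "constructed"}))
```

The `fake_body` parameter is where the generated request data described in the next section would be supplied; here it is a constructed literal.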
AI-Powered Approach
The scanner uses Cloudflare Workers AI with GPT-OSS-120B to match data relationships, generate realistic fake data for API specifications, and produce structured scanning instructions.
Architecture
- Scanning Engine: Rust
- AI Inference: Workers AI (GPT-OSS-120B)
- Orchestration: Temporal
- Credentials: HashiCorp Vault Transit (encryption-as-a-service)
Security Model
Credentials are encrypted immediately upon submission, and the public API has no ability to decrypt them. Decryption happens only at the moment a test plan runs against the customer's infrastructure.
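The separation of duties described above, as an added example that is not Cloudflare's code: a stand-in for an encryption-as-a-service endpoint (`TransitStandIn`) keeps the key to itself and enforces per-token capabilities, so the public intake path (`public_api_submit`) holds a token that can only encrypt, while the scan worker (`scan_worker_use`) holds one that can only decrypt. The token model, function names and the cipher (a SHA-256 keystream with an HMAC tag, a constructed placeholder for a real AEAD) are assumptions for the example, not Vault Transit's actual implementation.

```python
import hashlib
import hmac
import secrets


class TransitStandIn:
    """Stand-in for an encryption-as-a-service endpoint such as Vault Transit.
    The key never leaves this object; each caller gets a token whose policy
    lists the operations it may perform. The cipher below (SHA-256 keystream
    plus HMAC tag) is a constructed placeholder for a real AEAD."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._policies = {}  # token -> set of allowed operations

    def issue_token(self, *capabilities):
        token = secrets.token_hex(16)
        self._policies[token] = set(capabilities)
        return token

    def _require(self, token, capability):
        if capability not in self._policies.get(token, set()):
            raise PermissionError(f"token lacks '{capability}' capability")

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self._key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def encrypt(self, token, plaintext: bytes) -> str:
        self._require(token, "encrypt")
        nonce = secrets.token_bytes(12)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return "transit:v1:" + (nonce + ct + tag).hex()

    def decrypt(self, token, blob: str) -> bytes:
        self._require(token, "decrypt")
        raw = bytes.fromhex(blob.removeprefix("transit:v1:"))
        nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def public_api_submit(transit, api_token, credential: bytes) -> str:
    """Public-facing intake: encrypts on arrival and keeps only the blob."""
    return transit.encrypt(api_token, credential)


def scan_worker_use(transit, worker_token, blob: str) -> bytes:
    """Runs only while a test plan executes against the target; the one place
    the plaintext credential exists after submission."""
    return transit.decrypt(worker_token, blob)


def demo():
    """Exercise the model and return what each role could do."""
    transit = TransitStandIn()
    api_token = transit.issue_token("encrypt")      # public API policy: encrypt only
    worker_token = transit.issue_token("decrypt")   # scan worker policy: decrypt only
    blob = public_api_submit(transit, api_token, b"Bearer constructed-api-key")
    try:
        transit.decrypt(api_token, blob)
        api_can_decrypt = True
    except PermissionError:
        api_can_decrypt = False
    recovered = scan_worker_use(transit, worker_token, blob)
    # Tamper with the last tag byte: a modified blob must be rejected, not decrypted.
    tampered = blob[:-2] + ("00" if blob[-2:] != "00" else "11")
    try:
        scan_worker_use(transit, worker_token, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"api_can_decrypt": api_can_decrypt, "recovered": recovered,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the policy split, not the cipher: compromise of the public intake yields tokens that can produce ciphertext but never recover it, and only the worker role, invoked at scan time, can turn a stored blob back into a usable credential.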
Integration
Results appear in the Cloudflare Security Insights dashboard, and the scanner is also exposed through an API so that results can be pulled directly into CI/CD pipelines.