F5 Advances Enterprise Application Security for the AI and Post-quantum Era

Key Terms

zero trust access technical

Zero trust access is a security approach that treats every user, device and request as untrusted until verified, requiring continuous checks and the least possible access needed to do a task. Think of it like a doorman who checks ID and purpose at every doorway rather than a single lobby pass. For investors, it matters because strong zero trust controls reduce breach risk, regulatory fines and downtime, which can protect revenue, reputation and valuation.

web application firewall (WAF) technical

A web application firewall (WAF) is a security tool placed between a website or online service and incoming internet traffic that inspects requests and blocks malicious activity such as hacking attempts, bots, or attempts to steal data. For investors, a WAF matters because it helps protect customer information, maintain uptime and trust, and reduce the risk of costly breaches, regulatory penalties and reputation damage—much like a security guard protecting a storefront.

web application and API protection (WAAP) technical

Web application and API protection (WAAP) is a set of security tools and practices that guard websites and the automated interfaces they use to talk to other software from hacking, abuse, and outages. Think of it as a combined security guard and traffic controller for a company’s online storefront and delivery lanes: it helps prevent revenue loss, data breaches, service interruptions and regulatory penalties, so investors can better assess operational and cyber risk.

distributed cloud bot defense technical

A distributed cloud bot defense is a security service that runs across many cloud locations to spot and stop automated programs (bots) that try to scrape data, commit fraud, or overload websites and APIs. For investors, it matters because it helps protect revenue, uptime, customer trust and regulatory compliance—think of it as a network of security guards positioned around the world that keep machines from causing damage to an online business.

post-quantum cryptography (PQC) technical

Post-quantum cryptography (PQC) involves developing new security methods designed to protect digital information against the future threat of powerful quantum computers. These advanced computers could potentially break current encryption techniques, making data vulnerable. For investors, PQC is important because it aims to safeguard sensitive financial and personal information in a world where quantum technology might eventually become a reality.

hybrid multicloud technical

A hybrid multicloud is an IT approach that combines an organization’s private on‑site computing resources with services from two or more public cloud providers, letting data and applications move between them as needed. For investors, it matters because this setup can improve flexibility, resilience and cost control—like storing goods in a mix of your own warehouse and several rented facilities—while also creating vendor, security and execution risks that can affect a company’s profitability and growth prospects.

identity aware proxy technical

An identity aware proxy is a network service that sits between users and applications, checks who is trying to connect and whether their device, location and permissions are appropriate, and only forwards requests that meet those checks. Like a building guard who inspects badges and reasons for entry, it reduces the chance of unauthorized access, lowers the risk of costly data breaches or regulatory fines, and can affect operational resilience and security-related costs that matter to investors.

api gateway technical

An API gateway is software that sits between external users and a company's internal services, routing requests, enforcing security rules, and translating protocols so different systems can communicate. Think of it as a building’s reception desk that checks visitors, directs them to the right office, and prevents unauthorized access. For investors, it matters because a reliable gateway reduces downtime, security risks and integration costs, which can affect operational efficiency and customer trust.

New security innovations in the F5 Application Delivery and Security Platform unify AI-driven protection, zero trust access, and post-quantum readiness across hybrid multicloud environments

LAS VEGAS--(BUSINESS WIRE)-- Today at AppWorld, F5 (NASDAQ: FFIV), the global leader in delivering and securing every app and API, unveiled new security capabilities that strengthen protection for AI-driven and modern applications. Integrated within the F5 Application Delivery and Security Platform (ADSP), the innovations unify intelligent threat protection, zero trust access controls, and crypto-agile architecture to help enterprises secure distributed applications and prepare for emerging post-quantum risks.

“Security teams do not need more alarms. They need fewer gaps,” said Kunal Anand, Chief Product Officer at F5. “ADSP closes the loop from finding risk to enforcing protection. That includes moving from identified AI model vulnerabilities to validated runtime guardrails, AI-powered risk scoring, and a practical path to zero trust and post-quantum readiness. The point is simple: move faster while reducing your threat landscape.”

AI-driven protection for modern threats

As organizations scale applications across data center, hybrid multicloud, and edge environments, they need faster, more intelligent responses to emerging threats. F5 addresses this through AI-powered protections in the F5 ADSP, automating risk-based web application firewall (WAF) capabilities that reduce operational overhead and improve threat detection, bridging the gaps between risk identification and mitigation.

New to the F5 ADSP, F5 AI Remediate closes a gap between identifying AI model vulnerabilities with F5 AI Red Team and enforcing validated runtime protections with F5 AI Guardrails. AI Remediate accelerates time to response by automating the creation, optimization, and validation of targeted guardrail packages, enabling security teams to put evidence-backed protections into production with human approval. As part of the ADSP, AI Remediate helps organizations reduce exposure quickly without disrupting live AI applications, eliminating repetitive tasks while supporting accountable AI adoption.

Additionally, the latest F5 Distributed Cloud WAF release introduces AI-powered risk scoring, transforming manual processes into automated protections. With outcome-based blocking policies, CISOs, SecOps, and NetOps teams can eliminate threats, reduce operational burden, and achieve rapid time to protection, all while maintaining low false positive rates through layered analysis. F5 Web Application and API Protection (WAAP) solutions such as this minimize reliance on signature-level exceptions and tedious tuning for enterprises with significant application portfolios. Whether safeguarding on-premises hardware or virtual systems, cloud-based SaaS applications, or containerized deployments, F5 enables consistent, enterprise-grade security across ecosystems.

Security in the age of agentic AI

F5 is introducing powerful capabilities within F5 Distributed Cloud Bot Defense to address the emerging challenges of AI-driven automation. These enhanced features combat analytics distortion, automated abuse, and impersonation attempts created by AI agents—threats that increasingly impact both users and the business.

Within the F5 ADSP, Distributed Cloud Bot Defense now offers deeper visibility across application traffic, clearly distinguishing humans, bots, and AI agents. Only trusted, verifiable AI agents are allowed to interact with applications, ensuring malicious or ungoverned activity is blocked while enabling safe, controlled agentic commerce. With unified governance and consistent policy controls for human, bot, and AI agent interactions, these new capabilities help organizations safeguard revenue from harmful automation and confidently participate in the emerging agentic economy.

ADSP also now integrates F5 Distributed Cloud Web App Scanning with F5 BIG-IP Advanced WAF, delivering scalable, automated vulnerability detection for BIG-IP customers. Security teams can identify threats through automated penetration testing and rapidly deploy precise virtual patches. This integration streamlines vulnerability detection and exploit response, reducing time to protection. This approach showcases F5's platform advantage: unified security across hardware, software, and SaaS, offering unmatched flexibility to protect applications and APIs in any environment.

Unified zero trust across hybrid multicloud environments

F5 is evolving BIG-IP Access Policy Manager (APM) into BIG-IP Zero Trust Access, emphasizing its zero trust application access (ZTAA) capabilities as part of the ADSP. Unlike SaaS-based zero trust network access (ZTNA) solutions, BIG-IP Zero Trust Access delivers hybrid zero trust operations with continual identity- and context-aware policy enforcement for modern, cloud, SaaS, and legacy applications. With per-request validation limiting horizontal movement, it strengthens application security across diverse access environments—supporting Identity Aware Proxy, SSL VPN, or IPsec VPN on a post-quantum cryptography (PQC)-ready platform. BIG-IP Zero Trust Access provides a seamless path to adopt zero trust principles while extending F5's ADSP vision.

New API discovery and security options within F5 Distributed Cloud API Security provide flexibility and control for modern, hybrid application environments. Enhancements include out-of-band discovery across multiple data planes, including BIG-IP, NGINX, Kong, and Apigee. Additionally, F5 is also introducing a deployable API security software solution for air-gapped, highly regulated, and cloud-constrained environments. This empowers organizations to maintain full API visibility and oversight without external connections, meeting compliance and data sovereignty requirements. By integrating seamlessly with existing architectures, F5 extends its ADSP vision with API discovery and security that fits any environment without disrupting application performance or workflows.

Building for what’s next: Crypto-agility and post-quantum readiness

F5 is reinforcing its leadership in PQC readiness by delivering a comprehensive, crypto-agile solution within its unified ADSP. By supporting hybrid TLS cipher groups, F5 provides immediate post-quantum security while maintaining compatibility with existing cryptographic workflows—ensuring a practical, standards-aligned approach to future-proofing against quantum threats. As organizations continue to prepare for the eventual arrival of Q-Day by attempting to address quantum-safe requirements, F5 proactively enables seamless quantum resistance today, minimizing long-term risks and supporting security across hybrid infrastructures.

Collectively, F5’s latest security advances deliver on the ADSP promise of seamless application delivery and robust cybersecurity across any deployment scenario. Enterprises benefit from taking a unified platform approach to meeting their security needs.

According to Gartner^®, “Organizations should start by evaluating platform solutions first, and many will find that they need to combine a CDN, WAF or API threat protection solution with an API gateway. Again, the key is to look for existing platforms that can be extended or new platforms that offer significant combined capabilities across protection categories. This approach minimizes the number of moving parts and prevents ‘proxy overload,’ which can lead to excessive performance and availability risk.”¹

With F5’s platform-based approach, enterprises gain extended choice to meet their users where they operate, securing applications across hybrid cloud, multicloud, edge, or on-premises ecosystems—all while reducing complexity and time to action. Further details are available in an additional press release focused on the F5 ADSP.

Supporting materials

• Blog: F5 AI Remediate: Closing the AI security gap
• Blog: API security without compromise: Introducing flexible new discovery options with F5 API security
• Blog: Hello, F5 BIG-IP Zero Trust Access
• Blog: F5 extends NIST-compliant PQC cipher support

About F5

F5, Inc. (NASDAQ: FFIV) is the global leader that delivers and secures every app. Backed by three decades of expertise, F5 has built the industry’s premier platform—F5 Application Delivery and Security Platform (ADSP)—to deliver and secure every app, every API, anywhere: on-premises, in the cloud, at the edge, and across hybrid, multicloud environments. F5 is committed to innovating and partnering with the world’s largest and most advanced organizations to deliver fast, available, and secure digital experiences. Together, we help each other thrive and bring a better digital world to life.

For more information visit f5.com
Explore F5 Labs threat research at f5.com/labs
Follow to learn more about F5, our partners, and technologies:
Blog | LinkedIn | X | YouTube | Instagram | Facebook

F5, BIG-IP, and NGINX are trademarks, service marks, or tradenames of F5, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners.

Gartner is a trademark of Gartner, Inc. and/or its affiliates.

[1] Gartner, Implement Effective Application and API Security Controls, April 10, 2025

###

Source: F5, Inc.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260311660169/en/

Dan Sorensen

F5

(650) 228-4842

d.sorensen@f5.com

Holly Lancaster

We. Communications

(415) 547-7054

hlancaster@wecommunications.com

Source: F5, Inc.