Edge & Ingress
WAF / CDN
First network line of defense: a web application firewall (WAF) and CDN that filter traffic and absorb spikes before they reach the AI services.
Plane: Edge & Ingress
Flow steps: 1
Frameworks: NIST 800-53 · OWASP LLM10 · 800-207
Technology
Why use it
Filter malicious web traffic and absorb load spikes (including DDoS) as close to the user as possible, before they reach the AI application.
Why it matters to security
Shrinks the network attack surface (layer 7), blocks known attack patterns and protects service availability.
Implementations: Cloudflare, Akamai, Azure Front Door + WAF, AWS WAF
What never reaches the application cannot attack it: filter at the edge.
Recommendations by maturity tier
Foundation
Minimum viable baseline
- TLS termination and a baseline WAF rule set (OWASP Core Rule Set). (NIST 800-53 SC-7 · SC-8) Generic rules block classic web attacks with no bespoke configuration.
- Layer 3/4 DDoS protection and origin-address masking. (NIST 800-53 SC-5) Hiding the origin prevents bypassing the edge by hitting the server directly.
- Logging of denied traffic. (NIST 800-53 AU-2) Without a block log, rising attack campaigns go unseen.
Enterprise
Enterprise standard
- WAF rules tuned for LLM endpoints (payload size, content type). (NIST 800-53 SI-10 · OWASP LLM10:2025) A prompt is not an ordinary web request; limits must reflect AI usage.
- Per-client rate limiting and IP / geo reputation. (NIST 800-53 SC-5) Per-identity rate limiting contains abuse and runaway consumption.
- Bot filtering and challenges on suspicious traffic. (NIST 800-53 SC-7) Telling a legitimate client from an abusive bot cuts noise and automated abuse.
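The Enterprise-tier checks above (content type, payload size, per-client rate limiting) together with the Foundation-tier denied-traffic log, modelled as an added illustration. This is not code from the original page and not any vendor's rule syntax; the limits, the `EdgePolicy` class and the status-code choices are assumptions.

```python
import time
from dataclasses import dataclass, field

# Assumed limits for a JSON chat endpoint; tune them to observed traffic.
MAX_BODY_BYTES = 64 * 1024
ALLOWED_CONTENT_TYPE = "application/json"
BUCKET_CAPACITY = 5        # burst size per client
REFILL_PER_SECOND = 1.0    # sustained requests per second per client


@dataclass
class EdgePolicy:
    buckets: dict = field(default_factory=dict)    # client_id -> (tokens, last_seen)
    denied_log: list = field(default_factory=list)

    def _deny(self, client_id, status, reason):
        # Record every denial so block trends stay visible.
        self.denied_log.append({"client": client_id, "status": status, "reason": reason})
        return status, reason

    def _take_token(self, client_id, now):
        # Token bucket: refill by elapsed time, capped at the burst size.
        tokens, last = self.buckets.get(client_id, (BUCKET_CAPACITY, now))
        tokens = min(BUCKET_CAPACITY, tokens + (now - last) * REFILL_PER_SECOND)
        if tokens < 1:
            self.buckets[client_id] = (tokens, now)
            return False
        self.buckets[client_id] = (tokens - 1, now)
        return True

    def evaluate(self, client_id, method, headers, body, now=None):
        now = time.monotonic() if now is None else now
        hdrs = {k.lower(): v for k, v in headers.items()}
        # Rate limit first, so requests rejected below still consume a token.
        if not self._take_token(client_id, now):
            return self._deny(client_id, 429, "rate_limited")
        if method != "POST":
            return self._deny(client_id, 405, "method_not_allowed")
        media_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if media_type != ALLOWED_CONTENT_TYPE:
            return self._deny(client_id, 415, "unsupported_content_type")
        # Check the real body length, not only the declared Content-Length.
        declared = hdrs.get("content-length", "")
        too_big = declared.isdigit() and int(declared) > MAX_BODY_BYTES
        if len(body) > MAX_BODY_BYTES or too_big:
            return self._deny(client_id, 413, "payload_too_large")
        return 200, "forward_to_origin"
```

Keeping the policy in a testable form like this is also what the Advanced tier's "edge policies versioned and tested" asks for: the same assertions can gate a rule change before it is deployed.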
Advanced
High-assurance / regulated
- Adaptive L7 protection correlated with the SIEM. (NIST 800-53 SI-4 · SC-5) The edge tunes its rules to threats observed elsewhere in the system.
- Automatic blocking triggered by abuse signals. (NIST 800-53 SI-4) A detected campaign is blocked with no manual intervention.
- Edge policies versioned and tested. (NIST 800-53 CM-3) Edge rules are code: tested and reversible.
Architecture notes
- Don’t rely on the WAF alone against prompt injection. A WAF sees HTTP, not a prompt’s intent. Injection lives in language semantics; that is the job of AI guardrails, downstream.
References
NIST SP 800-53 Rev5
SC-5 (Denial of Service Protection), SC-7 (Boundary Protection), SC-8 (Transmission), SI-10 (Input Validation).
OWASP LLM10:2025
Unbounded Consumption — edge rate limiting is the first line of defense.
Anthropic ZTA
Defense in depth from the AI system perimeter.
Abbreviations
- PDP: Policy Decision Point
- PEP: Policy Enforcement Point
- PIP: Policy Information Point
- PAP: Policy Administration Point
- IdP: Identity Provider
- TSS: Token Service
- NHI: Non-Human Identity
- RBAC: Role-Based Access Control
- ABAC: Attribute-Based Access Control
- MFA: Multi-Factor Authentication
- HITL: Human-in-the-loop
- JIT: Just-In-Time
- CAE: Continuous Access Evaluation
- CAEP: Continuous Access Evaluation Profile
- DPoP: Demonstrating Proof-of-Possession
- mTLS: mutual TLS
- PII: Personally Identifiable Information
- KMS: Key Management Service
- CI/CD: Continuous Integration / Continuous Delivery
- SIEM: Security Information and Event Management
- SOAR: Security Orchestration, Automation and Response
- SCIM: System for Cross-domain Identity Management
- XACML: eXtensible Access Control Markup Language
- OPA: Open Policy Agent
- OWASP: Open Worldwide Application Security Project
- NIST: National Institute of Standards and Technology
- ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
- LLM: Large Language Model
- WAF: Web Application Firewall
- CDN: Content Delivery Network
- DDoS: Distributed Denial of Service
- DLP: Data Loss Prevention
- JWT: JSON Web Token
- API: Application Programming Interface
- CRS: Core Rule Set (OWASP)
- RAG: Retrieval-Augmented Generation
- MCP: Model Context Protocol
- PBAC: Permission-Based Access Control
- HSM: Hardware Security Module
- UEBA: User and Entity Behavior Analytics
- SBOM: Software Bill of Materials
- SLSA: Supply-chain Levels for Software Artifacts
- WORM: Write Once, Read Many
- SPIFFE: Secure Production Identity Framework For Everyone