Build Transformative Security with AI-Powered WAF Detections

Key Takeaways

• Akamai introduced AI-powered WAF detections to its Adaptive Security Engine to identify novel web attacks and zero-days.
• The system utilizes self-learning AI models trained on global traffic intelligence to generate precise attack prevention logic.
• AI-driven pen test tools are actively using evasive techniques, such as embedding SQL comments inside the SLEEP keyword, to bypass traditional WAF rules.
• The new AI detections run in parallel with core rules, maintaining a zero false-positive impact and requiring no additional licensing.

Affected Systems

• Web Applications
• APIs

Attack Chain

Threat actors and AI-driven pen test tools conduct automated reconnaissance and probing scans against web applications and APIs. Attackers utilize evasive techniques, such as embedding SQL comments within SQL keywords like SLEEP, to bypass traditional static WAF rules. The malicious requests are delivered via automated bots, sometimes identifiable by specific User-Agent strings like 'PentestAgent'. If successful, these techniques allow attackers to identify and exploit vulnerabilities like SQL injection or parameter pollution.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Akamai App & API Protector

Detection capabilities are built natively into Akamai's Adaptive Security Engine via AI-powered WAF detections. No standalone rules are provided.

Detection Engineering Assessment

EDR Visibility: None — The attacks described are network-based web application exploits (SQLi, parameter pollution) which are typically detected at the WAF or network layer rather than the endpoint. Network Visibility: High — WAFs and network monitoring tools have direct visibility into HTTP/S requests, User-Agent strings, and payload contents like SQLi attempts. Detection Difficulty: Moderate — While basic SQLi is easy to detect, the article highlights evasive techniques (like SQL comments inside keywords) generated by AI, which can bypass static regex-based WAF rules.

Required Log Sources

• WAF Logs
• Web Server Access Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Search web access logs for suspicious User-Agent strings such as 'PentestAgent' to identify automated vulnerability scanning.	Web Server Access Logs	Reconnaissance	Low
Analyze WAF logs for HTTP requests containing fragmented SQL keywords (e.g., SLEEP) interspersed with SQL comments.	WAF Logs	Initial Access	Medium

Control Gaps

• Static Regex WAF Rules

Key Behavioral Indicators

• Suspicious User-Agent strings (PentestAgent)
• SQL comments embedded within SQL commands
• High-frequency probing scans from single IPs or bot networks

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Review WAF logs for the 'PentestAgent' User-Agent and block if unauthorized.
• Ensure WAF policies are set to block known SQL injection patterns.

Infrastructure Hardening

• Deploy advanced, machine-learning capable WAAP/WAF solutions to detect evasive application attacks.
• Implement strict input validation and parameterized queries on all database-facing applications.

User Protection

• N/A

Security Awareness

• Educate development teams on secure coding practices to prevent SQL injection and parameter pollution vulnerabilities.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1595 - Active Scanning
• T1595.002 - Vulnerability Scanning

Additional IOCs

• Other:
  • SLEEP - SQL keyword targeted by attackers who embed SQL comments within it to evade WAF detection while testing for vulnerabilities.