fwd:cloudsec 2026

Web Application Firewalls have a reputation problem. Security teams know WAF is one of the few controls that can buy critical hours during a zero-day; a virtual patch deployed in minutes while engineering queues up a weeks-long rollout across a sprawling estate. Log4Shell made believers out of skeptics overnight.
But the promise collapses under its own weight at scale. Fine-tuning WAF rules across hundreds of distinct technology stacks, application owners, and risk profiles is a domain-expertise problem that doesn't scale with headcount. The result is a familiar compromise: rules so broad they're useless, or so tight they become a reliability incident waiting to happen. Teams end up choosing between security theater and engineering pain.
This talk shares lessons from operating WAF at enterprise scale — and what changes when you introduce agentic AI into that loop. We'll walk through how AI-assisted rule generation, context-aware tuning, and autonomous remediation workflows can compress the cycle from "vulnerability disclosed" to "fleet protected" from days to minutes, without requiring a WAF expert embedded in every product team. We'll cover where the AI gets it wrong, what guardrails matter, and what it looks like when a virtual patch is the difference between a contained incident and a headline.
Attendees will leave with a framework for thinking about AI-augmented defensive controls not as magic, but as a new kind of teammate, one that needs supervision, clear trust boundaries, and a very good memory for what "normal" looks like.