From LLMs to Cloud Infrastructure: F5 Aims to Secure the New AI Attack Surface
None
<p class="ai-optimize-8 ai-optimize-introduction"><span data-contrast="auto">At a time when buzzwords dominate boardrooms and AI is touted as the cure-all for every digital ailment, Chuck Herrin, field CTO of security at F5, is advocating for something refreshingly simple: Go back to basics. “We need to know four things: assets, actors, interfaces and actions. Who’s doing what to what via what? That’s how you secure modern applications,” he said in a recent conversation following the RSA Conference 2025.</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-9"><span data-contrast="auto">This ethos resonates throughout </span><a href="https://www.f5.com/resources/reports/state-of-application-strategy-report" target="_blank" rel="noopener"><span data-contrast="none">F5’s 2025 State of Application Strategy Report</span></a><span data-contrast="auto">, a sprawling analysis of how enterprise IT teams cope with today’s most complex application delivery and security challenges. Based on interviews with global security leaders, the report reveals a familiar tension: The pace of innovation continues to accelerate, while many defenders are still catching up to the last wave.</span><span data-ccp-props="{}"> </span></p><h3 class="ai-optimize-10"><b><span data-contrast="auto">Repatriation, Complexity and Multicloud Reality</span></b><span data-ccp-props="{}"> </span></h3><p class="ai-optimize-11"><span data-contrast="auto">Among the headline findings from the report: At least 94% of organizations are now deploying applications across multiple environments, and almost 80% have repatriated workloads from public cloud back to on-premises infrastructure for reasons tied to cost, compliance or security.</span><span data-ccp-props="{}"> </span></p><div class="code-block code-block-12 ai-track" data-ai="WzEyLCIiLCJCbG9jayAxMiIsIiIsMV0=" style="margin: 8px 0; clear: both;"> <style> .ai-rotate {position: relative;} .ai-rotate-hidden {visibility: hidden;} .ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;} </style> <div class="ai-rotate ai-unprocessed ai-timed-rotation ai-12-1" data-info="WyIxMi0xIiwyXQ==" style="position: relative;"> <div class="ai-rotate-option" style="visibility: hidden;" data-index="1" data-name="VGVjaHN0cm9uZyBHYW5nIFlvdXR1YmU=" data-time="MTA="> <div class="custom-ad"> <div style="margin: auto; text-align: center;"><a href="https://youtu.be/Fojn5NFwaw8" target="_blank"><img src="https://securityboulevard.com/wp-content/uploads/2024/12/Techstrong-Gang-Youtube-PodcastV2-770.png" alt="Techstrong Gang Youtube"></a></div> <div class="clear-custom-ad"></div> </div></div> <div class="ai-rotate-option" style="visibility: hidden; position: absolute; top: 0; left: 0; width: 100%; height: 100%;" data-index="1" data-name="QVdTIEh1Yg==" data-time="MTA="> <div class="custom-ad"> <div style="margin: auto; text-align: center;"><a href="https://devops.com/builder-community-hub/?ref=in-article-ad-1&utm_source=do&utm_medium=referral&utm_campaign=in-article-ad-1" target="_blank"><img src="https://devops.com/wp-content/uploads/2024/10/Gradient-1.png" alt="AWS Hub"></a></div> <div class="clear-custom-ad"></div> </div></div> </div> </div><p class="ai-optimize-12"><span data-contrast="auto">That tracks with what Herrin has seen firsthand. “Everybody’s landed in multicloud,” he said. “There’s no longer any question about whether it’s AWS, GCP or Azure. It’s all the above, and on-prem, too.”</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-13"><span data-contrast="auto">That sprawl has consequences. The attack surface has ballooned with microservices, unmanaged APIs, and rapidly expanding DevOps pipelines. According to Herrin, nearly <a href="https://securityboulevard.com/2025/01/empowering-teams-with-secure-api-management/" target="_blank" rel="noopener">half of APIs discovered in the field are completely unmanaged</a>, and about a third are operating without encryption.</span><span data-ccp-props="{}"> </span></p><div class="code-block code-block-15" style="margin: 8px 0; clear: both;"> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-2091799172090865" crossorigin="anonymous" type="3b3ccfbfa4f590f663763596-text/javascript"></script> <!-- SB In Article Ad 1 --> <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-2091799172090865" data-ad-slot="8723094367" data-ad-format="auto" data-full-width-responsive="true"></ins> <script type="3b3ccfbfa4f590f663763596-text/javascript"> (adsbygoogle = window.adsbygoogle || []).push({}); </script></div><p class="ai-optimize-14"><span data-contrast="auto">“You can’t defend what you don’t understand and cannot see,” he said. “And most organizations don’t have visibility into what APIs even exist in their environments.”</span><span data-ccp-props="{}"> </span></p><h3 class="ai-optimize-17"><b><span data-contrast="auto">AI’s Double-Edged Sword</span></b><span data-ccp-props="{}"> </span></h3><p class="ai-optimize-18"><span data-contrast="auto">The report notes that while only 26% of enterprises deployed generative AI in production in 2024, that number is projected to hit 96% in 2025. As organizations race to embed AI into everything, they’re also unintentionally multiplying their attack surfaces.</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-19"><span data-contrast="auto">“As everyone goes AI-all-the-things, we’re seeing a 5x explosion in APIs and endpoints,” said Herrin. “Architecture changes your attack surface. And the more we consolidate into large language models, the more valuable, and vulnerable, that single source of truth becomes.”</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-20"><span data-contrast="auto">The risks are especially acute in regulated industries. Herrin, a former CISO in banking and financial services, said regulators were among the most engaged participants during his RSA session. “Seventy-five percent of my follow-ups came from regulators, especially the Federal Reserve and the OCC,” he said.</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-21"><span data-contrast="auto">They’re asking the right questions: How do organizations ensure AI security and data privacy at scale? Are current governance models capable of handling AI’s velocity? What happens when models trained on sensitive IP are inadvertently exposed?</span><span data-ccp-props="{}"> </span></p><h3 class="ai-optimize-22"><b><span data-contrast="auto">The AI Factory is Real and Growing Fast</span></b><span data-ccp-props="{}"> </span></h3><p class="ai-optimize-23"><span data-contrast="auto">Herrin also pulled back the curtain on F5’s involvement in what he calls the “</span><a href="https://www.f5.com/company/blog/defining-an-ai-factory" target="_blank" rel="noopener"><span data-contrast="none">AI factory</span></a><span data-contrast="auto">,” massive compute environments powering the next generation of LLMs and machine learning pipelines.</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-24"><span data-contrast="auto">One of F5’s customers in </span><span aria-label="Rich text content control"><span data-contrast="auto">the southeastern U.S. </span></span><span data-contrast="auto">is operating a facility that manages traffic across 200,000 GPUs. “You can’t just feed all that data into the GPUs at once,” Herrin explained. “You have to cluster and load balance across groups of 576 GPUs at a time.”</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-25"><span data-contrast="auto">F5’s entire WAF (Web Application Firewall) and application delivery stack can run on </span><a href="https://www.nvidia.com/en-us/networking/products/data-processing-unit/" target="_blank" rel="noopener"><span data-contrast="none">NVIDIA’s Bluefield DPU architecture</span></a><span data-contrast="auto">, offloading networking and security tasks from the GPU and freeing up 30–40% of compute capacity. That optimization can mean massive cost and performance improvements in AI-intensive environments.</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-26"><span data-contrast="auto">Beyond compute efficiency, F5 is positioning itself as a critical enabler for sovereign AI initiatives in countries like Singapore, Indonesia and Saudi Arabia. These regions want locally governed LLMs that support native languages and adhere to national compliance mandates.</span><span data-ccp-props="{}"> </span></p><h3 class="ai-optimize-27"><b><span data-contrast="auto">A Gateway to AI Security</span></b><span data-ccp-props="{}"> </span></h3><p class="ai-optimize-28"><span data-contrast="auto">To address AI-specific risks, F5 launched an AI Gateway earlier this year. Herrin likens the emerging risk to what happened when web apps gave way to microservices; the security model must evolve in tandem. “There’s a </span><span aria-label="Rich text content control"><span data-contrast="auto">fundamental characteristic of machine learning, </span></span><span data-contrast="auto">where, if you don’t control how your model is used, I can steal it,” he said. “</span><span aria-label="Rich text content control"><span data-contrast="auto"></span><span data-contrast="auto">This is what allegedly happened with DeepSeek against OpenAI. </span><span data-contrast="auto"></span></span><span data-contrast="auto">We’ve already seen signs of model theft, data leakage and prompt injections. You can’t protect what you can’t observe.” F5’s gateway aims to give defenders visibility into model usage, restrict function calls and enforce policy, even when traffic is routed across clouds or on-prem.</span><span data-ccp-props="{}"> </span></p><h3 class="ai-optimize-29"><b><span data-contrast="auto">Partnering for the Long Game</span></b><span data-ccp-props="{}"> </span></h3><p class="ai-optimize-30"><span data-contrast="auto">Despite its deep-tech stack, which includes BIG-IP, NGINX, and its distributed cloud platform, F5 doesn’t see itself as a monolithic vendor. Herrin emphasizes partnership and flexibility, especially in navigating compliance challenges like </span><a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en" target="_blank" rel="noopener"><span data-contrast="none">Europe’s DORA regulation</span></a><span data-contrast="auto"> or the forthcoming </span><a href="https://artificialintelligenceact.eu/" target="_blank" rel="noopener"><span data-contrast="none">EU AI Act</span></a><span data-contrast="auto">. “Multinational companies need agility. They need to meet local compliance needs without spinning up four separate security teams for four different cloud providers,” Herrin said. “F5 helps you enforce policy consistently, no matter where the workloads are running.”</span><span data-ccp-props="{}"> </span></p><p class="ai-optimize-31"><span data-contrast="auto">And while F5’s primary focus is enterprise “top 15 banks, top 10 automakers,” as Herrin puts it, their reach is growing through OEMs, partners and services. F5 also believes the future of security lies in fewer tools with more value. “We’re not here to replace your stack. We’re here to help you rationalize it.”</span><span data-ccp-props="{}"> </span></p><h3 class="ai-optimize-32"><b><span data-contrast="auto">Final Word: Augmentation, Not Replacement</span></b><span data-ccp-props="{}"> </span></h3><p class="ai-optimize-33"><span data-contrast="auto">As the AI hype cycle intensifies, Herrin maintains a balanced perspective rooted in experience. “We need to stop selling the dream and start showing real use cases with real business value and ensure the new technology is secure at the same time.” For F5, the mission is crystal clear: Enable and accelerate human-led innovation, automate the grunt work and make sure AI delivers real value without proliferating new security risks.</span><span data-ccp-props="{}"> </span></p><div class="spu-placeholder" style="display:none"></div>