Got an AI agent past a Cloudflare WAF by giving it a RAG over past bypass research
Sharing a workflow that worked for me. The retrieval layer involved is my own project, so mentioning that upfront.
Setup: I was testing an XSS on a target behind Cloudflare, and every payload I tried was getting blocked by the WAF.
This time, instead of manually digging through old writeups, I gave my agent access to a retrieval layer built on top of a corpus of web security research (Preview RAG). The agent queries it in plain language, gets back actual writeups with sources attached, and uses that context to generate and test payload variants. One of those variants eventually got through and the XSS fired.
I'm not claiming the bypass itself is novel. It may already exist in a public writeup somewhere. What mattered to me was the workflow: the agent wasn't limited to whatever happened to be inside its training data. It could pull in relevant prior research and iterate from there.
That's the main reason I built this in the first place. Models have a training cutoff, but WAF evasion evolves quickly. Public bypasses get patched, new techniques appear, and the most useful information is usually the newest information. A retrieval layer helps bridge that gap.
The corpus is updated regularly and exposed over MCP, so it can be connected to any model with minimal setup, including smaller open-weight models.
Current limitations: it's strongest on client-side topics right now—XSS, WAF evasion, CSP, CORS, SSRF, request smuggling, and similar areas. Server-side coverage is improving, but still thinner, and it definitely won't have an answer for every problem.
Happy to share more about the setup. I'm honestly more interested in where this approach fails than where it succeeds. If you've experimented with agent-driven WAF bypassing and ran into hard limits, I'd love to hear about them.