April 16, 2026 - SaaS - v10.10.4

We've made updates in the following areas for F5 AI Security:

• AI Red Team
• AI Guardrails
• Resolved issues

AI Red Team

Custom attacks: refusal evaluator

Red Team users who run custom attacks can now use a refusal evaluator, which checks whether a model refuses to respond.

The refusal evaluator reduces the number of vulnerabilities that you need to review and the number of manual checks you need to make.

The evaluator identifies and reviews the response and detects:

• Explicit refusals, such as "I can't do that"
• Implicit refusals, such as "I don't have access to that information"

Custom intent severity tags

With severity tags, you can now prioritize risks in the following areas:

• Campaigns: You can now add the following tags: high, medium, or low
• Reports: We now organize results by severity
• Sort: You can now filter and sort by severity in the Raw data view
• Security Information and Event Management (SIEM) integration: If you use SIEM, you can use severity tags to prioritize alerts and trigger playbooks

Prompt injection: small talk, real risk

The May signature attack pack adds 10,000+ malicious prompts. It includes a prompt injection technique called topic steering.

Topic steering targets AI models that use external content, such as search results. An attacker hides a fake conversation inside that external content. The fake conversation starts with a harmless topic and then shifts toward a malicious instruction. A final prompt pushes the model to follow the injected instruction instead of your original request.

Use this attack pack to test for this type of subtle prompt injection and reduce the risk of hard-to-detect manipulation.

Comprehensive AI Security Index leaderboard

In the Comprehensive AI Security Index (CASI) leaderboard, you can review attack success rate and vulnerabilities by intent category. To do so:

1. Go to Reports
2. Select the CASI leaderboard tab
3. Select the report of your choice.

• CASI leaderboard models are tested with a subset of the 10,000+ attacks in the monthly Signature attack pack. This month's leaderboard uses 3,682 signature attacks.
• The leaderboard shows results from the most recent attack pack by default. To view older results, select Filter, and then change the Attack pack selection.

April leaderboard evaluates 63 models

The CASI leaderboard now includes results from the April attack pack. We tested 63 models. CASI scores range from 98 (four Anthropic models) to 14 (xAI grok-3-mini). New entrants on the leaderboard include:

• NVIDIA Nemotron Super 120B
• MiniMax M2.5
• Qwen3 Max Thinking

For detailed analysis of this month's results and trends, see F5's AI Security Insights.

Usability improvements for reports

These updates reduce required steps when you work with reports:

• In Reports, the raw data view now opens in the same tab and includes breadcrumbs. You can return to the report with your browser Back button or breadcrumbs.
• You can now delete a report in the UI. Next to the report, select the More options (three dots) menu. Previously, you could delete reports only through the API.

AI Guardrails

Fingerprints for Anthropic connections

Agent fingerprints now supports all Anthropic connections, including Claude code. Previously, fingerprints were limited to an OpenAI-compatible API connection.

Deprecated options now removed

We found several features that were not being used. We previously deprecated them, and are now removing them in this release:

• Global search modal. Pages in the product have their own search fields for locating information specific to that topic.

• Legacy guardrails. These have been deprecated for over a year.

• Guardrails sharing. Use the import/export feature for sharing guardrails across deployments.

• API endpoints. In the last release we announced three API endpoints that had been deprecated. Those endpoints are now removed:

• /backend/v1/endpoints

• /backend/v1/endpoint

• /backend/v1/groups

Resolved issues

Agent fingerprints

• Fixed an issue that caused fingerprints to fail to render.

Attack campaigns

• Updated the filter list to show Agentic resistance instead of Agentic warfare.

Connections

• Fixed an issue where model toggle settings from an OpenAI connection carried over and affected new Anthropic connections.

Dashboard

• Fixed an issue where some users saw every prompt as blocked. Prompt history showed the prompts were not blocked.

Guardrails

• Added a loading indicator in the Update window when Guardrail actions take longer than expected.
• Fixed an issue where users without permission could select Update.
• Fixed a visual flicker in the Update dialog.

Navigation

• Hid empty navigation lists for unauthorized users.

Projects

• Updated the Add member dialog to replace Group with Project.

Prompt history

• Show a red error tag in scan details when a guardrail fails to run.

Reports

• Fixed an intermittent issue where the Raw data view didn't load more results when you scrolled, after modifying the sort order.
• Fixed an issue in the Raw data view where sorting a column showed results outside the active filter.
• Fixed an issue where you couldn't select the Reports breadcrumb or the Reports menu item while viewing raw data.
• Fixed an issue where refreshing the browser while viewing an in-progress campaign caused the page to stop responding with an "unexpected error" message.
• Fixed an issue where the campaign name disappeared after you returned from the Fingerprints page.

Upload dataset

• Updated the dataset details to show the Deleted package message when appropriate.