F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

 

 

Grand Prize Winner - Injeyan_Kostas​ 

Rule: LLM Prompt Injection Detection & Enforcement

Summary

This iRule addresses the emerging threat of prompt injection attacks on AI APIs by implementing a real-time detection engine within the F5 BIG-IP platform. This iRule operates entirely within the data plane, requiring no backend changes, and enforces a configurable security policy to prevent malicious content from reaching language models. By utilizing a multi-layer scoring system and managing patterns externally, it allows security teams to fine-tune detection and adjust thresholds dynamically.

 

2nd Place - Marcio_G​ & svs​ 

Rule: AI Token Limit Enforcement

Summary

This iRule addresses the critical challenge of resource control in on-premise AI inference services by enforcing token budgets per user and role. By leveraging BIG-IP LTM iRules, it validates JWTs to extract user and role information, applying role-based token limits before requests reach the inference service. This ensures that organizations can manage and protect their AI infrastructure from uncontrolled usage without requiring additional modules or external gateways.

 

3rd Place - Daniel_Wolf​ 

Rule: JSON-query'ish meta language for iRules

Summary

This iRule addresses the complexity and inefficiency of JSON parsing in F5's BIG-IP iRules by introducing a framework that simplifies the process. It provides a set of procedures, [call json_get] and [call json_set], which allow developers to efficiently slice information in and out of JSON data structures with a clear and concise syntax. This approach not only reduces the need for deep JSON schema knowledge but also improves performance by approximately 20% per JSON request.

 

Category Awards

 

The (Don’t) Socket To Me Award - mcabral10​ 

Because not every AI agent deserves a socket to speak into.

Rule: Rate limiting WebSocket messages for Agents

The Rogue Bot Throttle Jockey Award - TimRiker​ 

Wrangling distributed egress so your edge doesn't have to beg.

Rule: AI/Bot Traffic Throttling iRule (UA Substring + IP Range Mapping)

The Don't Lose the Thread Award - Antonio__LR_Mex​ & rod_b​ 

Session affinity for the age of streaming intelligence.

Rule: LLM Streaming Session Pinning for WebSocket AI Gateways

The 20 Lines or Less Award - BeCur​ 

In honor of Colin Walker - short on lines, long on legend. The scroll bar never stood a chance.

Rule: Logging/Blocking possible prompt injection

The Budget Bodyguard Award - Joe Negron

Security hardening for those who write TCL instead of checks.

Rule: Poor Man's WAF for AI API Endpoints

Gratitude

• Tnanks to buulam​ for championing the return of iRules contest, this would not have happened without his grit and tenacity.
• Thanks to our judges:
  • John_Alam​ 
  • Joel_Moses​ 
  • Moe_Jartin​ 
  • Chris_Miller​
  • Michael_Waechter​ 
  • dennypayne​ 
  • Kevin_Stewart​ 
  • Austin_Geraci​ 
• Thanks to Austin_Geraci​ and WorldTech IT throwing in an additional $5,000 to the grand prize winner! Amazing!
• Thanks to the contestants for giving up their evening to work on AI infrastructure challenges. Inspiring!
• Thanks to the F5 leadership team for making events like AppWorld possible.

What's Next?

Stay tuned for future contests, we are not one and done here. Could be iRules specific...or they could expand to include all programmabilty. Can't wait to see what you're going to build next.