Web Application Firewalls (WAFs) are crucial in mitigating web-based threats such as SQLi and XSS, yet the evolving complexity of WAF detection mechanisms poses significant challenges for penetration testing (pentest) tools. Existing ML- and RL-based fuzzers often suffer from three main limitations: (1) reliance on static training datasets, making them unflexible to new WAF rules; (2) monolithic single-agent architectures, which hinder diverse strategy exploration; and (3) lack of contextual awareness due to missing integration with real-world threat intelligence. To address these challenges, we propose AutoWAFuzzer, an adaptive multi-agent framework that integrates Large Language Models (LLM), Reinforcement Learning (RL), and Retrieval-Augmented Generation (RAG). AutoWAFuzzer decomposes the testing process into modular agents: a generative LLM agent, an RL-based policy optimizer, a Reward Model agent simulating WAF feedback, and a RAG agent that continuously retrieves threat context from structured sources like MISP. This design enables parallel strategy exploration, semantic conditioning of payloads, and continuous policy refinement in a closed feedback loop. Experimental evaluations across rule-based and ML-based WAFs—including ModSecurity, Naxsi, WAF-Brain, and CloudGuard—demonstrate that AutoWAFuzzer significantly outperforms prior approaches in bypass rate, adaptability, and generalization, advancing the state-of-the-art in automated WAF penetration testing.