March 2026 Summaries
37 posts from Cloudflare
Filter
Month:
Year:
Post Summaries
Back to Blog
Programmable Flow Protection, introduced by Cloudflare for Magic Transit Enterprise customers, is a customizable system designed to enhance DDoS mitigation by allowing clients to implement their own custom logic across Cloudflare's global network. This beta feature addresses the challenge of detecting and mitigating attacks on custom or proprietary UDP protocols, which standard DDoS defenses struggle with due to a lack of protocol-specific knowledge. Customers can write eBPF programs to define "good" versus "bad" packets, enabling precise traffic management and mitigation without impacting legitimate users. By leveraging Cloudflare's infrastructure, users can deploy these programs to handle massive attack traffic efficiently, even executing stateful tracking and client challenges to verify the legitimacy of traffic. This approach provides greater flexibility and control over network security, going beyond traditional firewall capabilities, and is especially useful for applications reliant on UDP, such as online gaming.
Mar 31, 2026
1,845 words in the original blog post.
Client-side skimming attacks, capable of stealing data without disrupting user experience, pose significant security challenges, as illustrated by recent incidents involving keyloggers and malicious npm packages. To combat such threats and democratize access to robust security features, Cloudflare has made its Client-Side Security Advanced available to self-serve customers and introduced complimentary domain-based threat intelligence for all users. The Client-Side Security system, which operates without latency impact, leverages machine learning and a Large Language Model (LLM) to enhance the detection of malicious JavaScript while significantly reducing false positives. This two-stage detection pipeline begins with a Graph Neural Network (GNN) that assesses script structures, followed by an LLM that provides a semantic evaluation, thus minimizing false alarms and improving true positive rates. This approach has already proven effective in identifying sophisticated threats like the core.js router exploit, which traditional security measures might miss. By offering these security tools, including domain-based threat intelligence, Cloudflare aims to empower all web users, particularly smaller businesses, in maintaining high security standards.
Mar 30, 2026
1,809 words in the original blog post.
Cloudflare Workflows is a durable execution engine enabling developers to create complex, dynamic workflows by chaining steps, retrying on failures, and managing state across long-running processes, supporting applications like data pipelines and human-in-the-loop systems. Recently, Cloudflare introduced a feature that provides a complete visual diagram of each deployed workflow, enhancing developers' ability to visualize and understand the structure and execution flow of their applications. Unlike traditional visual workflow builders that rely on declarative configurations, Cloudflare Workflows are built with code, allowing for a robust, dynamic execution model. This model involves using Abstract Syntax Trees (ASTs) to statically derive the execution graph, tracking relationships among Promises and Await statements to determine parallel executions, blocks, and connections between workflow components. The visual diagrams aim to aid in diagnosing and debugging by accurately translating the code into a graph that represents the workflow's execution, even when the code is minified. This feature is designed to evolve, providing developers with a comprehensive tool for real-time execution tracing, error detection, and workflow testing, while feedback from users is encouraged to refine the system further.
Mar 27, 2026
2,460 words in the original blog post.
Engineers faced a significant bottleneck when restarting Atlantis, a tool used to manage Terraform changes, due to Kubernetes' default behavior of recursively changing file permissions on a persistent volume. This resulted in 30-minute restart times, blocking engineering work and triggering false alarms. The issue arose because the persistent volume had grown to millions of files, causing inode exhaustion and slow operations. The team identified that Kubernetes' fsGroupChangePolicy, which defaults to Always, was unnecessarily changing permissions on every file during restarts. By setting this policy to OnRootMismatch, they reduced restart times to 30 seconds, reclaiming nearly 50 hours of engineering time per month. This fix highlights how default Kubernetes settings can become bottlenecks as data scales, and emphasizes the importance of auditing securityContext settings to optimize performance.
Mar 26, 2026
1,346 words in the original blog post.
Cloudflare's introduction of Code Mode emphasizes the shift from tool-based task execution to code-driven processes, where agents write code to call APIs. By converting an MCP server into a TypeScript API, token usage is significantly reduced, and the new Cloudflare MCP server can expose the entire Cloudflare API using fewer resources. The Dynamic Worker Loader API, now in open beta, allows Cloudflare Workers to instantiate new Workers with runtime-specified code in isolated sandboxes, promising rapid scalability and security. This approach leverages V8 isolates, which are considerably faster and more memory-efficient than containers, enabling seamless scaling to millions of requests per second. The system supports JavaScript as the primary language due to its web-sandboxing nature, while TypeScript is favored for its concise API representation. The platform also provides robust security measures, including automatic V8 security patches and additional sandboxing layers. With helper libraries like @cloudflare/codemode and @cloudflare/worker-bundler, developers can efficiently run model-generated code against AI tools, bundle modules, and manage virtual filesystems. Applications range from custom automation creation to AI-generated app platforms, with pricing set at $0.002 per unique Worker loaded per day, though waived during the beta period.
Mar 24, 2026
3,177 words in the original blog post.
Cloudflare's transition to the FL2, a Rust-based rewrite of its core request handling layer, has led to the introduction of the Gen 13 server hardware, which features substantial improvements over its predecessor, Gen 12. The Gen 13 server is equipped with a 192-core AMD EPYC™ Turin 9965 processor, 768 GB of DDR5-6400 memory, and 24 TB of PCIe 5.0 NVMe storage, offering up to twice the throughput while maintaining latency SLAs and improving performance per watt by up to 50%. This new architecture supports up to 60% higher throughput per rack, doubles memory capacity, and quadruples network bandwidth, while integrating PCIe encryption hardware support and improving thermal management for powerful PCIe accelerators. The server's design focuses on maintaining operational simplicity, forward compatibility, and enhanced efficiency, ensuring it meets the growing demands of Cloudflare's global network and software stack. As Gen 13 servers begin deployment, Cloudflare continues to plan for future generations, emphasizing the company's commitment to building a better Internet.
Mar 23, 2026
3,440 words in the original blog post.
Cloudflare's transition from their 12th Generation server fleet to the 13th Generation, powered by AMD's EPYC 5th Gen Turin-based processors, marked a significant leap in performance efficiency and scalability at the edge. The primary challenge was the reduction in cache size per core, which initially hindered performance due to increased latency in their legacy request handling software, FL1. By developing FL2, a Rust-based rewrite of their core request handling layer, Cloudflare successfully overcame these limitations, allowing the new system to fully exploit the higher core count and achieve linear throughput scaling without exceeding latency service level agreements (SLAs). FL2's architecture, with improved memory access patterns and reduced dependency on large caches, doubled throughput and boosted power efficiency by 50% compared to the previous generation. These advancements reduced the carbon footprint per request and enhanced Cloudflare's ability to handle global traffic efficiently, offering a compelling example of effective hardware-software co-design.
Mar 23, 2026
1,756 words in the original blog post.
Cloudflare is enhancing its platform to support the development and deployment of AI agents with the introduction of Workers AI, which now offers powerful open-source models like Moonshot AI's Kimi K2.5. This model is noted for its extensive 256k context window and capabilities in multi-turn tool calling, vision inputs, and structured outputs, making it suitable for agentic tasks. Cloudflare engineers have incorporated Kimi K2.5 into their internal tools, finding it a cost-effective alternative to larger proprietary models, significantly reducing expenses by 77% in some use cases. The platform has been optimized to support large-scale AI models through techniques such as custom kernels, data parallelization, and prefix caching to improve performance and reduce costs. Additionally, Cloudflare has introduced new features like session affinity headers and a revamped asynchronous API to enhance cache hit rates and manage inference requests efficiently. These advancements allow for scalable deployment of AI models, offering an attractive solution for enterprises seeking to transition to cost-effective, open-source AI models.
Mar 19, 2026
1,949 words in the original blog post.
Cloudflare's Regional Services product enhances data sovereignty compliance by leveraging the company's global network to provide both local compliance and global-scale security. The expansion includes new pre-defined regions such as Turkey, the UAE, IRAP (Australian compliance), and ISMAP (Japanese compliance), along with the introduction of Custom Regions, which allow customers to define their own geographical boundaries for traffic processing. This approach differs from traditional sovereign cloud providers by not isolating traffic to a single geography, instead using Cloudflare's vast network for DDoS protection and intelligent routing. Custom Regions enable users to tailor regions to their specific needs, such as regionalizing AI inference or aligning with government operations, without compromising on security. This flexibility allows users to match their internal structures or specific marketing strategies while maintaining compliance with data localization requirements.
Mar 18, 2026
849 words in the original blog post.
Cloudflare is engaged in a legal battle against the Italian regulatory scheme "Piracy Shield," which it argues undermines the fundamental architecture of the Internet by allowing media companies to control online content without traditional legal safeguards. The Piracy Shield, implemented by the Italian communications regulator AGCOM, requires service providers to block websites and IP addresses within 30 minutes of a request from private companies, leading to potential overblocking and disruption of legitimate sites. Despite being fined €14 million by AGCOM for non-compliance, Cloudflare is appealing the decision and challenging the legality of the regulation, asserting it violates EU laws like the Digital Services Act that mandate transparency, oversight, and due process. The European Commission has expressed similar concerns about the lack of oversight, and an Italian court has ordered AGCOM to disclose records supporting its blocking orders, although transparency issues persist. Cloudflare continues to advocate for a better Internet where global infrastructure remains free, open, and secure, and where rightsholders' interests are balanced with legal due process and the integrity of the Internet.
Mar 16, 2026
1,345 words in the original blog post.
Migrating to a Zero Trust architecture presents significant challenges for organizations, particularly during high-stakes cutover events where missteps can cause widespread disruption. Cloudflare and CDW offer a strategic approach to these migrations by combining Cloudflare's Zero Trust platform with CDW's expertise in handling complex deployments. This partnership emphasizes a phased, risk-aware methodology that avoids the pitfalls of traditional "lift and shift" migrations. By using Cloudflare Access, organizations can modernize their security posture without rewriting legacy applications, significantly reducing attack surfaces. CDW further mitigates migration risks with a tiered application strategy, ensuring that complex systems are addressed with thoughtful planning. Their process includes pre-migration audits and stress tests to ensure compatibility and continuous session integrity. Ultimately, the partnership aims to transform legacy infrastructures into agile, secure environments, prioritizing coexistence and performance throughout the transition. This approach not only enhances security but also streamlines operations, positioning organizations for a resilient future.
Mar 13, 2026
1,415 words in the original blog post.
Cloudflare has unveiled a new suite of fraud prevention capabilities aimed at preventing account abuse by addressing both automated and human-driven threats. The initiative builds on existing measures like leaked credentials detection and account takeover (ATO) detection, now incorporating tools such as disposable email checks and email risk assessments to identify and mitigate fake account creation and risky email patterns. A notable addition is the Hashed User IDs, which provide per-domain identifiers that enhance visibility into suspicious account activity without compromising user privacy. These capabilities, available to Bot Management Enterprise customers in Early Access, aim to tackle the growing threat of industrialized fraud by offering a layered security approach that focuses on both automation and the authenticity of user intent. This comprehensive strategy seeks to protect every stage of the user journey, from account creation to login and transaction integrity.
Mar 12, 2026
1,848 words in the original blog post.
Cloudflare has introduced a significant update to improve how AI agents handle errors by replacing traditional HTML error pages with RFC 9457-compliant structured Markdown and JSON error responses. This change allows AI agents to receive clear, machine-readable instructions rather than human-oriented error pages, enhancing efficiency by reducing payload size and token usage by over 98%. The new structured responses provide actionable guidance for agents, such as retrying after specific intervals or escalating issues, using a stable schema that conforms to the Problem Details for HTTP APIs standard. This update is automatically implemented across the Cloudflare network, requiring no additional configuration from site owners, while browsers continue to receive traditional HTML pages. The structured error responses help streamline agent operations, reduce costs, and improve recovery times, marking a shift towards more efficient and deterministic error handling in AI agent workflows.
Mar 11, 2026
2,351 words in the original blog post.
Cloudflare has launched AI Security for Apps, a service designed to detect and mitigate threats to AI-powered applications, now generally available to all its customers, including those on Free, Pro, and Business plans. This service features AI endpoint discovery, which is free for all users, and includes capabilities like detection for custom topics and prompt injection threats. Cloudflare is collaborating with IBM to offer this security to IBM's cloud customers and partnering with Wiz for a unified AI security overview. The AI Security for Apps operates by identifying AI endpoints across web properties, detecting malicious activities, and mitigating threats using Cloudflare's WAF rule builder. It supports discovery of endpoints regardless of hosting, using behavior-based detection rather than path matching, and includes custom prompt extraction and mitigation options. The service aims to provide a comprehensive security layer integrating AI-specific data with Cloudflare's broader security platform, offering enhanced protection against complex threat patterns.
Mar 11, 2026
1,326 words in the original blog post.
Organizations are faced with expanding attack surfaces as they launch new digital assets like domains, applications, and APIs, which can become entry points for attackers if left unmanaged. To address this challenge, Cloudflare and Mastercard have partnered to integrate Mastercard's RiskRecon attack surface intelligence with Cloudflare's security capabilities, allowing for continuous discovery and monitoring of internet-facing vulnerabilities. This integration, set for preview in 2026, aims to enable organizations to detect and secure shadow IT, such as forgotten subdomains and unauthorized cloud servers, using Mastercard's data to identify vulnerabilities and Cloudflare's proxy to implement security controls. Mastercard's analysis of a large sample of organizations revealed that those using Cloudflare as a proxy showed significantly better security hygiene across several metrics, including software patching and web encryption. The partnership seeks to provide organizations with comprehensive visibility into their internet footprint, enabling proactive remediation of security gaps and reducing the likelihood of cybersecurity incidents like ransomware attacks and data breaches.
Mar 10, 2026
1,175 words in the original blog post.
Cloudflare's Log Explorer serves as a comprehensive tool for cybersecurity forensics, providing 360-degree visibility by integrating 14 new datasets that cover the entire surface of Cloudflare's Application Services and Cloudflare One product portfolios. It centralizes raw logs from application-layer HTTP requests, network-layer DDoS and Firewall logs, and Zero Trust Access events into a unified interface, allowing security analysts to quickly investigate and correlate data across multiple sources, significantly reducing Mean Time to Detect (MTTD) and unmasking sophisticated, multi-layered attacks. By functioning as a "flight recorder," Log Explorer captures every interaction and potential threat before requests reach a user's infrastructure, offering granular insights through zone-scoped and account-scoped logs that track everything from website traffic and security events to internal security and network activity. The tool's extensibility, driven by a JSON Schema-based ingestion pipeline, enables the integration of additional data sources, positioning Log Explorer as a potential single pane of glass for correlating Cloudflare's telemetry with third-party logs. Recent architectural upgrades have improved the speed and resilience of data ingestion, reducing latency and enabling faster response times to multi-vector attacks, with future enhancements planned to further augment its capabilities.
Mar 10, 2026
2,266 words in the original blog post.
The modern security landscape faces challenges not from a lack of data but from an overwhelming abundance of it, leading to noise without actionable context. In response, a new Security Overview dashboard has been developed to shift focus from reactive monitoring to proactive control, offering a unified interface that prioritizes security action items based on criticality. This system is designed to bridge the gap between detection and investigation, surfacing vulnerabilities and misconfigurations that are often missed due to the complexity of navigating multiple tools. The dashboard includes features like Security Action Items, Detection Tools, and Suspicious Activity cards that streamline processes by providing context and insights into configuration gaps, ensuring tools are not just present but actively protecting the organization. A sophisticated engine underpins this system, utilizing specialized microservices, or checkers, for various stack components, operating both through scheduled checks and real-time event handlers to maintain a proactive defense. The dashboard also introduces Contextual Insights, which provide detailed information on the impact and root causes of detected issues, such as dangling DNS records, to enable immediate and informed action. This approach aims to transform security management from a reactive burden into a strategic advantage, helping organizations prioritize and address the most critical risks efficiently.
Mar 10, 2026
2,250 words in the original blog post.
Cloudflare is challenging the traditional complexities and prolonged timelines associated with migrating to a zero trust architecture by offering a more streamlined and programmable approach through its Cloudflare One platform. By partnering with companies like TachTech and Adapture, Cloudflare has demonstrated that what typically takes up to 18 months with legacy Secure Access Service Edge (SASE) vendors can be reduced to just six weeks. This reduction in deployment time is achieved by focusing on identity-first on-ramps, consolidated policy engines, and cloud-native connectors, which eliminate the need for complex hardware replacements and reduce latency issues. Cloudflare's approach not only simplifies the transition but also enhances security by integrating features such as robust telemetry, global network coverage, and AI security measures. The platform's extensible architecture allows partners to adapt to unique environments and specific requirements without compromising security. Furthermore, Cloudflare One facilitates safe AI adoption by providing a unified defense across the AI lifecycle and ensuring data governance and protection. This modern approach positions organizations to overcome the limitations of legacy systems and leverage cutting-edge security solutions efficiently.
Mar 09, 2026
1,212 words in the original blog post.
Cloudflare is expanding its security offerings with the introduction of a Web and API Vulnerability Scanner, initially targeting the OWASP API Top 10 threat of Broken Object Level Authorization (BOLA). Unlike traditional defensive security measures like WAFs, which focus on blocking suspicious traffic, this scanner actively hunts for logical flaws in APIs, which appear as valid HTTP requests but conflict with business logic. Cloudflare's approach leverages its API Shield, which passively scans for anomalies and provides context for detecting vulnerabilities, and uses dynamic application security testing (DAST) to create new test traffic profiles. The scanner integrates seamlessly with existing Cloudflare security tools, utilizing features such as API Discovery and Schema Learning to automatically construct scan plans. It also employs Cloudflare's Workers AI platform to address inconsistencies in OpenAPI specifications, ensuring accurate modeling of API endpoint relationships. Built on proven infrastructure with robust security measures for handling API credentials, the scanner is launching as an Open Beta for API Shield customers and will gradually expand to include more API and web application threats.
Mar 09, 2026
2,161 words in the original blog post.
In December 2025, Cloudflare was alerted to HTTP/1.x request smuggling vulnerabilities in the Pingora open-source framework when used as an ingress proxy, identified as CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836. These vulnerabilities, reported by Rajat Raghav through a bug bounty program, were found not to affect Cloudflare's CDN due to its architecture but posed risks for standalone Pingora deployments exposed to the internet. The vulnerabilities could allow attackers to bypass security controls, desynchronize HTTP requests/responses, and poison proxy-layer caches. Pingora 0.8.0 was released with fixes to these vulnerabilities, and Cloudflare recommended users of Pingora upgrade promptly despite no detected impact on Cloudflare customers. The vulnerabilities involved improper handling of Upgrade requests, incorrect parsing of HTTP/1.0 requests with Transfer-Encoding, and default cache key construction flaws. Cloudflare's internal investigations confirmed that its services were not vulnerable due to strict RFC compliance and additional security layers, while the company emphasized the importance of adhering to RFC standards to enhance security and promote best practices across the internet.
Mar 09, 2026
1,763 words in the original blog post.
Cloudflare One has evolved from focusing on network security to encompassing endpoint and SaaS application security, emphasizing that data security is a vital aspect of enterprise security. The platform's approach revolves around understanding where sensitive data resides, who can access it, and how it can potentially move to unauthorized locations. To enhance data security, Cloudflare One integrates visibility, control, and enforcement across various stages of data interaction, from transit and at rest to in use and at the prompt, especially with the rise of AI interfaces. Recent updates include features like browser-based Remote Desktop Protocol (RDP) clipboard controls, operation-level logging, and endpoint data loss prevention (DLP), which aim to provide granular control and visibility over data movements. Additionally, Cloudflare One has introduced AI security scanning for Microsoft 365 Copilot, allowing organizations to monitor Copilot activities for data security issues. These enhancements reflect Cloudflare One's commitment to creating a unified data security model that follows data across different environments, ensuring consistent protection regardless of the tools or platforms in use.
Mar 06, 2026
1,537 words in the original blog post.
A common issue faced by Internet users is the "PMTUD Black Hole," where packets too large for a network path fail to trigger feedback to the sender, causing connectivity problems. This typically happens in networks with maximum transmission unit (MTU) restrictions, where legacy infrastructure fails to send proper feedback. Cloudflare addresses this by implementing Path MTU Discovery (PMTUD) in its Cloudflare One Client, which uses active probing to determine the optimal packet size for a network path, preventing disruptions. This method is particularly beneficial in complex network environments, such as those encountered by first responders and global hybrid workers, by maintaining stable connections and optimizing packet flow. The Cloudflare One Client's utilization of the MASQUE protocol facilitates this process, providing a seamless, adaptable, and robust connection experience. Users can access PMTUD for free with the Cloudflare One Client, enhancing their network reliability and speed.
Mar 05, 2026
887 words in the original blog post.
Cloudflare has re-engineered its Cloudflare One Client's proxy mode to enhance user performance without compromising security by transitioning from a WireGuard-based approach to using QUIC for direct Layer 4 proxying. This change eliminates the inefficiencies of previous methods that relied on converting application-layer TCP traffic into Layer 3 packets, which resulted in sluggish performance, particularly on media-heavy sites. By integrating QUIC and HTTP/3, Cloudflare now maintains traffic at Layer 4, allowing for modern congestion control and flow control and enabling significant performance improvements, such as doubling download and upload speeds and reducing latency. These advancements are particularly beneficial for users requiring coexistence with third-party VPNs, high-bandwidth application partitioning, and developers needing efficient proxy support for CLI tools or scripts. The update is available for devices running Windows, macOS, and Linux, with users encouraged to upgrade to the latest client version to capitalize on these enhancements.
Mar 05, 2026
878 words in the original blog post.
Cloudflare is addressing the challenge of IP address conflicts in enterprise networks by introducing Automatic Return Routing (ARR) as part of its Cloudflare One platform. ARR allows overlapping networks to coexist without traditional routing complexities like Network Address Translation (NAT) or Virtual Routing and Forwarding (VRF) by using stateful tracking to remember the originating tunnel for each flow. This "zero-touch" solution eliminates the need for routing table consultations, enabling seamless traffic return and reducing administrative overhead. ARR is built on Cloudflare's Unified Routing framework, which integrates Zero Trust and WAN services, offering improved performance and interoperability. Currently in closed beta, ARR supports Internet access from overlapping IPs and is expanding to include private data center access and additional failover capabilities, aiming to simplify network management for complex global deployments.
Mar 05, 2026
1,606 words in the original blog post.
Traditional Web Application Firewalls (WAFs) often require extensive manual configuration to effectively block malicious traffic, which can lead to a trade-off between visibility and protection. Cloudflare addresses these challenges with its new Attack Signature Detection, which inspects every request for malicious payloads and provides detailed detection metadata without impacting performance. This approach enables security teams to create precise mitigation policies, reducing false positives. The system separates detection from mitigation, ensuring continuous analysis while maintaining performance. Cloudflare is also developing Full-Transaction Detection, which analyzes both request and response data to identify threats that traditional methods might miss, such as subtle SQL injections or data exfiltration patterns. Both initiatives aim to enhance web application security by offering comprehensive visibility, allowing users to create custom security rules with greater confidence. Attack Signature Detection offers early access, while Full-Transaction Detection is still under development.
Mar 04, 2026
2,462 words in the original blog post.
Cloudflare has introduced the Gateway Authorization Proxy and Proxy Auto-Configuration (PAC) File Hosting to enhance security and simplify management for unmanaged devices connecting to the internet, addressing challenges when devices cannot have software installed, such as during company acquisitions or in regulated environments. This new system shifts the identity verification from device-based to network-based, using browser proxy capabilities and Cloudflare's global network to enforce policies. Unlike previous methods relying on static IPs, the Authorization Proxy identifies users through a Cloudflare Access-style login, allowing for precise user-based access and policy enforcement, even supporting multiple identity providers like Okta and Azure AD. This setup removes the need for manual PAC file hosting and reduces maintenance, offering users a seamless experience without noticeable delays, as authentication through signed JWT cookies occurs rapidly. The service is now in open beta, aiming to offer flexible authentication methods and broaden clientless security options, making it ideal for scenarios like virtual desktops, mergers and acquisitions, and compliance-restricted environments.
Mar 04, 2026
1,005 words in the original blog post.
Cloudflare is enhancing its SASE toolbox with new security features aimed at strengthening remote access without adding user friction. The introduction of mandatory authentication ensures that the Cloudflare One Client acts as a gatekeeper from the moment a device boots up, requiring user authentication to maintain visibility and control over network access. This addresses potential security gaps arising from unauthenticated devices. Additionally, Cloudflare has launched its own multi-factor authentication (MFA) system as a secondary layer of trust, independent of primary identity providers, to protect against compromised single sign-on (SSO) sessions. The MFA offers various authentication methods, including biometrics and security keys, allowing administrators to enforce flexible security policies tailored to different applications and user groups. These updates aim to tighten security while simplifying user workflows, reducing the risk of breaches by ensuring continuous, automated posture enforcement.
Mar 04, 2026
1,022 words in the original blog post.
Trust, especially in the human element of security, is a critical vulnerability in modern security architecture, as highlighted in the 2026 Cloudflare Threat Report. The report underscores the increasing threat of "remote IT worker" fraud, often linked to organized operations by nation-states, which use sophisticated techniques like generative AI and deepfake tools to bypass traditional security measures. These schemes exploit the gap between hiring and onboarding, where attackers with stolen identities infiltrate companies. Cloudflare, in partnership with Nametag, addresses this issue by introducing identity-verified onboarding and continuous identity assurance to its SASE platform, Cloudflare One. This integration ensures that the person interacting with company resources is legitimate, using advanced cryptography and biometric verification to prevent bad actors from accessing sensitive data. As AI-driven fraud becomes more prevalent, this approach moves beyond mere device and credential verification, providing a layered defense that adapts to the dynamic threat landscape by incorporating user risk scores and step-up verification processes.
Mar 04, 2026
1,339 words in the original blog post.
Cloudflare has enhanced its SASE platform, Cloudflare One, by integrating User Risk Scores into Zero Trust Network Access (ZTNA) policies, enabling more dynamic and intelligent access control. This system evaluates user behaviors, such as impossible travel or multiple failed login attempts, to calculate a risk score that influences access permissions in real time. Administrators can define which behaviors are significant and apply adaptive access rules based on these risk scores, allowing for automatic enforcement of security measures without disrupting corporate operations. The platform supports integrations with third-party services like CrowdStrike and SentinelOne to enrich its risk assessment capabilities and shares risk signals with platforms like Okta. This approach shifts security from static, binary checks at login to a continuous evaluation process, offering organizations a proactive way to manage access and security challenges.
Mar 04, 2026
907 words in the original blog post.
The 2026 Cloudflare Threat Report highlights a significant evolution in the cyber threat landscape, emphasizing a shift from brute force attacks to high-trust exploitation tactics that maximize operational outcomes. This transition is driven by the Measure of Effectiveness (MOE), which prioritizes efficiency over complexity, leading adversaries to favor methods like identity theft and cloud-based infrastructure abuse. Key trends identified include the automation of attacks using AI, the weaponization of legitimate SaaS tools, deepfake infiltration into organizations, and the increasing sophistication of DDoS attacks. The report underscores the urgency for organizations to adopt autonomous defense systems to counteract these advanced threats, stressing the need for real-time visibility and automated responses. It also details the activities of various nation-state actors and their exploitation of cloud resources to blend malicious activities with legitimate enterprise traffic. Cloudforce One's comprehensive approach combines global telemetry and AI-driven research to provide actionable intelligence, advocating for an industry-wide pivot toward proactive, automated cyber defense strategies.
Mar 03, 2026
1,459 words in the original blog post.
Email security is an ongoing challenge characterized by a constant battle between evolving defenses and adaptive attackers. Traditional security systems rely on reactive strategies, improving detection based on user-reported misses, which often means reacting to threats after they have already been exploited. To address this, Cloudflare has incorporated Large Language Models (LLMs) into its email security tools, shifting from a reactive to a proactive approach by identifying threats before they materialize. LLMs enhance the capability to detect and categorize nuanced threats, such as phishing emails that mimic legitimate business communications. This integration allows for the creation of specialized machine learning models that target specific threat patterns, significantly reducing the number of malicious emails reaching users. The approach has led to a notable decrease in user-reported misses and improved overall security. Cloudflare's use of LLMs enables a more comprehensive understanding of the threat landscape, facilitating earlier interventions and reducing the workload on security teams. This proactive strategy marks a significant advancement in the arms race of email security by focusing on unseen vulnerabilities and adapting quickly to emerging threats.
Mar 03, 2026
1,466 words in the original blog post.
Cloudflare's Threat Intelligence Platform (TIP) addresses the cybersecurity industry's "data gravity" problem by providing a centralized system that collects, aggregates, and organizes data on known and emerging cyber threats. Designed as a cloud-first, agentic-capable platform, it eliminates the need for complex ETL pipelines by using a sharded, SQLite-backed architecture that enables sub-second query latency, even when handling millions of events. By integrating with Cloudflare Workers and using GraphQL at the edge, the platform allows real-time visualization and automation of threat responses, enabling security teams to move from reactive to proactive defense. The TIP complements traditional SIEM systems by providing long-term, structured storage for threat events, enriched with historical actor patterns, and facilitates interoperability through STIX2 exports and automated rule generation via the Firewall API. With dynamic visualization tools like Sankey Diagrams, it helps users see patterns in the threat landscape and correlate disparate threat events into cohesive campaigns. The platform's human-in-the-loop intelligence integrates Requests for Information, allowing deep-dive investigations by Cloudforce One analysts, whose findings enhance the platform's automated defenses. By shifting the compute to the edge, the TIP ensures that intelligence is immediately accessible, enabling faster and more accurate decision-making, while its tiered access structure—Cloudforce One Essentials, Advantage, and Elite—caters to different customer needs and threat detection capabilities.
Mar 03, 2026
2,208 words in the original blog post.
Cloudflare has launched a new Remediation feature for its Cloud Access Security Broker (CASB) within the Cloudflare One platform, allowing customers to address file-sharing risks directly from the dashboard. This marks a significant advancement for the CASB tool, which has traditionally focused on identifying and flagging risky file-sharing and misconfigurations across popular SaaS applications like Microsoft 365 and Google Workspace. The Remediation feature enables users to fix issues such as public file sharing and unauthorized access with a single click, enhancing the ability to manage security risks efficiently. The system supporting CASB Remediation is designed for speed, durability, and ease of use, leveraging several Cloudflare products to streamline the process. With performance results indicating rapid job completion times, Cloudflare plans to expand CASB Remediation capabilities, including additional SaaS integrations and advanced features like Autoremediation and Custom Webhook actions. The feature is available to Cloudflare One customers with a CASB license, offering a proactive approach to securing file-sharing activities in cloud-based environments.
Mar 03, 2026
1,227 words in the original blog post.
Cloudflare's Cloudy is a powerful LLM-powered explanation tool integrated into Cloudflare One, designed to translate complex security telemetry into human-readable guidance for security teams and end users. It enhances decision-making and reduces unnecessary noise by providing clear, contextual explanations of why an email is flagged or a SaaS issue is detected. Initially launched for email security, Cloudy helps end users understand the reasoning behind message classifications like Malicious or Suspicious, addressing the gap left by traditional security awareness training. This reduces the burden on security operations centers (SOC) by preventing unnecessary escalations. Cloudy is also applied to Cloudflare's CASB, offering structured explanations for security findings across SaaS environments, allowing administrators to quickly understand risks and prioritize remediation. The tool is built on Cloudflare's privacy-first infrastructure, ensuring data protection while leveraging AI for real-time feedback. Cloudflare plans to expand Cloudy's capabilities further, aiming to integrate it more deeply into daily workflows and enhance collaboration between users and SOC teams.
Mar 03, 2026
2,317 words in the original blog post.
As the corporate landscape evolves, the concept of the office is shifting, with agile Secure Access Service Edge (SASE) frameworks becoming essential for modern network security. The traditional reliance on fragmented legacy systems and VPNs is giving way to platforms like Cloudflare One, which integrates networking and security into a cohesive global connectivity cloud. This approach eliminates bottlenecks associated with service-chaining by enabling simultaneous security checks across a vast network. Cloudflare One's composable and programmable nature allows for customizable security responses and supports agile enterprise growth. The platform's features are showcased through a week-long series of technical deep-dives, highlighting advancements in areas such as identity verification, AI-driven security, and network performance. By adopting Cloudflare One, enterprises can enhance security, streamline operations, and prepare for future technological challenges in a rapidly changing digital environment.
Mar 02, 2026
785 words in the original blog post.
Cloudflare has introduced Project Helix to streamline the deployment of its Cloudflare One platform, reducing the complexity and time required for customers to configure advanced security settings. While Cloudflare One offers a wide range of features, including DNS protection, Secure Web Gateway, and Zero Trust Access, the initial setup can be daunting due to the numerous configurations needed. Project Helix addresses this by using Terraform and Cloudflare Workers to automate the setup process through a user-friendly interface, allowing even novice users to deploy a full-functioning baseline configuration quickly and consistently. This initiative not only saves significant time but also minimizes human error, ensuring a seamless transition to Cloudflare's SASE platform. Additionally, Project Helix supports internationalization and optimizes interoperability with various captive portals, enhancing user experience across different regions and networks.
Mar 02, 2026
1,528 words in the original blog post.
Cloudflare emphasizes the importance of programmability in enhancing security and networking flexibility for organizations by utilizing its global network and SASE platform, Cloudflare One. Programmability goes beyond traditional methods, allowing real-time decision-making and custom logic integration, such as verifying user compliance before granting access to sensitive applications. Cloudflare's network, operating across over 330 cities, supports both its SASE and Developer Platform, enabling seamless integration and real-time policy enforcement at the edge. This capability allows customers to implement dynamic security measures without the latency or complexity of separate infrastructures. The platform's flexibility empowers users to create tailored solutions quickly, turning custom integrations into competitive advantages. As Cloudflare continues to integrate its SASE and Developer Platform, customers can expect enhanced dynamic policy enforcement and request augmentation capabilities, providing a customizable security framework that adapts to evolving needs.
Mar 02, 2026
1,599 words in the original blog post.