Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogMar 3, 2026

Introducing the 2026 Cloudflare Threat Report

Why it matters: Attackers are shifting from complex hacks to high-efficiency exploitation of trusted cloud tools and session tokens. Engineers must move beyond perimeter defense to secure SaaS integrations, identity tokens, and detect 'living off the land' tactics hidden in legitimate enterprise traffic.

Attackers are prioritizing 'Measure of Effectiveness' (MOE), favoring high-throughput tactics like session token theft over expensive, one-off zero-day exploits.
Generative AI is being used to automate high-velocity operations, including real-time network mapping, exploit development, and deepfake persona creation.
Threat actors are 'living off the land' by weaponizing trusted SaaS and IaaS tools like Google Calendar and GitHub to mask command-and-control (C2) traffic.
Over-privileged third-party API integrations create cascading risks, where a single compromised integration can breach hundreds of distinct corporate environments.
Infostealers are increasingly used to harvest active session tokens, allowing attackers to bypass multi-factor authentication (MFA) and move to post-authentication actions.
Hyper-volumetric DDoS attacks, powered by massive botnets like Aisuru, are reaching scales that exhaust infrastructure capacity and minimize human response windows.

#security #dist

Read original

Cloudflare BlogMar 3, 2026

From reactive to proactive: closing the phishing gap with LLMs

Why it matters: This approach transforms security from a reactive arms race into a proactive system. By using LLMs for automated threat discovery and specialized models for enforcement, engineers can close detection gaps faster and mitigate sophisticated, evolving phishing attacks at global scale.

Cloudflare is shifting from reactive email security to proactive defense by using LLMs to analyze and categorize millions of daily messages.
LLMs act as a discovery layer, identifying complex concepts like intent, urgency, and deception across unstructured email data.
High-fidelity LLM-generated tags allow analysts to surface emerging threat vectors, such as sophisticated 'Sales Outreach' phishing, in near real-time.
Insights from LLMs are used to curate high-precision training datasets, focusing on linguistic traits and sentiment rather than static indicators.
Specialized sentiment analysis models are trained on these datasets to provide fast, scalable enforcement without the overhead of a general-purpose LLM.
This continuous feedback loop enables model refinement as attackers adapt, significantly reducing the time-to-detection for new phishing variants.

#security #mlp #data

Read original

Cloudflare BlogMar 3, 2026

How Cloudy translates complex security into human action

Why it matters: Cloudy bridges the gap between sophisticated ML detections and human action. By providing clear context for security flags, it reduces alert fatigue for SOC teams and empowers end users to make better security decisions in real-time without needing deep technical expertise.

Cloudy is an LLM-powered explanation layer built on Cloudflare Workers AI to translate complex security telemetry into human-readable guidance.
The system integrates with Cloudflare Email Security to provide real-time summaries explaining why specific messages were flagged as malicious or suspicious.
By embedding explanations into the Phishnet reporting tool, Cloudy helps reduce SOC noise by educating end users at the point of interaction.
For Cloudflare CASB, Cloudy simplifies SaaS security findings by surfacing the reasoning behind detections and providing clear remediation paths.
The architecture utilizes Llama 3 and a chain-of-thought prompting approach to ensure explanations are grounded in specific, structured ML model outputs.

#security #mlp #data

Read original

Cloudflare BlogMar 3, 2026

See risk, fix risk: introducing Remediation in Cloudflare CASB

Why it matters: This update bridges the gap between threat detection and response in SaaS environments. By automating remediation through a durable serverless architecture, engineers can eliminate manual cleanup tasks and ensure a consistent security posture across disparate cloud platforms.

Cloudflare CASB now includes Remediation, allowing users to fix risky file-sharing configurations directly from the Cloudflare One dashboard.
The feature initially supports Microsoft 365 and Google Workspace, addressing public links, company-wide sharing, and external access.
Built using Cloudflare Workflows, the system ensures durable execution and handles vendor API rate limits (429s) with native retry logic.
The architecture leverages Workers, Queues, KV, and Hyperdrive to achieve a p50 end-to-end job completion time of 48 seconds.
Remediation actions focus on removing risky sharing permissions without deleting files or changing ownership.
All actions are recorded in Cloudflare One Admin logs, providing an audit trail for security teams and SIEM integrations.

#security #dist

Read original

Cloudflare BlogMar 2, 2026

Beyond the blank slate: how Cloudflare accelerates your Zero Trust journey

Why it matters: Project Helix reduces Zero Trust adoption barriers by replacing manual, error-prone configurations with automated best practices. This allows engineers to deploy secure, optimized SASE environments in minutes while ensuring consistency across complex network architectures.

Project Helix automates the configuration of Cloudflare One to eliminate the 'blank slate' problem and reduce deployment friction.
The system codifies best practices from solutions engineers into reusable Terraform templates for consistent, error-free SASE setups.
Automated policies cover DNS protection, TLS inspection, Remote Browser Isolation, and visibility controls for AI applications.
Helix addresses complex networking tasks like configuring CGNAT ranges for private app routing and managing split-tunneling for real-time apps.
The solution leverages a web-based UI hosted on Cloudflare Workers to trigger infrastructure-as-code deployments via API.

#security #sre

Read original

Cloudflare BlogMar 2, 2026

Modernizing with agile SASE: a Cloudflare One blog takeover

Why it matters: Agile SASE moves security from rigid hardware silos to a programmable, single-pass global network. For engineers, this reduces technical debt, eliminates performance bottlenecks caused by service-chaining, and enables custom security logic via native developer platforms like Cloudflare Workers.

Cloudflare One introduces agile SASE, a composable platform designed to replace fragmented legacy hardware and VPNs with a unified connectivity cloud.
The platform utilizes a single-pass architecture across 300+ cities, eliminating service-chaining bottlenecks by running all security checks on every server simultaneously.
Integration with Cloudflare Workers allows developers to write custom code for real-time security event interception, moving beyond static allow/block rules.
Modernization focuses on five key areas: remote access, AI-powered email protection, DNS filtering, safe AI governance, and simplified branch networking.
Upcoming technical deep-dives will cover identity evolution, AI-driven threat detection, and the engineering behind the autonomous edge for performance-centric security.

#security #dist #sre

Read original

Cloudflare BlogMar 2, 2026

The truly programmable SASE platform

Why it matters: Cloudflare's programmable SASE allows engineers to build context-aware security policies using code. By executing logic at the edge, teams can integrate external data into access decisions in real-time, reducing latency and complexity compared to traditional webhook-based automation.

Cloudflare defines true programmability as the ability to intercept security events, enrich them with external context, and act in real-time.
The platform integrates SASE (Cloudflare One) with the Developer Platform (Workers), allowing security logic to run on the same global edge network.
Engineers can move beyond static 'allow/block' rules by using Workers to inject dynamic headers or query external risk APIs inline.
Managed actions provide templates for common IT and compliance workflows, while custom actions allow for bespoke logic via serverless functions.
This architecture eliminates the latency overhead typically associated with routing traffic to separate cloud environments for policy enforcement.
Real-world use cases include automated device session revocation and context-aware access based on external training or certification databases.

#security #dist #sre

Read original

Cloudflare BlogFeb 27, 2026

Toxic combinations: when small signals add up to a security incident

Why it matters: Engineers often overlook minor anomalies, but their convergence signals sophisticated attacks. Understanding toxic combinations helps teams move beyond signature-based defense to intent-based security, identifying breaches that lack obvious exploit payloads.

Toxic combinations are security incidents where attackers exploit multiple minor misconfigurations or anomalies that appear harmless in isolation.
Cloudflare identifies these by intersecting bot traffic data, sensitive application paths (e.g., /wp-admin, /debug), and request anomalies like geo jumps or identity mismatches.
Traditional point defenses like WAFs often focus on individual requests, whereas toxic combination detection analyzes the broader context and intent of multiple signals.
Analysis shows that while only 0.25% of non-WordPress hosts are susceptible, these represent high-risk vulnerabilities to compromise.
Engineers can use tools like Cloudflare Log Explorer to run queries that identify automated probing of administrative endpoints and debug flags.

#security #data

Read original

Cloudflare BlogFeb 27, 2026

ASPA: making Internet routing more secure

Why it matters: BGP route leaks cause major outages and security risks. ASPA extends RPKI to verify the entire routing path, not just the destination. For network engineers, this standard is a critical step toward a more secure and predictable Internet by cryptographically preventing unauthorized traffic detours.

ASPA (Autonomous System Provider Authorization) is a new cryptographic standard designed to prevent BGP route leaks by validating the entire network path.
While RPKI and ROAs verify the destination of traffic, ASPA verifies the sequence of Autonomous Systems (AS_PATH) it traverses.
ASPA allows network operators to publish a list of authorized upstream providers within the existing RPKI infrastructure.
Validation follows valley-free routing principles, ensuring traffic moves up to providers and down to customers without unauthorized lateral or downward-then-upward shifts.
Cloudflare Radar has introduced a monitoring tool to track ASPA adoption trends across Regional Internet Registries and individual Autonomous Systems.

#security #dist

Read original

Cloudflare BlogFeb 27, 2026

Bringing more transparency to post-quantum usage, encrypted messaging, and routing security

Why it matters: As quantum computing threats loom, transitioning to post-quantum cryptography and securing BGP routing are critical for long-term data integrity. These tools provide the transparency needed to audit infrastructure readiness and verify the security of encrypted communication channels.

Cloudflare Radar now monitors post-quantum (PQ) encryption support for origin-facing connections, complementing existing client-side tracking.
A new public tool allows users to verify if specific hostnames support PQ-secure hybrid key exchange algorithms like X25519MLKEM768.
The Key Transparency dashboard provides real-time verification status of logs for encrypted messaging services, ensuring public key integrity.
Routing security insights now include data on ASPA (Autonomous System Provider Authorization) deployment to mitigate BGP route leaks.
Origin-side PQ support has seen a 10x increase over the past year, driven by default enablement in libraries like OpenSSL 3.5.0 and Go 1.24.

#security #data #dist

Read original

Page 3 of 10

Prev 1 2 3 4 5...10 Next