Curated topic

security

Posts tagged with security

Cloudflare BlogMar 4, 2026

Always-on detections: eliminating the WAF “log versus block” trade-off

Why it matters: This shift from binary 'log vs. block' to continuous detection allows engineers to gain deep security insights without impacting latency or risking false positives. It enables more sophisticated, context-aware defenses by correlating full HTTP transactions instead of just inspecting requests.

Cloudflare is introducing an 'always-on' framework that separates WAF detection from mitigation, eliminating the traditional trade-off between visibility and protection.
Attack Signature Detection runs on every request, providing rich metadata including confidence scores, attack categories, and unique Ref IDs without stopping evaluation upon a match.
The system optimizes performance by running detections asynchronously after the request is sent to the origin, unless a specific blocking rule is active.
Full-Transaction Detection is being developed to correlate both requests and responses, enabling the identification of reflective SQL injection and data exfiltration.
Engineers can use new fields like cf.waf.signature.request.confidence and categories to build highly precise security policies in the Edge Rules Engine.
This evolution allows for easier onboarding and tuning by providing complete visibility into which signatures would have fired before switching to blocking mode.

#security #dist

Read original

Cloudflare BlogMar 4, 2026

Mind the gap: new tools for continuous enforcement from boot to login

Why it matters: These tools close critical security gaps by ensuring continuous enforcement from device boot. By decoupling MFA from the primary IdP, engineers can prevent lateral movement even if SSO credentials are compromised, significantly reducing the blast radius of potential breaches.

Cloudflare is introducing mandatory authentication to ensure devices are secured and visible from the moment of system boot.
The Cloudflare One Client now acts as a gatekeeper, using a system firewall to block all internet traffic until a user successfully authenticates.
A new independent MFA feature provides a secondary root of trust at the network edge, separate from the primary Identity Provider (IdP).
Independent MFA supports biometrics, FIDO2 security keys, and TOTP to protect against SSO session hijacking and credential compromise.
Administrators can define granular, per-application policies, requiring higher assurance authentication for sensitive resources like production databases.

#security #sre

Read original

Cloudflare BlogMar 4, 2026

Defeating the deepfake: stopping laptop farms and insider threats

Why it matters: Traditional Zero Trust is insufficient when attackers use deepfakes and laptop farms to bypass credential checks. Integrating biometric identity verification into the SASE layer closes the identity assurance gap, preventing nation-state actors from infiltrating corporate networks.

Remote IT worker fraud involves laptop farms where attackers use stolen identities and remote access to infiltrate corporate networks.
Traditional Zero Trust models often verify devices and credentials but fail to verify the actual person, creating an identity assurance gap.
Cloudflare is partnering with Nametag to integrate identity-verified onboarding and continuous assurance into the Cloudflare One SASE platform.
The integration uses OpenID Connect (OIDC) to chain Nametag as an identity provider or an external evaluation factor within Cloudflare Access.
Nametag's Deepfake Defense engine uses biometrics and AI to detect injection attacks and fabricated government IDs during authentication.
The system ensures that the person receiving and configuring a corporate device is the legitimate hire before granting access to sensitive resources.

#security

Read original

Cloudflare BlogMar 4, 2026

Moving from license plates to badges: the Gateway Authorization Proxy

Why it matters: This enables identity-based security for unmanaged devices without endpoint agents. Engineers can enforce granular policies and gain visibility in restricted environments like VDI or M&A, bridging the gap between network-level proxying and user-level identity.

Cloudflare introduced the Gateway Authorization Proxy to provide identity-based filtering for unmanaged devices without requiring client software.
The system replaces static IP-based identification with Cloudflare Access-style authentication using signed JWT cookies.
A domain-specific token generation process ensures seamless user authentication across different domains via Cloudflare's global edge network.
New Proxy Auto-Configuration (PAC) File Hosting allows teams to host and manage proxy settings directly on Cloudflare with built-in templates.
The solution supports multiple identity providers simultaneously, facilitating complex environments like mergers and acquisitions.
Identity-aware logging and granular policy enforcement are now possible for browser-based traffic on any device reaching the Internet.

#security #dist

Read original

Cloudflare BlogMar 4, 2026

Stop reacting to breaches and start preventing them with User Risk Scoring

Why it matters: It shifts security from static, binary login checks to continuous, adaptive authorization. By automating responses to behavioral risks and integrating third-party telemetry, engineers can reduce incident response times and prevent lateral movement without manual intervention.

Cloudflare One now incorporates User Risk Scores into Zero Trust Network Access (ZTNA) policies for real-time, behavior-based access control.
Risk scores are calculated continuously using internal telemetry from Cloudflare Access and Gateway, monitoring events like impossible travel and DLP violations.
The platform integrates third-party signals from security partners like CrowdStrike and SentinelOne to ingest external device posture and threat data.
Administrators can define deterministic risk levels and automate responses, such as requiring physical security keys or revoking access.
Integration with the Shared Signals Framework allows risk data to be synchronized with Identity Providers like Okta to secure the SSO ecosystem.

#security

Read original

Cloudflare BlogMar 3, 2026

Evolving Cloudflare’s Threat Intelligence Platform: actionable, scalable, and ETL-less

Why it matters: This architecture demonstrates how to build high-scale, low-latency platforms by moving compute and storage to the edge. By eliminating ETL and using sharded SQLite via Durable Objects, engineers can gain real-time insights from massive datasets without centralized database bottlenecks.

Cloudflare evolved its Threat Intelligence Platform (TIP) to eliminate complex ETL pipelines using a sharded, SQLite-backed architecture.
The platform leverages Cloudflare Workers and Durable Objects to run GraphQL directly at the edge, achieving sub-second query latency.
Data is distributed across thousands of logical shards, allowing for high-volume ingestion and parallel query execution without central bottlenecks.
The system integrates global telemetry with manual investigations to create a single source of truth for proactive threat blocking.
Cloudflare Queues handle asynchronous telemetry ingestion, while R2 provides long-term storage and SQLite handles the hot index for instant retrieval.

#security #dist #data

Read original

Cloudflare BlogMar 3, 2026

Introducing the 2026 Cloudflare Threat Report

Why it matters: Attackers are shifting from complex hacks to high-efficiency exploitation of trusted cloud tools and session tokens. Engineers must move beyond perimeter defense to secure SaaS integrations, identity tokens, and detect 'living off the land' tactics hidden in legitimate enterprise traffic.

Attackers are prioritizing 'Measure of Effectiveness' (MOE), favoring high-throughput tactics like session token theft over expensive, one-off zero-day exploits.
Generative AI is being used to automate high-velocity operations, including real-time network mapping, exploit development, and deepfake persona creation.
Threat actors are 'living off the land' by weaponizing trusted SaaS and IaaS tools like Google Calendar and GitHub to mask command-and-control (C2) traffic.
Over-privileged third-party API integrations create cascading risks, where a single compromised integration can breach hundreds of distinct corporate environments.
Infostealers are increasingly used to harvest active session tokens, allowing attackers to bypass multi-factor authentication (MFA) and move to post-authentication actions.
Hyper-volumetric DDoS attacks, powered by massive botnets like Aisuru, are reaching scales that exhaust infrastructure capacity and minimize human response windows.

#security #dist

Read original

Cloudflare BlogMar 3, 2026

From reactive to proactive: closing the phishing gap with LLMs

Why it matters: This approach transforms security from a reactive arms race into a proactive system. By using LLMs for automated threat discovery and specialized models for enforcement, engineers can close detection gaps faster and mitigate sophisticated, evolving phishing attacks at global scale.

Cloudflare is shifting from reactive email security to proactive defense by using LLMs to analyze and categorize millions of daily messages.
LLMs act as a discovery layer, identifying complex concepts like intent, urgency, and deception across unstructured email data.
High-fidelity LLM-generated tags allow analysts to surface emerging threat vectors, such as sophisticated 'Sales Outreach' phishing, in near real-time.
Insights from LLMs are used to curate high-precision training datasets, focusing on linguistic traits and sentiment rather than static indicators.
Specialized sentiment analysis models are trained on these datasets to provide fast, scalable enforcement without the overhead of a general-purpose LLM.
This continuous feedback loop enables model refinement as attackers adapt, significantly reducing the time-to-detection for new phishing variants.

#security #mlp #data

Read original

Cloudflare BlogMar 3, 2026

How Cloudy translates complex security into human action

Why it matters: Cloudy bridges the gap between sophisticated ML detections and human action. By providing clear context for security flags, it reduces alert fatigue for SOC teams and empowers end users to make better security decisions in real-time without needing deep technical expertise.

Cloudy is an LLM-powered explanation layer built on Cloudflare Workers AI to translate complex security telemetry into human-readable guidance.
The system integrates with Cloudflare Email Security to provide real-time summaries explaining why specific messages were flagged as malicious or suspicious.
By embedding explanations into the Phishnet reporting tool, Cloudy helps reduce SOC noise by educating end users at the point of interaction.
For Cloudflare CASB, Cloudy simplifies SaaS security findings by surfacing the reasoning behind detections and providing clear remediation paths.
The architecture utilizes Llama 3 and a chain-of-thought prompting approach to ensure explanations are grounded in specific, structured ML model outputs.

#security #mlp #data

Read original

Cloudflare BlogMar 3, 2026

See risk, fix risk: introducing Remediation in Cloudflare CASB

Why it matters: This update bridges the gap between threat detection and response in SaaS environments. By automating remediation through a durable serverless architecture, engineers can eliminate manual cleanup tasks and ensure a consistent security posture across disparate cloud platforms.

Cloudflare CASB now includes Remediation, allowing users to fix risky file-sharing configurations directly from the Cloudflare One dashboard.
The feature initially supports Microsoft 365 and Google Workspace, addressing public links, company-wide sharing, and external access.
Built using Cloudflare Workflows, the system ensures durable execution and handles vendor API rate limits (429s) with native retry logic.
The architecture leverages Workers, Queues, KV, and Hyperdrive to achieve a p50 end-to-end job completion time of 48 seconds.
Remediation actions focus on removing risky sharing permissions without deleting files or changing ownership.
All actions are recorded in Cloudflare One Admin logs, providing an audit trail for security teams and SIEM integrations.

#security #dist

Read original

Page 3 of 12

Prev 1 2 3 4 5...12 Next