
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Wed, 01 Jul 2026 14:00:11 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Announcing the Monetization Gateway: charge for any resource behind Cloudflare via x402]]></title>
            <link>https://blog.cloudflare.com/monetization-gateway/</link>
            <pubDate>Wed, 01 Jul 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ We're opening the waitlist for our Monetization Gateway, which will allow you to charge for any web page, dataset, API, or MCP tool behind Cloudflare. The charges will settle in stablecoins over the x402 open protocol, with no payments stack of your own to build. ]]></description>
            <content:encoded><![CDATA[ <p>Today, we are announcing the Cloudflare Monetization Gateway, an engine that will give Cloudflare customers the ability to charge for any asset protected by Cloudflare: web pages, datasets, APIs, or MCP tools. </p><p>It will provide a single control plane to manage payment policies and access controls across your applications, while also protecting your origin from high payment volumes by handling payment verification and enforcement at the edge. At launch, payments will settle in stablecoins over<a href="https://www.x402.org/"><u> x402</u></a>, the open protocol <a href="https://blog.cloudflare.com/x402/"><u>we are building</u></a> with a coalition of more than 25 industry leaders via the <a href="https://www.linuxfoundation.org/press/linux-foundation-is-launching-the-x402-foundation-and-welcoming-the-contribution-of-the-x402-protocol"><u>x402 Foundation</u></a>. </p>
    <div>
      <h3>The evolving business model of the web</h3>
      <a href="#the-evolving-business-model-of-the-web">
        
      </a>
    </div>
    <p>For 30 years, the web has run on a simple economic bargain: trading content for human attention. That attention has been monetized through advertising, subscriptions, and e-commerce. This bargain funded the Internet as we know it. </p><p>But as agents become the dominant Internet users, the model is breaking. An agent does not look at ads or need to maintain a monthly subscription to all the tools it wants to access. It reads a page or consumes a data feed once, takes what it needs, and moves on. Across the web, AI crawlers already request content anywhere from a hundred to tens of thousands of times for every visitor they <a href="https://blog.cloudflare.com/ai-crawler-traffic-by-purpose-and-industry/"><u>send back</u></a>. </p><p>This reality demands a new model: usage-based pricing for everything. If attention and e-commerce are moving from websites to AI harnesses and AI-written software, then agents should pay for the inputs they need — training data, inference content, developer tooling, and API usage. The natural unit of payment for software is the request, the token, or the outcome, not the seat or the month. A few examples of what that could look like:</p><ul><li><p>A few cents per web search, billed per call</p></li><li><p>\$0.001 base fee plus a \$0.01 per MB charge for an upload endpoint</p></li><li><p>\$0.99 per resolved support escalation, paid only when the work succeeds</p></li></ul><p>This is the same shift behind <a href="https://blog.cloudflare.com/making-ai-search-smarter"><u>paying creators when an answer engine uses their content</u></a> — a fair exchange of value whenever content or a resource is used, priced on neutral rails built for the purpose. People often envision an agent buying high-priced assets like web domains, but most of what an agent pays for sits upstream of any checkout, and is priced far lower.</p><p>Some of the Internet already works this way. Cloud and APIs have been sold by the call and by the hour for years, but only to a known buyer: a user signs up, they are issued an API key, and they incur usage-based metered billing. Content mostly skipped payment and ran on advertising instead. These business models have never been able to serve unverified buyers for sub-cent transactions because <a href="https://stripe.com/resources/more/what-are-payment-rails#what-are-payment-rails"><u>the payment rails</u></a> cost too much and took too long to settle. Below a certain price, collecting the payment cost more than the payment was worth.</p><p>Historically, usage-based billing was difficult to implement. Businesses needed to effectively become payments companies, running their own accounting to track internal usage in a robust and auditable way. Tracking this usage required significant overhauls of backend systems. Many instead chose per-seat pricing because it is simpler and frequently more profitable. </p><p>Agents flip this dynamic. A single agent can do the work of an entire team around the clock, making a flat one-time fee disconnected from actual consumption. At the same time, an agent can make thousands of micropayments without friction, while asking a person to approve each payment would be impossibly burdensome. Usage-based price points are where agents live and where stablecoin-based micropayments shine. That's because stablecoins (such as <a href="https://joinopenstandard.com/"><u>Open USD</u></a> and <a href="https://www.circle.com/usdc"><u>USDC</u></a>) allow buyers to transfer tiny sums across the Internet, incurring negligible fees and settling in less than a second. This is not feasible with other payment rails today.</p><p>Here’s where we can help. Cloudflare has spent years building usage-based accounting for our own billing systems and for our customers’ analytics. We can dramatically simplify the implementation of usage-based billing for web-based assets thanks to our position as a proxy layer between buyers and sellers. As shown below, with Cloudflare supporting usage-based billing, the evidence of payment can move into the request itself, and the payment validation and the request paths merge.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/775Xg4N8Ic9Vk7Y4dvMgTE/0267b9f7672fd65d7c329553eb567d8c/BLOG-3342_2.png" />
          </figure><p>And here’s the benefit to you: the metering, the payment exchange, and the settlement move off your origin. What stays with you is what matters — your rules, your prices, and your revenue. You will not need to onboard the buyer or stand up a billing system. You will write a rule and agentic buyers will pay for what they use.</p>
    <div>
      <h3>A refresher on x402</h3>
      <a href="#a-refresher-on-x402">
        
      </a>
    </div>
    <p>Last year on <a href="https://blog.cloudflare.com/content-independence-day-no-ai-crawl-without-compensation/"><u>Content Independence Day</u></a>, we gave site owners one-click control over which AI crawlers could reach their content, and with <a href="https://blog.cloudflare.com/introducing-pay-per-crawl/"><u>Pay Per Crawl</u></a> we let them charge crawlers for it. The Monetization Gateway is the next step: instead of only charging crawlers for content, you will be able to charge any caller for any resource, from an API to data to an MCP tool call, and you will not have to build the payment machinery yourself.</p><p>x402 is an open protocol that makes it possible to pay over HTTP, named for the 402 status code it finally puts to use. The x402 exchange is simple: a client requests a payment-gated resource. Instead of serving it, the server responds with 402 Payment Required and a small payload that states the price, the accepted asset, and where to pay. The client pays and repeats the request with proof of payment attached. A facilitator verifies, and the server returns the resource. It all happens inside ordinary HTTP requests and responses, with no redirect to a checkout page and no separate payment API to call. Settlement happens peer-to-peer, so any funds that a buyer sends to a seller are directly deposited to the seller’s wallet. We are designing the Monetization Gateway to keep payment overhead low and are aiming for sub-second payment settlement.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/23fb2mEg4PIGZWVXR5hkd3/cb344847b6bbf7e027944276f4d27481/BLOG-3342_3.png" />
          </figure><p><sup><i>x402 Payment Flow: AI Agent ↔ APIServer ↔ Blockchain, Source: </i></sup><a href="https://github.com/coinbase/x402#typical-x402-flow"><sup><i><u>x402 Readme on GitHub</u></i></sup></a><sup><i> </i></sup></p><p>Two properties make x402 a good fit for machine payments. The payment amounts can be small, down to fractions of a cent, because the protocol adds almost no overhead. And the buyer needs no account with the seller, because the payment itself is the credential. x402 is rail agnostic, but it is a natural fit for stablecoins, which can settle in under a second for a fraction of a cent with zero chargebacks.</p>
    <div>
      <h3>What the Monetization Gateway does</h3>
      <a href="#what-the-monetization-gateway-does">
        
      </a>
    </div>
    <p>The Monetization Gateway will provide a flexible payment rules API that will allow you to express exactly when you want a caller to pay to access your digital resources.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/450isiCLVtenTKCSCQjlam/61495cc09b8b0a636667202eee221312/BLOG-3342_4.png" />
          </figure><p>Here’s how it will work. Tokens, APIs, MCP tool calls, and data already flow through that path. You will decide, as precisely as you want, which of that traffic has to pay. And you will be able to enforce your decisions by writing expressions, similar to expressions that you already write for other Cloudflare rules, in a simple, dedicated product API. The Monetization Gateway will scale with Cloudflare’s global network across 330+ cities, which means that the x402 handshake will occur in close proximity to your buyer. This will reduce request latency and protect your origin. </p><p>A few examples of planned capabilities:</p><ul><li><p>Charge for specific REST verbs: Require payment on calls to a specific route, for example $0.01 for every GET or POST request to /api/premium/*.</p></li><li><p>Variable pricing: Charge variable amounts for tasks of varying complexity, for example, image generation might charge any amount up to $2, depending on the compute used.</p></li><li><p>Charge only unauthenticated callers: Intercept HTTP 401 "Unauthorized" responses from your origin and return 402 "Payment Required" instead with pricing and payment instructions.</p></li></ul><p>When a request matches, the Monetization Gateway will verify payment before letting it through. You will be able to set these rules in the dashboard, or manage them as code through the Cloudflare API and Terraform, so a paid endpoint is just another part of your infrastructure config.</p><p>The Monetization Gateway will initially allow users to require buyers to pay for services and resources in stablecoins. Sellers will be able to use the stablecoins they accumulate for their own transactions or redeem the stablecoins for equivalent fiat currency in their bank account. Using the Monetization Gateway offers a way to increase the addressable market for your products. With the Gateway, agents can request your resource, be told the price, pay, and get the response. No signup, no API key, no prior relationship required. You will decide how much you need to know about that buyer, and you will have the flexibility to require agents to authenticate with <a href="https://developers.cloudflare.com/bots/reference/bot-verification/web-bot-auth/"><u>Web Bot Auth</u></a> and apply usage-based pricing against accounts they already hold.</p>
    <div>
      <h3>Where we see this going</h3>
      <a href="#where-we-see-this-going">
        
      </a>
    </div>
    <p>The Monetization Gateway will turn the request into a payment and give Cloudflare customers new revenue opportunities, but where this goes is far bigger.</p><p>An agent is software that acts autonomously on a user’s behalf, and agents are starting to act on their own. Soon they will carry wallets and buy what they need without a person in the loop: a dataset, an API call, a tool, a block of compute. Some of those resources will be free, and some will require proof of who the agent is and who it acts for, through verified agent identity. Many will require both an identity and a payment, and Cloudflare is one of the few places that will be able to settle all of it inside a single request, by verifying the agent, applying the rule, and checking the payment before the origin ever sees the call. The agent becomes the primary buyer on the Internet, and the request becomes the transaction.</p><p>There is an enormous amount of value moving across the Internet today that goes unmonetized or undermonetized, not because no one would pay for it, but because the tools to charge for it have never existed. Every useful API call, every answer, every tool invocation an agent makes has value, and almost none of it is paid for today. That is the opportunity in front of us, and it is what the Monetization Gateway will unlock.</p><p>This is what we are building toward: an agent-first Internet with Internet-scale settlement built in. Where the people who make something worth paying for get paid by the software that uses it, automatically. And where the smallest new API can reach the same buyers, on the same terms, as the largest company on the web, and the independent creator is paid by the large language models that use their work. That is the next business model of the Internet, and we are building to power it.</p>
    <div>
      <h3>Sign up for our waitlist</h3>
      <a href="#sign-up-for-our-waitlist">
        
      </a>
    </div>
    <p>The Monetization Gateway waitlist is open now for Cloudflare customers. If you’re interested in monetizing your web page, dataset, API, or MCP tool with usage-based pricing, <a href="https://docs.google.com/forms/d/e/1FAIpQLSfq6yaIgp57FCGFg7riXlSWTeD8d8Adur2c8tWaKY4SuzweiQ/viewform?usp=header"><u>please join our early access list</u></a>.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3FCzNi8AbQlu6DsFrrPak8/89c6e0b9d0af7202836c0d8a57ce3bdc/BLOG-3342_5.png" />
          </figure><p></p> ]]></content:encoded>
            <category><![CDATA[Content Independence Day]]></category>
            <category><![CDATA[AI Bots]]></category>
            <category><![CDATA[Bots]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[x402]]></category>
            <category><![CDATA[Payments]]></category>
            <guid isPermaLink="false">6dNg0U03j4cnbacP8txDok</guid>
            <dc:creator>Rohin Lohe</dc:creator>
            <dc:creator>Justin Ridgely</dc:creator>
            <dc:creator>Will Papper</dc:creator>
        </item>
        <item>
            <title><![CDATA[Content Independence Day, one year on: building the business model for the agentic Internet]]></title>
            <link>https://blog.cloudflare.com/agentic-internet-bot-report/</link>
            <pubDate>Wed, 01 Jul 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ One year after declaring Content Independence Day, a dynamic market for monetized content has officially emerged. In this report, we examine how the rise of autonomous AI agents is upending traditional search referrals and detail the new infrastructure required to support a sustainable web economy.  ]]></description>
            <content:encoded><![CDATA[ <p>One year ago, we declared <a href="https://blog.cloudflare.com/content-independence-day-no-ai-crawl-without-compensation/"><u>Content Independence Day</u></a>. At the time, we could see what many in the industry were beginning to sense: the fundamental economics of the Internet were shifting. AI adoption was accelerating, publishers were experiencing rapid declines in referral traffic, and AI companies were crawling the web at unprecedented scale, often without clearly declaring intent, and almost always without compensation.</p><p>We changed the defaults. For all new domains on Cloudflare, AI training crawlers would be blocked by default unless domain owners chose otherwise. We didn't do this to wall off the web. We did it because we believed a healthier ecosystem required transparency, control, scarcity, and ultimately, a market where high-quality content could be valued and exchanged fairly.</p><p>A year later, that market has emerged. But the transformation of the Internet has happened even faster than we anticipated. In this report, we share key data points that illustrate how quickly the business model of the Internet has shifted – and what this new content market means for publishers and site owners.</p>
    <div>
      <h2>Part I: The Internet has changed – faster than anyone expected</h2>
      <a href="#part-i-the-internet-has-changed-faster-than-anyone-expected">
        
      </a>
    </div>
    
    <div>
      <h3>The vertical adoption curve</h3>
      <a href="#the-vertical-adoption-curve">
        
      </a>
    </div>
    <p>AI is not just another technology cycle. It is a platform shift happening at more than 2x the speed that smartphones were adopted. In just 3.5 years, over 30% of humanity — 2.5 billion active users — has adopted regular use of generative AI. The adoption curve isn't merely steep: it's going vertical.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3M69Z8Mu3wANYivgEMbUqZ/e891d57b2569c021bad63c0bfeca0530/BLOG-3368_2.png" />
          </figure>
    <div>
      <h3>The decline of the open web</h3>
      <a href="#the-decline-of-the-open-web">
        
      </a>
    </div>
    <p>Never before have we seen such a rapid change in how humans interact with information, perform work, and spend time online.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5wQGImgn0OFJeZCUY2Qhq5/28a11af7ceaf09de87dabe6f5d55e3f7/BLOG-3368_3.png" />
          </figure><p>
The way people use the Internet is changing dramatically. Today, for every hour spent online searching for information, only 15 minutes is spent on the open web. Traditional search behavior is collapsing as users shift to AI-driven discovery and consumption. Instead of visiting multiple sites to source and compare information, users simply type a prompt and receive a nearly instantaneous, consolidated answer.</p>
    <div>
      <h3>The agentic Internet is here</h3>
      <a href="#the-agentic-internet-is-here">
        
      </a>
    </div>
    <p>This year, agent traffic crossed a historic threshold for the first time: more than 50% of traffic on the Internet is now non-human. This shift has staggering implications for publishers, content owners, and the future of the open web.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5YkpFdETFdLIerSyejSQTI/72ed1bddb4f713cfaa68376ffca78d7e/BLOG-3368_4.png" />
          </figure>
    <div>
      <h3>Crawlers have changed their purpose</h3>
      <a href="#crawlers-have-changed-their-purpose">
        
      </a>
    </div>
    <p>When looking at the crawlers Cloudflare identifies by purpose, the composition of crawler traffic tells the story clearly:</p><ul><li><p>52% of crawler requests are now for AI training as of June 2026, up from 22% in Spring 2025.</p></li><li><p>Mixed-use crawlers (those blending search, agent use, and training) represent over 36% of activity.</p></li><li><p>Pure search crawling now represents a small and declining share of overall crawler activity, despite remaining critical for publisher visibility. </p></li></ul>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2as6G3xsTXPJXccFOKsjXx/83a0a06d713f878b1b6ea61563593e0e/f2f4f782-ecdf-48bd-9b88-62fa649d2963.png" />
          </figure><p>As AI training becomes a primary driver of crawler activity, the ability to distinguish between discovery and training becomes increasingly important. Mixed-use crawlers blur that distinction, putting content owners in a difficult position: choose between remaining discoverable in the agentic era, and giving away their most valuable content without compensation.</p>
    <div>
      <h3>The old business model is gone</h3>
      <a href="#the-old-business-model-is-gone">
        
      </a>
    </div>
    <p>For decades, the economic model of the open web was straightforward. Content creators exchanged access to their content for visibility in search engines, which returned referral traffic. That traffic became the primary mechanism through which publishers, creators, and businesses generated economic value.</p><p>But today, that exchange is breaking down. Content is still being crawled, indexed, and used — but increasingly without corresponding traffic being returned to the source. As AI systems answer questions, compare products, conduct research, and complete tasks directly, information across the open web is increasingly becoming part of AI training and retrieval systems. The existential question this raises is simple: if content is consumed without audiences ever visiting the source, how do content creators sustain themselves?</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/60T7EMNO25yQ4tlA6JHpKl/abc121511a14c89f8c01cca5f70ec65c/BLOG-3368_6.png" />
          </figure>
    <div>
      <h3>The implications are industry-agnostic</h3>
      <a href="#the-implications-are-industry-agnostic">
        
      </a>
    </div>
    <p>The earliest industries to feel the impact were news organizations and media companies. Today, similar dynamics are impacting businesses across retail, software, IT, and finance. Some of the most heavily crawled categories have seen human traffic decline as much as 40% in less than one year.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5j3sF7FpYa4b5eLGgSXqhs/a1748b3f3feca6b8722a03d6912bcd72/BLOG-3368_7.png" />
          </figure><p>Many publishers are now preparing for what they call "Google Zero" — a world where little to no traffic comes from search referrals.</p><p>The implications extend to essentially every industry. Any organization that publishes proprietary information on the Internet will need to understand how to operate in an agentic era. This dynamic matters not just to content owners, but to all of us. The Internet is a critical part of the global economy and one of the world's most important public resources for surfacing information. Ensuring it remains healthy and sustainable is essential for all.</p>
    <div>
      <h2>Part II: The market has emerged</h2>
      <a href="#part-ii-the-market-has-emerged">
        
      </a>
    </div>
    
    <div>
      <h3>What we built</h3>
      <a href="#what-we-built">
        
      </a>
    </div>
    <p>When we launched Content Independence Day, we committed to three things:</p><ol><li><p>Transparency and control for site owners, enabling them to define how their content is accessed and monetized.</p></li><li><p>Tools that create scarcity, shifting the balance of power back to content owners.</p></li><li><p>A marketplace where content creators and AI companies of all sizes can discover, license, and determine the value of content more efficiently.</p></li></ol><p>One year later, a market for monetized content is here, and the conditions for a dynamic marketplace are forming.</p>
    <div>
      <h3>Transparency and control created scarcity</h3>
      <a href="#transparency-and-control-created-scarcity">
        
      </a>
    </div>
    <p>Historically, publishers have had limited visibility into how AI companies accessed and used their content. As referral traffic declined, that lack of visibility became an economic problem prompting publishers to seek new ways to capture value.</p><p>Cloudflare's attribution, business intelligence, and enforcement tools gave publishers visibility into AI consumption at the network level — an enforcement mechanism far more effective than voluntary standards like robots.txt. For the first time, publishers could determine how their content was accessed and monetized. That control created scarcity, and drove a supply-and-demand content economy.</p>
    <div>
      <h3>Scarcity created leverage</h3>
      <a href="#scarcity-created-leverage">
        
      </a>
    </div>
    <p>Publishers that exercised control over access successfully created scarcity, giving them negotiating leverage that led to better deals. For the first time, publishers gained operator-level attribution data — evidence of how often LLMs attempted to access their content, which competitive LLMs were crawling, what their most in-demand URLs were, and what their crawl-to-referral ratios looked like. This reduced information asymmetry in licensing discussions and enabled publishers to negotiate from a position of knowledge.</p>
    <div>
      <h3>Leverage is changing the balance of power</h3>
      <a href="#leverage-is-changing-the-balance-of-power">
        
      </a>
    </div>
    <p>This leverage has empowered our customers. As they have gained greater visibility into how AI systems access and use their content, they’ve become better equipped to understand the implications for their businesses and more confidently articulate the value of the information, brand, and audiences they have built.</p><p>As the balance of power between content owners and AI companies begins to change, a licensing economy is emerging: </p><ul><li><p>More than 50 publisher-AI agreements have been signed since 2023.</p></li><li><p>Major AI companies now actively license content, increasingly recognizing the value of differentiated and premium content.</p></li><li><p>Collective licensing models continue to emerge and scale.</p></li><li><p>Large publishers are securing meaningful licensing agreements, demonstrating that content has real economic value within the AI ecosystem.</p></li></ul><p>The conversation is no longer <i>whether</i> content should be compensated. The conversation now is <i>how</i>.</p>
    <div>
      <h3>The market is maturing, but inefficiencies remain</h3>
      <a href="#the-market-is-maturing-but-inefficiencies-remain">
        
      </a>
    </div>
    <p>Early licensing agreements proved demand exists, but licensing today remains largely bespoke and unlikely to fully replace lost referral, advertising, and affiliate revenue. As a result, publishers are increasingly optimizing for AI consumption alongside traditional human discovery while exploring new monetization pathways.</p><p>Supply and demand remain difficult to match efficiently, and while there’s an understanding that not all content carries the same value, content valuation is still unresolved.</p>
    <div>
      <h3>The Google convergence problem</h3>
      <a href="#the-google-convergence-problem">
        
      </a>
    </div>
    <p>No discussion of this market is complete without addressing Google's unique role. Google remains the dominant gateway to online discovery, accounting for approximately 88% of referral traffic. But increasingly, Google is helping users consume content directly within Google-owned AI experiences.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4npzNthY9RDNXRhqe0L2z0/f8414329fd1451bfe5e1ce4d4a9cdc97/BLOG-3368_9.png" />
          </figure><p>Discovery and consumption serve fundamentally different purposes. Search drives users to content, while AI-powered experiences increasingly summarize and reuse it without requiring users to visit the source. Website owners view these activities differently because one generates traffic, while the other increasingly substitutes for it.</p><p>These differences become especially important when site owners are deciding who should be allowed to access their content and for what purpose. Most leading AI companies separate discovery crawlers from training crawlers, making it relatively simple for publishers to enable content access for one purpose or the other. Google does not. Today, Google has access to about 2x more information than leading AI companies because Google leverages a mixed-use bot that makes it difficult for customers to participate in Google's search ecosystem without also participating in Google's AI ecosystem. </p><p>Unlike other AI providers, Google’s mixed-use crawler also limits transparency for site owners. Because discovery and AI access are combined into a single crawler, publishers cannot tell why Google is accessing their content or distinguish between traffic used for search and traffic used for AI experiences. They also lose the visibility and evidence that comes from being able to allow or block these activities independently at the network level.</p><p>This dynamic has accelerated demand for greater transparency and control, as well as new monetization models to better serve both content owners and AI companies of all sizes.</p>
    <div>
      <h2>Part III: A unique view of the ecosystem</h2>
      <a href="#part-iii-a-unique-view-of-the-ecosystem">
        
      </a>
    </div>
    <p>Cloudflare sits at the intersection of the emerging agentic economy.</p><p>More than 20% of the web sits behind Cloudflare’s network. Of the world's most-visited websites, 36% rely on our network, and more than 40% of the Fortune 500 are Cloudflare customers. Nearly 80% of leading AI companies use Cloudflare, alongside thousands of developers and emerging AI companies.</p><p>This unique position gives us visibility into both sides of the market. We see the content owners creating content, the AI companies consuming it, and the signals increasingly connecting them. That perspective has given us a unique view into how the market has evolved over the past year, and what it now requires.</p>
    <div>
      <h2>Part IV: Lessons from an emerging market</h2>
      <a href="#part-iv-lessons-from-an-emerging-market">
        
      </a>
    </div>
    <p>As publishers and AI companies adapt to a new agentic economy, Cloudflare has gained a clearer understanding of what the ecosystem now needs.</p>
    <div>
      <h3>Transparency must become the standard</h3>
      <a href="#transparency-must-become-the-standard">
        
      </a>
    </div>
    <p>Content owners increasingly need visibility and control over who is accessing their content, how it is being used, and for what purpose. AI companies increasingly recognize that transparency builds trust and reduces friction with publishers. Visibility and enforcement are no longer security concerns alone — they have become business requirements that directly influence licensing negotiations and commercial decision making.</p><p>To help make transparency the standard, Cloudflare is continuing to invest in enhanced attribution, measurement, and publisher controls that give content owners greater visibility into and control over how their content is accessed and used.</p><p>As the industry shifts toward greater transparency, we believe that verifiable bot self-identification and declarations of crawl intent are fundamental to a sustainable ecosystem. Today, more than one-third of crawler activity on our network still comes from mixed-use bots that make it impossible for content owners to distinguish crawl intent. We are actively engaging with the ecosystem and investing in tooling to help drive that number to zero by this time next year.</p>
    <div>
      <h3>Better AI requires better signals</h3>
      <a href="#better-ai-requires-better-signals">
        
      </a>
    </div>
    <p>Over the past year, it has become increasingly clear that AI companies need more than access to content. They need better ways to determine what to access, when to access it, and how frequently it has changed. Indiscriminate crawling wastes compute for AI companies and creates unnecessary bandwidth burden for publishers, reducing efficiency across the ecosystem.</p><p>We believe better answers require better intelligence. We are investing in real-time freshness signals with richer trust, quality, and relevance to help AI companies discover differentiated information while reducing unnecessary crawling across the web.</p>
    <div>
      <h3>Markets need better discovery before better pricing</h3>
      <a href="#markets-need-better-discovery-before-better-pricing">
        
      </a>
    </div>
    <p>We believe better discovery must precede better pricing. In order for the market to mature, publishers and AI companies need better information about one another. We are investing in richer market intelligence, content signaling, and capabilities that improve discovery between both sides of the ecosystem, laying the foundation for more scalable market mechanisms over time.</p>
    <div>
      <h2>Part V. Building the infrastructure for the agentic Internet</h2>
      <a href="#part-v-building-the-infrastructure-for-the-agentic-internet">
        
      </a>
    </div>
    <p>One year ago, Content Independence Day introduced a simple idea: content owners should have greater control over how AI companies access and use their information.</p><p>Over the past twelve months, that control helped give rise to a market. Transparency created scarcity. Scarcity created leverage. Leverage accelerated licensing. What was once a theoretical discussion about the future of AI and content has become an active market, with publishers, AI companies, and technology providers all adapting to a new set of economic realities.</p><p>The market is now entering a new phase that demands new infrastructure. As the Internet becomes increasingly agentic, the underlying systems that support it must evolve to handle permissions, licensing, and commercial transactions at scale. Content owners and AI companies need more efficient ways to connect and exchange value. We believe these capabilities will converge into programmable, scalable mechanisms for content discovery and monetization – reducing friction while unlocking richer forms of value exchange.</p><p>Cloudflare's role is to build the infrastructure and business intelligence, and contribute to the standards that allow the market to determine value more efficiently and help publishers and AI companies participate in a healthier, more dynamic content economy.</p><p>The Internet has always evolved. This evolution is faster and more consequential than most. But with the right infrastructure, the right incentives, and a commitment to transparency, we believe the agentic Internet can become more sustainable, more efficient, and better for everyone.</p><p><b>Methodology:
</b>The data in this report is compiled from <a href="https://radar.cloudflare.com/"><u>Cloudflare Radar</u></a> and the <a href="https://cloudflare.net/files/doc_downloads/Presentations/2026/06/15/New/Master-Deck-2026-Investor-Day-FINAL.pdf"><u>Cloudflare Investor Day 2026 Presentation</u></a>.</p><p>Cloudflare Radar is a hub showcasing global Internet traffic, attack, and technology trends and insights. Powered by data from Cloudflare's global network, Radar was created to help anyone understand what is happening on the Internet from a security, performance and usage perspective.</p><p>Cloudflare's unique understanding of the Internet comes from its global network — one of the world's largest, spanning 330+ cities in 100+ countries — and aggregated and anonymized data from Cloudflare's 1.1.1.1 public DNS Resolver, widely used as a fast and private way to browse the Internet. More than 20% of the web sits behind Cloudflare’s network.</p> ]]></content:encoded>
            <category><![CDATA[Content Independence Day]]></category>
            <category><![CDATA[Bots]]></category>
            <category><![CDATA[Bot Management]]></category>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Internet Traffic]]></category>
            <category><![CDATA[AI]]></category>
            <guid isPermaLink="false">3qEwyKxigFNDK4JTlPfl8A</guid>
            <dc:creator>Arielle Weiss</dc:creator>
            <dc:creator>Zach Albertson</dc:creator>
            <dc:creator>Emily Lanfear</dc:creator>
        </item>
        <item>
            <title><![CDATA[Making AI search smarter]]></title>
            <link>https://blog.cloudflare.com/making-ai-search-smarter/</link>
            <pubDate>Wed, 01 Jul 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Search is how we find nearly everything on the web — creators, merchants, answers. AI is rewriting the rules, leaving creators caught between staying discoverable in an agentic era and getting paid for their work. Today we're launching two initiatives to help. ]]></description>
            <content:encoded><![CDATA[ <p>Search drives most experiences on the web. It's how we get things done, and how nearly everything on the web gets found — the creators, the merchants, the answer to whatever you just typed into a box. For nearly 30 years, that discovery journey ran on a simple bargain: let a search engine crawl your content, and it sends you visitors. You turned those visitors into a business — through ads, subscriptions, or just the audience itself. Being discoverable and getting paid were the same thing. A year ago, on the <a href="https://blog.cloudflare.com/content-independence-day-no-ai-crawl-without-compensation/"><u>first Content Independence Day</u></a>, we drew a line to defend that bargain in the AI era. But a line in the sand was only a first step. Since then, the prevalence of AI search in consumers’ lives has only accelerated as <a href="https://radar.cloudflare.com/"><u>more than 50% of traffic online is non-human</u></a>. The threat is no longer a handful of training crawlers you can block; it's search itself being rebuilt around AI answers.</p><p>Today's answer engines read your page and hand the user a summary, so the visit — and the revenue that depended on it — isn’t needed. We see it firsthand, and independent research backs it up: a <a href="https://www.pewresearch.org/short-reads/2025/07/22/google-users-are-less-likely-to-click-on-links-when-an-ai-summary-appears-in-the-results/"><u>2025 Pew Research Center study</u></a> found that when Google shows an AI summary, users clicked on a traditional search result link just 8% of the time (about half as often as when there's no summary) and clicked a link inside the summary only 1% of the time. That leaves our customers in a bind: opt out of AI and be hard to find, or opt in and deliver significant value to users while seeing increasingly little in return. Our customers want to be found and compensated for the value they provide, and right now they're forced to choose.</p><p>Today, <a href="http://blog.cloudflare.com/content-independence-day-ai-options"><u>we’ve announced new bot options</u></a> to help our customers better control who can access their site and what they can do with it. But blocking was only step one: saying "no" protects content without rebuilding the business models that sustain it. So, it’s time to start building the new economic model of the Internet, starting with search.</p>
    <div>
      <h3>Rebuilding the bargain</h3>
      <a href="#rebuilding-the-bargain">
        
      </a>
    </div>
    <p>Transparency and control are the foundation, but more is needed. In 2025, we laid out our foundation via a set of <a href="https://blog.cloudflare.com/building-a-better-internet-with-responsible-ai-bot-principles/"><u>responsible AI bot principles</u></a>: bots should be transparent about who they are and what they're for, respect site owners' choices, and act in good faith. Our tools hold bots to that bar. But enforcing good bot behavior doesn't make AI search any better for the people relying on it, and it doesn't send a dollar back to the creator whose work made the answer possible. We can do more than help the web say "no"; we can help rebuild what it says "yes" to.</p><p>So today, we're announcing two initiatives that move from defense to offense and start putting both halves of that old bargain back together.</p><p><b>Make AI search smarter: </b>By<b> </b>using the signals we see across our global network, like what's fresh, what's high quality, and what's actually changed, we can help answer engines surface the most relevant content and reduce unwanted crawling. People searching get better answers, while costs are reduced for both AI companies and site owners if webpages are only recrawled when they’ve changed.</p><p><b>Pay creators for the value they provide:</b> When your work is used to answer someone's question, you should be rewarded instead of just being scraped for free. And you should be able to see what's being used and what people are asking. This should be a real revenue stream, and an incentive to keep producing original content worth finding.</p>
    <div>
      <h3>Making search smarter</h3>
      <a href="#making-search-smarter">
        
      </a>
    </div>
    <p>Today we're launching a research program to make AI search smarter and stop our customers footing the bill for crawls that produce nothing new.</p><p>More than 20% of the web sits behind Cloudflare’s network, which gives us a unique perspective. We can tell which pages have genuinely changed and which ones people and agents are flocking to. Through this program, we will explore using signals our customers have chosen to share about the freshness of their content, and we will combine those with our own insight into traffic flows, both human and bot. For answer engines, that's a roadmap to high-quality content. For our customers, it provides a view of what users are actually asking, and how their content shows up in AI results. The aim is to measure two things: how much these signals help answer engines to surface fresher, higher-quality content, and how much unnecessary crawling they cut out.</p><p>That second benefit, cutting unnecessary crawling, is bigger than it sounds. Cloudflare data suggests that more than 50% of crawl traffic from good bots goes to re-fetching pages that haven't changed — and that number is likely to climb as crawl volumes do. A signal that just says "nothing's changed here" lets a crawler skip the trip. That saves the answer engine compute. More importantly, it saves site owners from serving and paying for requests they never needed to. </p><p>The program is neutral by design: our goal is to make it work for every answer engine willing to play fair. It's limited to search. We aren't sharing any content, and nothing is used to train foundation models. We intend to publish what we learn, including the benefits to site owners such as better content discoverability and reduced server strain. We plan to make the capability broadly available later this year and reduce unnecessary crawling across our network.</p>
    <div>
      <h3>From Pay Per Crawl to Pay Per Use</h3>
      <a href="#from-pay-per-crawl-to-pay-per-use">
        
      </a>
    </div>
    <p>Last year we <a href="https://blog.cloudflare.com/introducing-pay-per-crawl/"><u>launched Pay Per Crawl </u></a>so publishers could charge AI companies for crawling their content. It was a real start, but crawling is a crude measure of value. A single page might be crawled once and then cited in thousands of answers, or crawled over and over and never used at all. Creators want to be paid fairly for the value they provide.</p><p>So we're starting to shape Pay Per Crawl into Pay Per Use. We're running experiments with top AI companies, like <a href="http://ceramic.ai"><u>Ceramic.ai</u></a> and <a href="http://you.com"><u>You.com</u></a>, and the arrangement is straightforward: organizations can bring their payment models and easily scale them to content owners across the Cloudflare network.</p><p>Ceramic has built what it calls a "pay-per-query" model, so publishers who opt in can be paid when their content appears in Ceramic's search results. This means payment is designed to follow the value the work delivers rather than the number of times a crawler happens to fetch it.</p><p>"To scale the future of AI search, we need a partner with massive reach and a shared commitment to transparency and fair compensation,” says<i> </i>Anna Patterson, founder and CEO of Ceramic.ai<i>.</i> “Cloudflare allows us to easily and programmatically scale our operations. By bringing our pay-per-query model to their network, we ensure millions of content owners can seamlessly opt in to be compensated every single time their content appears in our search results."</p><p>In addition to compensation, content owners participating in the Cloudflare/Ceramic program will unlock new reporting to help with answer engine optimization (AEO). Customers can finally see the top queries leading to their content appearing in search results, the specific webpage and snippet, their average search result ranking position, and more. This is the first of many products we’ll be launching to help our customers with discoverability.</p><p>This is just one emerging approach. Another comes from You.com: agents can pay on demand for a specific piece of premium content they need, without any upfront commitment. New payment models from AI providers are being tested (e.g., Pay per Query, Pay per Result, etc.) and we have the infrastructure to support them all. </p><p>We want to be honest that this is an experiment. There’s a lot to learn, including exactly how this holds up at the scale of the Internet. We'll work that out with our partners and our customers as we go, and share what we learn. But the goal is clear: AI search companies get fresher, better-grounded answers, and the customers whose work makes the answers possible get paid when they help. Cloudflare's job in all of this is to provide the infrastructure layer that makes this market flourish. </p><p>We think this is a more natural fit for where the economics of search are heading. The old, human web optimized search to save time — providing excerpts, ten blue links, and a click. The agentic Internet is different: an agent can read fast and search continuously. Search is becoming something an agent does dozens of times to answer a single question, closer to a utility than a destination. In that world, the unit that matters isn't the crawl or the click. It's the outcome. Pricing the outcome, and paying the people who made it possible, is how the web continues to thrive.</p>
    <div>
      <h3>The headline we want to earn</h3>
      <a href="#the-headline-we-want-to-earn">
        
      </a>
    </div>
    <p>A year ago on Content Independence Day, the headline was a default ‘no’: AI can’t crawl without compensation. This year, our focus is on giving our users more products and controls to say ‘yes’ and bring more benefits with it.</p><p>Today's announcements are just the beginning. Cloudflare’s research project is designed to see if our signals produce better results with less crawling. Pay Per Use is a promising direction we’ll experiment with alongside partners who believe that content creators deserve fair compensation for their work. This is how the last 30 years of the web got built too: somebody runs the pilot that turns "the model is broken" into "here's the new model," one experiment at a time. We believe there’s value to our customers to be discoverable in this new agentic era, and to optimize their content for maximum discovery. But they should be able to do this without giving away their most valuable creative assets for free.</p><p>The web is changing, and the business models it’s relied on are changing with it. The old Internet was open, neutral, and worth contributing to. We have a rare chance to keep it that way, and to build the business models that fund it in the future. Smarter answers for humans and agents asking the questions. A fair deal for the people whose skill, creativity, and commitment makes the answers worthwhile. That’s how we pursue Cloudflare’s mission: to help build a better Internet.</p><p>Happy Content Independence Day!</p><p><i>Building on the open, agent-ready web? If you are interested in learning more about the Ceramic and You programs, please fill out </i><a href="https://forms.gle/ZWxi1pnHoFFZZBDC8"><i><u>this form</u></i></a><i>. If you're building an answer engine and want to crawl smarter, we’d love to hear from you too: aeo@cloudflare.com.</i></p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3zED8SPiCSPFBL13KA1ifg/0cbe54a3c863e365318ccb9e33cfad11/BLOG-3339_2.png" />
          </figure><p></p> ]]></content:encoded>
            <category><![CDATA[Content Independence Day]]></category>
            <category><![CDATA[Pay Per Crawl]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[AI Search]]></category>
            <category><![CDATA[AI Bots]]></category>
            <guid isPermaLink="false">YqZRSH26JlDBUNvwASOr2</guid>
            <dc:creator>Matthew Conroy</dc:creator>
        </item>
        <item>
            <title><![CDATA[Your site, your rules: new AI traffic options for all customers]]></title>
            <link>https://blog.cloudflare.com/content-independence-day-ai-options/</link>
            <pubDate>Wed, 01 Jul 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ For our second Content Independence Day, we’re giving website owners finer options to manage AI traffic. Instead of a one-size-fits-all block, all customers can now easily distinguish and manage Search, Agent, and Training bots, alongside the new ability to protect ad-monetized pages. ]]></description>
            <content:encoded><![CDATA[ <p>One year ago, we declared the first <a href="https://blog.cloudflare.com/content-independence-day-no-ai-crawl-without-compensation/"><u>Content Independence Day</u></a>, and we gave website owners the means to take back control of their content. The deal between crawlers and website owners that had held up for 30 years — we crawl you, and you get referrals — was no longer true. AI was taking everything and sending back nothing, presenting an existential threat to website owners. And so we launched a one-click "Block AI Bots" option, along with a <a href="https://blog.cloudflare.com/introducing-pay-per-crawl/"><u>Pay-Per-Crawl marketplace</u></a>.</p><p>A lot has changed in a year. Last July, conversations around “AI bots” centered around blocking AI training without compensation, pointing to the win–lose deal where content was used for model training with no value driven back to the website owner. But a desire for more nuance has emerged: Content owners still want to be able to protect their content, and they should be compensated for the original content that they work hard to create, curate, and share. We also know that locking down content isn’t a one-size-fits-all solution; website owners want more options than resorting to “block all automation, every time.”</p><p>If you run a small site, the problem isn’t <i>just</i> that someone could train models on your content — it's that nobody can find you in the first place. So you have to make a Faustian bargain: either show up in search and let AI train on you, or risk losing discoverability. This unfairly advantages incumbent search providers if they use the same bots for both search and training; and this unfair advantage incentivizes new players to be evasive as they try to close the competitive gap.</p>
    <div>
      <h3>Now, AI can be anything</h3>
      <a href="#now-ai-can-be-anything">
        
      </a>
    </div>
    <p>Today, AI can be in anything. Google search has changed from being sorted by AI to being a <a href="https://blog.google/products-and-platforms/products/search/search-io-2026/"><u>full answer engine</u></a> that answers your question directly on the results page. And Google is not unique in this position — this is the direction in which “search” is moving.</p><p>We could debate the cutoff for what qualifies as “AI” today, just to find that the standard changes tomorrow. So, instead of defining a bot primarily as “AI” or not, our updated approach to classification will ask deeper questions about bot or agent behavior: What are they doing on my site? What are they storing? And how will they reshare my content?</p>
    <div>
      <h3>A pragmatic taxonomy</h3>
      <a href="#a-pragmatic-taxonomy">
        
      </a>
    </div>
    <p>To address these questions, we need a more nuanced view — a pragmatic taxonomy that aligns with the AI use cases our customers care about. So we are opening the discussion beyond AI training alone and focusing on three AI use cases that we want all customers to be able to manage:</p><ul><li><p><b>Search:</b> any behavior that collects or indexes your content, so it can answer questions about it later. The key is that Search is proactively building a database of your site to later respond to queries with. Site owners should expect to get referral traffic or other equitable compensation as a result.</p></li><li><p><b>Agent: </b>automated<b> </b>behavior that is acting, usually in real time, on a person's behalf, to get something done right now. This includes chat fetch bots (e.g., ChatGPT-User) and browser-use agents (e.g., Gemini or Claude driving Chrome). The key is that it visits your web application in order to complete a job, and often there's a human waiting on the other end.</p></li><li><p><b>Training</b>: a crawler taking your content to train or fine-tune a model. The key is that your data is permanently absorbed into the underlying architecture of the AI to improve its capabilities.</p></li></ul><p>Many popular crawlers on the web fall into one of the classifications above; some fall into multiple. We classify plenty of other behaviors beyond the three above — including ads verification, feed fetching, and agentic transactions (more on this below). But we believe it should be simple for all website owners to manage access for these three AI-centered use cases. We believe that bot operators should separate their crawlers because that creates more transparency for website owners: allowing them to better understand why a given crawler is visiting them, as well as to better manage the access they extend to that crawler. If a company runs automation that builds <b>Search</b> indexes, acts as an <b>Agent</b>, and collects data to <b>Train</b> their models, then we strongly encourage that company to separate the automation into three separate crawlers.</p><p>We want a classification system that is scalable and representative of the world of automated traffic as it evolves. Tracking a bot’s purposes is nothing new, but our new taxonomy involves a few updates that better represent the state of bot traffic today. Most notably, we want to recognize that bots that have multiple purposes should be tracked with all purposes, not just one of them.</p>
    <div>
      <h3>New options to manage AI traffic</h3>
      <a href="#new-options-to-manage-ai-traffic">
        
      </a>
    </div>
    <p><b>We want to provide more options for managing different kinds of AI traffic, to </b><b><i>all</i></b><b> website owners on the Cloudflare network.</b></p><p>The managed preset to “Block AI bots” that we’ve announced in the past included single-purpose bots that crawled data for model training, as shown below: </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3XlnMWyLXLpLgWLP7hgRGP/d01b9b60c513a7904558fdc674fb74b3/BLOG-3337_2.png" />
          </figure><p><sup><i>Screenshot of the existing setting to manage AI bot traffic on July 1, 2025.</i></sup></p><p>But not all AI use is the same, and we want our customers to have the controls they need. So, we’re launching the ability to <b>manage AI traffic based on </b><b><i>three</i></b><b> major use cases: Search, Agent, and Training</b> crawlers. With these new options, our customers can more finely tune how they manage AI bot traffic — including customers on our Free tier.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4ffejfK0AQNX7vPro0cwhK/7cc9eafa05975001fa2f614a725aeb7f/BLOG-3337_3.png" />
          </figure><p><sup><i>Screenshot of the new options to manage AI bot traffic on July 1, 2026.</i></sup></p>
    <div>
      <h3>Setting new defaults</h3>
      <a href="#setting-new-defaults">
        
      </a>
    </div>
    <p><b>On September 15, 2026, we’ll be setting new defaults</b> <b>for each of these three classifications.</b> For all new domains onboarding to Cloudflare, the categories of <b>Training</b> and <b>Agent</b> will be blocked by default <b>on the pages that display ads, </b>while <b>Search</b> will remain allowed by default. </p><p>An ad is a signal that a website owner meant for a person to land there and see it — something monetizable that fuels the business. So, on those pages, we treat human attention as the end goal, and keep away the bots that may prevent this attention (i.e., Training and Agent bots). On the other hand, Search is the behavior that most naturally funnels back visitors, and we believe it’s in the interest of most site owners to allow this.</p><p>Another change that will apply on September 15 is that multi-purpose crawlers (specifically those that combine Search with Training) will be allowed/blocked according to <i>all</i> of their behaviors, in line with our call for transparency for website owners. Since the defaults will be enforced by the most restrictive applicable rules, multi-purpose crawlers such as Googlebot, Applebot, and BingBot will be blocked by customers who have selected to block Training (either through the new options to <a href="https://developers.cloudflare.com/bots/additional-configurations/block-ai-bots/"><u>manage AI traffic</u></a>, or through the legacy Block AI bots service).</p><p>Of course, customer choice is paramount: if a website owner wants to opt out of these new default configurations, they can <a href="https://dash.cloudflare.com/?to=/:account/:zone/security/settings"><u>easily mark this in their Security settings</u></a> any time leading up to September 15, which will confirm that they want <i>no changes</i> on Training crawlers that also crawl for Search purposes. We’ll also continue to notify customers of the upcoming change to defaults as we approach September 15 to ensure that customers who want to choose settings different from the defaults have the opportunity to do so.</p>
    <div>
      <h3>BotBase: a new visibility plane for Enterprise customers</h3>
      <a href="#botbase-a-new-visibility-plane-for-enterprise-customers">
        
      </a>
    </div>
    <p>We’re also excited to launch a major visibility update as a new feature of Enterprise Bot Management. As Cloudflare’s directory of tracked bots has grown, so has the desire to manage these bots in sensible groupings and to understand more detail about a particular bot. </p><p>Introducing <a href="https://developers.cloudflare.com/bots/botbase/"><b><u>BotBase</u></b></a>. BotBase is our new database tracking all known bots, including Verified bots and agents. This database provides a comprehensive, searchable view of our entire directory of bots, directly on the Cloudflare dashboard. We’re tackling <i>visibility first</i>, but, later this year, we’ll expand BotBase to provide a direct control center for known automated content on your website.</p><p>With this new view, Enterprise Bot Management customers can see the full catalogue of all Verified bots/agents and where they are classified in this updated taxonomy — a view we’ve never shown dynamically on the Cloudflare dashboard before. Customers who want to precisely target a specific bot can also easily filter for all traffic from this bot, plus copy the detection ID to use in Security rules. All of this is now live within a dedicated page, which can be accessed through the <a href="https://dash.cloudflare.com/?to=/:account/:zone/security/settings/bot-traffic/bot-base"><u>Bot Management configuration card</u></a>. </p><p>As we built BotBase, we wanted to account for all of the pieces of information that would allow us to build scalable, powerful insights from bot to bot. One of these pieces is a cornerstone for our updated taxonomy, which is <b>based on what a bot may do on your site — its behavior.</b> We separate these classifications as shared below, and each bot is classified with one or more of these behaviors.</p><table><tr><td><p><b>Bot classification</b></p></td><td><p><b>Behaviors and uses</b></p></td></tr><tr><td><p><b><i>Search</i></b></p></td><td><p><b><i>Crawling to scan your site to help it appear in search engine results</i></b></p></td></tr><tr><td><p><b><i>Agent</i></b></p></td><td><p><b><i>User-directed agents visiting a page on behalf of a human</i></b></p></td></tr><tr><td><p><b><i>Training</i></b></p></td><td><p><b><i>Crawling to train or fine-tune models</i></b></p></td></tr><tr><td><p>Transact</p></td><td><p>Checkout actions on behalf of users</p></td></tr><tr><td><p>Data Collection</p></td><td><p>Includes price scraping, competitive intelligence gathering, and third-party analytics</p></td></tr><tr><td><p>Security Testing</p></td><td><p>Includes vulnerability scanning and penetration testing</p></td></tr><tr><td><p>SEO</p></td><td><p>SEO crawling, site auditing, accessibility checks</p></td></tr><tr><td><p>Ads Verification</p></td><td><p>Ad placement verification, ad fraud detection</p></td></tr><tr><td><p>Social / Link Preview</p></td><td><p>Link previews for social platforms and messaging apps</p></td></tr><tr><td><p>Feed Fetching</p></td><td><p>Includes RSS readers, podcast aggregators, and news feed bots</p></td></tr><tr><td><p>Monitoring &amp; Operations</p></td><td><p>Includes uptime monitoring, webhooks, and health checks</p></td></tr></table><p><sup><i>Bold italicized rows indicate the new configurable options that are available to all customers.</i></sup></p>
    <div>
      <h3>How does a crawler use my content?</h3>
      <a href="#how-does-a-crawler-use-my-content">
        
      </a>
    </div>
    <p>Another piece of information we’ve heard is important to our customers is a bot’s<b> content use — what a bot may keep and reshare after it has crawled your content.</b> To address this, we are building capabilities for Bot Management customers to select and block based on the “content use.” This setting can be set to one of three levels, from least to most permissive:</p><ul><li><p><code>immediate</code> — interact, but store and reuse nothing</p></li><li><p><code>reference</code> (default) — index, excerpt, and link back</p></li><li><p><code>full</code> — summarize and reproduce</p></li></ul><p>These values can be combined with bot classifications to express nuanced rules, such as “allow all bots that are used for <b>Search</b>, <b>SEO</b>, and <b>Ads Verification</b>, but only up to the <code>reference</code> use level.” This allows website owners to make decisions in sensible groupings rather than manage individual bot-by-bot rules<b>.</b></p><p>To further support this, starting today, we're testing a new signal, <code>use</code>, that extends <a href="https://contentsignals.org/"><u>Content Signals</u></a> and lives in your robots.txt. This extends the three fields of the first version of Content Signals with a fourth, optional field that expresses the same preference as above:</p><ul><li><p><code>use=immediate</code></p></li><li><p><code>use=reference</code></p></li><li><p><code>use=full</code></p></li></ul><p>As with all other items listed in the robots.txt file, the values of content use signal a website owner’s <i>preference</i>, rather than issuing blocks directly. We’re now adding support for this extension: all customers who have already enabled managed robots.txt — which prepends the preference to robots.txt that crawling for search is okay, but that crawling for training is not — will now have the additional preference of <code>use=reference</code> added to their robots.txt.</p>
            <pre><code># Cloudflare Managed content with original Content Signals

User-agent: *
Content-Signal: search=yes,ai-train=no
Allow: /</code></pre>
            <p><sup><i>The contents of Cloudflare managed robots.txt with the original Content Signals values. </i></sup></p>
            <pre><code># Cloudflare Managed content with the new content-use signal

User-agent: *
Content-Signal: search=yes,ai-train=no,use=reference
Allow: /</code></pre>
            <p><sup><i>The contents of Cloudflare managed robots.txt with the added parameter.</i></sup></p><p>We’re also starting to track content uses for every bot in BotBase, and when we discover a bot abusing these signals, it will lose the “Verified” status, resulting in it no longer being allowed. Today, bots that reproduce in full cannot have the Verified status.</p>
    <div>
      <h3>What does it mean for a bot to be Verified?</h3>
      <a href="#what-does-it-mean-for-a-bot-to-be-verified">
        
      </a>
    </div>
    <p>Speaking of “Verified,” the definition of <a href="https://developers.cloudflare.com/bots/concepts/bot/verified-bots/"><u>Verified</u></a> is being updated to reflect the upcoming changes to default allow and block baselines. Previously, <i>all</i> Verified bots were allowed by default, which was reflected in our basic <a href="https://developers.cloudflare.com/bots/get-started/bot-fight-mode/"><u>Bot Fight Mode</u></a> offering to block unwanted automatic traffic and in our rule templates for Enterprise Bot Management customers. </p><p>Starting today, we’re adjusting this to add nuance: non-verified bots are still default blocked, but we are no longer viewing Verified as “default allowed.” Now, the Verified label makes a bot allowable with its relevant category, meaning the <i>allowed category</i> (e.g., allowing Search) will determine what is allowed to access a website.</p><p>To balance this change, we’re opening up the process of becoming a Verified bot, and making it more transparent, too. To "Verify" a bot, a bot operator needs to show two things: that you represent yourself honestly, <i>and</i> you don't abuse the access that honesty earns. And to make this easier on bot operators, we’re currently building management tools for bot operators to better ensure they are accurately represented by Cloudflare’s classification system (to be announced in the near future). </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4QMZhQvcXGxpLnazN2qwgW/d00f7e8176e8471fa94725379737259b/BLOG-3337_4.png" />
          </figure><p><sup><i>A preview screenshot of the upcoming platform built directly for bot operators who are part of or want to be a part of BotBase, the next generation of the Cloudflare Bots Directory.</i></sup></p>
    <div>
      <h3>Experimenting with transitive trust</h3>
      <a href="#experimenting-with-transitive-trust">
        
      </a>
    </div>
    <p>One more piece: The bot (or agent) at your door increasingly isn't run by the company that built it. A platform like Cloudflare’s Developer Platform runs automations for thousands of different operators at once, ranging from enterprises to a developer you've never heard of. You might trust Stripe, but you don't necessarily trust everyone who wired Stripe's tools into a weekend project.</p><p>We call the case of (site owner → bot owning company → end user) a matter of <b>transitive trust</b>, and we're proposing to utilize the existing Forwarded header as defined in <a href="https://www.rfc-editor.org/info/rfc7239"><u>RFC 7239</u></a> that rides along with the request and allows “proxy components to disclose information lost in the proxying process.” </p><p>This is similar to what <code>X-Forwarded-For</code> does for IP addresses, or <code>X-Forwarded-Host</code> does to preserve the original Host header. So when a website owner says, "Allow this operator," that preference will hold, whether the operator comes to you directly or through three layers of intermediaries that are trusted. More details can be found in <a href="https://developers.cloudflare.com/bots/reference/bot-verification/web-bot-auth/"><u>our documentation</u></a>, with a brief example to show the format below.</p><p><code>Forwarded: for="openai"</code></p><p>Adding the extension with content-use discussed above, the header addition would look something like the below, specifying how the operator says they will use the content they access:</p><p><code>Forwarded: for="openai";use="reference"</code></p><p>This also lines up the incentive model we want to foster. Losing trusted status across the more than 20% of web domains that sit behind Cloudflare is a deterrent with teeth. Trust becomes something you can carry with you, and something you can lose.</p><p>However, as <a href="https://blog.cloudflare.com/past-bots-and-humans/"><u>bot traffic blends with human traffic</u></a>, it’s possible that this system of transitive trust doesn’t carry beyond the users who can afford to be identifiable. The measures we are proposing today help to convey trust, but they won’t fit the entire web for all time. Small sources of traffic <a href="https://blog.cloudflare.com/internet-privacy/"><u>need privacy</u></a>, and companies that want to preserve their own privacy commitments should be able to explore fair building blocks for the future of an agentic Internet, such as <a href="https://blog.cloudflare.com/private-rate-limiting/"><u>private rate limiting</u></a>.</p>
    <div>
      <h3>Set your terms today</h3>
      <a href="#set-your-terms-today">
        
      </a>
    </div>
    <p>These are small changes that move in the same direction: site owners get more control over who uses their content, and how. We believe the new defaults we discussed today and will soon implement are ones that encourage transparency and are more reflective of where the world is going.</p><p>Of course, the ebbs and flows of the web will continue shifting under us, and we'll keep adjusting with it. But the direction won't change, because it's the one Cloudflare started with: a web ecosystem built around trust. Where the people who make things can decide how they're used — and one where being honest about what you do earns you more access, not less.</p><p>These new options to manage AI traffic are live now, and can be configured by all existing customers in their <a href="https://dash.cloudflare.com/?to=/:account/:zone/security/settings"><u>zone Settings</u></a>. Not on Cloudflare yet? <a href="https://www.cloudflare.com/lp/pg-one-platform/"><u>Start for free</u></a> to set the traffic controls that you want today.</p><p>Happy Content Independence Day.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2rbGT0BkPYbCvRni7qscHD/b6c935d685738b14a16493b73fb0e650/BLOG-3337_5.png" />
          </figure><p></p> ]]></content:encoded>
            <category><![CDATA[Content Independence Day]]></category>
            <category><![CDATA[AI Bots]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Crawler Hints]]></category>
            <category><![CDATA[Bot Management]]></category>
            <guid isPermaLink="false">FWKHybUFEZFSsFCrbEwAd</guid>
            <dc:creator>Jin-Hee Lee</dc:creator>
            <dc:creator>Bryan Becker</dc:creator>
        </item>
        <item>
            <title><![CDATA[Unmasking the crawls with Attribution Business Insights]]></title>
            <link>https://blog.cloudflare.com/attribution-business-insights/</link>
            <pubDate>Wed, 01 Jul 2026 06:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare’s new Attribution Business Insights dashboard helps website owners understand crawler behavior, appetite, and potential value, fueling business-level conversations around crawl compensation. ]]></description>
            <content:encoded><![CDATA[ <p>Original content is the lifeblood of conversations and curiosities. Imagine a world without it: we could find a thousand ways to regurgitate the same material that’s already been created, but we would witness the decline of fresh ideas and arguments.</p><p>Website owners fuel the ecosystem of ideas, news, and interesting tidbits, but they face the increasingly complex challenge of managing traffic to their websites and being paid for their content. While some bot traffic is clearly malicious, it isn’t always obvious when a particular AI crawler is helping or harming your business. To answer this, site owners need granular, reliable data to differentiate between traffic that provides value, and traffic that strains resources while eroding the foundation of their business model: actual humans consuming their content. </p><p>At Cloudflare, we hold a core belief: website owners have the right to <a href="https://blog.cloudflare.com/content-independence-day-no-ai-crawl-without-compensation/"><u>control access to their content</u></a>. We want to help website owners maintain their high-quality content and regulate AI traffic.</p><p>To provide much-needed clarity and help website owners take control, we’re excited to announce the new <a href="https://developers.cloudflare.com/bots/attribution-business-insights/"><b><u>Attribution Business Insights</u></b><u> dashboard</u></a> — designed with business decision-makers and publishers in mind.</p>
    <div>
      <h3>The new economics of the Internet</h3>
      <a href="#the-new-economics-of-the-internet">
        
      </a>
    </div>
    <p>For decades, the business model of the Internet relied on a straightforward, unspoken agreement: website owners allowed search engines to crawl their content and, in return, search engines sent readers back to their pages. This symbiotic relationship, where traditional search engines operated with a balanced "crawl-to-referral" ratio, generated the pageviews needed to sustain advertising, affiliate revenue, and subscriptions. Search index crawlers would scan your content <a href="https://blog.cloudflare.com/ai-search-crawl-refer-ratio-on-radar/"><u>a couple of times for each referral sent,</u></a> so making your website available to crawlers had a clear pipeline to additional revenue. We can think of this as the SEO (Search Engine Optimization) era.</p><p>Today, the explosive rise of AI crawlers and agents has broken this contract, plunging the digital publishing industry into an unprecedented crisis. The Internet is risking a transition into a "zero-click" ecosystem where AI chatbots scrape original content to synthesize instant answers — completely bypassing the original sources. We’ve already seen a marked shift from the SEO-only world into an AEO (Answer Engine Optimization) world, and now conversations around GEO (Generative Engine Optimization) are taking center stage.</p><p>The imbalance of this new reality is made clear by the crawl-to-referral ratios we see across the Internet today. While traditional search engines had a more balanced ratio of crawls to legitimate visitors referred, major AI crawlers operate on a drastically different, extractive scale. Bots from leading AI companies have been observed with a range of crawl-to-referral ratios: we noted ratios of 118:1 up to nearly 50,000:1 around the time of <a href="https://blog.cloudflare.com/ai-crawler-traffic-by-purpose-and-industry/"><u>our Content Independence Day in 2025</u></a>. In other words, an AI crawler might have crawled your premium content tens of thousands of times just to send back a single visitor. This ratio is fundamentally unfair.</p><p>For publishers, this creates a double hit: first, they’re losing out on the crucial referral traffic, ad impressions, and direct audience relationships that fund content creation and journalism. Second, they’re forced to bear the rising infrastructure costs of hosting and serving content to automated bots that offer no commercial value in return. The era in which it makes sense to allow <b>all</b> crawlers in the hopes of being discovered is over.</p>
    <div>
      <h2>Introducing Attribution Business Insights</h2>
      <a href="#introducing-attribution-business-insights">
        
      </a>
    </div>
    <p>We want website owners to have the facts — the cold, hard numbers to understand which bots are helping their business and which bots are harming it. We also want to make this analysis easier than ever, which is why we’ve designed Attribution Business Insights to cut the noise, focusing on the details that our customers have told us are most important. </p><p>Today, the <a href="https://dash.cloudflare.com/?to=/:account/:zone/analytics/attribution-business-insights"><b><u>Attribution Business Insights dashboard</u></b></a><b> is available to all Cloudflare Bot Management customers</b>. The new dashboard is designed to deliver a <i>targeted</i> view of bot traffic flowing to your website; unlike traditional analytics tools that may require extensive manual filtering, this dashboard provides you with key insights right away.</p><p>We set out to answer the most pressing questions for site owners today: <b>How should you think about AI traffic on your websites?</b> What is the value of different audiences — including humans, non-AI bots, and AI bots? And most importantly, what is your data being used for? </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/44iTYHoY6xZ0tmWlxmVg4k/e4defd336a295f2887ec41bb1ca5a629/image4.png" />
          </figure><p><sup><i>The new Attribution Business Insights dashboard view, which includes insights about bot traffic overall, a site-wide crawl-to-referral ratio, and the distribution of AI bot traffic vs. organic traffic. </i></sup></p><p>To answer these questions, the dashboard displays a powerful array of data and insights:</p><ul><li><p><b>Bot traffic to content pages:</b> View your overall bot vs. human traffic, as well as the volume of all bots successfully accessing content.</p></li><li><p><b>Crawl-to-referral ratios:</b> See your site-wide crawl-to-referral ratio on the scale of 24 hours, seven days, or 30 days. You can also see crawl-to-referral ratios <i>per bot operator</i> (per company that owns one or more bots).</p></li><li><p><b>Top bots breakdown:</b> A list of top bots by volume, including their country of origin, bandwidth they take up on your website, and whether you’re currently blocking or allowing them.</p></li><li><p><b>Updated classification based on crawler behavior:</b> We go beyond a generic label of “AI Crawler” by classifying crawlers with our updated taxonomy, whether it’s <b>Training</b> (i.e., training the <a href="https://www.cloudflare.com/learning/ai/what-is-large-language-model/"><u>next version of an LLM chatbot</u></a>), <b>Search</b> (i.e., refreshing databases for <a href="https://www.cloudflare.com/learning/ai/retrieval-augmented-generation-rag/"><u>Retrieval-Augmented Generation</u></a>), or <b>Agent</b> (i.e., used in <a href="https://www.cloudflare.com/learning/ai/inference-vs-training/"><u>agentic interaction to return answers</u></a> to an end user).  </p></li></ul>
    <div>
      <h3>From data to business strategy</h3>
      <a href="#from-data-to-business-strategy">
        
      </a>
    </div>
    <p>You shouldn’t have to be a security expert to understand how AI crawlers affect your business. If website owners want to spend just a few minutes ingesting the high-level insights, they can walk away with a clear temperature check of the effectiveness of their content security policy.</p><p>For those who want to do a little more digging to understand how AI companies are making use of their content — or collect information to guide how they want their relationships with AI companies to develop — we show a more granular view organized by bot operator.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7fXdFBu4d7cU3hNsm7Zch6/cf79d307a4de695f7f90badd205cc42d/image3.png" />
          </figure><p><sup><i>Breakdown of bot activity on a website, with important details for each bot such as type, crawl-to-referral ratio, and current action. </i></sup></p><p>By having a consolidated view of companies seeking to access content on your website, you can develop a better baseline of crawler activity. We want this data to equip our customers to step into any business conversation with the facts on their side. Tell Company1 that their crawl volume is twenty times that of Company4’s, and that Company4 is already compensating you for content. Revisit the way that Company2 licenses your content based on their recent activity. This new dashboard propels business conversations to move forward. </p><p>How does this new layer of visibility tie into the existing tools you have to protect your website from abuse? In line with other features of <a href="https://developers.cloudflare.com/bots/get-started/bot-management/"><u>Bot Management</u></a>, the <i>action</i> step still happens in Security rules. To avoid adding noise to the control plane, Attribution Business Insights is intended to be a hub for <i>thoughtful, filtered analytics</i>, rather than another place to take action. This dashboard serves as a central source of information, allowing you to investigate before then taking an action in the same rule engine that governs other abuse mitigations. We also want to be loud and clear about inviting business decision-makers into this dashboard, acknowledging that conversations around AI traffic have a wider set of stakeholders than only security-specialized users.</p>
    <div>
      <h3>What’s next</h3>
      <a href="#whats-next">
        
      </a>
    </div>
    <p>The Attribution Business Insights dashboard is the next critical step in providing website owners with the transparency and control they need to manage evolving AI bot threats, and more broadly, shape the new dynamics of the Internet. We’re already investigating the next iteration with close publishing partners to create a visibility plane that covers security from the perspective of the website owner with valuable, original content to share. </p><p>A sneak preview below includes a new view to dissect crawler activity <i>per-article</i> to reveal the appetite that AI companies have for different pieces of content, different campaigns, and so on.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1FzovRKJbdgEyYjvI3h3C7/f035ee40595d41024dc0ab8fb2222bda/image1.png" />
          </figure><p><sup><i>Breakdown of most popular articles, according to traffic volume. Shows key metrics such as AI bot traffic vs. other bot traffic vs. human traffic, both direct and from a referral.  </i></sup></p><p>Visibility is the first piece, and there’s more to come to empower website owners to take control of their content in this new age. We encourage all customers of <a href="https://www.cloudflare.com/application-services/products/bot-management/"><u>Cloudflare Bot Management</u></a> — especially those driving business conversations — to access this today for a fresh take on analytics. </p> ]]></content:encoded>
            <category><![CDATA[Content Independence Day]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Bots]]></category>
            <category><![CDATA[Bot Management]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">3wrqj94tEFsKCZ8OBUE52R</guid>
            <dc:creator>Jin-Hee Lee</dc:creator>
            <dc:creator>Oliver Payne</dc:creator>
        </item>
        <item>
            <title><![CDATA[How we built saga rollbacks for Cloudflare Workflows]]></title>
            <link>https://blog.cloudflare.com/rollbacks-for-workflows/</link>
            <pubDate>Thu, 25 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare Workflows, our durable execution engine for multi-step applications, now supports saga-style rollbacks, allowing developers to specify a compensating action for each step.do().  ]]></description>
            <content:encoded><![CDATA[ <p>Cloudflare Workflows allows you to build durable, multi-step applications with built-in retries and state persistence across long-running processes. When a <a href="https://developers.cloudflare.com/workflows/"><u>Workflow</u></a> executes, each step can call external systems, retry failures, and persist state across restarts. But if one step fails, it may leave earlier work from completed steps in an inconsistent or partial state.</p><p>Today we’re shipping saga rollbacks for Workflows, allowing you to declare rollback logic within the step itself, in case of failure.</p><p>For example, consider a workflow for transferring funds between accounts at two different banks:</p><ol><li><p>Debit from account at Bank A</p></li><li><p>Credit to account at Bank B</p></li><li><p>Send email confirmation to both account owners</p></li></ol><p>What happens if Step 2, the credit to account at Bank B, fails? Once the debit succeeds at Bank A, the transaction is committed and the money has left its system. As the orchestrator of the transaction, you cannot simply “undo” the operation in Bank A's system. Instead, the money must be credited back to the account at Bank A through a new operation that semantically reverses the first one.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1j8xfDeKb3FCgE2Ktxf4fq/723e2b9e34189747d3c8eb65f906fb41/BLOG-3317_image6.png" />
          </figure><p>
This pairing of an operation and its compensation logic is called the <a href="https://www.youtube.com/watch?v=xDuwrtwYHu8"><u>saga pattern</u></a>.</p><p>Before today, developers had to implement their own compensation logic to track what succeeded, what failed, and what actions should be taken upon failure, outside of the steps’ direct definitions. Now, you can define compensation logic for each <code>step.do()</code> as an argument within the steps themselves, maintaining your workflow’s durability for the rollback as well.</p>
            <pre><code>// track what completed so we know what to undo
let debitA;
let creditB;
try {
  debitA = await step.do("debit-bank-a", () =&gt; bankA.debit(from, amount));
  creditB = await step.do("credit-bank-b", () =&gt; bankB.credit(to, amount));
  await step.do("notify", () =&gt; notifyBoth(from, to, amount));
} catch (error) {
  // unwind in reverse. each undo is its own durable step,
  // must be idempotent, and must keep going if one fails.
  if (creditB) {
    try {
      await step.do("reverse-credit-b", () =&gt; bankB.debit(to, amount, creditB.id));
    } catch (e) {
      await alertOnCall("reverse-credit-b failed", e);
    }
  }
  if (debitA) {
    try {
      await step.do("refund-debit-a", () =&gt; bankA.credit(from, amount, debitA.id));
    } catch (e) {
      await alertOnCall("refund-debit-a failed", e);
    }
  }
  throw error;
}</code></pre>
            <p><i><sup>Without rollbacks</sup></i></p>
            <pre><code>// each step ships with its own undo. add a step,
// add its rollback right here. no growing catch
// block, no manual ordering, no replay logic.
await step.do("debit-bank-a", () =&gt; bankA.debit(from, amount), {
  rollback: async ({ output }) =&gt; bankA.credit(from, amount, output.id),
});
await step.do("credit-bank-b", () =&gt; bankB.credit(to, amount), {
  rollback: async ({ output }) =&gt; bankB.debit(to, amount, output.id),
});
await step.do("notify", () =&gt; notifyBoth(from, to, amount));</code></pre>
            <p><i><sup>With rollbacks</sup></i></p>
    <div>
      <h2>Try it out</h2>
      <a href="#try-it-out">
        
      </a>
    </div>
    <p>To use rollbacks, just pass an options object containing a <code>rollback</code> function as the last argument to <code>step.do()</code>.</p>
            <pre><code>const debit = await step.do(
  "debit-account-a",
  async () =&gt; {
    return await bankA.debit({
      accountId: fromAccountId,
      amount,
      idempotencyKey: `${transferId}:debit-account-a`,
    });
  },
  {
    rollback: async () =&gt; {
      await bankA.credit({
        accountId: fromAccountId,
        amount,
        idempotencyKey: `${transferId}:rollback-debit-account-a`,
      });
    },
  }
);

// The idempotency keys make both the forward operations and rollback operations safe to retry without duplicating the transfer

const credit = await step.do(
  "credit-account-b",
  async () =&gt; {
    return await bankB.credit({
      accountId: toAccountId,
      amount,
      idempotencyKey: `${transferId}:credit-account-b`,
    });
  },
  {
    rollback: async ({ output }) =&gt; {
      if (output === undefined) {
        return;
      }

      await bankB.debit({
        accountId: toAccountId,
        amount,
        idempotencyKey: `${transferId}:rollback-credit-account-b`,
      });
    },
  }
);


// If we fail here, we may want to revert all previous payments. Users should not have to wrap their code in complex try-catch logic just to revert two small payments (see below)

await step.do("send-confirmation", async () =&gt; {
  await sendTransferConfirmation({ ... });
});</code></pre>
            <p>Rollback functions should be idempotent, just like regular Workflow steps. If you refund a charge, use the payment provider's idempotency key. If you release inventory, make the release safe to call more than once.</p><p>If any step fails, the rollback handlers will execute in reverse <code>step-start</code> order. It sounds simple: run the undo steps when something fails. In practice, there are a few details that make the API and execution model important.</p><p>1. <b>The failed step may still need rollback. </b>A failed <code>step.do()</code> can still be rollback-eligible if it registered a rollback handler.</p><p>The rollback will not start if user code catches an error and the Workflow continues, but if a step error is caught and the Workflow later fails for another reason, rollback can still run for previously registered handlers, which execute in reverse <code>step-start</code> order.</p><p>Why? The step may have partially interacted with an external system before failing. For example, a payment provider may capture a charge, but the step may fail before returning the <code>chargeId</code> to Workflows. That is why rollback handlers receive <code>output</code>, but must handle <code>output === undefined</code>.</p><p>2. <b>Rollback only starts when the Workflow fails. </b>Adding a rollback handler does not mean every step error triggers rollback. If user code catches an error and continues, the Workflow continues. Rollback starts when the Workflow itself is about to fail terminally.</p><p>When rollback starts, Workflows finds eligible <code>step.do()</code> calls, runs their rollback handlers, then records the final Workflow failure.</p><p>3. <b>Ordering has to be predictable. </b>For sequential Workflows, rollback order feels obvious:</p><ol><li><p>Reserve inventory.</p></li><li><p>Charge card.</p></li><li><p>Create shipment.</p></li><li><p>If shipment fails, refund the card and release the inventory.</p></li></ol><p>Parallel steps make this more subtle. Completion order can differ from start order, so Workflows uses reverse step-start order instead of reverse completion order.</p><p>The practical rules are:</p><ol><li><p>Any started or completed steps with rollback handlers are eligible.</p></li><li><p>The failing <code>step.do()</code> is also eligible if it registered a rollback handler.</p></li><li><p>Handlers run in reverse step-start order, not completion order.</p></li></ol>
    <div>
      <h2>How we designed the API</h2>
      <a href="#how-we-designed-the-api">
        
      </a>
    </div>
    <p>Once we had the expected behavior in mind, we had to add this new pattern into the Workflows API. Rollbacks went through a few iterations before we landed on <code>rollback options</code>. </p>
    <div>
      <h3>Why not a fluent or builder API?</h3>
      <a href="#why-not-a-fluent-or-builder-api">
        
      </a>
    </div>
    <p>The first approach was a fluent form: <code>step.do(...).rollback(...)</code> It reads well. The forward action and the compensation sit next to each other, and the call site looks like ordinary JavaScript chaining.</p><p>The problem is that <code>step.do()</code> already has an important meaning: it starts a durable step and returns a Promise for the step output. In Workers, promise-like values are especially meaningful because Workers RPC supports <a href="https://blog.cloudflare.com/capnweb-javascript-rpc-library/#chained-calls-promise-pipelining"><u>promise pipelining</u></a>, a pattern inherited from systems like <a href="https://capnproto.org/rpc.html#time-travel-promise-pipelining"><u>Cap'n Proto</u></a>.</p><p>Promise pipelining lets code call a method on a future value before that value has fully returned to the caller. For example:</p>
            <pre><code>const session = api.authenticate(apiKey);
const name = await session.whoami();</code></pre>
            <p>Here, <code>session</code> is not the real session object yet. It is more like a handle to the session that will exist soon. When you call <code>session.whoami()</code>, Workers can send that call to the remote side early and say: “once authentication creates the session, call <code>whoami()</code> on it.”</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/cgBccGGKzjrx2gnnyAUvL/f0470a7a40ef05027e952d42abfa592c/BLOG-3317_image4.png" />
          </figure><p>That saves a round trip. The caller does not need to wait for <code>authenticate()</code> to fully finish before asking for <code>whoami()</code>.</p><p>We considered a fluent API:</p>
            <pre><code>step.do("charge-card", chargeCard).rollback(refundCharge);</code></pre>
            <p>
To a reader, that can look like “call <code>.rollback()</code> on the result of <code>charge-card</code>.”   But rollback is not part of the step’s output. It is part of the <code>step.do()</code> options, registered before the step starts, so Workflows knows how to compensate the step if a later step fails.</p><p>A fluent API also makes step timing harder to reason about. Today, <code>step.do()</code> starts the step when it is called, so developers can start a step, do other work, and await the first step later:</p>
            <pre><code>const first = step.do("first", () =&gt; serviceA.call());

await step.do("second", () =&gt; serviceB.call());

await first;</code></pre>
            <p>With today’s execution model, <code>first</code> starts immediately, before <code>second</code>. A fluent API would complicate that. Workflows would need to wait and see whether <code>.rollback()</code> gets attached before it knows the full step definition. That could delay when the step is sent to the engine.</p><p>In the earlier example, <code>first</code> could start at <code>await first</code> instead of at <code>step.do("first", ...)</code>, after <code>second</code> has already completed.</p><p>That makes concurrent Workflows harder to reason about: step timing would depend on when the returned <code>Promise</code> is consumed, not just where <code>step.do()</code> is called.</p><p>We also considered a builder-style API:</p>
            <pre><code>const charge = await step
	.saga("charge")
	.do(() =&gt; chargeCard())
	.rollback(() =&gt; refundCharge())
	.run();</code></pre>
            <p>A builder API avoids the <code>Promise</code> ambiguity. It also gives us an obvious place for future step-level options, and makes it clear that the forward action and rollback action belong to the same saga step.</p><p>But it adds ceremony. Every step needs a final <code>.run()</code>, forgetting <code>.run()</code> would be easy and hard to spot without tooling, and simple one-step cases start to look like configuration chains. It also introduces a new <code>step.saga()</code> builder, breaking from the existing <code>step.&lt;action&gt;</code> pattern. Most importantly, it makes <code>step.do()</code> feel like an older API rather than the primary Workflows primitive. The goal of rollback was to extend <code>step.do()</code>, not replace it.</p>
    <div>
      <h3>Rollback as step metadata</h3>
      <a href="#rollback-as-step-metadata">
        
      </a>
    </div>
    
            <pre><code>step.do(..., { rollback })</code></pre>
            <p>Ultimately, we chose the explicit form where rollback is metadata on the step.</p><p>This way, each rollback is defined within the forward step itself. Each handler receives the error that caused the rollback to start, the <a href="https://developers.cloudflare.com/workflows/build/step-context/"><u>step context</u></a>, and the output, which is either the persisted value returned by the forward step (which can be undefined) or undefined if the step failed before persisting a value.</p><p>Rollbacks emit lifecycle events, so you can tell whether compensation started, which rollback handler failed, and whether rollback completed successfully.</p><p>Crucially, the original Workflow failure remains separate: rollback is what Workflows does after the failure, not the reason the Workflow failed.</p><p>Just as you can define custom retry and timeout behavior in the<a href="https://developers.cloudflare.com/workflows/build/workers-api/#workflowstepconfig"> <u>step configuration</u></a> via <code>WorkflowStepConfig</code>, you add rollback-specific values in <code>rollbackConfig</code>.</p>
            <pre><code>{
  rollback: async ({ output }) =&gt; {
    await bankA.credit({ accountId: fromAccountId, amount, transferId: `${transferId}-reversal` });
  },
  rollbackConfig: {
    retries: { limit: 10, delay: '30 seconds', backoff: 'exponential' },
    timeout: '2 minutes',
  },
}</code></pre>
            <p>This matches the lifecycle-event mental model we wanted. A <code>step.do()</code> already describes a durable unit of work that Workflows records, retries, and later shows in logs. Rollback is another lifecycle behavior for that same unit of work. It should travel with the step definition, not live in a separate wrapper or builder.</p><ul><li><p>The step still starts when <code>step.do()</code> normally starts.</p></li><li><p>The returned promise still represents the step output.</p></li><li><p>Concurrent Workflow code keeps the same execution model.</p></li><li><p>Retry and timeout options for rollback live next to the rollback handler.</p></li><li><p>Existing <code>step.do()</code> calls keep working exactly as they do today.</p></li></ul><p>This shape is slightly more explicit than the fluent API, but that explicitness is useful. The operation and its compensation are still in one place, and the API does not introduce a new step builder or a new kind of promise. Developers who already understand <code>step.do()</code> only need to learn one additional <code>options</code> object.</p><p>This is less magical, but it is simpler to adopt, and clearer to understand.</p>
    <div>
      <h2>How it works under the hood</h2>
      <a href="#how-it-works-under-the-hood">
        
      </a>
    </div>
    <p>Rollback feels like a small API addition, but it changes what Workflows needs to record about each step.</p><p>A regular <code>step.do()</code> already has a durable record. Workflows records that the step started, whether it completed, what it returned, and whether it should be skipped instead of repeated if the Workflow resumes later.</p><p>Rollbacks add one more thing to that record: whether the step registered compensation logic.</p><p>This means Workflows has two pieces of information to bring together if the Workflow fails.</p><p>The first is <b>durable step history</b>. The Workflow engine stores data to know what ran, what completed, what output was saved, and whether rollback was registered.</p><p>The second is the <b>rollback handler</b> itself, which is the function written to compensate for that step. Workflows does not save the text of that function as data. Instead, it keeps a callable reference to the handler while the Workflow is running.</p><p>In Workers RPC, this kind of callable reference is called a <a href="https://developers.cloudflare.com/workers/runtime-apis/rpc/lifecycle"><b><u>stub</u></b></a>. A stub lets one part of the system call code that is running somewhere else. Stubs also have lifetimes such that they can be disposed when a call or execution context ends. If you need to keep a stub past that point, Workers RPC provides a <a href="https://developers.cloudflare.com/workers/runtime-apis/rpc/lifecycle/#the-dup-method"><code><u>dup()</u></code></a> method, which creates another handle to the same target.</p><p>For rollback, that model is useful. The durable step history records what needs compensation. The rollback stub gives Workflows a way to invoke the compensation code. And because rollback handlers may need to outlive the immediate <code>step.do()</code> call that registered them, Workflows keeps its own callable reference to the handler for the rollback phase.</p><p>In the common case, when a Workflow enters rollback in the same engine lifetime, Workflows already has the rollback stubs it needs. It can use the durable step history to find eligible steps, then invoke the rollback stubs that were registered during forward execution.</p><p>This gets more subtle when Workflows has to <b>recover</b> after a restart.</p><p>If the engine is evicted, crashes, or restarts while rollback is needed, Workflows still has the durable step history, but it may no longer have the in-memory rollback stubs. To recover, Workflows uses <b>replay</b>: a recovery mode where it can re-run the Workflow code without re-executing completed forward step bodies.</p><p>When replay reaches a completed <code>step.do()</code>, Workflows reads the persisted result instead of running the step body again. For rollback recovery, Workflows only needs to rebuild handlers for steps that had rollback attached and are eligible for rollback. As those <code>step.do() </code>calls are encountered, their rollback options can register the callable stubs again</p><p>That lets Workflows recover the rollback handlers it needs without duplicating the original external side effects.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6F0SOtk10x2op5YxnKKnXM/54f7e763f4ada07e353e8bcac5549833/BLOG-3317_image5.png" />
          </figure><p>With those pieces in place, rollback can work whether the handler is still available in memory or has to be rebuilt during recovery.</p><p>When the workflow is about to fail, Workflows does not ask your application to reconstruct what happened. It already has the step history. It can look at the persisted record and answer the important questions:</p><ul><li><p>Which steps started?</p></li><li><p>Which steps finished?</p></li><li><p>Which failed step may still need cleanup?</p></li><li><p>Which steps registered rollback handlers?</p></li><li><p>What output should each rollback handler receive?</p></li><li><p>What order should compensation run in?</p></li></ul><p>Then Workflows invokes each rollback stub with a rollback context: the original error, the step context, and the step output, if one was persisted.</p><p>The ordering detail matters. In normal JavaScript, especially with <code>Promise.all()</code>, completion order is not always the same as start order. If step A starts first and step B starts second, step B might finish first. For rollback, Workflows uses the persisted start order as the stable source of truth, then unwinds it in reverse.</p><p>Rollback handlers also run through Workflows' normal step machinery. That means compensation gets the same operational properties you expect from Workflows: retries, timeouts, lifecycle events, logs, and a final recorded outcome. If a rollback handler keeps failing after its configured retries, Workflows records the rollback outcome as failed, stops running the remaining rollback handlers, and the Workflow instance ultimately ends in the <code>Errored</code> state.</p><p>This is the main difference between saga rollbacks and a <code>catch</code> block. A <code>catch</code> block only knows what is still in memory at its exact point in your JavaScript execution. Workflows rollback uses persisted step history to decide what already happened, invokes the stubs it already has in the common case, and safely rebuilds missing stubs during recovery when it needs to.</p><p>That is also why the API puts rollback on <code>step.do()</code> itself. Rollback is not a separate global error handler — it is metadata attached to the durable unit of work Workflows already understands.</p>
    <div>
      <h2>What’s next</h2>
      <a href="#whats-next">
        
      </a>
    </div>
    <p>Our first iteration of rollbacks includes: </p><ul><li><p>Explicit per-step rollback handlers for <code>step.do()</code></p></li><li><p>Sequential rollback execution</p></li><li><p>Retry and timeout configuration for compensation</p></li></ul><p>Next, we want to explore:</p><ul><li><p>Rollback support for <a href="https://developers.cloudflare.com/workflows/build/events-and-parameters/#wait-for-events"><code><u>waitForEvent</u></code></a></p></li><li><p>Support for parallel rollback execution</p></li><li><p>Rollback support for <a href="https://developers.cloudflare.com/workflows/python/"><u>Python Workflows</u></a></p></li></ul><p>When a multi-step application fails halfway through, the hardest part is often not knowing <i>that</i> it failed. It is knowing <i>what</i> already happened, and what needs to happen next.</p><p>Saga rollbacks let you put that answer directly beside each step. If you are building multi-step applications with Workflows, try saga rollbacks and tell us what compensation patterns you want next. Get started with the <a href="https://developers.cloudflare.com/workflows/"><u>Workflows documentation</u></a> and share feedback in the <a href="https://community.cloudflare.com/"><u>Cloudflare Community</u></a>.</p> ]]></content:encoded>
            <category><![CDATA[Workflows]]></category>
            <category><![CDATA[Cloudflare Workers]]></category>
            <category><![CDATA[Developers]]></category>
            <guid isPermaLink="false">6BmERiKIIt4pIJoFmNy7Jn</guid>
            <dc:creator>Vaishnav Kavitha</dc:creator>
            <dc:creator>Mia Malden</dc:creator>
            <dc:creator>André Venceslau</dc:creator>
        </item>
        <item>
            <title><![CDATA[Unlocking the Cloudflare app ecosystem with OAuth for all]]></title>
            <link>https://blog.cloudflare.com/oauth-for-all/</link>
            <pubDate>Wed, 24 Jun 2026 06:00:00 GMT</pubDate>
            <description><![CDATA[ Self-Managed OAuth is now available to all developers on Cloudflare. Here's how we executed a zero-downtime migration of our core OAuth engine to make it happen. ]]></description>
            <content:encoded><![CDATA[ <p>Cloudflare provides services that help run 20% of the web, but we don’t do it alone. Developers on our platform use a myriad of tools and services from other companies too. Cloudflare provides a rich API for our platform that enables developers to create automations, CI/CD, and integrations that glue together the various parts of their infrastructure. Earlier this month, we announced <a href="https://developers.cloudflare.com/changelog/post/2026-06-03-public-oauth-clients/"><u>self-managed OAuth</u></a>, making it easier for customers to create and manage their own OAuth clients for delegated access to the Cloudflare API.</p><p>Cloudflare isn’t new to OAuth. If you’ve used Wrangler, or used integrations from partners like PlanetScale, then you’ve already used it. However, until now, third-party OAuth was only available through a small number of manually onboarded integrations, and was not available to developers more broadly. That meant developers building their own integrations had to rely on API tokens, which are harder to manage and a poor fit for many delegated application flows. </p><p>Over the last year, we onboarded a growing number of early partners while improving the consent, revocation, and security model behind Cloudflare OAuth. But as our Developer Platform grew and agentic tools drove demand for delegated access, it became clear that opening up OAuth to all customers was critical to the success of our platform. </p><p>With self-managed OAuth, developers can now offer a standard OAuth flow where customers grant scoped access directly, making it easier to build SaaS integrations, internal developer platforms, and agentic tools while giving users clearer consent, easier revocation, and more control over what an application can do.</p>
    <div>
      <h2>Scaling the ecosystem securely</h2>
      <a href="#scaling-the-ecosystem-securely">
        
      </a>
    </div>
    <p>While our earlier OAuth solution was sufficient for a small number of carefully managed partners, we realized that our permissions model, our consent experience, and our ways of mitigating potential abuse vectors were not mature enough. </p><p>Earlier this year we <a href="https://blog.cloudflare.com/improved-developer-security/#improving-the-oauth-consent-experience"><u>updated our consent experience</u></a> to make it clearer which application is requesting access, and what permissions it will receive. We also added revocation to the dashboard so developers can easily control which applications have access to their data, and made app ownership more visible to prevent OAuth phishing attacks. </p><p>Opening self-managed OAuth to all customers also required major upgrades to our underlying OAuth engine. This process required a large amount of planning to do with minimal user interruption, while also ensuring data stability and security.</p>
    <div>
      <h2>Planning the upgrade to our OAuth engine</h2>
      <a href="#planning-the-upgrade-to-our-oauth-engine">
        
      </a>
    </div>
    <p>Years ago, we deployed <a href="https://github.com/ory/hydra"><u>Hydra</u></a>, an open-source OAuth engine, to power Cloudflare OAuth under the hood. That deployment served us well when usage was limited, but as the developer platform grew and agentic workflows became more common, it became clear that we needed a major upgrade to unlock new capabilities and improve performance. </p><p>As we planned the upgrade, we decided to do two smaller sequential upgrades rather than doing one large upgrade.  First, we would move to the latest 1.X release, evaluate any behavior or performance changes, and then proceed with the 2.X upgrade.</p><p>During our upgrade planning, it became clear that even the 1.X upgrade would<i> </i>still impact customers because the Hydra database required extensive schema migrations that:</p><ol><li><p>Created indexes in a manner that would claim an exclusive lock on critical tables, preventing active users from performing important OAuth operations </p></li><li><p>Added columns to critical tables, and moved other columns to new tables</p></li></ol><p>There was also a quirk in the version of Hydra we were using in which the SDK would perform SELECT * operations, causing deserialization issues with the schema changes.</p><p>To prevent user impact, we rewrote the SQL migrations to use features such as CREATE INDEX CONCURRENTLY, and built a custom version of Hydra which selected explicit columns rather than SELECT *.</p><p>With the latest 1.X upgrade planned out, we now needed to create a plan for the even larger 2.X upgrade. We identified three potential options, and weighed the benefits and drawbacks of each one. Doing an in-place upgrade was not going to work for us, due to the sheer amount of schema changes the major version bump brought with it. We decided that a blue-green strategy would work, but there was more that needed to be done than simply flipping a switch to start using the new version. The upgrade and migration process would take multiple hours, and we needed the system to continue functioning correctly in that time window.</p><p>The first blue-green option would involve disabling writes to the database, preventing any new authorizations from occurring. This means they would not be lost in the transition, but it also meant that nobody would be able to use existing OAuth apps unless they already had a valid credential. It also presented another large problem: if users needed to revoke access from an application for any reason, it would not be possible while the upgrade was being performed.</p><p>To combat these issues, we came up with a way to leave writes to the database enabled, at the cost of losing some of them in the switch to the green version. The first thing to solve was minimizing the number of writes for new tokens. There was an operational lever we pulled: increasing the expiry time of tokens to multiple hours. This would allow apps that received new tokens before the upgrade to continue using them without needing to refresh.</p><p>With reducing writes solved, we needed to come up with a way to not lose any revocations our users performed during the upgrade window. To do this, we created a queue system (using <a href="https://developers.cloudflare.com/queues/"><u>Cloudflare Queues</u></a>!) which, after a revocation event, would have a record written into the queue with information about that revocation. This would allow us to drain the queue with the database flipped to the green version, replaying all revocation events that took place in the time window in which they would have been lost. This was critical to get right, otherwise applications that users had revoked would inadvertently have their access restored.</p>
    <div>
      <h2>Executing the upgrade</h2>
      <a href="#executing-the-upgrade">
        
      </a>
    </div>
    
    <div>
      <h3>Upgrading to 1.X</h3>
      <a href="#upgrading-to-1-x">
        
      </a>
    </div>
    <p>From an operational point of view, our first upgrade to the last 1.X release went off without any hitches. Our custom database migrations ran faster than we expected, with no user impact. We had to do a hard cutover to the new version because the old version was unable to introspect tokens that were created by the newer version.</p><p>After the cutover, we saw an increase in refresh token errors that we had not seen before. This ended up being due to stricter refresh invalidation behaviors in the new version; if a refresh token was reused, Hydra would invalidate the whole access and refresh token chain. This is problematic for Wrangler and MCP clients. These clients both have a high request volume, and a single reused refresh token would invalidate the entire session.</p><p>We mitigated this by adding refresh token coalescing behavior to our Worker which routes OAuth traffic to the correct destination. This allowed us to briefly cache the refresh token request before it reached Hydra, so that if we detected a retry we could short-circuit the request and respond without invalidating the tokens. Fortunately, 2.X versions of Hydra have a configurable “refresh token grace period”, which resolves this by allowing a refresh token to be retried for a period of time without invalidating the whole chain.</p>
    <div>
      <h3>Upgrading to 2.X</h3>
      <a href="#upgrading-to-2-x">
        
      </a>
    </div>
    <p>Since multiple hours of high user-facing impact would not be acceptable, we had our blue-green upgrade strategy set. At a high level, this sounds simple; the migrations would run on a copy of our production database, and then cut over along with the new Hydra version after they complete. In reality, there were a <i>lot </i>more moving parts:</p><ul><li><p>Enable revocation replay capture queue</p></li><li><p>Copy and restore our database to the new target</p></li><li><p>Targeted data cleanup — existing data violated some new constraints introduced in the newer versions, which could prevent migrations from succeeding</p></li><li><p>Perform cutovers on the Hydra service along with two additional critical internal systems simultaneously to prevent any errors</p></li><li><p>Post-cutover monitoring and validation</p></li></ul>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/tbiQb2wX9zyyC2n6cOMmv/706bacb728d5abef09117c3893ec288d/hydra_upgrade_diagram.png" />
          </figure><p>We chose an upgrade window when Hydra had the lowest request volume per second to minimize lost token writes. Other than some timeout tuning, our production migrations ran well against the new database: the net runtime in production was approximately three hours. After the migrations completed, we carefully rolled out the new version of the Hydra service, along with two additional system configs to flip our systems to use the new SDK version.</p><p>Shortly after cutting traffic over, we observed that a data cleanup job in our authorization service (which relies on the Hydra consent session API) was being overeager in its purging of OAuth policy data. After investigation, we discovered that there was an issue in one of the Hydra migrations that corrupted the state of certain valid OAuth sessions, which resulted in the migration marking them as invalid. The valid sessions being corrupted caused a disagreement between Hydra and our authorization service, manifesting as an increase in 403s. To mitigate this, we did data restorations and began work on improvements for OAuth authorization behaviors to remove reliance on static policy data.</p><p>Beyond the data cleanup issue, there were some additional small fixes more driven by specific client behaviors which we landed quickly. </p><p>With the Hydra version upgrade complete, OAuth traffic has remained stable with improved system performance and reliability for our customers. It also brought production onto the same foundation our newer OAuth APIs had already been validated against in staging, clearing the way for our <a href="https://developers.cloudflare.com/changelog/post/2026-06-03-public-oauth-clients/"><u>self-managed OAuth release on June 3</u></a>. </p>
    <div>
      <h2>Performance improvements</h2>
      <a href="#performance-improvements">
        
      </a>
    </div>
    <p>After completing a large upgrade like this, it is always rewarding and illuminating to look at some broad metrics about the impact. We gathered additional metrics during the database migrations, and observed considerable performance improvements after the upgrade was complete.</p>
    <div>
      <h3>Database</h3>
      <a href="#database">
        
      </a>
    </div>
    
<table><colgroup>
<col></col>
<col></col>
</colgroup>
<thead>
  <tr>
    <th><span>Metric</span></th>
    <th><span>Approx. Value</span></th>
  </tr></thead>
<tbody>
  <tr>
    <td><span>Rows updated</span></td>
    <td><span>132.5M</span></td>
  </tr>
  <tr>
    <td><span>Rows inserted</span></td>
    <td><span>114.7M</span></td>
  </tr>
  <tr>
    <td><span>Temp bytes</span></td>
    <td><span>136.97GB</span></td>
  </tr>
  <tr>
    <td><span>Transaction commits</span></td>
    <td><span>22.2k</span></td>
  </tr>
</tbody></table>
    <div>
      <h3>Hydra performance</h3>
      <a href="#hydra-performance">
        
      </a>
    </div>
    
<table><colgroup>
<col></col>
<col></col>
<col></col>
<col></col>
</colgroup>
<thead>
  <tr>
    <th><span>Metric (avg)</span></th>
    <th><span>Before</span></th>
    <th><span>After</span></th>
    <th><span>Change</span></th>
  </tr></thead>
<tbody>
  <tr>
    <td><span>API P95</span></td>
    <td><span>185ms</span></td>
    <td><span>101ms</span></td>
    <td><span>-45%</span></td>
  </tr>
  <tr>
    <td><span>RSS memory</span></td>
    <td><span>888MB</span></td>
    <td><span>763MB</span></td>
    <td><span>-14%</span></td>
  </tr>
  <tr>
    <td><span>Go heap alloc</span></td>
    <td><span>449MB</span></td>
    <td><span>271MB</span></td>
    <td><span>-40%</span></td>
  </tr>
  <tr>
    <td><span>Goroutines</span></td>
    <td><span>4015</span></td>
    <td><span>3076</span></td>
    <td><span>-23%</span></td>
  </tr>
  <tr>
    <td><span>CPU</span></td>
    <td><span>1.07 cores</span></td>
    <td><span>0.67 cores</span></td>
    <td><span>-37%</span></td>
  </tr>
</tbody></table>
    <div>
      <h2>Self-managed OAuth for all</h2>
      <a href="#self-managed-oauth-for-all">
        
      </a>
    </div>
    <p>Opening up OAuth to all customers is an important step toward a broader Cloudflare app ecosystem. Today, any Cloudflare customer can create their own OAuth applications and build integrations on top of Cloudflare. We’re extremely excited to launch Cloudflare self-managed OAuth for all. </p><p>To get started, take a look at our <a href="https://developers.cloudflare.com/fundamentals/oauth/"><u>documentation</u></a> or jump straight to the OAuth apps page in the <a href="https://dash.cloudflare.com/?to=/:account/oauth-clients"><u>dashboard</u></a> and create your first OAuth app.</p> ]]></content:encoded>
            <category><![CDATA[Developers]]></category>
            <category><![CDATA[API]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[OAuth]]></category>
            <category><![CDATA[Developer Platform]]></category>
            <category><![CDATA[Agents]]></category>
            <category><![CDATA[Product News]]></category>
            <category><![CDATA[Cloudflare Media Platform]]></category>
            <category><![CDATA[Identity]]></category>
            <guid isPermaLink="false">77AgsHNNnpUDvP0Z6gqgp6</guid>
            <dc:creator>Sam Cabell</dc:creator>
            <dc:creator>Mike Escalante</dc:creator>
            <dc:creator>Adam Bouhmad</dc:creator>
            <dc:creator>Nick Comer</dc:creator>
        </item>
        <item>
            <title><![CDATA[The White House's post-quantum executive order is an important milestone. It’s time to get to work]]></title>
            <link>https://blog.cloudflare.com/post-quantum-eo-2026/</link>
            <pubDate>Tue, 23 Jun 2026 18:25:18 GMT</pubDate>
            <description><![CDATA[ The new executive order sets a 2030 migration deadline and establishes a powerful foundation for post-quantum resilience. We look at what it gets right, where it can go further, and our migration playbook for government and industry. ]]></description>
            <content:encoded><![CDATA[ <p>On June 22, 2026, President Trump signed <a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Executive Order 14412</a>, "Securing the Nation Against Advanced Cryptographic Attacks." The order sets a December 31, 2030, deadline for federal agencies to transition their most sensitive systems to <i>post-quantum encryption</i>, and a December 31, 2031, deadline for <i>post-quantum authentication</i>. The EO also directs federal contractors to comply with post-quantum Federal Information Processing Standards (<a href="https://csrc.nist.gov/projects/post-quantum-cryptography">FIPS</a>) by the end of 2030.</p><p>We welcome this executive order. The U.S. government has a long track record of using federal leadership and procurement to drive adoption of new technologies across the broader industry. We've seen this work with <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/transition-to-ipv6.pdf">IPv6</a>, with routing security and the Resource Public Key Infrastructure (<a href="https://csrc.nist.gov/pubs/sp/800/189/final">RPKI</a>), and with <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf">DNSSEC</a>, and we’re glad to see this tradition continue with post-quantum cryptography.</p><p>The EO is especially important at this moment because the timeline for <i>Q-Day</i>, the day that quantum computers can <a href="https://blog.cloudflare.com/the-quantum-menace/#shors-algorithm">break</a> the public-key cryptography used across the Internet, has been accelerated. In April 2026, Cloudflare <a href="https://blog.cloudflare.com/post-quantum-roadmap/">moved our own target for full post-quantum security to 2029</a>, following research breakthroughs from <a href="https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/">Google</a> and <a href="https://arxiv.org/abs/2603.28627">Oratomic</a>. This EO updates guidance from 2024, when the National Institute of Standards and Technology (NIST) <a href="https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf"><u>stated</u></a> that the classical public key cryptography used across the Internet (namely RSA and Elliptic Curve Cryptography, which can be broken once powerful quantum computers become available) should be deprecated by 2030 and disallowed by 2035. </p><p>The Internet’s transition to post-quantum encryption is well underway, while the transition to post-quantum authentication has only just begun. Today, <a href="https://radar.cloudflare.com/post-quantum">over two-thirds</a> of browser traffic to Cloudflare's network is protected with post-quantum encryption, and <a href="https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-cloudflare-products/">most of our products</a> support post-quantum key agreement. Our <a href="https://blog.cloudflare.com/post-quantum-sase/">SASE platform, Cloudflare One</a>, provides post-quantum encryption across all major on-ramps and off-ramps, including <a href="https://blog.cloudflare.com/post-quantum-zero-trust/">TLS</a>, <a href="https://blog.cloudflare.com/post-quantum-warp/">MASQUE</a>, and <a href="https://blog.cloudflare.com/post-quantum-ipsec/">IPsec</a>. We've recently started <a href="https://blog.cloudflare.com/bootstrap-mtc/"><u>deploying</u></a> post-quantum authentication and aim to be fully post-quantum secure by 2029. The EO is an excellent foundation and builds on work from the previous two Administrations. We've been doing the work the EO is asking federal agencies to do <a href="https://blog.cloudflare.com/the-tls-post-quantum-experiment/"><u>since 2019</u></a>, we have some thoughts on what the order gets right, we see opportunities for the Office of Management and Budget (OMB) to strengthen and facilitate cost-effective agency migration, and we provide a roadmap for how organizations and agencies can advance their transition most effectively.</p>
    <div>
      <h2>The EO’s requirements for federal systems</h2>
      <a href="#the-eos-requirements-for-federal-systems">
        
      </a>
    </div>
    <p>The bulk of the EO's binding requirements are aimed at two categories of federal systems: High Value Assets (HVAs) and high impact systems. HVAs are federal information or systems <a href="https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf">designated by OMB</a> as the government's crown jewels: systems whose compromise would significantly affect national security, foreign relations, or public confidence. These include databases that hold millions of federal employee records, systems that process classified intelligence, or platforms that manage federal financial transactions. Meanwhile, high impact systems are those where confidentiality, integrity, or availability is rated "high" under <a href="https://csrc.nist.gov/pubs/fips/199/final">FIPS 199</a>, meaning a breach could cause severe harm including loss of life, major financial damage, or significant degradation of an agency's ability to carry out its mission.</p><p>The EO has the power to bind federal agencies, but not other organizations (i.e., critical infrastructure, state, local, tribal and territorial governments, academia, civil society). That’s why the EO only gives these deadlines to federal agencies:</p><table><tr><td><p><b>Date</b></p></td><td><p><b>Requirement</b></p></td></tr><tr><td><p>July 2026</p></td><td><p>Each federal agency head identifies a PQC migration lead and provides their name and contact details to OMB and the National Cyber Director.</p></td></tr><tr><td><p>September 2026</p></td><td><p>OMB issues guidance requiring each agency to: (1) review their inventory of HVAs and high impact systems; (2) plan for PQC migration; and (3) submit that plan to OMB and the National Cyber Director.</p></td></tr><tr><td><p>December 2030</p></td><td><p>All HVAs and high impact systems must be transitioned to PQC for key establishment.</p></td></tr><tr><td><p>December 2031</p></td><td><p>All HVAs and high impact systems must be transitioned to PQC for digital signatures.</p></td></tr></table><p>National Security Systems are explicitly excluded from these deadlines. They are on a separate, classified track managed by the NSA with deadlines between 2030 and 2033 <a href="https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF"><u>already set in 2022</u></a>.</p>
    <div>
      <h2>Two migrations: encryption and authentication. Both should begin now.</h2>
      <a href="#two-migrations-encryption-and-authentication-both-should-begin-now">
        
      </a>
    </div>
    <p>The EO splits the PQC migration into two phases: post-quantum key establishment (encryption) by 2030, and post-quantum digital signatures and certificates (authentication) by 2031. This accurately reflects the availability of post-quantum encryption across the Internet today. Our own <a href="https://blog.cloudflare.com/post-quantum-roadmap/"><u>deadline</u></a> for full post-quantum readiness (including authentication) is 2029, but we are amongst the earliest adopters in the industry. </p><p>We are also happy to see the EO focusing on <a href="https://csrc.nist.gov/projects/post-quantum-cryptography">NIST-standardized post-quantum cryptographic algorithms</a> and not Quantum Key Distribution (QKD), since QKD <a href="https://blog.cloudflare.com/you-dont-need-quantum-hardware/">does not operate at Internet scale</a> due to its need for specialized hardware and dedicated physical links between sender and receiver.  </p><p>Now let’s have a deeper look at the two migrations called for and required in the EO: post-quantum encryption and post-quantum authentication.</p><p><b>Post-quantum encryption</b> is needed today to stop <a href="https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later"><u>harvest-now-decrypt-later attacks</u></a>, where an adversary collects encrypted traffic today and decrypts it later once quantum computers are powerful enough. Post-quantum encryption is especially valuable for organizations handling data that will still have value to adversaries 3-10 years from now, like government agencies, banks, healthcare organizations, defense contractors, and telecom providers.</p><p><b>Post-quantum authentication </b>stops an adversary that has a quantum computer from forging certificates to impersonate servers, generating malicious code signatures, or gaining unauthorized access to systems.  Post-quantum authentication is needed only after Q-Day risk materializes, because it stops attacks that are possible only once a cryptographically-relevant quantum computer (CRQC) exists. </p><p>It’s important to put the migration timelines in context with advancements in quantum computing. In addition to yesterday’s EO on post-quantum security, President Trump also signed an <a href="https://www.whitehouse.gov/presidential-actions/2026/06/ushering-in-the-next-frontier-of-quantum-innovation/"><u>EO</u></a> to accelerate deployment and commercialization of quantum computing, sensing, and networking. The fact that the EO sets a 2031 deadline for post-quantum authentication tells us something important: the U.S. government believes there is a non-negligible chance that a CRQC could be operational around that time.  </p>
    <div>
      <h4>Road to Quantum Safety</h4>
      <a href="#road-to-quantum-safety">
        
      </a>
    </div>
    
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4ZPdZZj0jIz2ZFsgOdTLnW/b3633cb8438622a4af0bba1ad63c799d/Screenshot_2026-06-29_at_12.23.04.png" />
          </figure><p>What about the state of these two technologies? The migration to post-quantum authentication is a bigger challenge than post-quantum encryption for a few reasons, including:</p><ul><li><p>Post-quantum <a href="https://csrc.nist.gov/pubs/fips/204/final">ML-DSA</a> digital signatures are larger than classic digital signatures, which could have an impact on performance of some systems, for instance in short-lived TLS connections. That’s why we are working with Google Chrome on <a href="https://blog.cloudflare.com/bootstrap-mtc/">Merkle Tree Certificates</a> to solve the performance problem for TLS. </p></li><li><p>The dependency chain for post-quantum authentication is longer, requiring coordinated upgrades across clients, servers, <a href="https://letsencrypt.org/2026/06/03/pq-certs">certificate authorities</a>, <a href="https://blog.cloudflare.com/azul-certificate-transparency-log/">certificate transparency logs</a>, root stores, and browsers. </p></li><li><p>There is only limited ecosystem deployment of post-quantum authentication so far, as compared to the <a href="https://radar.cloudflare.com/post-quantum"><u>much broader deployment</u></a> of post-quantum encryption.</p></li></ul><p>It is interesting that the EO sets a one-year gap between the encryption and authentication deadlines. One extra year of calendar time is tight, so this work cannot proceed sequentially. The ecosystem needs to start working on both of these targets concurrently, or we will miss this 2031 deadline. </p><p>Cryptographic deployment across the Internet cannot happen without standards developed by the <a href="https://www.ietf.org/"><u>Internet Engineering Task Force</u></a> (IETF). They are working to transition their protocols to post-quantum cryptography.  The TLS community is ahead, with the <a href="https://datatracker.ietf.org/group/plants/about/">IETF PLANTS working group</a> making good progress on post-quantum certificates for TLS. There is much work to do here, and we look forward to supporting the IETF in its efforts. </p>
    <div>
      <h2>Supply chain pressure that helps everyone</h2>
      <a href="#supply-chain-pressure-that-helps-everyone">
        
      </a>
    </div>
    <p>The EO includes requirements for federal contractors, which may turn out to be the most impactful part of the EO. </p><p>Namely, the <a href="https://www.acquisition.gov/far-council-members">FAR Council</a> must publish proposed rules requiring "covered contractors" to comply with NIST FIPS incorporating PQC algorithms by December 31, 2030 (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 6(c)</a>). The FAR Council must also publish proposed rules requiring contractors to implement vulnerability disclosure programs that cover cryptographic vulnerabilities (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 6(d)</a>). These proposed rules need to go through notice-and-comment rulemaking, but the EO has a December 31, 2030, target which is still important. This deadline is one year earlier than federal agencies are required to complete their post-quantum authentication migration, so that federal contractors will be ready before agencies hit their own deadlines.</p><p>Federal agencies can only migrate to PQC if the products they buy support PQC. To put this into practice, CISA <a href="https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards"><u>released</u></a> its <i>Product Categories for Technologies That Use Post-Quantum Cryptography Standards</i>, drawing a clear line between technologies where PQC is already "widely available" versus those still "transitioning." The "widely available" list includes cloud platforms (IaaS, PaaS), web browsers and servers, chat and messaging software, and endpoint security products like full disk encryption. For these categories, CISA's guidance is clear: organizations should procure only PQC-capable products. The "transitioning" list, where PQC is not yet widely available, includes networking hardware (routers, firewalls, switches), identity and access management systems (HSMs, certificate authorities, identity providers), email servers and clients, and database systems.</p><p>By telling contractors their products must be PQC-compliant by 2030, and directing agencies to immediately favor PQC-capable vendors in mature markets, the federal framework forces the vendor ecosystem to ship PQC-capable products on a fixed timeline. Products that vendors build to federal requirements will end up used by hospitals, banks, universities, and small businesses, which makes PQC support more broadly available. Cloudflare is among the many vendors subject to these requirements, and because networking software and cloud services are already designated by CISA as widely available PQC categories, we've already shipped post-quantum encryption across <a href="https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-cloudflare-products/">most of our products</a> at <a href="https://blog.cloudflare.com/post-quantum-crypto-should-be-free/">no extra cost</a>. </p>
    <div>
      <h2>Critical infrastructure and PQ for everyone</h2>
      <a href="#critical-infrastructure-and-pq-for-everyone">
        
      </a>
    </div>
    <p>The EO also speaks to <a href="https://www.law.cornell.edu/uscode/text/42/5195c">critical infrastructure</a>: energy, financial services, water, transportation, telecommunications, healthcare, and other systems whose failure would have a serious or significant impact on the country. While the EO has no hard migration deadline for critical infrastructure owners and operators, the EO directs certain federal agencies to "assist" critical infrastructure owners and operators with their PQC migration plans (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 5(a)</a>).</p><p>While the EO focuses mostly on federal agencies and critical infrastructure in the U.S., post-quantum cryptography is important to every Internet-connected individual and organization. Harvest-now-decrypt-later attacks are a risk today. And after Q-Day, the risk of unauthorized access by an adversary armed with a quantum computer will impact any organization, big or small. When we <a href="https://blog.cloudflare.com/introducing-universal-ssl/">launched free universal SSL in 2014</a>, our CEO Matthew Prince wrote:</p><blockquote><p>Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web.</p></blockquote><p>We feel the same way about post-quantum cryptography. That’s why every post-quantum upgrade we build is available to all customers, on every plan, at no additional cost.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/399EKuhN38jLx1pAGEgx3z/1f93784f4c98df9a108b5c8d1803218b/BLOG-3360_3.png" />
          </figure>
    <div>
      <h2>Opportunities for OMB’s implementation guidance</h2>
      <a href="#opportunities-for-ombs-implementation-guidance">
        
      </a>
    </div>
    <p>The EO sets the direction, and now OMB has 90 days to provide important clarifications and operational guidance to achieve the most effective PQC migration across federal agencies (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 4(b)</a>). Based on what we've learned from our own PQC migration, here are a few elements that we suggest that guidance should include:</p><p><b>Define what it means to “transition.” </b>The EO requires agencies to "transition" their systems to PQC, but it never defines what "transition" means. Does it mean the system supports PQC algorithms? That it prefers them? Or that classical cryptography has been disabled entirely?</p><p>These are very different security postures. A system that supports ML-KEM but still allows a classical-only TLS handshake is vulnerable to <a href="https://en.wikipedia.org/wiki/Downgrade_attack">downgrade attacks</a>. An adversary capable of intercepting traffic could force the connection back to classical key exchange. The system would have "transitioned" to PQC in name, but still be vulnerable to the same quantum attacks the order is trying to prevent.</p><p>History is instructive. When SSLv3 was deprecated after the <a href="https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/"><u>POODLE attack</u></a> in 2014, servers kept SSLv3 enabled for backwards compatibility, allowing attackers to force connections to downgrade and then exploit SSLv3's weaknesses. It took years for the ecosystem to actually turn SSLv3 off. To avoid repeating this pattern, we need a clear definition of “done” that includes disabling quantum-vulnerable cryptography to prevent downgrades.</p><p><b>Crypto agility</b>: <a href="https://en.wikipedia.org/wiki/Cryptographic_agility"><u>Crypto agility</u></a> is the ability to swap cryptographic algorithms without re-architecting your systems. The EO mandates migrating to specific NIST crypto standards, but says nothing about building systems that can swap cryptographic algorithms if these algorithms need to change in the future. Crypto agility doesn't mean supporting every algorithm at once. It means building systems so that when the community converges on a better algorithm in the future, the upgrade is a configuration change, not a re-architecture. The OMB should include this in its guidance.</p><p><b>CBOM or quantum impact inventory? </b>The EO directs CISA and NIST to publish guidance on the minimum elements for a cryptographic bill of materials (CBOM) within 270 days (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 5(d)</a>). A CBOM is an inventory of the cryptographic algorithms, protocols, and implementations used in a given hardware or software product, similar to a <a href="https://www.cisa.gov/sbom">software bill of materials (SBOM)</a>.</p><p>In theory, CBOMs are a good idea. In practice, we'd caution against treating exhaustive cryptographic inventories as a prerequisite for action. A detailed CBOM of every algorithm in every library in every product takes a long time to produce, it can take federal agencies an entire procurement cycle of discovery tooling and consulting, and it potentially becomes stale by the time the inventory is complete. Also, a CBOM doesn’t list systems that should be using cryptography but are not. And a CBOM lists keys without an <a href="https://arxiv.org/abs/2603.22442"><u>understanding of their purpose</u></a>, making them less useful for organizations trying to understand the risk associated with a quantum-vulnerable key. </p><p>We think that a quantum impact inventory is a more productive framing. What would be the impact if the system or its data is compromised? How likely is that to happen? What measures can be taken to mitigate the risk, whether a drop-in replacement, a software update, or a compensating control like tunneling traffic over bulk post-quantum connection or isolating it from the Internet? How feasible is each option and what dependency chain does it create? Identifying these informs where to take action first. You can fill in the details of a full CBOM over time if that makes sense for your organization, but you should start by discovering your most exposed and impactful systems.</p><p><b>Making post-quantum cryptography affordable to all.</b> True national resilience fails if post-quantum cryptography is treated as a gated luxury rather than a universal baseline. OMB policy must resist vendor lock-in or toll booths that leave underfunded critical infrastructure behind or increase technical debt at federal agencies. </p>
    <div>
      <h2>What to do now: don't wait for 2030</h2>
      <a href="#what-to-do-now-dont-wait-for-2030">
        
      </a>
    </div>
    <p>You do not have to wait for 2030 or an exhaustive cryptographic inventory to start your migration. History has shown that updating cryptography is <a href="https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/"><u>hard</u></a> and can take a <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"><u>long</u></a> <a href="https://blog.cloudflare.com/radius-udp-vulnerable-md5-attack/"><u>time</u></a>; other organizations should start sorting out their migrations as well. So as we wait for OMB guidance for federal agencies, here’s what we recommend for all organizations:</p><p><b>Protect your Internet traffic now.</b> Start with traffic that crosses the public Internet, because that is the easiest for adversaries to harvest now and the most immediately at risk. If your web traffic flows through Cloudflare, your connections are largely protected with post-quantum encryption. If your enterprise network uses <a href="https://blog.cloudflare.com/post-quantum-sase/">Cloudflare One</a>, your private network traffic is also protected. If your provider doesn't support post-quantum encryption, switch to one that does. Even if the individual applications running inside your network haven't been upgraded yet, start <a href="https://blog.cloudflare.com/post-quantum-warp/">tunneling your traffic</a> through post-quantum encrypted infrastructure to protect it in bulk, even if individual systems are not yet inventoried and upgraded.</p><p><b>Update procurement.</b> Make "post-quantum encryption by default, at no additional cost, with a clear roadmap for post-quantum authentication and crypto agility" a requirement in every technology procurement. If your vendor charges extra for post-quantum security or doesn't have a roadmap or plan, ask why or find another vendor.</p><p><b>Quantum impact inventory.</b> For traffic that stays inside your private network perimeter and is not exposed to the public Internet, the harvest-now-decrypt-later risk is lower because an adversary would need to be on your network to capture it. But you still need to know what cryptography your internal systems use, so you can plan your migration. Use a <i>quantum impact inventory </i>as a tool to prioritize your efforts, for example focusing on systems or connections that handle sensitive data or are exposed on the public Internet. </p><p><b>Plan for authentication now.</b> The 2031 deadline for post-quantum authentication will come faster than you think. Start identifying your long-lived keys, root certificates, and code-signing infrastructure. These are the highest-priority targets for a quantum attacker, and they have the longest dependency chains to upgrade. Now is a great time to update your software libraries and automate certificate provisioning even if post-quantum certificates are not yet available in your ecosystem. And make sure your vendors are planning to be ready for the looming post-quantum authentication deadline.</p>
    <div>
      <h2>Aligning policy and international standards</h2>
      <a href="#aligning-policy-and-international-standards">
        
      </a>
    </div>
    <p>At the same time, work should also start now on aligning global government policy with international standards. We were glad to see that Section 5(b) directs the State Department to engage foreign governments and industry groups to encourage adoption of NIST-standardized PQC algorithms. </p><p>Here’s why this matters. Cryptography migrations cannot be run in a vacuum, with each country operating within its own borders. A TLS connection between a U.S. person and a server abroad only works if both ends negotiate the same cryptography. NIST has been running open international cryptographic competitions for decades. The <a href="https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development">AES competition</a> (1997-2001) produced the encryption standard used across the Internet today, selecting a cipher designed by Belgian cryptographers. The <a href="https://csrc.nist.gov/projects/hash-functions/sha-3-project">SHA-3 competition</a> (2007-2012) produced the latest hash standard, selecting an algorithm designed by a Belgian-Italian team. The <a href="https://csrc.nist.gov/projects/post-quantum-cryptography">PQC competition</a> (2016-2024) followed the same open model: anyone could submit, anyone could analyze, and the winning algorithms were designed by international teams. ML-KEM, the key agreement standard now being deployed across the Internet, was created largely by European cryptographers. These are open, internationally vetted algorithms. NIST organized the competitions, but the results belong to the global cryptographic community. </p><p>The risk ahead is fragmentation. If different jurisdictions mandate different algorithms, the result is cipher bloat and increased attack surface: more code to write, test, and audit, more surface for <a href="https://en.wikipedia.org/wiki/Downgrade_attack">downgrade attacks</a>, and slower deployment for everyone. We've <a href="https://blog.cloudflare.com/post-quantum-sase/#but-what-about-interoperability">seen this happen</a> firsthand in IPsec, where the lack of an interoperable standard led vendors to ship proprietary PQ key agreement algorithms that couldn’t interoperate, delaying the migration by years. The TLS community went the opposite way, converging on a single hybrid key agreement (<a href="https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/">X25519MLKEM768</a>), and deployment followed quickly.</p><p>We are big fans of <a href="https://www.nist.gov/"><u>NIST</u></a>, and especially its leadership in vetting standards globally and standardizing cryptography worldwide. We encourage the Trump Administration to work with Congress to ensure that NIST has appropriate resources, staffing, and tooling to meet current and emerging deliverables in this EO and others, like America's <a href="https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf"><u>AI Action Plan</u></a>.</p><p>We'd like to see State Department-led engagement drive real alignment: adoption of the same NIST algorithms across allied nations, alignment on timelines, and mutual recognition of cryptographic algorithms and modules. The Internet is one network, and its cryptography should be one standard.</p>
    <div>
      <h2>Speeding up CMVP</h2>
      <a href="#speeding-up-cmvp">
        
      </a>
    </div>
    <p>As a final note, the EO directs NIST to revise the processes used by the <a href="https://csrc.nist.gov/Projects/cryptographic-module-validation-program">Cryptographic Module Validation Program (CMVP)</a> to accelerate validations of cryptographic modules (<a href="https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/">Sec. 6(b)</a>). Having bumped up against the CMVP program for years, we are extremely happy to see this in the order.</p><p>CMVP exists for a good reason. Federal agencies and their contractors need a way to verify that the cryptography inside a product actually does what it claims: that AES is implemented correctly or that random number generators have enough entropy. CMVP has been tuned for a steady state where cryptography doesn’t change much.</p><p>Going forward, CMVP needs to be adjusted to accept the realities of the impending migration. We welcome the <i>FedRAMP update stream</i> that allows updated modules to be used immediately before final validation. This allows faster adoption of post-quantum cryptography, and correction of implementation errors that were missed in validation. Similar allowances for CMVP are essential.</p>
    <div>
      <h2>Go forth and PQ all the things</h2>
      <a href="#go-forth-and-pq-all-the-things">
        
      </a>
    </div>
    <p>This post-quantum EO is a meaningful step. It sets real deadlines and creates supply chain pressure that will accelerate adoption across the industry. </p><p>For organizations starting their own migration, we suggest you start by protecting your public Internet traffic along with updates to your procurement requirements, followed by a quantum impact inventory to figure out where to focus next. Do not let cryptography inventory slow you down from deploying post-quantum encryption across your most sensitive systems immediately. </p><p>Cryptographic deployment across the Internet depends on standards developed by the <a href="https://www.ietf.org/"><u>IETF</u></a>. The TLS community <a href="https://datatracker.ietf.org/wg/lamps/about/"><u>is</u></a> <a href="https://datatracker.ietf.org/group/plants/about/"><u>further along</u></a>, but there is lots more work to do across other protocol communities, and we look forward to supporting those efforts.</p><p>Let us go forth and PQ all the things, quickly and together. Free TLS helped encrypt the web. Free post-quantum cryptography will help secure it for what comes next.</p><p>You can get started now on Cloudflare by visiting our <a href="https://www.cloudflare.com/pqc/">PQC page</a>. </p> ]]></content:encoded>
            <category><![CDATA[Post-Quantum]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Cryptography]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Government Innovation]]></category>
            <category><![CDATA[Impact]]></category>
            <guid isPermaLink="false">6ecffq4Al52D0ka1U4p2OR</guid>
            <dc:creator>Sharon Goldberg</dc:creator>
            <dc:creator>Vincent Voci</dc:creator>
        </item>
        <item>
            <title><![CDATA[How we found a bug in the hyper HTTP library]]></title>
            <link>https://blog.cloudflare.com/hyper-bug/</link>
            <pubDate>Mon, 22 Jun 2026 18:00:00 GMT</pubDate>
            <description><![CDATA[ By rearchitecting the Images binding, we accidentally uncovered a bug that existed in the open-source hyper library across multiple major versions. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>The <a href="https://developers.cloudflare.com/images/"><u>Images</u></a> service, built in Rust on <a href="https://developers.cloudflare.com/workers/"><u>Workers</u></a>, runs on every machine in Cloudflare’s edge network. To handle client connections, we use <a href="https://github.com/hyperium/hyper"><u>hyper</u></a>, an open-source HTTP library for Rust.</p><p>Last year, we <a href="https://blog.cloudflare.com/improve-your-media-pipelines-with-the-images-binding-for-cloudflare-workers/"><u>introduced the Images binding</u></a> to enable custom, programmatic workflows for processing remote images in Workers. At the end of 2025, we rearchitected the binding to provide a more direct, local connection between the Workers runtime and the Images service.</p><p>Shortly after rollout, we received reports that transformation requests from the binding were failing — but only intermittently and only for larger images. Even stranger, the responses for these requests returned a <code>200</code> status without any errors logged. The image data was simply cut short: A response that should have been two megabytes might arrive with a few hundred kilobytes instead.</p><p>We spent six weeks chasing a nearly invisible bug — a race condition that occurred only under specific conditions — in the hyper library that impacted how the Images binding returned processed image data back to the client. In the end, it took four lines of code to fix it.</p>
    <div>
      <h3>Hops, handoffs, and hyper</h3>
      <a href="#hops-handoffs-and-hyper">
        
      </a>
    </div>
    <p>When developers build on Cloudflare, they compose full-stack applications from a set of platform services that are accessible to Workers through bindings. <a href="https://developers.cloudflare.com/workers/runtime-apis/bindings/"><u>Bindings</u></a> provide direct APIs to resources on the Developer Platform like <a href="https://www.cloudflare.com/products/#compute"><u>compute</u></a>, <a href="https://www.cloudflare.com/products/#storage"><u>storage</u></a>, <a href="https://www.cloudflare.com/products/#ai"><u>AI inference</u></a>, and <a href="https://www.cloudflare.com/products/#media"><u>media processing</u></a>.</p><p>The Images binding decouples image optimization from delivery; you can transcode, composite, or manipulate images without needing to return the output as an HTTP response. It also lets you apply <a href="https://developers.cloudflare.com/images/optimization/features/"><u>optimization parameters</u></a> in any order, rather than following the fixed sequence imposed by the <a href="https://developers.cloudflare.com/images/optimization/features/#url-interface"><u>URL interface</u></a>. Here, a worker can pass image data directly to the Images API, chain operations together, and get the processed result back as a stream:</p>
            <pre><code>const result = await env.IMAGES
  .input(image)
  .transform({ width: 800, rotate: 90 })
  .output({ format: "image/avif" });
return result.response();</code></pre>
            <p>At a high level, this is how image data moves through our various services:</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/25KzBWgTy4UfdPbzJOg1lO/9c179230f783e9012624a8a9d99b7dac/image4.png" />
          </figure><p><sup><i>The pipe represents a socket connection between the intermediary and Images, where data is handed off from one process to the next through the kernel’s buffer.</i></sup></p><p>The binding communicates with Images through a socket connection managed by the Workers runtime. A socket connection is a communication channel between two processes. Each end of the socket has buffers that are managed by the operating system’s kernel; these buffers are temporary holding areas where data sits after one side writes it but before the other side reads it.</p><p>Hyper manages the connection on the Images service’s side, reading incoming requests from the socket and writing responses back to it.</p><p>When a request uses the Images binding, the Images service reads the input, performs the requested optimization operations, and encodes the result. It then passes the entire encoded image to hyper as a single in-memory block. </p><p>Hyper writes this response data into its own internal buffer. At this point, hyper considers the encoding work as complete, since it has all the bytes that it needs to send. The next step is to flush its internal buffer to the socket’s outbound buffer, moving the data from the Images service to the intermediary on the other end.</p><p>If the reader on the other end is fast, then hyper can flush everything in one pass — the outbound buffer will have room because the reader is consuming data as quickly as it arrives. Once all data is sent, hyper issues a <code>shutdown</code> on the socket, signaling that the connection is finished and no more data will be written. But if the reader is slower (even by a few milliseconds), then the outbound buffer fills up, and hyper needs to wait until there’s room to continue writing.</p>
    <div>
      <h3>Taking the local</h3>
      <a href="#taking-the-local">
        
      </a>
    </div>
    <p>All incoming traffic on Cloudflare's network passes through FL, an internal intermediary service that runs security and performance features and routes requests to the appropriate backend. When we first launched the binding, image data flowed from the Workers runtime, through FL, to the Images service.</p><p>This path was a natural fit for our initial release and follows the same architecture as our URL interface. Over time, though, this coupling with FL became a constraint: Every change to the binding had to follow FL’s release cycle.</p><p>In December 2025, the Images team replaced FL with a new intermediary service, an internal worker binding that runs on the same machine. In the original architecture, data moved through FL over network sockets; this path carried the overhead of FL’s full processing pipeline, such as DNS lookups and routing.</p><p>The internal binding replaced these with Unix sockets to directly connect the services on the same machine, bypassing FL and the overhead of the network stack. This made the request path to Images faster and gave the team independent control over binding releases.</p><p>Within days of the rollout, we received our first customer report.</p>
    <div>
      <h3>200 OK (not OK)</h3>
      <a href="#200-ok-not-ok">
        
      </a>
    </div>
    <p>The first sign of trouble came from a customer with a non-standard setup: two layers of image processing, where one pipeline was nested inside another.</p><p>First, their worker used the Images binding to composite multiple large source images from R2 — a JPEG background plus PNG overlay layers — into a single combined JPEG. Second, they further compressed, transcoded, and resized the result through the URL interface.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2K8AiqgOV7Ka7uUUAnk5x0/ca1cc575e08b103ebb677ef66df7e87b/image2.png" />
          </figure><p><sup><i>The bug originated in the inner pipeline’s return path, where the response was truncated before reaching the outer pipeline.</i></sup></p><p>The inner pipeline (transformation binding) handled compositing. The outer pipeline (transformation URL) handled delivery optimizations like scaling and format conversion. This layered approach meant that when the inner pipeline silently returned a truncated response, the only visible error appeared one level up:</p>
            <pre><code>error reading a body from connection: end of file before message length reached</code></pre>
            <p>The outer pipeline received HTTP <code>200</code> from the inner one, with a <code>Content-Length</code> header that promised several megabytes. The actual body was only a fraction of that: In one request, only ~200 KB arrived out of an expected 3.3 MB. The error surfaced in the outer pipeline, but the truncation could have originated in the binding, the intermediary service, the Images service, or somewhere in between.</p><p>When a browser receives a truncated image, the result is visible. Depending on the format, the image either renders partially (e.g., with the bottom half missing or gray) or fails to decode entirely, instead displaying a broken image.</p>
    <div>
      <h3>Debugging in the dark</h3>
      <a href="#debugging-in-the-dark">
        
      </a>
    </div>
    <p>From here, we worked inward through the request path, testing each layer to isolate where the truncation was happening. Some of these efforts hit dead ends; others left breadcrumbs that narrowed the search:</p><ul><li><p><b>Building a reproduction.</b> We built a worker that mimicked the customer’s nested setup, then stripped away layers until we could trigger the bug with the binding alone. A small script let us fire requests in batches. In one early run, 19 out of 25 requests failed. The amount of data that did arrive — roughly 200 KB — was suspiciously close to the size of the socket buffer in production. This confirmed that the problem wasn’t tied to the customer’s configuration and gave us a reliable way to trigger the bug on demand.</p></li><li><p><b>Investigating timeouts.</b> Early on, we suspected the truncation might be related to timeout behavior (i.e., the connection was being closed after a time limit). This theory didn’t hold, as the truncation wasn’t correlated with request duration.</p></li><li><p><b>Updating hyper version.</b> When the bug was first reported, we were running 0.14.x, while the latest hyper version was around 1.8.x. We tested across hyper versions 0.14, 1.7, and 1.8, just in case the most obvious answer was the correct (and easiest) one. But the bug appeared in each version, which meant that there wasn’t an upstream fix.</p></li><li><p><b>Reproducing locally.</b> We ran local integration tests on macOS and a Debian VM. Even under considerable load, our local requests never triggered any failure. Making direct curl requests to the binding socket and replaying captured requests always seemed to work. The bug only appeared on the full production path when there was real concurrency and a real Workers runtime client on the other end of the socket. This led us to suspect the runtime itself.</p></li><li><p><b>Ruling out the Workers runtime.</b> We examined the HTTP client that the Workers runtime uses to communicate with Images through the binding socket. None of the traces from either side of the connection showed any syscalls that indicated an unexpected close or early termination. We observed that the client behaved correctly and multiple other services used the same client without issues.</p></li><li><p><b>Distributed tracing.</b> By inspecting request traces end-to-end, we confirmed that the truncated body was already present before it reached the outer transformation layer in the customer’s setup. That narrowed the problem to the inner pipeline — the binding path through the Images service.</p></li><li><p><b>Instrumenting the intermediary service.</b> We added instrumentation to the intermediary service to measure body sizes before forwarding the response data. The bodies were already truncated by the time they left the Images service, so the intermediary was ruled out.</p></li><li><p><b>Deeper tracing within the Images service.</b> At the service level, the request was processed, the image was properly encoded, and the response was sent with HTTP <code>200</code>.</p></li></ul><p>The only consistent signal was that the bug was timing-dependent: It appeared only on the production path, with real concurrency, and only for larger images.</p>
    <div>
      <h3>A kernel of truth</h3>
      <a href="#a-kernel-of-truth">
        
      </a>
    </div>
    <p>Tools for application-level debugging told only what the system thought it was doing. But according to the system, everything was fine: Tracing said the response was sent; logging reported no errors, and the Images service returned <code>200</code> on every request.</p><p>To see what the system was actually doing, we attached <code>strace</code> to the Images service. <code>strace</code> records the syscalls that a process makes to the kernel, which could show us exactly which bytes were written, when a shutdown was called, and whether the client sent any termination signal.</p><p>Setting up the trace was delicate. <code>strace</code> works by intercepting syscalls as they happen, which adds a small amount of timing overhead to each one. Filtering for a narrow set of syscalls kept that overhead minimal. Broadening the filter, however, slowed the process just enough to shift the timing between the flush and the shutdown check — and make the bug disappear entirely. That alone reinforced our theory that the issue was timing-sensitive.</p><p>Using a reproduction worker, we triggered the bug and compared the syscall output between successful and failing requests.</p><p>In a successful request, the response is written in chunks as the socket buffer allows, with shutdown called only after all the data is sent. For example, this may look like:</p>
            <pre><code>sendto(42, "HTTP/1.1 200 OK\r\nContent-Length: 14991808\r\n...", ...) = 219264
sendto(42, "\xff\xd8\xff\xe0...", 292352) = 292352
// ... keeps writing until buffer drains ...
sendto(42, "...", 292352) = 292352
shutdown(42, SHUT_WR) = 0</code></pre>
            <p>When we reproduced the bug, a failing request looked like:</p>
            <pre><code>sendto(42, "HTTP/1.1 200 OK\r\nContent-Length: 14991808\r\n...", ...) = 219264
shutdown(42, SHUT_WR) = 0</code></pre>
            <p>Here, there is only one write — just enough for the headers and a sliver of the body — before the shutdown is immediately called. Out of a 14.9 MB response, only about 219 KB was sent. The remaining ~14.8 MB of image data never left hyper’s internal buffer, nor was there any termination signal from the client between the write and the shutdown. Instead, the Images service prematurely shut down the connection on its own, genuinely believing it was finished.</p><p>The failing requests confirmed that the bug was a race condition that triggered intermittently. Whether a request succeeded or failed depended on whether the flush and shutdown operations overlapped, which changed from request to request. When the buffer was still full at the exact moment that hyper decided the connection was finished, data was lost.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7IaYVui9xakhcroOBifwmO/c22c004bcb85c7efe38f318b9db92a3f/image3.png" />
          </figure><p><sup><i>When the reader consumes slower than hyper writes, the outbound buffer fills up. If hyper shuts down the connection before the buffer drains, then only a fraction of the response makes it to the intermediary; this incomplete data gets forwarded back to the Workers runtime and the client.</i></sup></p><p>The December rearchitecture didn't introduce this bug, which had been present in hyper for years across multiple major versions. But the new intermediary changed who was reading on the response side of the socket. Our working theory is that FL, the previous intermediary, consumed data fast enough that the socket buffer rarely filled during a response. The new reader read at a pace that occasionally let the buffer fill during larger responses.</p><p>These few milliseconds of backpressure, introduced by an improvement that made everything else faster, were all it took to surface a flaw that had been hiding in plain sight.</p>
    <div>
      <h3>Inside the dispatch loop</h3>
      <a href="#inside-the-dispatch-loop">
        
      </a>
    </div>
    <p>Hyper's HTTP/1 connection lifecycle is driven by a state machine in a file called <code>dispatch.rs</code>. It runs a loop that reads requests, writes responses, flushes the write buffer to the socket, and decides when to shut down. In simplified form:</p>
            <pre><code>fn poll_loop(&amp;mut self, cx: &amp;mut Context&lt;'_&gt;) -&gt; Poll&lt;Result&lt;(), Error&gt;&gt; {
    loop {
        let _ = self.poll_read(cx)?;
        let _ = self.poll_write(cx)?;
        let _ = self.poll_flush(cx)?;

        if !self.conn.wants_read_again() {
            return Poll::Ready(Ok(()));
        }
    }
}</code></pre>
            <p>More precisely, the <code>let _</code> before <code>poll_flush</code> is where the bug lives.</p><p>In Rust, <code>let _ = expr</code> discards the expression's result, including <code>Poll::Pending</code>, the signal that the flush isn’t done yet. The flush might still have megabytes sitting in its buffer, but the loop never finds out.</p><p>When a request fails, this is the exact sequence of events:</p><ol><li><p>The Images service finishes encoding the image and hands the entire response to hyper as a single in-memory block.</p></li><li><p>Hyper writes the block into its internal buffer and marks its write state as <code>Writing::Closed</code>. From an encoding standpoint, the work is done — there is nothing left to encode.</p></li><li><p>Hyper calls <code>poll_flush</code> to move the buffered data to the socket. In our previous example, the socket accepted about 219 KB. The remaining ~14.8 MB stays in hyper's buffer. The socket is full, so the kernel returns <code>Poll::Pending</code>.</p></li><li><p><code>poll_loop</code> discards the <code>Poll::Pending</code> with <code>let _</code>.</p></li><li><p>It checks <code>wants_read_again()</code>. The full request was already received, so this returns <code>false</code>.</p></li><li><p><code>poll_loop</code> returns <code>Poll::Ready(Ok(()))</code>, signaling that the loop is finished, even though the flush is not.</p></li><li><p><code>poll_shutdown()</code> fires. The <code>SHUT_WR</code> syscall is issued.</p></li><li><p>The client receives 219 KB and an EOF (end-of-file) indicating that the connection is closed, even though it expects 14.9 MB.</p></li></ol><p>In the second step, hyper marks the write operation as complete as soon as the response body is buffered (i.e., when encoding is finished), rather than when it has actually been flushed. Most of the time, the flush completes in a single pass and this distinction is invisible. On the rare occasions when the socket buffer is full, the flush has to wait — even though hyper doesn't. The bytes are still sitting in hyper’s buffer, waiting to be flushed to the socket. Hyper proceeds to shut down the connection with this data still in the buffer.</p><p>This also explains why curl never triggered the bug. Curl reads data as fast as it arrives: The socket buffer never fills, the flush always completes immediately, and the discarded return value is harmless. The production path, with a reader that occasionally paused for a few milliseconds, was the only configuration where the buffer filled at exactly the wrong moment.</p>
    <div>
      <h3>Don’t forget to flush</h3>
      <a href="#dont-forget-to-flush">
        
      </a>
    </div>
    <p>After weeks of investigation, the fix itself was conceptually simple. Hyper needed to check whether the flush was actually done before moving on.</p><p>Our reproduction worker confirmed that the bug existed, but it couldn't tell us why a given request failed. Before writing the fix, we needed a test that could trigger the exact socket conditions inside hyper.</p><p>We knew the conditions that triggered the bug: a socket that accepts one chunk of data and then blocks. To test with a controlled scenario, we built a custom wrapper around a TCP stream that simulated a full socket buffer. The wrapper accepted 8 KB on the first write, then returned <code>Poll::Pending</code> on every subsequent write, mimicking a reader that stopped draining the buffer.</p><p>The test sent a 500 KB response through this constrained socket and checked whether hyper called shutdown while 492 KB was still buffered. Without a fix, it did. With the fix, it waited.</p><p>Initially, we applied the fix in hyper’s dispatch loop. Instead of discarding the result of <code>poll_flush</code>, we checked to see whether the flush was actually done:</p>
            <pre><code>let flush_result = self.poll_flush(cx)?;

if flush_result.is_pending() {
    return Poll::Pending;
}

if !self.conn.wants_read_again() {
    return Poll::Ready(Ok(()));
}</code></pre>
            <p>If the flush hasn't completed, then the loop returns <code>Poll::Pending</code> to the asynchronous runtime. The runtime waits for the socket to become writable, then wakes the task back up to continue the flush. The connection shuts down only after all data has been sent.</p><p>When we deployed this fix, we observed that every byte was written and the shutdown was called only after the buffer was actually empty. The customer who made the first report also confirmed that the issue disappeared.</p><p>While our initial solution worked, the dispatch loop wasn’t the right place for the fix. Returning <code>Poll::Pending</code> early could slow down other operations on the same connection by reducing how frequently reads are polled, causing unintended backpressure. It also doesn't correctly handle keepalive connections, where a single connection handles multiple requests in sequence — these should remain reusable even while the previous response is still being flushed. Neither issue affected our particular service (where keepalive is disabled), but both could affect other hyper users if the fix were contributed upstream.</p><p>We traced through hyper's connection lifecycle and found a more targeted approach. Rather than changing how the dispatch loop behaves, we applied the fix at the point where shutdown is actually called. Before shutting down the socket, hyper should first flush any remaining data in its buffer:</p>
            <pre><code>pub(crate) fn poll_shutdown(
    &amp;mut self,
    cx: &amp;mut Context&lt;'_&gt;,
) -&gt; Poll&lt;io::Result&lt;()&gt;&gt; {
    ready!(self.poll_flush(cx)?);
    Pin::new(&amp;mut self.io).poll_shutdown(cx)
}</code></pre>
            <p>This leaves the dispatch loop unchanged. It adds a flush only at the exact point where data loss would otherwise occur — the moment before shutdown.</p>
    <div>
      <h3>What stayed with us</h3>
      <a href="#what-stayed-with-us">
        
      </a>
    </div>
    <p>None of the tools at the application level surfaced any errors, crashes, or log entries that provided useful clues. Application-level observability can have a blind spot for bugs that live below its awareness.</p><p>The failure occurred intermittently, scaled with response size, couldn’t be reproduced with simple tools like curl, and disappeared when we observed the system more closely. These signals pointed to a timing-dependent bug in the connection layer, not in the application logic.</p><p>Our breakthrough came from using kernel-level tooling with <code>strace</code>, the one layer that records what actually happened on the socket. The underlying bug lived in the few milliseconds between a partial flush and a premature shutdown — a window that opened only after we made the system faster.</p><p>We merged our fix and the deterministic test into <code>hyperium/hyper</code> via <a href="https://github.com/hyperium/hyper/pull/4018"><u>PR #4018</u></a>. It will be available in a future hyper release, ensuring that any service using hyper’s HTTP/1 implementation won’t lose response data to the same race condition.</p><p>In the meantime, we’re running an internal fork with the patch applied. This fix stabilized the binding’s architecture, creating a reliable foundation to expand its functionality.</p><p>The Images binding initially covered only transformations of remote images. Earlier this month, we announced that <a href="https://developers.cloudflare.com/changelog/post/2026-06-10-hosted-images-binding/"><u>the Images binding now supports operations for hosted images</u></a>, giving developers a unified way to build media-rich applications on Cloudflare.</p><p>Read more about how the binding works in <a href="https://developers.cloudflare.com/images/storage/binding/"><u>our documentation</u></a>.</p><p>
</p> ]]></content:encoded>
            <category><![CDATA[Image Optimization]]></category>
            <category><![CDATA[Cloudflare Images]]></category>
            <category><![CDATA[Developers]]></category>
            <category><![CDATA[Developer Platform]]></category>
            <category><![CDATA[Cloudflare Workers]]></category>
            <category><![CDATA[Open Source]]></category>
            <guid isPermaLink="false">5X4Vz9KDcjIBXgHIFSuJFZ</guid>
            <dc:creator>Deanna Lam</dc:creator>
            <dc:creator>Diretnan Domnan</dc:creator>
            <dc:creator>Matt Lewis</dc:creator>
        </item>
        <item>
            <title><![CDATA[Temporary Cloudflare Accounts for AI agents]]></title>
            <link>https://blog.cloudflare.com/temporary-accounts/</link>
            <pubDate>Fri, 19 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ The moment an agent needs to deploy something, it slams face-first into a wall built for humans. Today we're rolling out Temporary Accounts on Cloudflare Workers. Any agent can now run wrangler deploy — temporary and get a live Worker in seconds. ]]></description>
            <content:encoded><![CDATA[ <p>Everyone's writing code with AI agents today. But the moment an agent needs to deploy something — and needs to sign up and create an account — it slams face-first into a wall built for humans: a browser-based OAuth flow, a dashboard to click through, an API token to copy-paste, a multi-factor authentication prompt to satisfy. For an interactive copilot sitting next to a developer, that's annoying. For a background agent, it's a hard stop.</p><p>Today we're rolling out Temporary Cloudflare Accounts for Agents.</p><p>Agents can now deploy <a href="https://www.cloudflare.com/solutions/frontends/"><u>websites</u></a>, <a href="https://www.cloudflare.com/products/workers/"><u>APIs</u></a>, and <a href="https://www.cloudflare.com/products/agents/"><u>agents</u></a> right away, without first needing to sign up for an account.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6joSXmAJAARgyGphPhXGla/9c3e8cef6f269df6a9c458495c5fe40b/image2.png" />
          </figure><p>Any agent can now run <code>wrangler deploy --temporary </code>and deploy a Worker to Cloudflare. This temporary deployment stays live for 60 minutes, during which time you can claim the temporary account, making it permanently your own. If you don't, it expires on its own.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7IKqILTXCvDH4QjNFtx2pp/798c00b190c9b9909a4501f29b8c18bb/image4.png" />
          </figure><p>Our goal? Let your agent code and ship.</p>
    <div>
      <h2>Why frictionless deployments matter for AI agents</h2>
      <a href="#why-frictionless-deployments-matter-for-ai-agents">
        
      </a>
    </div>
    <p>Frictionless temporary accounts matter more than it might first seem:</p><ul><li><p><b>Background AI sessions have no human in the loop, and are becoming the norm</b>. Any auth step that needs a browser, a copy-paste, or "click here in 60 seconds" means an agent gets stuck and may choose to deploy elsewhere.</p></li><li><p><b>Trial-and-error is the agent's superpower</b>. Agents need a tight write → deploy → verify loop. They need cheap, throwaway deployment targets, so they can curl their own output and decide whether they got it right.</p></li><li><p><b>Agent platforms are building their own ways for deploying code to "just work" without extra steps or credentials</b>. People are starting to expect that this process just works, without the need to sign up for other services that they've not used before or heard of.</p></li></ul>
    <div>
      <h2>How it works</h2>
      <a href="#how-it-works">
        
      </a>
    </div>
    <p>Temporary accounts are built around <a href="https://developers.cloudflare.com/workers/wrangler/"><u>Wrangler</u></a>, our Developer Platform command-line interface (CLI) tool that lets developers bootstrap new projects, manage their configurations and resources, and deploy and update them.</p><p>Wrangler usage is widely <a href="https://developers.cloudflare.com/workers/examples/"><u>documented</u></a> online and agents know how to use it very well. But if you hadn’t yet signed in and granted Wrangler permission to your Cloudflare account, when the agent tried to deploy, it would get stuck at the sign-up and authentication step. And you might rightly ask: How do agents and LLMs know that this new <code>--temporary</code> flag in Wrangler exists, so that they actually use it without a human explicitly telling them to do so?</p><p>To solve this, we updated Wrangler to prompt the agent with a message that tells it about the <code>--temporary</code> flag:</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4pF05TQ9S8HXvOmwD1zoG0/d99ae0ec7d82f26f85dbd5957759697e/image3.png" />
          </figure><p>When the agent discovers this, and then runs <code><b>wrangler deploy</b></code> again with the <code>--temporary</code> flag, Cloudflare provisions a temporary account for the agent to use, gives Wrangler an API token to work with, and provides a claim URL that the agent can give back to the human.</p>
    <div>
      <h2>Let’s go over every step of the flow</h2>
      <a href="#lets-go-over-every-step-of-the-flow">
        
      </a>
    </div>
    
    <div>
      <h3>Deploying and iterating on a new project</h3>
      <a href="#deploying-and-iterating-on-a-new-project">
        
      </a>
    </div>
    <p>Make sure you’re using the latest <a href="https://github.com/cloudflare/workers-sdk/releases"><u>Wrangler release</u></a>, fire up your favorite coding agent, and write a prompt to deploy a "hello world" app in build mode:</p><blockquote><p><code>Make a very simple hello world Cloudflare Worker in TypeScript and deploy it using wrangler, don't ask me questions, do the best you can</code></p></blockquote><p>The agent will run wrangler, pick up the <code>--temporary</code> flag from the output messages, build your script, and deploy it instantly, no human in the loop required:</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1Okmqkf7nBH7Hu2wsKWmnc/879cb6025e630bbd8a99b546de935828/image7.png" />
          </figure><p>As you can see, the agent wrote the script, deployed it using the <code>--temporary</code> flag, curled the preview link it got from the output, and verified that the result matches the code.</p><p>This is great, but agentic coding is often not about one single deployment. A session can go through a cycle of multiple code changes. This is not a problem: the agent can iterate on the Worker script and redeploy the changes as many times as it wants (within the 60-minute claim window). Type this prompt:</p><blockquote><p><code>Now change hello world to "hello cloudflare" and redeploy</code></p></blockquote><p>Look at the agent changing the source code, reusing the previously created temporary account, redeploying a new version and rechecking the result:</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3W86UmPyW5oQxpGkmEEJzL/6168e21df00111aedab481fee5b0a313/image5.png" />
          </figure>
    <div>
      <h3>Claiming the account</h3>
      <a href="#claiming-the-account">
        
      </a>
    </div>
    <p>At any point, you can claim the temporary account and make it yours permanently. When you click the claim link you will be taken to a page where you can either sign up for or sign in to Cloudflare, and then claim the temporary account that your Worker was deployed to. This includes claiming not just Workers, but resources like databases and other bindings, too.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3rrCw7HiJJxy6k3eyipWLR/5aca8cdcb2fc391ea27bab5f335449b0/image6.png" />
          </figure><p>If you do not claim these temporary accounts within 60 minutes, they will be automatically deleted.</p>
    <div>
      <h2>The road to frictionless agentic deployments </h2>
      <a href="#the-road-to-frictionless-agentic-deployments">
        
      </a>
    </div>
    <p>This is just one way we’re eliminating the signup barrier for agents. We recently <a href="https://blog.cloudflare.com/agents-stripe-projects/"><u>announced a partnership with Stripe</u></a> and a new protocol we co-designed that lets agents provision Cloudflare on behalf of their users — creating an account, starting a subscription, registering a domain, and getting an API token to deploy code, with no copy-pasting tokens or entering credit card details. Last month, we collaborated with WorkOS on the launch of <a href="https://workos.com/auth-md"><u>auth.md</u></a>, which anyone can adopt, to let agents provision new accounts using well-established, existing OAuth standards. </p><p>There’s a ton going on in this space, and we’re excited to keep making it easier for agents to use Cloudflare, and for developers to make their own apps <a href="https://isitagentready.com/"><u>agent-ready</u></a>. Temporary accounts are one more step toward frictionless agentic deployments — stay tuned for more. </p><p>Temporary accounts have some limitations, and their capabilities may change over time; check the <a href="https://developers.cloudflare.com/workers/platform/claim-deployments/"><u>developer documentation</u></a> for more information and then go build something. Point your agent at Cloudflare, see how far it gets, and tell us what we can improve or what delights you — share what you’ve built on <a href="https://x.com/CloudflareDev"><u>X</u></a> or hop into the <a href="https://community.cloudflare.com/"><u>Cloudflare Community</u></a>.</p> ]]></content:encoded>
            <category><![CDATA[Agents]]></category>
            <category><![CDATA[Wrangler]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Cloudflare Workers]]></category>
            <guid isPermaLink="false">2EKaG8rvH4FLnpEQVgvJ4I</guid>
            <dc:creator>Sid Chatterjee</dc:creator>
            <dc:creator>Celso Martinho</dc:creator>
            <dc:creator>Brendan Irvine-Broque</dc:creator>
        </item>
        <item>
            <title><![CDATA[Build your own vulnerability harness]]></title>
            <link>https://blog.cloudflare.com/build-your-own-vulnerability-harness/</link>
            <pubDate>Thu, 18 Jun 2026 17:59:40 GMT</pubDate>
            <description><![CDATA[ We break down the technical architecture behind our multi-stage vulnerability discovery harness and automated triage loop. Learn how we manage state controls, squash false positives through adversarial review, and route around LLM context limits. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>A few weeks ago, we published our initial findings from <a href="https://blog.cloudflare.com/cyber-frontier-models/"><u>Project Glasswing</u></a>, looking at what happens when you point frontier security models at an enterprise codebase. We also explored how our defensive structures adapt to protect our infrastructure and customers <a href="https://blog.cloudflare.com/frontier-model-defense/"><u>from threats posed by frontier AI</u></a>. Since then, the AI ecosystem has continued to shift rapidly — developers who've built tightly around a single model have already experienced what happens when that model is no longer available or gets superseded by a more capable one. These market shifts only reinforce our core thesis: no matter which underlying model is leading the pack on any given day, the future of agentic workflows will not be found in standalone models, prompts, or single-agent sessions. </p><p>Moving from a localized security "skill" to a continuous, fleet-wide scanning pipeline requires an architecture where models are treated as interchangeable components. Relying on a single model inherently limits defensive coverage, as the same system will tend to look at code paths through the exact same lens. To counter this, models should be frequently interchanged and cross-tested. By varying the models across the pipeline — such as using one model for initial discovery and an entirely different one for validation — we can ensure that vulnerabilities are cross-checked by distinct sets of logic. Furthermore, a true enterprise-scale harness must look beyond isolated repositories to trace vulnerabilities across cross-repo dependencies, ultimately filtering thousands of raw candidates down to a trusted, triaged queue of actionable fixes. </p><p>This post serves as a practical look at how to build that model-agnostic layer, focusing on how we manage state controls, eliminate false positives, and coordinate end-to-end triage at scale.</p>
    <div>
      <h2>Two objections, up front</h2>
      <a href="#two-objections-up-front">
        
      </a>
    </div>
    <p>The first post made the case for why generic coding agents can't do this job. The main issue is that agents only hold one hypothesis at a time, fill their context window after covering a sliver of a real repo, and then lose information during context compaction. For more details, <a href="https://blog.cloudflare.com/cyber-frontier-models/"><u>read that post</u></a>.</p><p>Before we move forward, we would like to answer two likely questions.</p><p><b>"Why not use subagents instead of a harness?" </b>Subagents are useful, and they are a good starting point. But security analysis needs hundreds of separate investigations that survive across runs, don't share a context window, and can be re-scoped and cross-referenced later. It needs persistence, deduplication, resumability, and eventually fleet-wide dependency tracing. That's an orchestration problem, and a prompt can't get you there.</p><p><b>"Is this blog post just an ad for frontier models?" </b>No. Our approach centers on the harness, not the model. When it comes to vulnerability discovery, we run it with whatever frontier model is currently best at what we need. When we point different models at the same target, they each turn up a different share of the bugs. The harness is the bit that lasts. If you build your own system, design it to be model-agnostic from day one. This will allow you the freedom to use any model of choice without constraints. </p>
    <div>
      <h2>It all starts with a skill</h2>
      <a href="#it-all-starts-with-a-skill">
        
      </a>
    </div>
    <p>We started with a ~450-line <code>security-audit</code> skill that we ran on a single repository, and adjusted the prompts until we surfaced real bugs. Later, we added the orchestration that became the plumbing of the entire system. The real value lives in the prompts themselves, and our prompts continue to carry the initial skill's attacker scenarios, bug classes, and anti-pattern detections nearly unchanged.</p><p>The skill was written to run a 7-phase audit in one session:</p><ul><li><p>Three parallel research agents do recon and write an <code>architecture.md</code>.</p></li><li><p>One <b>Hunter </b>agent runs per class attack, trying to break the code rather than review it.</p></li><li><p>Adversarial validators try to disprove each finding.</p></li><li><p>The survivors are written up as a human-readable vulnerability report.</p></li><li><p>They're also emitted as <code>findings.json</code> against a schema, and a mechanical check validates that file.</p></li><li><p>Finally, a fresh agent independently re-verifies every finding against the source.</p></li><li><p>The surviving, re-verified findings are submitted to the ingest API.</p></li></ul><p>That first skill maps almost directly onto the later harness:</p><table><tr><th><p><b>Skill phase</b></p></th><th><p><b>Harness stage</b></p></th></tr><tr><td><p>Recon agents write <code>architecture.md</code></p></td><td><p>Recon</p></td></tr><tr><td><p>Hunters run per attack class</p></td><td><p>Hunt</p></td></tr><tr><td><p>Validators disprove findings</p></td><td><p>Validate</p></td></tr><tr><td><p>Surviving findings become a report</p></td><td><p>Report</p></td></tr><tr><td><p><code>findings.json</code> is checked mechanically for schema adherence, not correctness</p></td><td><p>Mechanical validation of line numbers and functions in findings</p></td></tr><tr><td><p>Fresh agent re-verifies findings</p></td><td><p>Independent validation</p></td></tr></table><p>The skill worked, but it quickly revealed its limits. Looking at the coverage metrics, a single run finds only about half the bugs you'd catch across multiple runs. In our experience the ones it did find skewed toward the simpler and less subtle. Once your process is basically "run it ten times and diff by hand," you probably need to start looking at a real harness.</p><p>While running and fine-tuning the skill, we ran into three walls: </p><ul><li><p><b>Context exhaustion</b>: An hour in, the context window fills up and the model will cannibalize its own memory, instantly forgetting the bugs it spent all morning tracking down. We broke this bottleneck by externalizing the state entirely, treating the LLM as a stateless compute engine. </p></li></ul><ul><li><p><b>Persistence</b>: A crash mid-run means starting over. Losing hours of work to one AI rate-limit error or connection flakiness is an incredibly expensive way to realize you need a better architecture. </p></li></ul><ul><li><p><b>Cross-repo reasoning</b>: A single repo session is completely blind to the relationships between applications that consume it, and the number of bugs that surface when you inspect the interface between components is probably more than one might expect.</p></li></ul><div>
    <p><strong>ADVICE:</strong> A real but minimal harness consists of just Recon, Hunt, and Validate stages kept in a database, alongside a separate <strong>Validator</strong> that can't file its own findings. You should skip cross-repo tracing entirely until you have more than one repository that matters. Skip a dedicated Deduplication agent until you are actively drowning in noise. Start with a skill in your development environment, get your prompts working well, and only build the next architectural stage when not having it is the specific thing slowing you down.</p>
</div>
    <div>
      <h2>Codifying the skill into a pipeline</h2>
      <a href="#codifying-the-skill-into-a-pipeline">
        
      </a>
    </div>
    <p>Most AI security write-ups in this space are about a single repo or a curated benchmark; running a whole fleet this way, with cross-repo tracing, isn't something we've seen written up elsewhere. Our codebase spans a massive mix of languages — Rust, Go, C, Lua, TypeScript and Python, alongside various configuration management systems, static configs, and all sorts of additional context. So we had to come up with something new that worked for us. Going from that first slash-command run to a fleet scanner that could cover 128 distinct repos, automatically finding and interrogating relevant dependencies, took about six weeks. Codification was mostly mechanical: we lifted each phase of the skill into its own agent, put a database behind it and an orchestrator in front. The mapping was almost one-to-one.</p><p>The entire fleet runs on one unified harness with no per-language tuning and traces the dependencies between repos. While offloading syntax to a model makes the system language-agnostic, the differentiator is its ability to trace dependencies <i>between</i> repos. The harness itself doesn’t care if it’s looking at C pointers or a TypeScript file; it focuses on the higher-level logic of security orchestration. This allows us to scale across hundreds of different codebases, without having to write custom language parsing. </p>
    <div>
      <h2>A two-stage vulnerability research workflow</h2>
      <a href="#a-two-stage-vulnerability-research-workflow">
        
      </a>
    </div>
    <p>Our entire vulnerability research workflow is built on a two-stage operational framework: the <b>Vulnerability Discovery Harness (VDH) </b>and the <b>Vulnerability Validation System (VVS).</b></p><p>The VDH functions as our discovery engine, proactively scanning codebases to surface potential security issues. Once bugs enter the VVS, which allows multiple harnesses to feed into it, they go through stages of Deduplication, Judgment, and finally Fixing, as we’ll talk about later.</p><p>We use one model for VDH, but we use a completely different model for VVS, so the models are effectively double-checking each other. There is an obvious security benefit to this: by forcing Model B (VVS) to judge the output of Model A (VDH), you ensure that the finding is evaluated by an entirely different set of logical weights and training data — one that acts as an unbiased, adversarial third party whose sole job is to ruthlessly stress-test Model A's assumptions.  And operationally, we benefit from treating model providers like interchangeable commodities. Model providers can change temperature, caching, and inference effort budgets over time, even within one model version. Instead of building a system that depends on a model behaving predictably over time, our harness is built to absorb downstream volatility without breaking.</p>
    <div>
      <h2>Stage 1: Vulnerability Discovery Harness (VDH)</h2>
      <a href="#stage-1-vulnerability-discovery-harness-vdh">
        
      </a>
    </div>
    <p>The first post covered what each agent/stage is for, so we'll talk about the parts it didn't: the glue between stages, and the handful of details that decide whether any of it works.</p><table><tr><th><p><b>Agent/stage</b></p></th><th><p><b>Primary Role</b></p></th><th><p><b>Sub-agents / Tooling</b></p></th></tr><tr><td><p><b>Recon</b></p></td><td><p>Maps out the target architecture and maps potential threat vectors</p></td><td><p>3 parallel Recon sub-agents write <code>architecture.md</code></p></td></tr><tr><td><p><b>Hunt</b></p></td><td><p>Runs per-class attacks, compiles fragments, probes binaries</p></td><td><p>It spawns siblings (these handle between 9% and 20% of fleet-wide tasks depending on the model). It reaches out to and writes to the Wishlist tool. </p></td></tr><tr><td><p><b>Validate</b></p></td><td><p>Mechanically checks the finding, then adversarially disproves it</p></td><td><p>Runs in two passes: plain code handles the initial schema/path checks, then a single isolated agent tries to disprove the finding before it can be filed. </p></td></tr><tr><td><p><b>Gapfill</b></p></td><td><p>Generates new hunt tasks for empty coverage cells</p></td><td><p>Enqueues fresh hunt tasks for any under-tested (area × attack-class) cells that still look thin</p></td></tr><tr><td><p><b>Dedup</b></p></td><td><p>Identifies and consolidates overlapping findings</p></td><td><p>Combines deterministic code and agents to cluster findings by root cause, folding them together in real time</p></td></tr><tr><td><p><b>Trace</b></p></td><td><p>Walks dependency graph; spawns consumer-repo tasks</p></td><td><p>Walks the graph to add hunt tasks inside every identified consumer repo to make sure cross-repo bugs are caught</p></td></tr><tr><td><p><b>Feedback</b></p></td><td><p>Learns from pre-existing reports and optimizes future runs</p></td><td><p>Takes validation failures, shallow runs, and repeated misses, and instantly rewrites queued prompts to make future tasks sharper.</p></td></tr><tr><td><p><b>Report</b></p></td><td><p>Renders human-readable report</p></td><td><p>Just a script, no model required</p></td></tr></table><p><sup><i>Table 1: Vulnerability Discovery Harness (VDH)</i></sup></p><p>Stages four through eight run as a continuous producer-consumer loop. As the initial hunt progresses, the <b>Gapfill, Feedback </b>and <b>Trace agents</b> generate new tasks; <b>Dedup</b> folds overlapping findings back together and the rest of the loop keeps consuming the queue. This ensures a vulnerability discovered late in the cycle is still validated, reported and checked against other code to make sure it doesn't contain the same bug, all within the same run.</p><p>Splitting the pipeline this way guarantees strict context controls. If you fill the context window, the model starts hallucinating. We keep each agent’s job hyper-focused, keeping context usage below 25% of the total window. A naive “<i>read all files</i>” approach will blow past this limit every single time.</p><p>One thing that caught us out was that persistence needs to be factored in before parallelism. You do not want to throw away a five-hour run because of an unforeseen error. Every stage writes to one SQLite database keyed by (<code>run_id</code>, <code>repo</code>, <code>stage</code>). Any stage can resume, retry, or get pulled into a later run without redoing work. Findings are streamed and saved as they happen, so a crash costs you the task in flight and nothing else.</p><div>
    <p><strong>ADVICE: </strong>Sometimes a transient API error comes back as text in the (<code>200 OK</code>) response stream instead of throwing a code exception. To the orchestrator, this looks exactly like a task that finished cleanly. You must explicitly classify the response text, not just trust the exception type, or you end up logging empty runs as successes.</p>
</div>
    <div>
      <h3>Dynamic threat modeling</h3>
      <a href="#dynamic-threat-modeling">
        
      </a>
    </div>
    <p>During the <b>Recon</b> stage, the agent writes the threat model instead of being handed one. Beyond about ten built-in attack classes (many forms of injection, memory corruption, protocol parsing, timing side channels, and others), the <b>Recon </b>agent can invent repo-specific classes on the spot, each with its own methodology. It writes a custom taxonomy tailored specifically to that codebase, which is used to more tightly scope the <b>Hunter </b>agents.</p><p>Reading source code isn’t enough to understand how it behaves under stress, especially for subtle undefined-behavior bugs in C and other lower-level languages. The <b>Hunter </b>agents move past code reading and transition into active execution. They compile fragments, build small versions, and attack them. The biggest jump in quality came from giving <b>Hunters</b> a sandbox (built on <code>unshare</code>) to crash binaries.</p><div>
    <p><strong>ADVICE: </strong>If the harness itself runs inside Docker, that sandbox needs <code>seccomp=unconfined</code> and <code>apparmor=unconfined</code> or it will silently fail to start. It’s a one-line fix that saves you a day of head-scratching if you aren't an expert in nested containerization, like us.
</p>
</div>

    <div>
      <h3>Micro-forks and the wishlist</h3>
      <a href="#micro-forks-and-the-wishlist">
        
      </a>
    </div>
    <p>Beyond the core pipeline stages, we added two specialized mechanisms that grant the <b>Hunters</b> significant autonomy to adapt their focus and request external resources without derailing an ongoing analysis:</p><p><b>Sibling Forking</b>: This helps ensure that if a <b>Hunter</b> agent trips over an interesting code path that is outside the current scope, it doesn’t wander off track. It uses a tool call to fork a sibling agent with a precise structural seed. Fleet-wide, this accounts for roughly 9% of tasks, though the rate is highly model-dependent — from near-zero to about a fifth, depending on which model is hunting.</p><p><b>The Wishlist</b>: When an agent needs a tool it doesn't have, often a <b>Validator</b> confirming a Proof of Concept (PoC) or a <b>Hunter </b>wanting to build something (like a specific build environment, a VM, or some prod config files), it writes to a central wishlist. It provides enough context for the system to automatically re-run that exact task once a human provides the dependency. Some of these can be partly self-healing: if the container needs to be rebuilt with some changes, this can autonomously happen after the run by having a generic coding harness monitor the logs.</p><p>The wishlist has been written to 25,472 times across 128 repos since the wishlist was added, and it's the main way the agents talk back to us. One that landed while we were writing this: "<i>I need a FreeBSD VM to confirm this PoC end-to-end.</i>"</p>
    <div>
      <h3>Fleet-wide cross-repo tracing</h3>
      <a href="#fleet-wide-cross-repo-tracing">
        
      </a>
    </div>
    <p>After the initial cleanup, a <b>Tracer</b> agent checks how different software components are connected. It looks for a specific path: can a potential attacker send harmful input from the outside to a vulnerable part of the system? If the answer is yes, the <b>Tracer</b> agent automatically spawns fresh hunt tasks inside the consumer repository. To make this work, you need a unified, cross-repo symbol index and an accurate dependency graph. This allows you to uncover deep, systemic flaws that a standard single-repo scan would miss.</p><p>Running our harness across an entire fleet of repos revealed two lessons that only surfaced when this was done at scale. </p><p>First, deduplication is its own problem, big enough to need its own agents. When you are scanning a handful of repositories, you can manually eyeball overlapping bugs. Simple string matching or file-path checks won't save you here. Determining whether two complex logic flaws are actually the exact same root bug sounds trivial, but it isn't. It requires so much cognitive reasoning that we had to deploy dedicated <b>Dedup</b> agents just to clean up the noise, along with their own heuristics and ways of reducing the work.</p><p>The second is to not wire in static analysis early. We plumbed Semgrep all the way through, and the <b>Hunters</b> invoked it zero times in a month of runs. They would rather read and run the code. The wishlist, by contrast, was the single most-used tool in the system. It's worth paying attention to what the agents actually reach for, rather than what you think they'll want.</p>
    <div>
      <h3>Making findings you can trust</h3>
      <a href="#making-findings-you-can-trust">
        
      </a>
    </div>
    <p>The agent will edit the source code so its own exploit works, then triumphantly report the bug it just created. It will write a test that proves something entirely tautological like “<i>exec() executes things, therefore critical vulnerability</i>”. Or it builds an exploit that runs fine but proves nothing, because the threat model behind it is nonsense. If your harness doesn't actively fight this, all you've built is a faster way to produce junk.</p><p>A <b>Hunter </b>has to state the threat model before it's allowed to file anything. It has to define exactly who the attacker is, and what boundary the vulnerability crosses or what assumption it breaks. The output schema ordering enforces it. This requirement eliminates the vacuous findings, the "<i>if a user has database write access, they can write to the database</i>" kind.</p><p>Every confirmed finding ships with a PoC written as a test that runs against the original, untouched codebase. This prevents the agent from editing the source files to force an exploit to land. If there is no working PoC, we treat the finding as fake. In practice, that's a <b>Hunter</b> compiling a thirty-line parsing loop, running it with memory protection enabled, and demonstrating that the incorrect read stride is originating from a stack address rather than the expected message body. You can re-run it yourself. Furthermore, every confirmed finding must also ship a proposed patch. What actually reaches our review queue is a verified bug, a working test, and a functional git diff, not just a vague text description of a problem.</p><p>Before an exploit path survives, deterministic code (written in plain code, not another model) mechanically verifies that the cited files and paths actually exist, and confirms that both the patch and the test parse correctly. This <b>Validator </b>cannot log findings of its own; its sole job is to aggressively disprove the <b>Hunter</b>'s theory. If a <b>Hunter </b>is allowed to grade its own homework, it will confidently validate everything it outputs.</p><p>We don't claim a false-negative rate for our system. There's no labeled set of every real bug in a codebase, so any claimed recall number is entirely speculative. What we can watch is whether re-runs keep turning up new bugs (they do) and whether coverage is still growing across runs. It’s all a proxy, as you don’t know for sure how many bugs exist in a single codebase, but it’s a good-enough way of measuring effectiveness.</p>
    <div>
      <h2>Stage 2: Vulnerability Validation System (VVS)</h2>
      <a href="#stage-2-vulnerability-validation-system-vvs">
        
      </a>
    </div>
    <p>A finding coming out of the harness is just the start of the triage process, with all discoveries landing in a single, shared VVS that currently holds 13,841 findings across 145 repos in total. Triaging that volume is its own massive engineering problem, and it matters just as much as the hunting. That triage engine runs on a different model from the harness, broken down into three distinct jobs.</p><table><tr><th><p><b>Agent/stage</b></p></th><th><p><b>Primary role</b></p></th><th><p><b>Spawns/ sub-agents/tooling</b></p></th></tr><tr><td><p><b>Dedup</b></p></td><td><p>Identifies if a vulnerability is already in the system, or raised as internal Jira ticket already</p></td><td><p><b>Deterministic:</b> plain code builds inverted indexes over files, functions, trust boundaries, and rare tokens, then hands each finding a short candidate list 

<b>Probabilistic:</b> <b>Dedup</b> agent reasons over that short list, Stable cross-run key reopens existing records</p></td></tr><tr><td><p><b>Judgment</b></p></td><td><p>Production reachability and validation</p></td><td><p>Single agent — builds context about the bug from MCP servers, to get the shape of what the service looks like in production. Searches the wiki, Jira, git, config, and all available other sources to try and understand whether a bug is truly applicable to our production environment, and then score the vulnerability against this. It also validates the bug against source code to understand if the bug still exists on the latest main branch.</p></td></tr><tr><td><p><b>Fixing</b></p></td><td><p>Generates patches, runs regression tests</p></td><td><p>Runs the regression test before and after (filtered to the affected test; full suite only when per-test filtering isn't available). It requires a clean fail→pass flip on the target test to clear the gate. If the post-patch test fails, or if a global run detects downstream regressions, the commit is automatically blocked and flagged for human intervention.</p></td></tr></table><p><sup><i>Table 2: Vulnerability Validation System (VVS)</i></sup></p>
    <div>
      <h3>Deduping</h3>
      <a href="#deduping">
        
      </a>
    </div>
    <p>Comparing every single finding against every other finding using an LLM scales at O(N^2), which falls apart completely at scale. To keep the model off the critical path, deterministic code builds inverted indexes over the structured data (touched files/functions, trust boundary, rare tokens) to generate a short list of real candidates. Only then does an agent look at that short list to see if a single fix would close several of them. Stable cross-run keys ensure re-found bugs reopen existing records rather than spawning new ones.</p>
    <div>
      <h3>Contextual judgment</h3>
      <a href="#contextual-judgment">
        
      </a>
    </div>
    <p>Judgment is a second, independent pass over what survived. The agent rechecks the latest information, pulling from deployment, environment, and config context to determine if the code path is reachable in prod, and identify the repo owner. This process filters "exploitable now" from "real but latent" and from "real but filed against the wrong component." It's moving a pile of chaotic findings into a risk-driven orchestration workflow.</p>
    <div>
      <h3>Automated fixing</h3>
      <a href="#automated-fixing">
        
      </a>
    </div>
    <p>The <b>Fixer </b>takes the proposed patch and unit tests, rewrites them to match the repo’s style, applies the diff, and runs targeted tests. A clean fail→pass flip is the ideal and the only auto-cleanup case; a failing post-patch test blocks the commit. The <b>Fixer</b> never merges code on its own; a human must review the branch. This gate is the non-negotiable, human-in-the-loop safeguard that enables a clean, unbreakable cryptographic trail for change management compliance. Left to patch freely, a model will happily fix a security bug while quietly breaking an unrelated feature or adding dozens of new bugs.</p><p>Across all three triage jobs, each agent is confined to one narrow task wrapped in deterministic bookkeeping code, and nothing writes to production without a human signing off on a dry run. While this pipeline moves the engineering bottleneck from finding bugs to reviewing and landing fixes, the <b>Fixer </b>remains the youngest and slowest part of the system. </p>
    <div>
      <h2>What it costs</h2>
      <a href="#what-it-costs">
        
      </a>
    </div>
    <p>Running hundreds of agents over a fleet of repos is not cheap, but at least the shape of the spend is predictable. Almost all of the compute budget goes directly into the hunt stage. This makes <b>Gapfill</b> our cost-to-coverage lever, as each additional pass costs roughly half as much as the initial hunt.</p><p>Because the cost per repository varies wildly, we budget per repo rather than per run. We enforce a strict task cap per repository and spin up a worker pool of anywhere from 50 to 200 workers. That way you can spend money on the repos that are actually finding things, and not waste it on the ones that aren't.</p><p>It's also why, for us, the big scans are a periodic backlog sweep and not a per-PR check. A full scan of a complex repo can take hours; the worst run took just over 14 hours. Cheaper, smaller harnesses are the right tool for that job.</p>
    <div>
      <h2>How we tell it's working</h2>
      <a href="#how-we-tell-its-working">
        
      </a>
    </div>
    <p>We measure our system’s effectiveness by tracking how efficiently our automated pipeline filters deliberate engineering noise into high-quality, actionable findings. Because we intentionally tune our <b>Hunters</b> to over-report subtle primitives that could be chained into larger attacks, our true indicator of success is how sharply we can refine that initial mountain of raw data, before it ever reaches a human.</p><p>To gauge this, we track exactly how many raw findings survive each validation stage over time. Thanks to better context injection from our Recon phase, our initial validation rejection rate dropped from 40% down to 11%, while the share of high-integrity findings climbed from 35% to 58% (representing ~12,057 lifetime findings).</p><p>Here's the lifetime breakdown from raw candidates to actionable findings, at the point in time this blog post was written.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/65jRLGhBLnc1IvleCfC7rh/7246ae5bb6b63d7e7ee655704f224200/BLOG-3344_2.png" />
          </figure><div>

<p><strong>Vulnerability Discovery Harness (VDH)</strong></p>
<ul>
    <li><strong>Raw candidates:</strong> Everything the discovery harness emitted before independent validation.</li>
    <li><strong>Needs repro:</strong> Findings that appeared plausible but required manual reproduction before being trusted.</li>
    <li><strong>Rejected at validation:</strong> The validator disproved the threat model, exploit path, affected code, or evidence.</li>
    <li><strong>Duplicates:</strong> Candidates collapsed onto another finding from the same harness.</li>
    <li><strong>Survived validation:</strong> Findings that passed the independent validation gate and moved into the VVS.</li>
    <li><strong>Bugs that went elsewhere:</strong> Findings deliberately routed outside this flow.</li>
</ul>


<p><strong>Vulnerability Validation System (VVS)</strong></p>
<ul>
    <li><strong>Another vulnerability harness:</strong> Other automated sources feeding the same validation system.</li>
    <li><strong>Total bugs in system:</strong> The combined pool after ingest.</li>
    <li><strong>Duplicates:</strong> Findings the dedup pass identified as already covered by another canonical finding or ticket.</li>
    <li><strong>Wrong repo / other / not a risk:</strong> The noise bucket: misattributed findings, defense-in-depth, or latent risks.</li>
    <li><strong>Bugs sent to teams:</strong> Finalized, clean findings ready for remediation.</li>
    <li><strong>Judged Internet-exploitable:</strong> High-urgency findings a realistic attacker could trigger in production.</li>
    <li><strong>Not judged Internet-exploitable:</strong> Lower-urgency, actionable bugs (production issues, dependency risks, or config errors).</li>
    <li><strong>Final severity split:</strong> The categorization used to assign priority for the engineering teams.</li>
</ul>
</div><p>The core metric of the harness isn’t a speculative recall score — it’s keeping the number of unconfirmed findings in front of real humans as close to zero as possible. The architecture needs to be a relentless filtering funnel.  </p><ul><li><p>Out of <b>20,799</b> raw candidates generated by VDH, only about 12,057 survived validation. </p></li><li><p>When these were pushed into the VVS, joining findings from another harness, the central pool was brought to <b>13,841</b>. </p></li><li><p>The <b>Dedup</b> agent folded away <b>5,442</b> findings as duplicates. </p></li><li><p><b>1,154</b> were routed to the queue as ‘wrong-repo’ or ‘low-risk’ and were recycled back into the system where appropriate. </p></li><li><p>Ultimately this left <b>7,245</b> actionable findings for engineering teams to act on.</p></li></ul><p>Traditional compliance rules dictate arbitrary remediation windows based entirely on a static CVSS score (e.g., "Fix all Highs in 30 days"). Our contextual judgment layer turns this compliance checkbox into actual risk management. </p><p>The architecture is capable of tracking findings back to their origin, meaning that fixing a single root cause resolves an entire cluster of findings rather than just patching individual issues. VDH system performance is also measured by dividing repos into (area x attack-class) cells and running the <b>Gapfill</b> agent iteratively until it stops producing findings. Whenever we update an underlying prompt, we test it against a held-out repository to see if that total coverage cell number actually moves.</p><p>The harness wires automated health signals to catch system failures early in the pipeline. If a hunt finished suspiciously fast and fails to spawn sub-hunts or gap tasks, it usually indicates a crashed dependency rather than a clean codebase. To remedy this, the system flags any <b>Hunter</b> agent that finishes with zero findings as “shallow” and immediately requeues it for a new run.  </p><p>Finally, our system’s robustness is reinforced by the independent triage pass described earlier. By re-judging all submissions with a different model and separate logical weights, we ensure an unbiased, adversarial verification that is decoupled from the specific model used for discovery, providing a trust layer that persists regardless of which model is in use.</p><p>None of this is finished. We change our system constantly, and it is nowhere near a perfect science. But raw candidate findings are cheap now, and the only work worth doing is turning them into sound, verifiable code fixes.</p><p>Building your own harness means accepting that AI models are volatile, but your orchestration layer doesn't have to be. By decoupling your security logic from any single provider, forcing adversarial verification, and automating your triage pipeline, you can turn a mountain of LLM noise into a reliable, fleet-wide defense engine.</p>
    <div>
      <h3>Our “North Star” metrics: measuring real-world velocity</h3>
      <a href="#our-north-star-metrics-measuring-real-world-velocity">
        
      </a>
    </div>
    <p>Every codebase is a little different, so to show you how this actually works in the real world, we mapped out a realistic benchmark based on a standard repo run. Keep in mind that this represents a single pass on one repo; over time, as the continuous fleet-wide loop deduplicates, filters, and recycles findings, it reduces the volume of lifetime candidates by roughly 65%. </p><p><b>Engineering hours saved via automated patching: </b>Rather than focusing on static baselines, we measure the health of our pipeline by its technical throughput, processing velocity, and its ability to eliminate the manual triage bottleneck:</p><ul><li><p><b>Initial Validation Cut:</b> For a standard repository (~30k lines of code), this yields 100 initial findings, with a full run taking 3-4 hours, maintaining a hyperfocused context window throughout. </p></li><li><p><b>Compression:</b> The Deduplication and Contextual Judgment Layers process these candidates in parallel. Within 3 hours, the system compresses and refines the batch of findings from ~100 raw candidates to 80 distinct, high-fidelity bugs.</p></li><li><p><b>Remediation: </b>The automated Fixer processes these 80 distinct bugs at an average rate of 5 minutes per bug. In total, the system can discover, validate, deduplicate, and open functional pull requests in approximately 14 hours. </p></li></ul><p><b>Shrinking mean-time-to-resolve for critical flaws: </b>Of course, you can’t dump 80 patches into production all at once without breaking things. To keep deployments safe, our system uses a tiered rollout:</p><ul><li><p><b>Critical Exposure Containment</b>: The system isolates the critical, high, and exploitable bugs (avg. 10 out of 80). We fast-track these for a human review and introduce them into release cycles, getting them fully patched in production in 5 days.</p></li><li><p><b>Incremental Hardening: </b>The remaining latent risks, minor config anomalies, and lower-urgency bugs are incrementally rolled into prod over a 15-20 day window to guarantee platform stability.</p></li></ul>
    <div>
      <h3>How we’re handling all of this patching</h3>
      <a href="#how-were-handling-all-of-this-patching">
        
      </a>
    </div>
    <p>These findings are the result of an isolated, ring-fenced research experiment designed to stress-test our code. They do not represent active, unpatched vulnerabilities in our live production environment.</p><p>Because the harness runs constantly in our test environments, these specific numbers are completely out of date by the time you're reading this. Every single bug surfaced by the pipeline came attached to a working test case to demonstrate the bug and a draft patch. Our security teams are systematically processing the reports and applying the necessary fixes, meaning the Cloudflare products you use every day are already actively hardened against these vectors.</p><p>Along with this blog post, we’re releasing the initial skill we used to develop the harness, it’s been slightly cleaned up before release so it’s easier to understand and integrate, but the skill itself remains substantially the same. Hopefully the harness itself will follow shortly. This could be a starting point for your own vulnerability harness, your own skill, or whatever suits your needs best:
<a href="https://github.com/cloudflare/security-audit-skill"><u>github.com/cloudflare/security-audit-skill</u></a></p><p>If your team is working on the same problems and would like to compare notes, reach out to us at <a href="#"><u>security-ai-research@cloudflare.com</u></a>.</p> ]]></content:encoded>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Engineering]]></category>
            <category><![CDATA[Research]]></category>
            <category><![CDATA[Vulnerabilities]]></category>
            <guid isPermaLink="false">5Ad3Svz0xFxJQNx6eQZjJP</guid>
            <dc:creator>Dan Jones</dc:creator>
            <dc:creator>Alexandra Godoi</dc:creator>
            <dc:creator>Grant Bourzikas</dc:creator>
        </item>
        <item>
            <title><![CDATA[Celebrating 12 years of Project Galileo]]></title>
            <link>https://blog.cloudflare.com/celebrating-12-years-of-project-galileo/</link>
            <pubDate>Thu, 18 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ To mark the 12th anniversary of Project Galileo, Cloudflare has released its first comprehensive report analyzing cyberattacks against civil society. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, <a href="https://www.cloudflare.com/galileo/"><u>Project Galileo</u></a> provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 countries. We <a href="https://blog.cloudflare.com/protecting-free-expression-online/"><u>continue</u></a> to believe that a better Internet is one where anyone with an idea can reach a global audience. </p><p>Each year on the anniversary of Project Galileo, we announce new products, programs, and strategic partnerships. To celebrate our 12th anniversary this year, we’re publishing <a href="https://cfl.re/cyberattacks-against-civil-society-project-galileo-anniversary-report"><u>our first comprehensive report</u></a> on cyberattacks targeting civil society, releasing <a href="https://www.cloudflare.com/project-galileo-case-studies/"><u>case studies</u></a> that explore the security needs of 16 Project Galileo participants, and announcing new project partners.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5zpBBx4zy05RzFxIgPaU0e/387446f9439c2d4a5c39a9bb4bf69151/image1.jpg" />
          </figure>
    <div>
      <h3>Introducing a new annual report on cyberattacks against global civil society</h3>
      <a href="#introducing-a-new-annual-report-on-cyberattacks-against-global-civil-society">
        
      </a>
    </div>
    <p>Because Project Galileo now includes 3,400 domains belonging to organizations in over 120 countries, Cloudflare has access to unique data regarding the cyber threats, attacks, and trends targeting civil society — a critical pillar of global democracy. In addition, because the Cloudflare network spans more than 335 cities in 125 countries and more than 20% of the web sits behind it, we were also able to compare attacks targeting civil society with those targeting the Internet more broadly. The full report can be explored <a href="https://cfl.re/cyberattacks-against-civil-society-project-galileo-anniversary-report"><u>here</u></a>.</p><p>This year’s data demonstrates that civil society organizations were targeted more frequently, and often more intensely, than other Internet users. Cyberattacks often coincided with critical moments in civil society’s work, such as publishing investigative reporting or conducting public advocacy. Our key findings include: </p><ul><li><p>DDoS attacks were the most common cyber threat against civil society. Their defining feature was duration, with some spanning days and weeks.</p></li><li><p>Civil society groups faced attempts to exploit website vulnerabilities at a rate more than seven times higher than other Cloudflare customers. Media organizations were disproportionately impacted.</p></li><li><p>Journalists operating in exile faced a rate of malicious traffic that was nearly four times higher than journalism organizations overall. </p></li><li><p>Nearly 10% of all emails Cloudflare processed for civil society included potential phishing material. </p></li></ul><p>We conclude our report with a call to action: ensure simple and affordable cybersecurity for all, expand transparency about cyberattacks and Internet shutdowns, and embed AI and post-quantum protections into security tools by default. We hope this report can serve as a resource for civil society, policymakers, and the broader public seeking to understand and respond to cyberattacks. Moving forward, we plan to produce it annually, allowing us to compare cyber threat trends over time. </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4R8hMYIay2Pggu4onnFw60/c589c48b148420333a4b0356871cdefd/image3.jpg" />
          </figure><p>In addition to the report, Cloudflare released the following qualitative <a href="https://www.cloudflare.com/project-galileo-case-studies/"><u>case studies</u></a> that add context about each organization’s security needs.</p><table><tr><th><p>Organization</p></th><th><p>Description</p></th><th><p>Country/Region of Operation</p></th></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/share-foundation/"><u>SHARE Foundation</u></a></p></td><td><p>Nonprofit advocating for privacy, free expression, and other digital rights.</p></td><td><p>Serbia </p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/hledaczvirat/"><u>Hledaczvirat</u></a></p></td><td><p>Online platform/database for finding lost and found pets, connecting owners with animal shelters.</p></td><td><p>Czech Republic</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/the-wisconsin-project/"><u>Iran Watch / The Wisconsin Project</u></a></p></td><td><p>Research project tracking Iran's weapons capabilities and nonproliferation issues, run by the Wisconsin Project on Nuclear Arms Control. </p></td><td><p>United States </p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/bulletin-of-atomic-scientists/"><u>Bulletin of Atomic Scientists</u></a></p></td><td><p>Nonprofit media organization covering nuclear risk, climate change, and disruptive tech. </p></td><td><p>United States</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/the-royal-meteorological-society/"><u>The Royal Meteorological Society</u></a></p></td><td><p>Society for weather and climate science, supporting meteorology research, education, and professional accreditation.</p></td><td><p>United Kingdom</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/project-ainita/"><u>Project Ainita</u></a></p></td><td><p>An engineering collective that develops tools and research for human rights organizations, lawyers, and activists operating in high-risk environments.</p></td><td><p>Global</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/ukraine-war-archive/"><u>Ukraine War Archive</u></a></p></td><td><p>Digital archive documenting and preserving evidence of war crimes and events from the Russia-Ukraine war. </p></td><td><p>Ukraine</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/our-world-in-data/"><u>Our World in Data</u></a></p></td><td><p>Research and data publication on global issues like poverty, health, and climate. </p></td><td><p>United Kingdom </p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/hiil/"><u>Hague Institute for Innovation of Law</u></a></p></td><td><p>Think-and-do tank focused on user-friendly justice systems and resolving justice problems for people worldwide. </p></td><td><p>Netherlands </p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/center-for-american-progress/"><u>Center for American Progress</u></a></p></td><td><p>Progressive public policy research and advocacy think tank. </p></td><td><p>United States</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/sea-shepherd-brazil/"><u>Sea Shepherd Brazil</u></a></p></td><td><p>Brazilian chapter of Sea Shepherd, marine conservation organization protecting ocean wildlife and ecosystems. </p></td><td><p>Brazil</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/eltoque/"><u>elTOQUE</u></a></p></td><td><p>Independent digital media outlet covering Cuba, including news, economics, and exchange rate tracking. </p></td><td><p>Global</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/humanitix/"><u>Humanitix</u></a></p></td><td><p>Nonprofit ticketing platform donating booking fees to children's education and health charities. </p></td><td><p>Australia </p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/the-organized-crime-and-corruption-reporting-project/"><u>Organized Crime and Corruption Reporting Project (OCCRP)</u></a></p></td><td><p>Global investigative journalism network exposing organized crime and corruption. </p></td><td><p>Netherlands</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/activist-rights/"><u>Activist Rights</u></a></p></td><td><p>Legal information resource for activists on their rights and legal risks during protest and campaigning. </p></td><td><p>Australia</p></td></tr><tr><td><p><a href="https://www.cloudflare.com/case-studies/china-digital-times/"><u>China Digital Times</u></a></p></td><td><p>Bilingual news website covering censorship, human rights, and politics in China. </p></td><td><p>United States </p></td></tr></table>
    <div>
      <h3>Welcoming new partners </h3>
      <a href="#welcoming-new-partners">
        
      </a>
    </div>
    <p>Project Galileo relies on its 59 civil society partners to be a success. Every single organization that applies to the program is reviewed and approved by one of these partners. These groups volunteer their time and expertise, often reviewing multiple applications per day, to help make sure our services go to deserving organizations. </p><p>Over time, these relationships have not only helped grow Project Galileo into the program it is today, but also launched entirely new initiatives, like our email security partnership with <a href="https://protect.ngo/"><u>Protect.ngo</u></a> (formerly CyberPeace Institute) or our work supporting Internet measurement at public schools through UNICEF's <a href="https://www.cloudflare.com/press/press-releases/2025/cloudflare-partners-with-giga-to-accelerate-school-connectivity-worldwide/"><u>Giga project</u></a>.</p><p>For several years, one of our goals for Project Galileo has been to reach more organizations in regions outside North America and Europe. Part of that effort has been attending regional events like RightsCon in Costa Rica (2023) and Taiwan (2025) to speak directly with local digital rights organizations. We have also welcomed new partners who bring their own active networks and communities into the program. For example, last year we announced two new partners in the Asia-Pacific region: EngageMedia and the OpenCulture Foundation.</p><p>Because of the new services <a href="https://blog.cloudflare.com/ai-crawl-control-for-project-galileo/"><u>we recently added</u></a> to Project Galileo to help local news organizations protect their content from AI crawlers, our partnership focus this year was groups serving journalists. To that end, we are proud to announce three new partners:</p><table><tr><th><p>Organization</p></th><th><p>Description</p></th><th><p>Country/Region of Operation</p></th></tr><tr><td><p><a href="https://www.icfj.org/"><u>International Center for Journalists</u></a></p></td><td><p>Nonprofit focused on promoting high-quality independent journalism. Provides training, fellowships, mentorship, and financial support to journalists, specializing in helping reporters leverage digital technologies. </p></td><td><p>Based in the United States and supporting journalists in 180+ countries.</p></td></tr><tr><td><p><a href="https://medieklyngen.no/"><u>Media Cluster Norway</u></a></p></td><td><p>Innovation hub focused on next-generation media technology. Provides collaborative research spaces, funding opportunities, business incubation, and networking events for 100+ creators and local newsrooms. </p></td><td><p>Norway </p></td></tr><tr><td><p><a href="https://ngoisac.org/"><u>NGO-ISAC</u></a></p></td><td><p>Nonprofit network focused on protecting civil society from cybersecurity threats. Provides threat intelligence, defensive coordination, training, and support to its network of over 1,000 nonprofit organizations.  </p></td><td><p>United States  </p></td></tr></table>
    <div>
      <h3>Continuing to protect civil society around the world </h3>
      <a href="#continuing-to-protect-civil-society-around-the-world">
        
      </a>
    </div>
    <p>Today’s new report, case studies, and new partners are all aimed at working toward Project Galileo’s fundamental goal: ensuring that cyberattacks do not silence organizations working in vulnerable, essential areas like journalism and human rights. </p><p>As we look to the future, we remain committed to finding new ways to expand our protections to at-risk groups worldwide. If your organization is looking for protection under Project Galileo, please visit<a href="https://www.cloudflare.com/galileo/"> <u>cloudflare.com/galileo</u></a>.</p> ]]></content:encoded>
            <category><![CDATA[Impact]]></category>
            <category><![CDATA[Project Galileo]]></category>
            <guid isPermaLink="false">1kBoofDb8dfLiYnekjlUaX</guid>
            <dc:creator>Jocelyn Woolbright</dc:creator>
            <dc:creator>Allie Funk</dc:creator>
            <dc:creator>Grace Bennett</dc:creator>
        </item>
        <item>
            <title><![CDATA[Bringing more agent harnesses and frameworks to Cloudflare, starting with Flue]]></title>
            <link>https://blog.cloudflare.com/agents-platform-flue-sdk/</link>
            <pubDate>Wed, 17 Jun 2026 19:35:00 GMT</pubDate>
            <description><![CDATA[ The Agents SDK is now a runtime any agent framework can build on. Today we're opening up the Agents SDK primitives, with Flue as a first framework targeting Agents SDK, and rolling out agents in the dashboard. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>2026 is the year agent harnesses go to production. The software that controls the model’s access to the outside world — harnesses like Codex, Claude Code, OpenCode, Pi, and Project Think — has matured to the point where teams are deploying agents as real, load-bearing infrastructure, not just prototypes. </p><p>But building agents that survive production is hard.</p><p>We learned this firsthand building <a href="https://blog.cloudflare.com/project-think/"><u>Project Think</u></a> as our first-party agent harness. In working with our customers to run agents in production, we found a common set of distributed systems problems that every agent faces when running in the cloud. When an agent is interrupted, how can it automatically and gracefully resume from where it left off, without losing context or wasting tokens? How can agents run untrusted code securely? How can agents use the tools they were trained for?</p><p>A harness can’t solve these problems on its own. They’re tied to state, storage and compute — which means they’re dependent on the platform the agent runs on. That’s why we’re taking our learnings from hardening <a href="https://blog.cloudflare.com/project-think/"><u>Project Think</u></a> for production and bringing them to the <a href="https://developers.cloudflare.com/agents/"><u>Cloudflare Agents SDK</u></a> as a base layer. Durable execution, dynamic code execution, a durable filesystem and dynamic workflows, now available to any harness building on Agents SDK.</p><p>At the same time, a new layer has emerged above the harness. Frameworks like <a href="https://flueframework.com/">Flue</a> wrap a harness with the project structures, conventions, integrations and developer experience that make agents productive to build. </p><p>To solve these scaling challenges, there’s a new, three-layer stack that is emerging for building production-grade AI. Here is how the pieces fit together, moving from the user-facing developer experience down to the underlying platform primitives: </p><ul><li><p><b>The framework (Flue)</b> — the project structure, the conventions, the integrations, the CLI and the developer experience for building agents.</p></li><li><p><b>The harness</b> <b>(Pi, Project Think)</b> —  the agentic loop that calls tools, reads results, manages context and keeps going until the task is done.</p></li><li><p><b>The runtime/platform</b> <b>(the Cloudflare Agents SDK)</b> — the compute, state, and storage primitives everything above depends on</p></li></ul><p>The Agents SDK is that bottom layer: it makes primitives like durable execution available to any harness and any framework. Flue, our new open-source framework from the team behind <a href="https://astro.build/"><u>Astro</u></a>, is the first to build on it. Here’s how. </p>
    <div>
      <h2>Flue</h2>
      <a href="#flue">
        
      </a>
    </div>
    <p><a href="https://flueframework.com/"><u>Flue</u></a> shipped 1.0 Beta this week, built on the <a href="https://pi.dev/"><u>Pi</u></a> harness, the same harness that <a href="https://openclaw.ai/"><u>OpenClaw</u></a> is built on. What makes it different as an agent framework is the approach: you don’t script what your agent does, you describe what it knows. Define the context an agent needs — its model, skills, sandbox, and instructions — and it solves whatever task you give it, autonomously. There’s no orchestration loop to write.</p><p>This declarative model is what makes writing agents easy: here’s a triage agent that intercepts a bug report, reproduces it in a sandbox, and diagnoses the issue in under 25 lines.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5U50mjNZpg7RD3fb0pOLLs/5e20ad63c1e6ab92cf5d334b79996c1a/image5.png" />
          </figure>
    <div>
      <h3>The Flue developer experience</h3>
      <a href="#the-flue-developer-experience">
        
      </a>
    </div>
    <p>Flue’s power comes from the fact that agents don’t live in isolation. They are built to exist where your users already work, and integrate with your preferred tooling:</p><ul><li><p><b>Anywhere agents</b>: Drop your agents into Slack, GitHub, Linear, or Discord with pre-configured Channels that handle event verification and dispatch boilerplate automatically.</p></li><li><p><b>Headless, but UI-ready</b>: Agents shouldn’t live in a black box. Flue agents can run completely headlessly for background tasks, but <a href="https://flueframework.com/blog/flue-1-0-beta/#introducing-fluereact"><u>@flue/react</u></a> provides native frontend hooks that stream an agent’s state, tool execution, and live messages straight into your frontend application, without you having to build custom real-time plumbing from scratch.</p></li><li><p><b>Ecosystem-ready</b>: Flue makes it easy to add and upgrade integrations with commands like <code>flue add channel slack</code>, generating a Markdown blueprint that your own coding agent can read, modify, and cleanly integrate straight into your codebase.</p></li></ul>
    <div>
      <h3>Designed for production, not just prototypes</h3>
      <a href="#designed-for-production-not-just-prototypes">
        
      </a>
    </div>
    <p>Moving an agent out of a local terminal and into a production ecosystem introduces traditional distributed systems failures. Host crashes, API timeouts from LLM providers, and unexpected restarts threaten to erase the short-term memory of a running agent turn. </p><p>Flue solves this via Durable Streams. Each event in the execution history is added to an append-only log. By processing every prompt, tool response and model choice as an unchangeable ledger, an agent’s state is never volatile. If a process dies, another simply picks up the log and continues from the exact step it left off. </p>
    <div>
      <h3>Deploy anywhere, including Cloudflare</h3>
      <a href="#deploy-anywhere-including-cloudflare">
        
      </a>
    </div>
    <p>Flue is a multi-cloud framework. On <a href="http://node.js"><u>Node.js</u></a>, each agent runs as a long-lived process. You can deploy it to any VM or container, run it in GitHub Actions, or embed it on an existing server. But when you target Cloudflare, each agent becomes a Durable Object.</p><p>By running each Flue agent inside its own Durable Object, Cloudflare can automatically scale to as many agents as you need, each with their own isolated storage and compute. You don’t have to provision servers, manage sticky sessions, or worry about noisy neighbors. And when Flue agents are deployed to Cloudflare, they get durable execution using Agents SDK’s <code>runFiber()</code>, <code>stash()</code>, and <code>onFiberRecovered()</code> methods. Flue also uses <code>@cloudflare/codemode</code> and <code>@cloudflare/shell</code> for sandboxed code execution against a durable workspace. </p>
    <div>
      <h2>What harnesses need out of an agentic platform</h2>
      <a href="#what-harnesses-need-out-of-an-agentic-platform">
        
      </a>
    </div>
    <p>Flue’s Cloudflare target works so effectively because it maps cleanly to the core primitives we built into the Agents SDK. You can even <a href="https://github.com/withastro/flue/blob/0fd59475d303d8e8d5bc184a9d3fc4ed58c0de93/packages/runtime/src/session.ts#L13"><u>dig into the Flue source code</u></a> to understand how Pi, the underlying harness, is adapted to work on Cloudflare Agents SDK.</p><p>Here’s how Flue leverages the Agents SDK under the hood, and what it takes to run any modern agent harness reliably at scale. </p>
    <div>
      <h3>Every agent harness needs durable execution</h3>
      <a href="#every-agent-harness-needs-durable-execution">
        
      </a>
    </div>
    <p>An agent turn is not a single request. The model streams tokens, calls tools, waits for results, maybe asks a human for approval, or delegates work to a subagent. That sequence can take seconds or minutes, and at any point the process can be interrupted or crash. When that happens, all of the agent state that was in memory is gone: the streaming connection, the pending tool calls, where the agent was in its turn. Sure, the conversation history is persisted on disk, but the user sees a spinner that never resolves. That’s a broken user experience.</p><p><a href="https://developers.cloudflare.com/agents/runtime/execution/durable-execution/"><u>Fibers</u></a> solve this problem by providing a native checkpointing mechanism directly inside the Agent’s underlying <a href="https://developers.cloudflare.com/durable-objects/"><u>Durable Object</u></a>. <code>runFiber()</code> records the progress to the Durable Object’s SQLite storage before the work in the Agent turn starts and checkpoints with <code>stash()</code> as the turn advances. When a fresh agent instance boots after an interruption, <code>onFiberRecovered()</code> delivers the last checkpoint, so your agent knows a turn was interrupted, where it got to, and can decide how to continue. </p>
            <pre><code>import { Agent } from "agents";
import type { FiberRecoveryContext } from "agents";

class MyAgent extends Agent {
  async doWork() {
    await this.runFiber("my-task", async (ctx) =&gt; {
      const step1 = await expensiveOperation();
      ctx.stash({ step1 });

      const step2 = await anotherExpensiveOperation(step1);
      this.setState({ ...this.state, result: step2 });
    });
  }

  async onFiberRecovered(ctx: FiberRecoveryContext) {
    if (ctx.name !== "my-task") return;

    const { step1 } = (ctx.snapshot ?? {}) as { step1?: unknown };
    if (step1) {
      const step2 = await anotherExpensiveOperation(step1);
      this.setState({ ...this.state, result: step2 });
    }
  }
}</code></pre>
            <p>Flue uses <code>runFiber()</code> <a href="https://github.com/withastro/flue/blob/cf775a84e7cf1d7037a464b947d8b2f7e9efcfd1/packages/runtime/src/cloudflare/agent-coordinator.ts#L475"><u>on its Cloudflare target</u></a> for exactly this. With the <code>onFiberRecovered()</code> hook, your harness can decide how to resume the execution of the turn, whether it attempts a full reconstruction model like Project Think that repairs turn state or whether it replays certain parts of the turn. </p>
    <div>
      <h3>Executing code is better than overloading agents with tools</h3>
      <a href="#executing-code-is-better-than-overloading-agents-with-tools">
        
      </a>
    </div>
    <p>Agent harnesses give models access to the outside world through tools. But tool surfaces grow fast, and models get worse at selecting the right tool as the list gets longer and the context window fills up with tool definitions. A better pattern: give the model one tool that executes code. The model writes a TypeScript function that calls the APIs it needs, and the harness runs it. We wrote about this when we introduced <a href="https://blog.cloudflare.com/code-mode"><u>Code Mode</u></a>.</p><p>The question is where that code runs. To run LLM-generated code securely, you need a sandbox. But typical sandboxes would be slow, cost-prohibitive and inefficient to run each tool call. That’s why the Agents SDK provides <a href="https://www.npmjs.com/package/@cloudflare/codemode"><code><u>@cloudflare/codemode</u></code></a>, which wraps <a href="https://developers.cloudflare.com/dynamic-workers/"><u>Dynamic Workers</u></a>, to execute LLM-generated code in its own Worker isolate with only the bindings you provide. </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1NCq9AP9xL1b70WyB0iqE0/7569fc7ee43b6071f0b98945d872e9c7/BLOG-3336_3.png" />
          </figure><p>Code Mode creates a fresh Dynamic Worker for each snippet, runs it, and discards it. Isolates start in under 10ms and $0.002 per load, resulting in drastically faster and cheaper cost of execution than booting a container every time your agent needs to execute a short piece of code. Flue uses <a href="https://www.npmjs.com/package/@cloudflare/codemode"><code><u>@cloudflare/codemode</u></code></a> on its Cloudflare target to power its code tool. The agent writes JavaScript against the workspace and runs it with Code Mode.</p>
    <div>
      <h3>You don’t need a full container for most workspace tasks</h3>
      <a href="#you-dont-need-a-full-container-for-most-workspace-tasks">
        
      </a>
    </div>
    <p>Agent harnesses often need a filesystem, whether it’s to read files, write outputs, search through code and understand diffs. Coding agents in particular live in the filesystem. But if the harness is running in a serverless environment, how can it get a durable filesystem that persists across executions? </p><p>The usual answer is a container. That works, but it’s expensive for what agents mostly do. The majority of filesystem operations in an agent turn are text. Consider a review agent that reads files, greps through source code, or perhaps writes a patch. You don’t need a full Linux boot for that.</p><p><a href="https://github.com/cloudflare/agents/tree/main/packages/shell"><code><u>@cloudflare/shell</u></code></a> gives your agent a durable virtual filesystem inside its Durable Object, backed by SQLite. It provides typed file operations — read, write, edit, search, grep, diff — that agent harnesses can use as tools.</p><p>Instead of calling individual tools, a Flue agent running on the Cloudflare target writes JavaScript against the workspace virtual file state API. By running more operations within the Durable Object, the agent benefits from the isolate model’s more efficient execution process, entirely avoiding container overhead:</p>
            <pre><code>async () =&gt; {
  const files = await state.glob("src/**/*.ts");
  const results = [];
  for (const file of files) {
    const content = await state.readFile(file);
    const todos = content.match(/\/\/ TODO:.*/g);
    if (todos) results.push({ file, todos });
  }
  return results;
}</code></pre>
            <p>This translates into a faster and more cost-efficient sandbox environment for agents that need to run shell and filesystem operations to get their work done. And for agents that need a full OS, to run npm install, git, or compilers, Cloudflare Containers provides that. We’re also building <a href="https://github.com/cloudflare/workspace"><code><u>@cloudflare/workspace</u></code></a>, to keep the virtual file system of a given Durable Object in sync with a container’s, allowing for seamless transition from lightweight Workers to a Linux environment only when it needs one. </p>
    <div>
      <h3>Dynamic Workflows: let agents write their own workflows to repeat tasks consistently</h3>
      <a href="#dynamic-workflows-let-agents-write-their-own-workflows-to-repeat-tasks-consistently">
        
      </a>
    </div>
    <p>But what happens when an agent needs to do more than read files or execute single code snippets? What happens when it needs to orchestrate a massive, multi-step pipeline that must repeat consistently over time, like a code review that successfully resolves bugs or a research workflow that produces good results? A harness can’t provide durable multi-step execution on its own. It needs the platform to persist each step, retry failures, and resume after interruptions. </p><p>This pattern is gaining traction. Claude Code recently shipped <a href="https://code.claude.com/docs/en/workflows"><u>dynamic workflows</u></a>, where Claude writes a JavaScript script at runtime to hand off work to dozens of subagents, and the runtime executes it durably. <a href="https://developers.cloudflare.com/dynamic-workers/usage/dynamic-workflows/"><u>@cloudflare/dynamic-workflows</u></a> provides this for any harness running on the Agents SDK. Your agent generates a workflow at runtime, and the Workflows engine persists each step, retries failures, and can sleep for hours or wait for external events like human approval. </p><p>From the Agent class, <code>runWorkflow()</code> connects your agent to the <a href="https://developers.cloudflare.com/workflows/"><u>Workflows</u></a> engine. The agent kicks off the workflow and can go to sleep. The workflow calls back into the agent via RPC to report progress, update state, or request approval. When the workflow finishes, the agent wakes up with the result. </p>
    <div>
      <h3>Direct access to the Cloudflare ecosystem</h3>
      <a href="#direct-access-to-the-cloudflare-ecosystem">
        
      </a>
    </div>
    <p>Beyond compute and storage, agent harnesses need access to external capabilities: web browsing, email, memory, search, inference. A harness shouldn't have to integrate each of these separately, manage API keys for each, or worry about credentials leaking through agent-generated code.</p><p>The Agent class gives your harness access to the rest of Cloudflare through <a href="https://developers.cloudflare.com/workers/runtime-apis/bindings/"><u>bindings</u></a>: <a href="https://developers.cloudflare.com/ai-gateway/"><u>AI Gateway</u></a> for per-agent spend tracking and limits, <a href="https://developers.cloudflare.com/browser-rendering/"><u>Browser Run</u></a> for web automation, <a href="https://developers.cloudflare.com/email-service/"><u>Email Service</u></a> for inbox workflows, <a href="https://developers.cloudflare.com/agents/api-reference/agent-memory/"><u>Agent Memory</u></a> for persistent recall, <a href="https://developers.cloudflare.com/ai-search/"><u>AI Search</u></a> for retrieval, <a href="https://developers.cloudflare.com/containers/"><u>Containers</u></a> for workloads that need a full OS, and inference across <a href="https://blog.cloudflare.com/ai-platform/"><u>14+ model providers</u></a>. Bindings grant capabilities without exposing credentials: your agent uses them, but the keys never enter agent-generated code.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7jLx08K0FuCd8mJ4xIjwop/3833967f110d119a260979608cc57fce/BLOG-3336_4.png" />
          </figure>
    <div>
      <h2>Bring your agents to the agentic cloud</h2>
      <a href="#bring-your-agents-to-the-agentic-cloud">
        
      </a>
    </div>
    <p>We know this approach works because it is the exact architectural foundation we used to build <a href="https://blog.cloudflare.com/project-think/"><u>Project Think</u></a>, our first-party agent harness. While Project Think remains our highly optimized, out-of-the-box solution for native Cloudflare agent experiences, the Agents SDK ensures that the broader open-source ecosystem can leverage those exact same battle-tested primitives, including Flue.</p><p>If you're building agents today with Flue, you can deploy in just a few clicks to Cloudflare. And if you're building your own agent harness or you’re building an agent framework, target the Agents SDK and get the platform integration for free.</p><ul><li><p>Agents SDK: <a href="https://developers.cloudflare.com/agents/"><u>developers.cloudflare.com/agents</u></a></p></li><li><p>Flue: <a href="https://flueframework.com/"><u>flueframework.com</u></a>, <a href="https://www.npmjs.com/package/@flue/runtime"><code><u>npm install @flue/runtime</u></code></a></p></li><li><p>Think: <a href="https://github.com/cloudflare/agents/blob/main/docs/think/index.md"><u>docs</u></a></p></li><li><p>Cloudflare Community: <a href="https://community.cloudflare.com/"><u>community.cloudflare.com</u></a></p></li></ul><p></p> ]]></content:encoded>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Cloudflare Workers]]></category>
            <category><![CDATA[Developers]]></category>
            <category><![CDATA[Developer Platform]]></category>
            <category><![CDATA[Durable Objects]]></category>
            <category><![CDATA[SDK]]></category>
            <category><![CDATA[MCP]]></category>
            <guid isPermaLink="false">48yPgdpb7RGTBdh4DPPCUF</guid>
            <dc:creator>Thomas Gauvin</dc:creator>
        </item>
        <item>
            <title><![CDATA[Introducing the Cloudflare One stack: agent-powered deployment]]></title>
            <link>https://blog.cloudflare.com/cloudflare-one-stack/</link>
            <pubDate>Wed, 17 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ The Cloudflare One stack is a library of agent skills that gives any AI agent the knowledge it needs to plan, deploy, and manage a Zero Trust environment — no migration calls required. ]]></description>
            <content:encoded><![CDATA[ <p>Adopting or migrating to a Zero Trust network architecture can be a daunting task. Before a single policy changes, teams have to recall how their network is actually built: which applications exist, their authentication and authorization constructs, how traffic flows between them, and any assumptions the current architecture makes. This hands-on process requires practitioners to decode the intent behind every security and routing policy in place.</p><p>Today, we’re releasing the Cloudflare One stack, a <a href="https://github.com/cloudflare/skills"><u>set of skills</u></a> you give to your agent to configure, deploy, and manage your Zero Trust environment for you. This toolkit is designed to help automate the process of learning an entirely new security suite and mapping your existing one into Cloudflare.</p><p>Cloudflare has worked with thousands of customers through exactly this process. That repetition built expertise on where migrations stall, what questions come up every time, and what it takes to move forward. The Cloudflare One stack packages that expertise and makes it more accessible than ever. </p>
    <div>
      <h3>The agent gap in network security</h3>
      <a href="#the-agent-gap-in-network-security">
        
      </a>
    </div>
    <p>Teams are already using agents to write code, triage alerts, and automate workflows. Organizations are increasingly asking for Cloudflare-provided tooling to help agents execute on security workflows. On their own, agents are not trained on the nuances of an organization's specific network topology or vendor configurations.</p><p>By providing prescriptive and authoritative guidance, organizations can layer this context into their existing toolkit to make better use of the security products they are already deploying.</p><p>Cloudflare has long been the easiest-to-deploy SASE vendor in the market. The stack extends that philosophy to agents: it gives them the context, tools, and structured reasoning they need to operate on your security infrastructure.</p>
    <div>
      <h2>What is the Cloudflare One stack?</h2>
      <a href="#what-is-the-cloudflare-one-stack">
        
      </a>
    </div>
    <p>The Cloudflare One stack is <a href="https://github.com/cloudflare/skills"><u>a collection of skills</u></a> that can be used with any agent. As with <a href="https://www.anthropic.com/engineering/equipping-agents-for-the-real-world-with-agent-skills"><u>any skill</u></a>, you can use them standalone, layer in your own context, or build tooling on top. It was purpose-built to help security practitioners across the entire lifecycle of evaluating, deploying, and managing <a href="https://developers.cloudflare.com/cloudflare-one/"><u>Cloudflare One</u></a>.</p><p>The stack was built by synthesizing hand-curated knowledge from employees with tens of thousands of hours of experience working with customers on Cloudflare One products. It contains tools for planning, managing, and implementing your user and agent security infrastructure on Cloudflare. It also contains handpicked logic for migrating from legacy vendors like <a href="https://blog.cloudflare.com/descaler-program/"><u>Zscaler</u></a> and Palo Alto Networks.</p><p>When used in conjunction with the <a href="https://developers.cloudflare.com/agents/model-context-protocol/mcp-servers-for-cloudflare/"><u>Cloudflare code mode MCP server</u></a>, the stack gives agents a typed interface to the Cloudflare API. Agents can query your live account, inspect configurations, and make changes through a curated set of Cloudflare-recommended workflows rather than ad-hoc API calls.</p>
    <div>
      <h2>What’s in the stack?</h2>
      <a href="#whats-in-the-stack">
        
      </a>
    </div>
    <p>The Cloudflare One stack ships as two lightweight skill files: cloudflare-one and cloudflare-one-migration. Together they cover migrating to, building an implementation for, managing, and troubleshooting your Cloudflare One deployment:</p><ul><li><p><b>Remote access and VPN replacement</b> with Cloudflare Access</p></li><li><p><b>User, network, device, and data security</b> with Cloudflare Gateway</p></li><li><p><b>Connectivity</b> with Cloudflare Tunnel, Cloudflare Mesh, and Cloudflare WAN</p></li><li><p><b>Migration guidance</b> with explicit detail for moving from other SASE vendors</p></li><li><p><b>Network diagram interpretation and generation</b>, so you can visualize proposed changes to your network in a way that is easy for you and your team to understand</p></li><li><p><b>Vendor concept translation</b>, which maps concepts between SASE vendors to reduce the barrier to evaluating and switching providers</p></li><li><p><b>Troubleshooting and operations</b>, with the Digital Experience Monitoring (DEX) toolkit and automated rule recommendations</p></li></ul>
    <div>
      <h2>How it works</h2>
      <a href="#how-it-works">
        
      </a>
    </div>
    <p>The stack is available in the <a href="https://github.com/cloudflare/skills"><u>Cloudflare Skills</u></a> repository. Each skill file contains structured knowledge, decision trees, and tool definitions that agents load automatically when the context matches. Give this to your agent and let it help you set up, configure, and manage your Zero Trust environment:</p><p>The cloudflare-one skill covers general product guidance. For example, if you ask an agent for the best way to replace your VPN infrastructure with Cloudflare Tunnel or Cloudflare Mesh, the skill knows how to:</p><ol><li><p>Inventory your existing VPN applications and identify which connectivity model each requires</p></li><li><p>Map each application to the appropriate Cloudflare primitive — self-hosted Access application, Tunnel-connected service, or Mesh-connected network segment</p></li><li><p>Generate a recommended deployment sequence that minimizes disruption during cutover</p></li><li><p>Produce a configuration summary your team can review before making any changes</p></li></ol><p>The cloudflare-one-migration skill covers vendor-to-vendor translation. For example, if you ask an agent to migrate your Zscaler Private Access applications to Cloudflare Access, the skill knows how to:</p><ol><li><p>Map Zscaler application definitions to Cloudflare Access application definitions</p></li><li><p>Transform Zscaler user groups and policies into Cloudflare Access policies</p></li><li><p>Use the Cloudflare API to create the equivalent resources in your account</p></li><li><p>Generate a summary of what was migrated and what requires manual review</p></li></ol><p>The migration logic in the stack is the same logic used in Cloudflare's <a href="https://blog.cloudflare.com/descaler-program/"><u>Descaler</u></a> and <a href="https://blog.cloudflare.com/deskope-program-and-asdp-for-descaler/"><u>Deskope</u></a> programs. Those programs have already moved enterprise customers from Zscaler and Netskope to Cloudflare One in hours rather than months. The stack makes that capability available to any customer or partner, at any time, without waiting for a scheduled engagement.</p>
    <div>
      <h3>More ways to use the stack</h3>
      <a href="#more-ways-to-use-the-stack">
        
      </a>
    </div>
    <p>The Cloudflare One stack can also:</p><ul><li><p>Recommend security rules based on traffic seen in your live account</p></li><li><p>Automatically migrate your existing Zscaler Private Access applications into self-hosted Cloudflare Access applications</p></li><li><p>Investigate anomalies in your secure web gateway HTTP logs and build rules to resolve issues users are seeing</p></li><li><p>Report on user stability with the DEX toolkit and take actions to improve user latency in key scenarios</p></li></ul><p>Whether you are loading the skill from an agent or building custom tooling on top, the Cloudflare One stack handles all of these use cases and more.</p>
    <div>
      <h2>For partners, too</h2>
      <a href="#for-partners-too">
        
      </a>
    </div>
    <p>While this simplifies ongoing management for customers who have already adopted the Cloudflare One product suite, it is also a tool for the Cloudflare partner network. Partners can use it to help their customers deploy faster, manage more effectively, troubleshoot with increased accuracy, and drive issues to resolution.</p>
    <div>
      <h2>What's next</h2>
      <a href="#whats-next">
        
      </a>
    </div>
    <p>You can start using the Cloudflare One stack today. To get the most out of the stack, pair it with the Cloudflare <a href="https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#code-mode"><u>code mode MCP server</u></a>. The MCP server gives your agent live access to the Cloudflare API through a single, compressed interface that keeps authentication credentials out of the model context. </p><p>The Cloudflare One stack will continue to expand as Cloudflare One products evolve. New skills for additional migration sources and more advanced troubleshooting workflows are already in development.</p><p>As we learn more about how customers and partners utilize these skills files, we plan to build more robust tooling around these skills. If you are a customer or partner and want to share feedback on what the stack should handle next, reach out through your account team or open an issue in the repository.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare One]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Agents]]></category>
            <guid isPermaLink="false">1LDBKUul6cfW72f1DQaLyE</guid>
            <dc:creator>AJ Gerstenhaber</dc:creator>
            <dc:creator>Abe Carryl</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare DMARC Management is now generally available]]></title>
            <link>https://blog.cloudflare.com/dmarc-management-ga/</link>
            <pubDate>Tue, 16 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Get unified visibility into your email authentication posture and reach full DMARC enforcement with deeper reporting, record analysis, and SPF audits free for every Cloudflare customer. ]]></description>
            <content:encoded><![CDATA[ <p>When we first launched <a href="https://blog.cloudflare.com/dmarc-management/"><u>DMARC Management</u></a>, it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand.</p><p>Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3GpMX09ltKkw9PcTW53xNF/9e862b59311cfdd08bb9b74fbb69bc42/BLOG-3332_image7.png" />
          </figure><p><sup><i>The DMARC Management dashboard offers a unified view of your email authentication posture.</i></sup></p>
    <div>
      <h2>What email authentication actually does for you</h2>
      <a href="#what-email-authentication-actually-does-for-you">
        
      </a>
    </div>
    <p>Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference.</p><p>Email authentication is the set of DNS records that answers that question. There are four protocols that protect your domain:</p><ul><li><p><b>SPF </b>(Sender Policy Framework) tells receiving mail servers which IP addresses and services are allowed to send email on behalf of your domain.</p></li><li><p><b>DKIM</b> (DomainKeys Identified Mail) attaches a cryptographic signature to every email you send, so receiving servers can verify the message hasn't been tampered with in transit.</p></li><li><p><b>DMARC</b> (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication: let it through, quarantine it, or reject it outright. It also sends you reports on who is sending email as your domain.</p></li><li><p><b>BIMI </b>(Brand Indicators for Message Identification) lets you display your brand logo next to your emails in supported inboxes, but only if your DMARC policy is strong enough.</p></li></ul><p>When all four are configured correctly, spoofed emails get blocked before they reach anyone's inbox and your legitimate emails are far more likely to be delivered. When they're missing or misconfigured, you're exposed to brand impersonation and deliverability penalties from the large email mailbox providers.</p>
    <div>
      <h2>DMARC is no longer optional</h2>
      <a href="#dmarc-is-no-longer-optional">
        
      </a>
    </div>
    <p>DMARC has always been important. But over the past two years, the stakes have gotten significantly higher. Google, Microsoft, and Yahoo have all announced or implemented stricter email authentication enforcement. Domains that do not have proper <a href="https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/"><u>DMARC</u></a>, <a href="https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/"><u>SPF</u></a>, and <a href="https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/"><u>DKIM</u></a> records configured (or worse, have them configured incorrectly) are increasingly seeing their legitimate emails land in spam folders or get rejected outright. What was once a best practice is now a requirement. Poor email hygiene directly translates to poor deliverability, and for many businesses, that means lost revenue and missed communications.</p><p>The message from the industry is clear: if you send email from your domain, you need these records configured correctly. The grace period is over.</p>
    <div>
      <h2>The problem: DMARC is confusing, and mistakes are costly</h2>
      <a href="#the-problem-dmarc-is-confusing-and-mistakes-are-costly">
        
      </a>
    </div>
    <p>Here is the challenge. The journey from p=none (monitor only, no emails are blocked) to p=quarantine (suspicious emails are sent to spam) to p=reject (unauthenticated emails are blocked outright) is filled with uncertainty. Enable enforcement too early, and you risk breaking legitimate email flows from third-party services you forgot were sending on your behalf. Move too slowly, and you leave your domain exposed to spoofing, and now, to deliverability penalties from the very providers your customers use.</p><p>Most organizations know they need DMARC enforcement. But actually getting there requires understanding aggregate XML reports, identifying every legitimate sending source across your infrastructure, and building enough confidence that tightening your policy will not break anything.</p><p>We built Cloudflare DMARC Management so that any customer can navigate this journey on their own. No need for professional services engagement. No spreadsheet analysis of aggregate reports. No guessing which IP address belongs to which vendor. The goal is to make the path to full DMARC enforcement as self-service as possible, giving you the visibility and confidence to tighten your policy without breaking anything.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1MgXzeTIgQxqJ8coErsj7l/1a265f29547c18a8a3bd5a4c1003b3df/BLOG-3332_image5.png" />
          </figure><p><sup><i>DMARC reports show sending source alignment across your domain.</i></sup></p>
    <div>
      <h2>What we shipped</h2>
      <a href="#what-we-shipped">
        
      </a>
    </div>
    
    <div>
      <h3>Deeper report visibility with source investigation</h3>
      <a href="#deeper-report-visibility-with-source-investigation">
        
      </a>
    </div>
    <p>We redesigned the reporting experience to make it easier to understand what is happening with your email traffic. You can now see at a glance which sending sources are passing or failing DMARC, SPF, and DKIM alignment and drill deeper than ever before.</p><p>Every report now surfaces the source IP address alongside the sending service, giving you the granularity to distinguish between legitimate infrastructure and unauthorized senders. You can now open any IP address directly in our Investigate tab, which surfaces all the threat intelligence Cloudflare has on that address — reputation data, geolocation, autonomous system number (ASN) details, and any known associations with malicious activity.</p><p>This turns your DMARC reports from a passive data feed into an active investigation tool.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1TMDQMQ63fr6yRhqmRa55T/25717a64afb8ac5393056035d9a86047/BLOG-3332_image4.png" />
          </figure>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5j1jXZbpwv1X0Ss0somi2A/4f2dd91ba360f7384e34a613892cfec7/BLOG-3332_image1.png" />
          </figure><p><sup><i>Drilling into a sending source reveals IP-level detail and Cloudflare threat intelligence in the Investigate tab.</i></sup></p><table><tr><td><p><b>What you see</b></p></td><td><p><b>What it tells you</b></p></td></tr><tr><td><p>Source IP address</p></td><td><p>The specific infrastructure sending email on behalf of your domain</p></td></tr><tr><td><p>Sending service name</p></td><td><p>The organization or provider behind the IP</p></td></tr><tr><td><p>DMARC / SPF / DKIM alignment</p></td><td><p>Whether each authentication check passed or failed for that source</p></td></tr><tr><td><p>Investigate tab</p></td><td><p>Cloudflare threat intelligence: reputation, geolocation, ASN, and known threat associations</p></td></tr></table>
    <div>
      <h3>Email authentication record status</h3>
      <a href="#email-authentication-record-status">
        
      </a>
    </div>
    <p>One of the most common questions customers ask is: "Are my records set up correctly?"</p><p>Until now, answering that question required manually inspecting DNS TXT records and understanding what each tag and value means across multiple specifications. With this release, you can see the status of every email authentication record you need: DMARC, DKIM, SPF, and BIMI, in a single view.</p><p>Each record type gets a clear pass, warning, or fail status based on automated analysis. You can drill into any record to see specific findings about what we detected and recommendations for how to fix it. If your DKIM key is malformed, we flag it. If you are missing a <a href="https://www.cloudflare.com/learning/dns/dns-records/dns-bimi-record/"><u>BIMI</u></a> record and your DMARC policy is strong enough to support one, we let you know that too.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7yp4DWXZS7hd7mDLU6WUVZ/60f625951254c436f07fd0161dbec9f9/BLOG-3332_image2.png" />
          </figure><p><sup><i>Record analysis cards show pass, warning, or fail status for each email authentication record, with actionable recommendations.</i></sup></p><p>The recommendations are written in plain language, not RFC jargon. The goal is to make it obvious what action to take next, regardless of your email security expertise.</p><table><tr><td><p><b>Record</b></p></td><td><p><b>What we check</b></p></td></tr><tr><td><p>SPF</p></td><td><p>Multiple records, lookup limits, permissive +all, missing mechanisms</p></td></tr><tr><td><p>DKIM</p></td><td><p>Key formatting, missing or malformed public keys</p></td></tr><tr><td><p>DMARC</p></td><td><p>Policy strength, monitoring vs. enforcement, reporting configuration</p></td></tr><tr><td><p>BIMI</p></td><td><p>Logo URL format, Verified Mark Certificate (VMC)  presence</p></td></tr></table>
    <div>
      <h3>
SPF lookup audit</h3>
      <a href="#spf-lookup-audit">
        
      </a>
    </div>
    <p>This one addresses a problem that silently breaks email for more organizations than you would expect. The SPF specification (<a href="https://datatracker.ietf.org/doc/html/rfc7208"><u>RFC 7208</u></a>) imposes a hard limit of 10 DNS lookups per SPF evaluation. Every <code><b>include:, a, mx, redirect, and exists</b></code> mechanism in your SPF record counts toward that limit, and so do the nested lookups inside each <code><b>include:</b></code>. Exceed 10 and receiving mail servers return a permerror, which means your SPF check fails entirely.</p><p>Most people have no idea they are over the limit until their email starts getting rejected.</p><p>DMARC Management now lets you audit your SPF record and see exactly how many lookups it incurs. You can drill into every mechanism in the record, see which <b>include:</b>chains are the most expensive, and identify where to consolidate or flatten your record to get back under the limit.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5j1jXZbpwv1X0Ss0somi2A/4f2dd91ba360f7384e34a613892cfec7/BLOG-3332_image1.png" />
          </figure><p><sup><i>The SPF lookup audit traces every DNS lookup in your SPF record, showing exactly where you are against the 10-lookup limit.</i></sup></p>
    <div>
      <h3>Getting started</h3>
      <a href="#getting-started">
        
      </a>
    </div>
    <p>To use DMARC Management, you need to have your domain's DNS on Cloudflare. Then you can turn on DMARC Management under the Email tab for that domain in the Cloudflare dashboard.</p><p>1. Navigate to your domain in the Cloudflare dashboard.</p><p>2. Go to Email &gt; DMARC Management.</p><p>3. Follow the setup wizard to start receiving DMARC reports.</p><p>4. Review your record analysis and recommendations.</p><p>5.  Work toward p=quarantine (suspicious emails go to spam) or p=reject (unauthenticated emails are blocked entirely) at your own pace.</p>
    <div>
      <h2>What's next</h2>
      <a href="#whats-next">
        
      </a>
    </div>
    <p>We are going to continue building on top of DMARC Management, and our goal is to keep it accessible. We have several things planned that we are excited to ship: deeper forensic reporting, smarter recommendations, and tighter integration with the rest of the Cloudflare platform.</p><p>If you are not yet using Cloudflare for your DNS, you can <a href="https://www.cloudflare.com/dns/"><u>get started here</u></a>. Once your domain is on Cloudflare, DMARC Management is available immediately with no additional configuration or cost required.</p><p>Your domain is either protected or it isn't. Head to Email &gt; DMARC Management in your Cloudflare dashboard to get started.</p> ]]></content:encoded>
            <category><![CDATA[Email]]></category>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[DMARC]]></category>
            <guid isPermaLink="false">1Ng3fFBbnnbu6qxP1HMqpB</guid>
            <dc:creator>Ayush Kumar</dc:creator>
        </item>
        <item>
            <title><![CDATA[Growing the Cloudflare AI team with talent from Ensemble AI]]></title>
            <link>https://blog.cloudflare.com/ensemble-ai-talent-joins-cloudflare/</link>
            <pubDate>Mon, 15 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare is deepening our investment in AI with the addition of team members from Ensemble AI, focusing on machine learning infrastructure and efficiency. ]]></description>
            <content:encoded><![CDATA[ <p>Today, we’re excited to share that key members of the team at Ensemble AI are joining Cloudflare to help accelerate our work in AI infrastructure and make it easier for developers to run powerful AI models efficiently at scale.</p><p>Ensemble AI, founded in 2023 in San Francisco, has spent the last few years focused on one of the most important challenges in AI: making large models faster, smaller, and more cost-effective to serve, without sacrificing quality. The team has developed new approaches to model compression and efficient inference that are designed to reduce the memory, compute, and deployment overhead of large language models and multimodal architectures.</p><p>As AI becomes a core part of how developers build applications, the economics of inference matter more than ever. Models are getting larger; workloads are becoming more dynamic. And customers increasingly expect AI to be available everywhere: globally distributed, fast, reliable, and affordable. Bringing the Ensemble AI team into Cloudflare strengthens our ability to make that possible.</p>
    <div>
      <h3>Incorporating Ensemble’s expertise </h3>
      <a href="#incorporating-ensembles-expertise">
        
      </a>
    </div>
    <p>The team at Ensemble AI has focused on preserving the structure inside modern AI models while reducing the cost of running them. Instead of treating model efficiency as only a <a href="https://www.cloudflare.com/learning/ai/what-is-quantization/"><u>quantization</u></a> or hardware problem, Ensemble has explored new model building blocks that can make neural networks more compact and efficient at the architectural level.</p><p>A core part of this work is <a href="https://github.com/ensemble-core/ndlinear"><u>NdLinear</u></a>, a drop-in replacement for standard linear layers in transformer models that operates directly on multidimensional activations rather than flattening structure away. This enables models to preserve meaningful axes, such as heads, channels, spatial dimensions, or other structured representations, while reducing parameter count and compute. Ensemble has also developed NdLinear-LoRA, an efficient adaptation method designed to reduce the trainable parameters required for fine-tuning large models.</p><p>These approaches complement other efficiency techniques, including quantization and vector quantization. Together, they point toward a future where developers can run capable AI models with substantially lower memory, compute, and cost requirements.</p>
    <div>
      <h3>Making AI inference more efficient</h3>
      <a href="#making-ai-inference-more-efficient">
        
      </a>
    </div>
    <p>Cloudflare Workers AI gives developers access to serverless GPU-powered inference on Cloudflare’s global network. As developers build more AI-native applications, the ability to serve models efficiently becomes a critical part of the platform.</p><p>Inference cost is one of the biggest barriers to scaling AI applications. Every improvement in model size, memory footprint, throughput, and GPU utilization can make AI more accessible to developers and more economical for customers. This is especially important as AI workloads expand beyond simple text generation into agents, multimodal models, personalization, fine-tuning, retrieval, and reinforcement learning.</p><p>We are deepening our investment in the core machine learning capabilities needed to make Workers AI faster, more flexible, and more cost-efficient. This builds on top of our existing work on improving model efficiency, including our inference engine <a href="https://blog.cloudflare.com/cloudflares-most-efficient-ai-inference-engine/"><u>Infire</u></a>, tensor compression techniques like <a href="https://blog.cloudflare.com/unweight-tensor-compression/"><u>Unweight</u></a>, and our <a href="https://blog.cloudflare.com/high-performance-llms/"><u>platform for running extra large language models</u></a>. The team will focus on improving the economics of serving large language models and other advanced AI architectures, with an emphasis on model efficiency, GPU utilization, and scalable deployment.</p>
    <div>
      <h3>Building for the next generation of AI workloads</h3>
      <a href="#building-for-the-next-generation-of-ai-workloads">
        
      </a>
    </div>
    <p>AI infrastructure is entering a new phase. Developers no longer need only access to models; they need infrastructure that can run models reliably, affordably, and close to users. They need the ability to experiment with different model sizes, fine-tuning approaches, and deployment patterns without being blocked by cost or operational complexity.</p><p>Cloudflare is uniquely positioned to help solve this. Our global network, developer platform, and serverless architecture give us the foundation to bring AI closer to where applications already run. The Workers AI Machine Learning Engineering team will help us improve the efficiency layer underneath that experience.</p><p>By combining Cloudflare’s global infrastructure with Ensemble’s work in model compression and efficient architectures, we can continue building a platform where developers can deploy AI applications with lower cost, better performance, and less operational overhead.</p>
    <div>
      <h3>What’s next</h3>
      <a href="#whats-next">
        
      </a>
    </div>
    <p>Together, we will continue building the infrastructure needed to make AI more efficient, accessible, and useful for developers everywhere. Our goal is simple: help developers run powerful AI workloads at global scale while improving the economics of inference across the Cloudflare platform. If you want to join us in our mission, check out <a href="https://www.cloudflare.com/careers/jobs/"><u>our careers page</u></a>.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/IYHFX88nVQ5KvJ2RqEkJW/7bbe337431623665790bda509375b96e/image2.png" />
          </figure><p></p> ]]></content:encoded>
            <category><![CDATA[Workers AI]]></category>
            <category><![CDATA[AI]]></category>
            <guid isPermaLink="false">5MWTPJGehyLgdL2HT49JHB</guid>
            <dc:creator>Alex Reneau</dc:creator>
            <dc:creator>Zach Albertson</dc:creator>
            <dc:creator>Michelle Chen</dc:creator>
        </item>
        <item>
            <title><![CDATA[Scaling Security Insights: how we achieved a 10x increase in global scanning capacity]]></title>
            <link>https://blog.cloudflare.com/scaling-security-scans/</link>
            <pubDate>Fri, 12 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare Security Insights system now processes over 120 scans per second, providing frequent insights for all customers. By optimizing Kafka consumers, Postgres queries, and our API, we scaled our throughput 10x without adding hardware. ]]></description>
            <content:encoded><![CDATA[ <p><a href="https://developers.cloudflare.com/security/security-insights/"><u>Security Insights</u></a> provides actionable security recommendations for every Cloudflare account. To find these insights, we perform regular scans for all accounts, zones, and DNS records, looking for potential security risks and misconfigurations.
</p><p>However, two key issues emerged. First, our scans were too infrequent. Scans were only being performed every week or two, and therefore newly introduced security risks could remain undetected for up to two weeks. Second, automatic scanning was opt-in for many free plan accounts – meaning lots of accounts weren’t being scanned at all.</p><p>The risks of infrequent or nonexistent scans are rising: as automated attacks accelerate, the window for detecting security misconfigurations is shrinking. Making sure that we’re finding these issues for <i>all</i> of our customers is crucial to our aim of building a better Internet for everyone.</p><p>We calculated that to increase our scanning frequencies and enable automatic scanning for all accounts, we would need to increase our scanning throughput by around 10x on average – from 10 scans per second to 100 per second. But our system was already struggling with its load: millions of events were filling up our backlog waiting to be processed; our API was frequently timing out; our processes were crashing. We needed to fix our system, and we needed to make it <i>scale</i>.</p><p>This is the story of how we increased scanning throughput for Security Insights by more than 10x, enabled security insights for millions of customers, and doubled our scanning frequency for all customers. Read on to find out how we achieved these improvements.</p>
    <div>
      <h2>How we scan for security insights</h2>
      <a href="#how-we-scan-for-security-insights">
        
      </a>
    </div>
    <p>At a high level, our automatic security scans are triggered by a scheduler. When an account or zone is due for a scan, the scheduler publishes a message (or messages) to <a href="https://blog.cloudflare.com/using-apache-kafka-to-process-1-trillion-messages/"><u>Apache Kafka</u></a>, an open-source distributed event streaming platform. These messages fan out to a number of checkers: specialized Go microservices that scan specific assets or configurations.</p><p>For every message, each checker sends its results (the security insights that it found) to our internal API, which then persists these in a Postgres database.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1vJ2DRjdopX1LgymReyped/dbb20abb364acdd4904aba746d7921a6/BLOG-3307_image2.jpg" />
          </figure>
    <div>
      <h2>Making it scale</h2>
      <a href="#making-it-scale">
        
      </a>
    </div>
    
    <div>
      <h3>Scaling Kafka</h3>
      <a href="#scaling-kafka">
        
      </a>
    </div>
    <p>Apache Kafka is not strictly a <i>queue</i>: it is a partitioned event stream (though recently gained <a href="https://www.confluent.io/blog/kafka-queue-semantics-share-consumer-ga/"><u>queue semantics</u></a>). Within a partition, messages must be consumed and <i>processed</i> in order. This differs from typical queues where messages may be consumed in order but are processed out-of-order. As a result, we can only have one active consumer per partition within a <i>consumer group</i>.</p><p>This has two consequences for us:</p><ul><li><p>Messages that are slow to process block the consumer from progressing to the next message</p></li><li><p>For each checker, we can only have as many consumers as there are partitions (each checker has its own consumer group)</p></li></ul>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1Ml4yjhq4PIuDDNFPfCyKA/e22911321b38e48cd9dabc7fe33dba8c/unnamed.jpg" />
          </figure><p>We could have tried to scale by adding more partitions. However, this would have increased resource usage for the Kafka broker itself, which is shared by many other services. We reserved this as a last resort, aiming to improve our code and architecture first.</p>
    <div>
      <h3>Introducing parallel processing</h3>
      <a href="#introducing-parallel-processing">
        
      </a>
    </div>
    <p>Although we can only consume messages in order, there is nothing stopping us from consuming multiple messages at once.</p><p>We changed our checkers to consume messages in <i>batches</i>, processing each message in a separate goroutine. The trade-offs are that we’d have more work to re-do if our process crashed midway through a batch, and our memory usage would be slightly increased. In our case, these were both acceptable.</p>
    <div>
      <h3>Avoiding head-of-line blocking</h3>
      <a href="#avoiding-head-of-line-blocking">
        
      </a>
    </div>
    <p>Some messages processed by a few of our checkers take much longer to process than others. For example, one account/zone may have far more assets than another. In the worst case, these messages can take minutes or hours to process compared to the average case of seconds or milliseconds.</p><p>We opted for a very simple approach: splitting our consumer groups and checkers in two – the ‘slow lane’ and the ‘fast lane’. We could determine quickly whether a message would be slow or fast to process. If the ‘fast lane’ checker encounters a slow message, it skips it.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3jdSAU8FpBOHMIeWFUoWTP/a77806cbdf564dbe32be617135e8e2e9/BLOG-3307_image9.jpg" />
          </figure><p>This solved the problem: slow messages had the dedicated resources and time to be processed with minimal delay, and fast messages were able to proceed at their regular fast pace.</p>
    <div>
      <h2>Optimizing our database queries</h2>
      <a href="#optimizing-our-database-queries">
        
      </a>
    </div>
    <p>Every insight we find gets written to our Postgres database. This is handled by a single API endpoint that our checkers invoke with a list of insights. The implementation looked like this:</p>
            <pre><code>for _, issue := range issues {
	_, err = tx.Exec(ctx, `INSERT INTO table ... VALUES ($1, $2, ...) ON CONFLICT DO UPDATE ...`, ...)
	if err != nil {
		return err
	}
}</code></pre>
            <p>The astute reader will notice that for large sets of insights, this code makes a round trip to the database per insight. With a maximum observed size of 500,000, this was half a million round trips, queries, and transactions in a single API call.</p><p>We initially tried the gold standard for bulk inserts in Postgres: COPY into a temporary table. However, we found that this approach led to bloat in the Postgres system tables.</p><p>We settled on a hybrid approach:</p><ul><li><p>Using UNNEST when the number of issues was below a threshold</p></li><li><p>Using COPY when the number of issues exceeded this threshold</p></li></ul><p>This provided the best of both worlds: reasonably fast inserts for huge sets of insights (seconds), and even faster inserts (milliseconds) for small sets of insights.</p>
    <div>
      <h2>Investigating our API timeouts</h2>
      <a href="#investigating-our-api-timeouts">
        
      </a>
    </div>
    <p>We noticed several strange behaviours in our internal API as we tried to scale:</p><ul><li><p>A large number of requests were triggering client-side timeouts</p></li><li><p>Many checkers were spending 20-90% of their processing time on a single API call</p></li><li><p>When triggering a large volume of scans, our throughput would start high and deteriorate</p></li></ul><p>All of these problems had the same root cause: <b>latency</b>.</p><p>Our primary database is located in Portland, Oregon. Our API, however, was running active-active in both Portland and Amsterdam. Even at the speed of light, the round-trip latency between Portland and Amsterdam would be 50 milliseconds.</p><p>As a result of this latency, database queries from the Amsterdam API instance took much longer, holding connections from our client-side connection pool open. With the large volume of requests that we were making to the API, the connection pool was quickly becoming exhausted, leading to timeouts waiting for a free connection. Our average API call completed in 10 ms in Portland, but almost 3 seconds in Amsterdam!</p><p>But why the drop in message throughput? Each checker process gets assigned a set of partitions of the Kafka stream to consume. Our API is load-balanced. Since we hold the connection open throughout the life of the process, some processes had a connection to the Amsterdam API, and others had a connection to the Portland API. The partitions linked to Portland were processed quickly, but the ones consumed by the Amsterdam-bound processes were lagging behind:</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4BDdHHlIGPZBTjFRR85tNk/f484c397ed3708395affb6c9f1d68294/BLOG-3307_image7.png" />
          </figure><p><sup><i>Kafka lag (number of messages waiting to be processed within a single consumer group) by partition for one of our checkers. Note that we have 30 partitions in this case. Exactly 15 partitions can be seen lagging behind (the lines that reach or approach zero later than around 03/10 03:00). This is because the load balancer splits traffic evenly between our API endpoints.</i></sup></p><p>This was a simple fix: we switched our API to <a href="https://developers.cloudflare.com/load-balancing/load-balancers/common-configurations/#active---passive-failover"><u>active-passive</u></a>, ensuring the active API followed our primary database. Our latency problems disappeared overnight.</p>
    <div>
      <h2>Rethinking the scheduler</h2>
      <a href="#rethinking-the-scheduler">
        
      </a>
    </div>
    <p>We’d scaled Kafka. We’d optimised our database queries. We’d fixed our API. However, we still had a problem: we needed to be sure our scans would be roughly uniformly distributed in time. It wasn’t feasible to queue all of our scans at the same time, as our Kafka topic uses a time-based retention policy: the scans would pile up in Kafka, and eventually be deleted before they could be processed.</p><p>Our scheduler was not good at uniformly distributing our scans. The number of scans that would be triggered at a given time was spiky and unpredictable. At certain points throughout the week, hundreds of thousands of scans would be triggered within minutes of each other. What was going on?</p><p>The scheduler triggers scans on fixed recurring periods. In pseudocode, the scheduler looked like this:</p>
            <pre><code>Loop forever:
    Find accounts where last_scheduled_at + scanning frequency &lt;= now
    For each account:
        Trigger scan for account
        Trigger scan for all zones in the account
        Update last_scheduled_at = now</code></pre>
            <p>We quickly noticed that last_scheduled_at was similar for a large number of accounts in our database, which was responsible for some of this unevenness.</p><p>However, even with perfectly even distribution, increasing our scanning frequency would have compounded this problem. For example, changing the scanning frequency from every 15 days to every seven days would mean 53% of accounts would suddenly be due for a scan.</p><p>There was a further problem with this logic. Some accounts have a very large number of zones. When these accounts were scheduled, there was a cascade of scans for all of their zones. This was saturating our Kafka partitions and leading to delays for scans of much smaller accounts.</p><p>To fix these problems, we made three key changes:</p><ul><li><p>Schedule zones independently of accounts: each zone gets its own last_scheduled_at field.</p></li><li><p>Randomize the last_scheduled_at time for existing accounts and zones.</p></li><li><p>Introduce adaptive rate limiting for scan scheduling.</p></li></ul><p>Scheduling zones independently was an obvious way to solve the problem of large accounts. Randomizing the last_scheduled_at time (and ensuring that no scans were delayed during this process) allowed us to fix the existing unevenness in our database.</p><p>Adaptive rate limiting is slightly more interesting. Rate limiting would allow us to solve the problem of a spike in scans when we change scanning frequencies. For example, if we wanted to increase our scanning frequency to every 7 days, and we had 50 million accounts, then a rate limit of ~83 scans/second would ensure that they were spread out evenly across 7 days.</p><p>But what if we added 10 million more accounts? Then, this rate limit would force us to take <i>8 days </i>to scan all of these accounts. This is where the <i>adaptive</i> part comes in: the rate limit is asynchronously recalculated every half-hour based on the total number of accounts and zones we have, and our scanning frequencies. This ensures we continue scanning on time even if we onboard thousands or millions more accounts and zones.</p>
            <pre><code>func computeRate(free, pro, biz, ent int64) rate.Limit {
   r := float64(free)/freeScanInterval.Seconds() +
      float64(pro)/proScanInterval.Seconds() +
      float64(biz)/bizScanInterval.Seconds() +
      float64(ent)/entScanInterval.Seconds()


   // Guard against zero counts. We always want to schedule at least one scan per second.
   if r &lt; 1 {
      r = 1
   }


   // Increase rate limit beyond the 'perfect' value, to have a buffer in case of any downtime
   // or spikes in load.
   r *= rateLimitBufferFactor


   return rate.Limit(r)
}</code></pre>
            
    <div>
      <h2>Where we stand today</h2>
      <a href="#where-we-stand-today">
        
      </a>
    </div>
    
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3oPTkpvD7RduPU29VMMdyw/bdbe895a975b7c8184d6031fabe153ed/BLOG-3307_image8.png" />
          </figure><p><sup><i>With these fixes, our 7-day moving average throughput per checker over time rose by more than 10x.</i></sup></p><p>Before these improvements, we were executing around 10 scans per second. The gap between this and our target throughput of 100 scans per second seemed vast. We discussed throwing more resources at the problem, throwing more partitions at our Kafka topic – even throwing out our entire architecture.</p><p>But our fixes made all the difference. Today, Security Insights sustains over 120 scans per second during peak scheduling, exceeding our 10x improvement goal. Our internal API is no longer timing out, and our Kafka lag metrics look much healthier. These scalability improvements have allowed us to turn on automatic scanning for <i>all</i> free accounts and zones and increase the scanning frequency for all customers:</p><ul><li><p>Free: every 7 days</p></li><li><p>Pro and Business: every 3 days</p></li><li><p>Enterprise: daily</p></li></ul><p>The improved system stability has given us confidence to build new features that we were previously constrained from creating. We’ve added the ability to perform granular on-demand scans. You can now manually re-scan a Cloudflare account, zone, insight, or insight type.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6ZRp56v6QZiTEnNtf6d1Am/27a58f22fb2db0c482664076638386cc/BLOG-3307_image3.png" />
          </figure><p><sup><i>Starting a granular on-demand scan from the </i></sup><a href="https://blog.cloudflare.com/security-overview-dashboard/"><sup><i><u>Security Overview page</u></i></sup></a><sup><i> in the Cloudflare dashboard</i></sup></p><p>The lesson we learned is that it’s crucial to deeply understand the existing system before throwing anything away. By looking closely at our code, SQL queries, logs, and metrics (<i>especially </i>metrics!), we were able to increase our capacity without simply adding more pods or partitions. By questioning our assumptions, digging into weird-looking metrics, and refusing to take the easy shortcuts (such as increasing API client-side timeouts), we built a more stable and resilient system.</p><p>Throwing more resources at the problem might <i>sometimes</i> be the answer, but at Cloudflare, we believe in engineering our way out of problems.</p><p>Security Insights scans are enabled by default on all Cloudflare plans. Log in to the <a href="https://dash.cloudflare.com/?to=/:account/security-center"><u>Cloudflare dashboard</u></a> today to review and manage your security insights.</p> ]]></content:encoded>
            <category><![CDATA[Application Security]]></category>
            <category><![CDATA[Security Posture Management]]></category>
            <category><![CDATA[Engineering]]></category>
            <category><![CDATA[Postgres]]></category>
            <category><![CDATA[Kafka]]></category>
            <guid isPermaLink="false">2K9aPHKPuXNJBQtPo0ylUi</guid>
            <dc:creator>Dave Baxter</dc:creator>
        </item>
        <item>
            <title><![CDATA[Route public traffic to private applications with Cloudflare]]></title>
            <link>https://blog.cloudflare.com/private-origins-dns-routing/</link>
            <pubDate>Wed, 10 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Application Services for Private Origins is available now in closed beta. Route public hostnames to private IP origins over your existing IPsec, GRE, CNI, or Cloudflare Mesh paths. No public IPs or extra connector software required. ]]></description>
            <content:encoded><![CDATA[ <p>For most of the Internet’s history, public and private infrastructure operated as separate worlds. Public applications lived behind content delivery networks (CDNs) and web application firewalls (WAFs). Private applications lived behind virtual private networks (VPNs), firewalls, and separate operational stacks. We think that distinction is becoming obsolete.</p><p>Many of the applications organizations care about are not public websites. They are internal APIs, AI agent backends, MCP servers, operational tools, and services that were never designed to be exposed to the public Internet. Yet these applications still need modern security, performance, and programmability services. Security should be a property of the traffic reaching an application, not an accident of where the application happens to sit.</p><p>Until now, applying those services to private applications often required public IPs, firewall exceptions, connector software, or complex networking. As a result, many private applications missed out on capabilities such as WAF, bot management, rate limiting, caching, traffic acceleration, rewrites, and Workers, despite needing the same protections and controls as public-facing applications.</p><p><b>Today, we're launching Application Services for Private Origins in closed beta for eligible Enterprise customers.</b> Customers can now securely route traffic to private origins without exposing those origins to the public Internet. This allows Cloudflare's security, performance, and programmability services to protect applications running on private networks, just as they do for public Internet applications.</p><p>WAF rules, bot management, rate limiting, caching, rewrites, and Workers can now sit in front of private origins without requiring public IP exposure, inbound firewall rules, or <code>cloudflared</code> running on the origin.</p>
    <div>
      <h3>Four use cases, one application layer</h3>
      <a href="#four-use-cases-one-application-layer">
        
      </a>
    </div>
    <p>This routing model builds on connectivity patterns Cloudflare already supports today through <a href="https://developers.cloudflare.com/tunnel/"><u>Cloudflare Tunnel</u></a>, <a href="https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/"><u>Cloudflare One Client</u></a>, and private network integrations. For years, Cloudflare Tunnel has allowed customers to route public traffic to private applications through <code>cloudflared</code>. This new capability extends the same model to existing <a href="https://developers.cloudflare.com/cloudflare-wan/"><u>Cloudflare WAN</u></a> or <a href="https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/"><u>Cloudflare Mesh connectivity</u></a> without requiring connector software running on the origin.</p><p>Much of that connectivity is orchestrated through <a href="https://blog.cloudflare.com/mesh/#integrated-with-the-developer-platform-with-workers-vpc"><u>Cloudflare’s private networking</u></a> routing layer that determines how traffic reaches private destinations across Cloudflare Tunnels, <a href="https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/"><u>Virtual Networks</u></a>, Cloudflare Mesh, and other connectivity models. Customers can define their routing behavior through APIs and the dashboard instead of managing separate networking stacks for each product.  </p><p>We have extended Cloudflare’s private networking layer directly into the application services stack, allowing security and performance proxy infrastructure to treat private IPs as valid origin targets for public hostnames. As a result, the same private IPs previously reachable only through Cloudflare Tunnel, Cloudflare One, Cloudflare Mesh, or Cloudflare WAN can now sit behind Cloudflare’s security, performance, and programmability services the same way public origins already do.</p><p>This also creates a more unified model across Cloudflare products. <a href="https://developers.cloudflare.com/workers-vpc/"><u>Workers VPC</u></a> bindings and <a href="https://developers.cloudflare.com/spectrum/"><u>Spectrum</u></a> private origin routing now rely on the same underlying private connectivity layer, giving customers a single source of truth for controlling how private traffic moves through their Cloudflare environment.</p><p>Application traffic now falls into four combinations based on where users come from and where applications live: </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3dPNpYW2ByViLaO237MJf/c535f739bb0949b908d529bf62e9ad54/1-connectivity-models_2x__4_.png" />
          </figure><p>The combination on the upper right is what Cloudflare has always done: users on the Internet reach applications on the Internet, with Cloudflare in the middle. The bottom right is <a href="https://www.cloudflare.com/cloudflare-one/"><u>Cloudflare One</u></a>: users on private networks reach public services securely. </p><p>The upper left is what we are shipping today. The bottom left, private-to-private, is what we are building toward next.</p>
    <div>
      <h3>What is shipping today</h3>
      <a href="#what-is-shipping-today">
        
      </a>
    </div>
    <p>Until now, getting public traffic to a private origin often meant making tradeoffs. Customers could use <a href="https://developers.cloudflare.com/tunnel/"><u>Cloudflare Tunnel</u></a>, which runs <a href="https://developers.cloudflare.com/tunnel/downloads/"><u>cloudflared</u></a>, our connector software, on or near the origin, or <a href="https://developers.cloudflare.com/load-balancing/"><u>Cloudflare Load Balancing</u></a> with private origin pools for health checks and failover. In many cases, organizations also maintained parallel infrastructure such as public-facing load balancers, reverse proxies, mTLS between hops, and TLS termination across multiple layers. As a result, applying Cloudflare's full Application Services stack to private applications often required additional complexity, operational overhead, or separate products. Application Services for Private Origins removes those tradeoffs.</p><p>What was missing was a path for customers who already operate Cloudflare WAN (<a href="https://www.cloudflare.com/learning/network-layer/what-is-ipsec/"><u>IPsec tunnels</u></a>, <a href="https://www.cloudflare.com/learning/network-layer/what-is-gre-tunneling/"><u>GRE tunnels</u></a>, <a href="https://developers.cloudflare.com/network-interconnect/"><u>CNI links</u></a>) or <a href="https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/"><u>Cloudflare Mesh</u></a>. They had built private connectivity into Cloudflare for site-to-site networking and <a href="https://www.cloudflare.com/zero-trust/"><u>Zero Trust</u></a>, and they wanted to use that same connectivity for public traffic to private origins. That is what Application Services for Private Origins delivers.</p><p>When you toggle <b>Use private network routing</b> on a proxied A or AAAA record, Cloudflare's WAF, rate limiting, caching, bot management, and transform rules all run as normal on Cloudflare’s network. The only difference is the final hop: instead of reaching the origin over the public Internet, Cloudflare routes the connection through your existing private network connectivity.</p><p>The toggle is enabled automatically for RFC 1918 private IPv4 ranges (10.x.x.x, 172.16.x.x–172.31.x.x, and 192.168.x.x), RFC 6598 CGNAT ranges (100.64.x.x–100.127.x.x), and RFC 4193 Unique Local IPv6 Addresses (FC00::/7), since these addresses are only reachable within private networks. For public IP addresses that are reachable only through your private network or tunnel, you can enable the toggle manually. </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4yZlMA8F2YNCAzBdKA92Et/c2cd3b984347e54c259795cc9432efb4/dash-blog-screen.png" />
          </figure>
    <div>
      <h3>What the API looks like</h3>
      <a href="#what-the-api-looks-like">
        
      </a>
    </div>
    <p>For customers automating deployments through the API, private routing is simply an additional attribute on a standard DNS record.</p>
            <pre><code>POST /zones/{zone_id}/dns_records
{
 "type": "A",
 "name": "app.example.com",
 "content": "10.0.0.50",
 "ttl": 300,
 "proxied": true,
 "use_private_routing": true
}</code></pre>
            <p>Behind the scenes, Cloudflare's proxy platform determines where to send traffic for <code>app.example.com</code> by querying Cloudflare's Origin API. The response includes metadata indicating that the destination should be reached through a private network path:</p>
            <pre><code>{
 "zone_name": "example.com",
 "ipv4_addresses": ["10.0.0.50"],
 "use_private_routing": true
}</code></pre>
            <p>The <code>use_private_routing</code> flag is the key signal. When our proxy sees it, instead of attempting to connect directly to the private IP address over the public Internet, it hands the request to our private networking layer, which then routes the connection across the customer's existing private network connectivity, whether that's IPsec, GRE, Cloudflare Tunnel, CNI, or Cloudflare Mesh.</p>
    <div>
      <h3>Beyond HTTP: Spectrum and Workers VPC</h3>
      <a href="#beyond-http-spectrum-and-workers-vpc">
        
      </a>
    </div>
    <p>The same routing model now extends beyond HTTP applications. The origin does not have to be a web server. It can be a TCP database, a UDP logging endpoint, or a private API that Workers call directly. The common thread is that Cloudflare sits between your traffic and your private network, applying the same security, performance, and routing layer regardless of protocol or where the request originated.</p><p><a href="https://developers.cloudflare.com/spectrum/"><b><u>Spectrum</u></b></a>, Cloudflare's Layer 4 proxy, can now sit in front of TCP and UDP services running on private IPs. Instead of creating a load balancer pool as an intermediary, Spectrum applications can specify a <code>virtual_network_id</code> directly on the origin configuration. When you create a Spectrum application, you can include the virtual network ID alongside your private origin IP:</p>
            <pre><code>{
 "protocol": "tcp/22",
 "dns": {
   "type": "CNAME",
   "name": "ssh.example.com"
 },
 "origin_direct": ["tcp://10.0.0.50:22"],
 "virtual_network_id": "fab9ac85-491b-44c8-b7ae-dd44d4f4672e"
}</code></pre>
            <p>When you create or update a Spectrum application with a private origin and virtual network, Cloudflare verifies that the IP address matches a route in your Cloudflare Tunnel before the configuration is saved. If no matching route exists, the API rejects the request and the application is not created. Once saved, Spectrum hands the connection to your <a href="https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/"><u>virtual network</u></a>, which routes it through the associated tunnel, via the same path that HTTP traffic uses when you enable private network routing on a DNS record. In this initial release, Spectrum private origins are supported through Cloudflare Tunnel. Support for additional private network connectivity options will follow in future releases.</p><p>This means you can now put Spectrum in front of any TCP/UDP service running on a private IP. The service stays private. No public IP, connector software, or load balancer required.</p><p><a href="https://developers.cloudflare.com/workers-vpc/"><b><u>Workers VPC</u></b></a> closes the loop for code running on Cloudflare. A binding tells the Workers runtime to route through the same private path as DNS records. Browsers, mobile apps, Workers, and AI agents all reach your private origins through Cloudflare: DNS records for Internet traffic, bindings for Workers.</p>
    <div>
      <h3>What comes next</h3>
      <a href="#what-comes-next">
        
      </a>
    </div>
    <p>Public-to-private routing is in closed beta today, and we are targeting GA (General Availability) in Q4 2026.</p><p>Beyond GA, we are building toward private-to-private traffic flows: users, services, and AI agents on private networks securely reaching applications on other private networks, with Cloudflare’s application services sitting in the middle.</p><p>We are moving toward a model where the same Cloudflare infrastructure can secure traffic regardless of whether the user or the origin is public.</p><p>The end state is a world where an employee on Cloudflare One Client accessing <code>wiki.company.internal</code> gets the same WAF, rate limiting, and bot management protections as a customer accessing a public API. An AI agent consuming a proprietary internal API runs through the same security stack as a browser. Service-to-service traffic across clouds and data centers gets the same controls as Internet traffic, even when neither the user nor the server sits on the public Internet.</p>
    <div>
      <h3>Get started today</h3>
      <a href="#get-started-today">
        
      </a>
    </div>
    <p>Routing to private origins is available today in closed beta for eligible Enterprise customers. Reach out to your Cloudflare account team to request access. Once enabled, follow our <a href="https://developers.cloudflare.com/dns/private-origins/"><u>developer documentation</u></a>, which walks through the full setup. You will need <a href="https://developers.cloudflare.com/cloudflare-one/networks/connectivity-options/"><u>Cloudflare One connectivity</u></a> (IPsec, GRE, CNI, or Cloudflare Mesh) and a return route for Cloudflare’s source IP range <code>100.64.0.0/12</code> in your private network.</p><p>Questions or feedback? Join the conversation in our <a href="https://community.cloudflare.com/"><u>community forums</u></a> or reach out to your account team.</p> ]]></content:encoded>
            <category><![CDATA[Application Services]]></category>
            <category><![CDATA[Private Network]]></category>
            <category><![CDATA[DNS]]></category>
            <category><![CDATA[Pingora]]></category>
            <category><![CDATA[Cloudflare One]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Product News]]></category>
            <guid isPermaLink="false">7it4N1iImLVhf4Mt9YilGH</guid>
            <dc:creator>Enrique Somoza</dc:creator>
            <dc:creator>Steve Welham</dc:creator>
            <dc:creator>Shruti Mittal</dc:creator>
        </item>
        <item>
            <title><![CDATA[Defend against frontier cyber models: Cloudflare's architecture as customer zero]]></title>
            <link>https://blog.cloudflare.com/frontier-model-defense/</link>
            <pubDate>Tue, 09 Jun 2026 06:00:00 GMT</pubDate>
            <description><![CDATA[ In our post about Project Glasswing, we made the argument that the architecture around a vulnerability matters more than the speed of the patch. Here we walk through what that architecture looks like, the threats it defends against, and how we run it ourselves as Cloudflare's customer zero. ]]></description>
            <content:encoded><![CDATA[ <p></p><p></p><p>A few weeks ago, we <a href="https://blog.cloudflare.com/cyber-frontier-models/"><u>wrote about Project Glasswing</u></a> and what we observed when we pointed cyber frontier models at our own code. Since then, we’ve seen that the part of the post that has resonated most deeply is the argument that the architecture around the vulnerability matters more than the speed of the patch.</p><p>In the conversations we've had with CISOs and security teams since, the questions have been consistent: what does our architecture actually look like, what should we monitor for, where do we start, and how can Cloudflare help?</p><p>Before getting into the details: the architecture below is built almost entirely from Cloudflare's own products, because Cloudflare security is <a href="https://blog.cloudflare.com/tag/customer-zero/"><u>customer zero</u></a> for the security products we build. The Cloudflare stack already exists in front of our code, employees, and customer-facing applications. If you're a Cloudflare customer, every layer below is available to you today. If you're not, the principles still apply to whatever stack you've built.</p>
    <div>
      <h2>What a cyber frontier model actually changes</h2>
      <a href="#what-a-cyber-frontier-model-actually-changes">
        
      </a>
    </div>
    <p>In the <a href="https://blog.cloudflare.com/cyber-frontier-models/"><u>previous post</u></a>, we showed how a cyber frontier model like Mythos changes the attacker’s timeline. It can find vulnerabilities, reason through exploit chains, and generate working proofs faster than earlier models. While models like Mythos do not change the shape of an intrusion — reconnaissance, initial access, lateral movement, persistence, and exfiltration still have to happen — the difference is in the speed and scale. When pointed at the open web, a model can find and hit low-hanging fruit quickly. Against a hardened target, it still has to probe, and adapt, and it often produces more noise than a careful human operator would.</p><p>Discovery, exploit chain construction, and proof-of-concept generation used to be the gating constraints on producing a working attack. A frontier model handles all three in a fraction of the time. Work that used to be slow and methodical is now fast and indiscriminate.</p><p>While AI is accelerating how fast developer teams at Cloudflare and many other companies can ship code, the security team’s work has not compressed the same way. An attacker only needs one opening to get in, while security teams need to find and close them all. Writing a fix, regressing it, and shipping it without breaking the code around it has constraints that AI doesn't remove. We learned this the hard way when we let an AI coding assistant write its own patches against our own bugs, as we described at the end of the previous <a href="https://blog.cloudflare.com/cyber-frontier-models/"><u>post</u></a>. Some of those patches fixed the original bug while quietly breaking something else the code depended on.</p><p>As these models become more competent and capable, our main focus from a threat standpoint comes down to three things. Each one shapes the architecture we walk through in the rest of this post.</p><ul><li><p>The first is the <b>speed of discovery.</b> Frontier models make it easier to search large bodies of public code, including the open-source libraries that many companies depend on. That does not mean every bug in a library is exploitable, or that library bugs are where most vulnerabilities live. Exploitability still depends on how the code is used, whether attacker-controlled input can reach the vulnerable path, and the protections that sit around it. But widely used open-source libraries and frameworks give attackers a shared surface to study at scale. When a real, reachable vulnerability exists there, a model can help find it, reason about possible exploit paths, and generate proof-of-concept variants faster than maintainers and defenders can review every downstream use. The gap between when an attacker discovers a vulnerability and when defenders learn it exists is what worries us most. If you are not running these models against your own code, it is safe to assume someone else is.</p></li><li><p>The second is <b>exploit</b> <b>volume and adaptation.</b> A model can produce thousands of variations of a single exploit and run reconnaissance at the same scale. All that volume gives an attacker an advantage, but it won’t necessarily get them past signature-based detections. Many of those iterations will have the same underlying signature, so a rule that catches the first one will catch the rest. Adaptation is how they will get past signature-based detections. Ask a model to show you a SQL injection, and it will return a textbook example. Tell it there is a WAF in the way, and it will start probing, learning what gets blocked, and rewriting the payload until it can slip past the rule blocking it. </p></li><li><p>The third is <b>the impact when a vulnerability is inevitably exploited. </b>No architecture catches everything. After the vulnerability is exploited, the question we ask ourselves is: where can the attacker get to with one identity, one path, or one credential, before something else stops them? If the answer is "anywhere they want," the vulnerability was never the problem. The architecture around the vulnerability was.</p></li></ul>
    <div>
      <h2>Cloudflare’s superpower: visibility</h2>
      <a href="#cloudflares-superpower-visibility">
        
      </a>
    </div>
    <p>We see roughly a fifth of the web and that tells us, in real time, which payloads are mutating, which patterns are picking up, and where attacker tooling is moving next. Two teams turn that visibility into defense.</p><p>First is <a href="https://www.cloudflare.com/cloudforce-one/"><b><u>Cloudforce One</u></b></a>, our threat intelligence, research, and operations team, which sits within the Cloudflare security organization. They turn what we see across the network into insights the rest of the stack can act on: tracked adversaries, emerging campaigns, and indicators of compromise (IOCs). The hard part of this work was never knowing what is malicious — it was the delay in mitigation. Knowledge of a new threat normally has to travel from a threat report, into a feed, and then into a company’s defense before it can be used to block anything. Attackers have learned to move faster than that. Our network closes that gap: Cloudflare customers can now use Cloudforce One threat intelligence <a href="https://blog.cloudflare.com/realtime-threat-intel-waf-rules/"><u>directly within the WAF</u></a> to block high-risk traffic.</p><p>Second is the team that owns the WAF engine that does the actual detecting: the managed rulesets that run in front of our own properties and are available to every Cloudflare customer, the machine learning behind <a href="https://developers.cloudflare.com/waf/about/waf-attack-score/"><u>WAF Attack Score</u></a>, and the relationships that sometimes let us ship a rule before a CVE is publicly disclosed. The team is globally distributed and moves fast, releasing rules within hours of a proof-of-concept of an attack becoming known. Once a detection is deployed, it reaches our entire network, along with every Cloudflare customer, in under 30 seconds. <a href="https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/"><u>React2Shell</u></a> is a recent example: a managed WAF rule <a href="https://blog.cloudflare.com/waf-rules-react-vulnerability/"><u>was protecting our own properties, and everyone else's on Cloudflare</u></a>, hours before the official advisory was published.</p><p>The scoring layer, the defenses we put in front of the application, and the containment around the vulnerability all build on what these two teams see. </p>
    <div>
      <h2>Scores over signatures</h2>
      <a href="#scores-over-signatures">
        
      </a>
    </div>
    <p>Signature-based defenses were built for a world where novel exploits were scarce and variations took weeks. Cloudflare's traditional SLA from a fresh proof-of-concept to a live, deployed rule has been 12 hours. With the advent of frontier models, this is not good enough anymore. Detections need to be in place <a href="https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/"><u>before a CVE is discovered</u></a>. This is why we layer ML-based detection in front of the traditional signature-based WAF.</p><p>The model is trained on a large body of past attack traffic, and it catches new variants of vulnerabilities before they're publicly known. A novel <a href="https://www.cloudflare.com/learning/security/threats/sql-injection/"><u>SQL injection</u></a> or remote code execution chain is almost always a rearrangement of attack shapes the model has seen before, even when the specific exploit is brand new. We run the model on every request and assign a WAF Attack Score between 1 and 99, based on how closely the request resembles those underlying shapes, not against a list of known-bad signatures. The lower the score, the more aggressively we treat the request. That score determines whether we let the request through. We apply a similar scoring methodology to AI prompts with <a href="https://developers.cloudflare.com/waf/detections/ai-security-for-apps/"><u>AI Security for Apps</u></a>: rather than check each prompt against a list of known malicious prompts, we score how closely a prompt resembles an actual attack. </p>
    <div>
      <h2>The architecture around the vulnerability</h2>
      <a href="#the-architecture-around-the-vulnerability">
        
      </a>
    </div>
    <p>Those capabilities only matter once they're stacked in front of an application, and the first layer in our defense-in-depth approach is the <a href="https://www.cloudflare.com/en-gb/application-services/products/waf/"><b><u>WAF</u></b></a>. Anything that matches a known-bad pattern gets dropped before it reaches the application, which clears the bulk of the obvious traffic and lets the more specialized layers below focus on what's left.

On the API surface, we run a positive security model through <a href="https://www.cloudflare.com/en-gb/application-services/products/api-shield/"><b><u>API Shield</u></b></a>. Instead of trying to anticipate every bad request, we describe what a valid request to each API looks like, either from the API's own definition or learned from our real traffic, and anything that doesn't fit doesn't get through. This neutralizes the advantage of frontier AI models: because we only permit validated traffic, generating thousands of new attack variations fails to bypass the system.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5KSSyocxKzsJsOfG4pxOM7/059a597af1b67a3d5a5ccdeda5ab7ca1/image2.png" />
          </figure><p><sup><i>Cloudflare’s layered architecture</i></sup></p><p><a href="https://www.cloudflare.com/learning/bots/what-is-bot-management/"><b><u>Bot Management</u></b></a> catches probing traffic on our network before frontier models can build a map. It scores every request on how likely it is to be automated, using the same signals across our whole network: how the client behaves, whether it looks like a real browser, and whether the connection matches a known-bad pattern. An attack only lands if it can find a soft spot. </p><p><a href="https://www.cloudflare.com/sase/products/access/"><b><u>Zero Trust Network Access</u></b></a> is used for every internal application. The implicit trust of being inside the network is replaced with explicit per-request identity and policy for every employee accessing every tool. The value of this was clear when one of our engineers shipped a misconfigured tool. A flat network would have exposed everything on the same segment, but in our deployment, the exposure stopped at the tool itself. We built <a href="https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/require-access-protection/"><b><u>Require Access Protection</u></b></a> afterwards so newly deployed or misconfigured applications can't be reachable before an access policy is in place.</p><p><a href="https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/idp-federation/"><b><u>IdP Federation</u></b></a> makes that secure by default posture easier to keep consistent across every Cloudflare account — which becomes even more necessary when more people are shipping internal tools quickly. Instead of asking each team to wire up SSO separately, we configure our identity provider (IdP) once and share it across the organization. New accounts get SSO automatically, recipient-side IdP connections are read-only, and Access policies in each account still evaluate the resulting identity as part of the normal request flow. </p><p><a href="https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/"><b><u>MCP Server Portal</u></b></a> gives teams a controlled way to connect AI agents to enterprise systems. Agents access MCP servers that are centrally managed through a single portal, with every action logged. That way when an agent acts on someone's behalf, we know what it did, what it touched, and whether it should have been allowed to. The full picture of how we built it is in our post on <a href="https://blog.cloudflare.com/enterprise-mcp/"><u>enterprise MCP</u></a>.</p><p><a href="https://www.cloudflare.com/developer-platform/products/ai-gateway/"><b><u>AI Gateway</u></b></a> runs in front of our internal AI tools the same way <a href="https://developers.cloudflare.com/waf/detections/ai-security-for-apps/"><u>AI Security for Apps</u></a> runs in front of customer-facing AI features, with the same scoring and the same visibility. Inside the company, the visibility piece is more useful than the blocking, because we needed to see what engineers were actually building before we could write meaningful policy on it.</p>
    <div>
      <h2>Where your teams can start </h2>
      <a href="#where-your-teams-can-start">
        
      </a>
    </div>
    <p>Frontier models can help attackers find vulnerabilities, adapt payloads, and move faster, but they still have to pass through the layered defense you deploy in front of your application. That is where teams should start:</p><ul><li><p>Put inspection in front of public applications.</p></li><li><p>Define what valid API traffic looks like.</p></li><li><p>Use bot detection to limit automated probing.</p></li><li><p>Require identity and access policy before any internal tool is reachable.</p></li></ul><p>For AI and agentic systems:</p><ul><li><p>Route model traffic through a gateway.</p></li><li><p>Keep agents connected through approved MCP servers.</p></li><li><p>Log what they do. </p></li></ul><p>The goal is to make sure that when one layer misses, the next layer limits what the attacker can see, reach, or change.</p><p>That is the point of the architecture around the vulnerability: to limit the scope of an attack. The vulnerability may be what starts the attack, but the architecture determines how far it can go.</p>
    <div>
      <h2>How do we know this approach works?</h2>
      <a href="#how-do-we-know-this-approach-works">
        
      </a>
    </div>
    <p>Plenty of security stacks look impenetrable on a whiteboard but fall over in practice. That is why we test ours continuously, both at the perimeter and inside our environment, with our red team involved across both.</p><p><b>At the perimeter</b>, frontier models are one tool we use to test our application security stack as an adaptive attacker. These models sit alongside the rest of our red team and detection workflows including: manual testing, threat intelligence, observed traffic patterns, proof-of-concept analysis, and signals from our own network. Together, those inputs help us decide where to aim testing: newly launched products, recently changed surfaces, and the paths an attacker is most likely to probe first. The most important part is the process that follows. When something gets through, we identify the gap, use the right mix of tools to understand it, write the rule or mitigation, ship the update, and test again to make sure the gap is closed.</p><p><b>Inside the environment,</b> our red team starts from the assumption that the perimeter has already failed. They look at what has changed, where sensitive systems carry risk, and whether one compromised identity, path, or credential can reach farther than it should. When we change the architecture based on what they find, they run the scenario again against the new version to confirm the gap is actually closed.</p><p>We confirm that this architecture is working by continuously testing its behavior during failures, rather than relying on the perfection of individual layers.</p><p>If your team is working on the same problems and would like to compare notes, reach out to us at <a href="#"><u>security-ai-research@cloudflare.com</u></a>.</p> ]]></content:encoded>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Threat Intelligence]]></category>
            <category><![CDATA[Risk Management]]></category>
            <category><![CDATA[Customer Zero]]></category>
            <category><![CDATA[WAF]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Cloudforce One]]></category>
            <category><![CDATA[Bot Management]]></category>
            <guid isPermaLink="false">5Jw5AkmauDqCVgDeCs0mBa</guid>
            <dc:creator>Rohit Chenna Reddy</dc:creator>
            <dc:creator>Chase Catelli</dc:creator>
            <dc:creator>Dan Jones</dc:creator>
        </item>
        <item>
            <title><![CDATA[Turning Cloudflare’s threat indicators into real-time WAF rules]]></title>
            <link>https://blog.cloudflare.com/realtime-threat-intel-waf-rules/</link>
            <pubDate>Mon, 08 Jun 2026 13:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare customers can now use Cloudforce One threat intelligence directly within the WAF to block high-risk traffic. By using new cf.intel fields, security teams can automate protection against specific threat actors and targeted industries in real time. ]]></description>
            <content:encoded><![CDATA[ <p>Cloudflare’s <a href="https://blog.cloudflare.com/threat-events-platform/"><u>Threat Events</u></a> provides security analysts with a window into the global threat landscape. The platform <a href="https://developers.cloudflare.com/api/node/resources/cloudforce_one/subresources/threat_events/"><u>offers a peek</u></a> into the immense traffic that Cloudflare processes every day, so you can see in real time which IPs are attacking specific industries or which threat actors are trending globally. However, translating that visibility into active mitigation has often been a manual, reactive process.</p><p>Security teams have faced a recurring frustration: knowing that certain IP addresses were associated with specific threat actors (like <a href="https://www.cloudflare.com/en-gb/threat-intelligence/research/report/tycoon-2fa-takedown/"><b><u>Tycoon 2FA</u></b></a> or <a href="https://www.cloudflare.com/en-gb/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/"><b><u>RaccoonO365</u></b></a>) or had been seen targeting their specific industry in other regions, but they couldn't easily automate the blocking of these high-risk IPs within their own WAF unless they manually configured the rules. </p><p>We are excited to announce a new integration that brings Cloudflare’s vast threat intelligence directly into your WAF engine: <b>you can now write proactive rules using live intelligence data</b>. This means you can add more intelligence context to protect your application against known bad actors — before they even attempt to touch your infrastructure.</p><p>By populating specialized fields during the early stages of a request, the WAF can now screen traffic based on:</p><ul><li><p><i>Who is attacking</i> by matching specific threat actor names</p></li><li><p><i>Who they are targeting</i> via the industry or country filters to see who the IP has targeted in the past</p></li><li><p><i>What type of attack </i>using enriched threat context, filtering by attack type (DDoS, WAF, cybercrime, etc.) and the timeframe it was last seen</p></li></ul>
    <div>
      <h2>Always-on detection</h2>
      <a href="#always-on-detection">
        
      </a>
    </div>
    <p>This new capability is built on the same<a href="https://blog.cloudflare.com/attack-signature-detection/"> <u>always-on detection framework</u></a> we recently introduced for Attack Signature Detection, a system that identifies common attack patterns in real time without requiring pre-configured rules. By separating detection from mitigation, we ensure that threat intelligence is constantly running in the background, enriching your HTTP request analytics with insightful threat metadata before you even decide to take an action.</p><p>The primary advantage of an "always-on" model is the elimination of the traditional "log vs. block" trade-off: visibility in log mode, or protection in block mode. That’s because when a rule blocks a request, you lose visibility into how other signatures would have assessed it — insight that could have helped you strengthen your defenses.</p><p>If you have a <a href="https://www.cloudflare.com/en-gb/cloudforce-one/"><u>Cloudforce One subscription</u></a>, these insights appear in your analytics automatically. You can see which threat actors are hitting your site and which industries those IPs usually target, allowing you to verify traffic patterns before "flipping the switch" to block.</p><p>These detections execute with negligible latency, ensuring your performance remains lightning-fast while providing the high-confidence data needed to build robust security policies. While this initial release focuses on IP-based matching, we are already looking toward extending these capabilities to <a href="https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/"><u>JA3 fingerprints</u></a> and domain-based matching. This will allow you to block malicious traffic even when attackers rotate IPs, by identifying the unique software signatures or malicious destination links they use in their payloads.</p>
    <div>
      <h3>New WAF fields</h3>
      <a href="#new-waf-fields">
        
      </a>
    </div>
    <p>To make this possible, we've exposed the following specific signals directly to the WAF engine:</p><table><tr><td><p><b>Field</b></p></td><td><p><b>Description</b></p></td></tr><tr><td><p>cf.intel.ip.attacker_names</p></td><td><p>Names of known threat groups (e.g., <code>CRAVENFLEA</code>).</p></td></tr><tr><td><p>cf.intel.ip.target_industries</p></td><td><p>Industries targeted by this IP (e.g., <code>Cryptocurrency</code>, <code>Automotive</code>).</p></td></tr><tr><td><p>cf.intel.ip.attacker_countries</p></td><td><p>The source country of the threat event.</p></td></tr><tr><td><p>cf.intel.ip.target_countries</p></td><td><p>The countries targeted by the threat event.</p></td></tr><tr><td><p>cf.intel.ip.datasets</p></td><td><p>The source feed providing the data (e.g., <code>ddos</code>, <code>waf</code>).</p></td></tr></table>
    <div>
      <h3>Example rule expressions</h3>
      <a href="#example-rule-expressions">
        
      </a>
    </div>
    <p>Because a single IP address could be associated with multiple threat actors or targeted industries simultaneously, these fields are represented as arrays. We use the <code>any()</code> function and <code>[*]</code> wildcard to check whether any value within that threat profile matches your criteria:</p><ul><li><p><b>Block known DDoS participants targeting your region: </b><code>any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")</code></p></li><li><p><b>Protect against specific threat actors targeting the Finance sector: </b><code>any(cf.intel.ip.target_industries[*] == "Banking &amp; Financial Services") and any(cf.intel.ip.attacker_names[*] == "BLACKBASTA")</code></p></li><li><p><b>Broad protection against specific high-risk origin countries: </b><code>any(cf.intel.ip.attacker_countries[*] == "IR")</code></p></li></ul>
    <div>
      <h2>How to use Threat Events data in your workflows</h2>
      <a href="#how-to-use-threat-events-data-in-your-workflows">
        
      </a>
    </div>
    <p>Whether you prefer a UI-driven approach or <a href="https://blog.cloudflare.com/shift-left-enterprise-scale/"><u>Infrastructure as Code</u></a>, these fields are integrated into your existing workflows.</p>
    <div>
      <h3>The WAF rule builder (API &amp; Terraform)</h3>
      <a href="#the-waf-rule-builder-api-terraform">
        
      </a>
    </div>
    <p>For teams that prefer Infrastructure as Code, the new <code>cf.intel</code> fields are fully integrated into the WAF rule builder for WAF <a href="https://developers.cloudflare.com/waf/custom-rules/"><u>custom rules</u></a> and <a href="https://developers.cloudflare.com/waf/rate-limiting-rules/"><u>rate limiting</u></a>. You can write complex expressions using the same syntax you use today. Because these are standard WAF fields, they are fully supported via the Cloudflare API and Terraform, allowing you to automate threat blocking across your selected domains or even on your whole account.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1YQOp7XzNrFIHE1HSNhz6b/06d1565243b2902df5a5b294e3e80709/BLOG-3272_image3.png" />
          </figure><p><sup><i>New fields added to the WAF rule builder to allow users to choose the relevant configuration based on the Threat Events indicators. </i></sup></p>
    <div>
      <h3>Visibility in Security Analytics</h3>
      <a href="#visibility-in-security-analytics">
        
      </a>
    </div>
    <p>Deployment is only half the battle. All matches triggered by these threat intelligence fields are logged in <a href="https://developers.cloudflare.com/waf/analytics/security-analytics/"><u>Security Analytics</u></a>. You can drill down into your traffic to see exactly which rule was triggered and which specific indicator matched. These enriched logs allow for faster auditing and postmortem analysis when a rule triggers.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/eXh1MgDAROkPZpXwvAaXl/0f124fe79995f213b63f6152e9dd8050/BLOG-3272_image1.png" />
          </figure><p><sup><i>Threat event matches surface in Security Analytics, with full context and a one-click option to create a custom security rule.</i></sup></p>
    <div>
      <h3>One-click rule from the Threat Events dashboard</h3>
      <a href="#one-click-rule-from-the-threat-events-dashboard">
        
      </a>
    </div>
    <p>If you are already using the <b>Threat Intelligence Dashboard</b> to investigate trends, you don't have to copy and paste IP lists. You can create <b>Saved Views</b> based on your specific filters, such as <i>"IPs seen attacking the Financial sector in the last seven days."</i> With a single click, you can <a href="https://developers.cloudflare.com/security-center/changelog/#2026-05-27"><u>export these filters</u></a> directly into a WAF rule.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2AOxzgPOUpk5gRrL3VfEB/5160a9fe57808483770fdb1e9979e312/BLOG-3272_-2.png" />
          </figure><p><sup><i>Saved Views now allow users to easily create WAF rules to match the saved view configuration. </i></sup></p>
    <div>
      <h2>Global intelligence across our network</h2>
      <a href="#global-intelligence-across-our-network">
        
      </a>
    </div>
    <p>Visibility and ease of use are only possible if the underlying engine is fast. How do we handle millions of threat indicators without slowing down your traffic?</p><p>These threat intelligence datasets are compressed into a high-performance format and distributed to every single Cloudflare data center globally. When a request hits our network, the Cloudflare WAF performs an <code>O(1)</code> constant-time lookup against these local datasets. This ensures that whether we are checking against ten indicators or ten million, the latency overhead remains effectively zero (measured in microseconds).</p><p>Because an IP can be associated with multiple threat vectors, our engine doesn't stop at the first match. It evaluates the set of all signals associated with that IP simultaneously. This ensures that a rule looking for "Attacker = RU" AND "Target Industry = Banking" will trigger correctly by evaluating the intersection of these attributes in a single pass, providing maximum coverage against multi-vector actors without increasing computational complexity.</p>
    <div>
      <h2>Ready to get started?</h2>
      <a href="#ready-to-get-started">
        
      </a>
    </div>
    <p>This feature is available today for customers with any active <a href="https://www.cloudflare.com/en-gb/cloudforce-one/"><u>Cloudforce One subscription</u></a>:</p><ul><li><p>Cloudforce One Essentials allows customers to access the default datasets in Threat Events, search for indicators, and conduct threat-hunting investigations</p></li><li><p>Cloudforce One Advantage allows customers to access our Threat Intelligence Analyst custom insights via requests for information</p></li><li><p>Cloudforce One Elite — our most complete package — includes brand protection, a high number of requests for information, and access to all Threat Events datasets</p></li></ul><p>Ready to turn global insights into local defense? Head over to <a href="https://developers.cloudflare.com/security-center/cloudforce-one/#analyze-threat-events"><u>Threat Events</u></a> or the <a href="https://developers.cloudflare.com/firewall/cf-dashboard/"><u>WAF</u></a> section of your Cloudflare Dashboard to start building your first Threat Intel rule, or contact your account team to learn more about subscribing to Cloudforce One.</p> ]]></content:encoded>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[WAF]]></category>
            <category><![CDATA[Threat Intelligence]]></category>
            <category><![CDATA[Cloudforce One]]></category>
            <category><![CDATA[Product News]]></category>
            <guid isPermaLink="false">2rMCnbhtTEow346RobyHOh</guid>
            <dc:creator>Alexandra Moraru</dc:creator>
            <dc:creator>Harsh Saxena</dc:creator>
            <dc:creator>Georgie Yoxall</dc:creator>
            <dc:creator>Brian Seel</dc:creator>
        </item>
    </channel>
</rss>