< ciso
brief />
Tag Banner

All news with #cloudflare tag

318 articles · page 2 of 16

Cloudflare DMARC Management Generally Available

📣 Cloudflare has made DMARC Management generally available and free for customers, offering a redesigned dashboard to simplify the path to full DMARC enforcement. The tool unifies visibility into SPF, DKIM, DMARC, and BIMI, surfaces sending source IPs, and integrates Cloudflare threat intelligence for investigation. It provides automated record analysis with pass/warning/fail statuses and plain-language recommendations, plus an SPF lookup audit to reveal and resolve the 10-lookup limit. DMARC Management requires Cloudflare DNS and is enabled from Email > DMARC Management in the dashboard.
read more →

Chainguard launches Athena coalition to protect OSS

🔒 Chainguard has launched Athena, an industry coalition announced on June 16 to protect open-source software from attacks facilitated by frontier AI models. Founding members include BNY, Cisco, Cloudflare, Docker, JPMorganChase, PwC and others. Athena pools vulnerability findings into a shared platform, applies private patches and provides mitigations to members before public disclosure. The initiative aims to coordinate upstream fixes and partner with the Linux Foundation for broader incident response support.
read more →

Cloudflare expands AI infrastructure team with Ensemble hire

🚀 Today Cloudflare announced that key members of Ensemble AI are joining the company to accelerate AI infrastructure work and help developers run powerful models efficiently at scale. Ensemble AI developed methods like NdLinear and NdLinear-LoRA to preserve model structure while reducing parameters and compute, complementing quantization and vector quantization. The hire strengthens Cloudflare Workers AI and advances efforts to lower inference costs, improve GPU utilization, and enable global, serverless model deployment.
read more →

Scaling Security Scans to Serve Millions

🔍 Cloudflare’s Security Insights runs automated scans to surface risks across accounts, zones, and DNS records. They faced two problems: scans were too infrequent (up to two weeks) and many free accounts were opt-in only. To resolve this they increased scanning throughput ~10x, redesigned Kafka consumers, optimized Postgres bulk inserts, centralized API latency to follow the primary DB, and improved scheduling with per-zone timing, randomization, and adaptive rate limiting.
read more →

Cloudflare adds private origin routing for apps

🛡️ Today Cloudflare launched Application Services for Private Origins in closed beta for eligible Enterprise customers, enabling secure routing to private IP origins without exposing them to the public Internet. This lets Cloudflare’s WAF, bot management, rate limiting, Workers, and other services sit in front of private applications using existing private connectivity such as Cloudflare Tunnel, Cloudflare Mesh, or Cloudflare WAN. The feature uses a toggle on proxied DNS records or an API attribute to instruct Cloudflare’s private networking layer to route traffic to private networks, and extends Layer 4 support via Spectrum for TCP/UDP services.
read more →

Defending Applications Against Frontier Model Threats

🔒 Cloudflare describes an architectural approach to defend applications and internal systems from high-speed attacks enabled by frontier AI models. The post explains how layered controls — including WAF, ML-based scoring, API Shield, Bot Management, Zero Trust, IdP federation, MCP server controls, and AI Gateway — work together to reduce discovery, limit exploit adaptation, and contain impact. It emphasizes deploying inspection ahead of public apps, defining valid API traffic, restricting automated probing, and enforcing per-request identity for internal tools.
read more →

Cloudflare adds realtime threat intel to WAF

🛡️ Cloudflare now exposes live Threat Events signals directly to its WAF engine, enabling security teams to create proactive rules using attacker names, target industries, countries, attack types, and dataset sources. The integration enriches HTTP request metadata in real time without adding noticeable latency, supporting both UI and Infrastructure-as-Code workflows via API and Terraform. Matches are logged in Security Analytics for auditing, and Saved Views can be exported directly into WAF rules for streamlined operations.
read more →

Cloudflare AI Gateway Adds Dollar-Based Spend Limits

🛡️ Cloudflare announces spend controls in AI Gateway, plus a closed beta for identity-driven budgets and routing using Cloudflare Access and existing identity providers. The update introduces dollar-denominated budgets, real-time cost tracking, and options to block or route requests when limits are reached. Identity integration enables per-user and per-team attribution and policies to manage who can access which models and how much they may spend.
read more →

HTTP/2 header flaw enables new DoS attacks

🔍 Security researchers disclosed a flaw in default HTTP/2 configurations that enables a denial-of-service technique dubbed the "HTTP/2 Bomb." The issue abuses HPACK header compression and flow-control behavior to force excessive memory allocations and hold them, impacting servers such as nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare’s Pingora. Patches have been released for several implementations, and mitigations include disabling HTTP/2 or enforcing header count caps.
read more →

Enforce First AS to Prevent BGP Path Forgery

🔍 Recent route hijacks exploited unused ASNs and forged AS_PATHs to misdirect traffic and conceal attackers. Cloudflare analyzed incidents reported by Spamhaus and found implausible AS relationships indicating path fabrication, including forged paths that inserted Cloudflare’s ASN. The post explains how enforcing the First AS in an AS_PATH, per RFC 4271 and RFC 7606 guidance, would block such manipulations. Cloudflare also conducted safe tests against Tier 1 peers to measure First AS enforcement and observed variation in vendor and operator behavior.
read more →

Reducing Core Server Boot Time After Firmware Update

🚀 After a firmware update, Cloudflare's Gen12 core servers experienced boots stretching from minutes to hours due to repeated network boot timeouts. The team traced the issue to UEFI probing every available network boot interface sequentially and fixed it by declaring the correct boot interface early in the PXE pre-boot stage. They implemented validation, vendor collaboration, and tooling enhancements (including regex matching and a uefi-same-hex flag) to enforce persistent settings. The result cut firmware upgrade automation from nearly four hours to about three minutes and subsequent boots from ~20 minutes to under a minute.
read more →

Cloudflare’s Unified Data Platform: Town Lake

📊 Cloudflare built Town Lake, a lakehouse-style unified data analytics platform, and Skipper, an AI data agent, to make its vast telemetry and logs queryable and auditable. Town Lake combines Trino, Iceberg on R2, a metadata catalog, PII scanning, access control, and ELT tooling to provide fresh, accurate, and governed data. Skipper lets non-SQL users ask natural-language questions, produce correct SQL-backed answers, and create shareable charts and dashboards.
read more →

Cloudflare CASB Adds Claude Compliance API Support

🔒 Cloudflare has extended its Cloud Access Security Broker (CASB) to support the Claude Compliance API, enabling security and compliance teams to monitor Claude Enterprise activity directly in the Cloudflare dashboard without endpoint agents. The integration surfaces security findings for projects, attachments, chat files, messages, and provider-generated artifacts, and groups findings by category and severity. Customers can immediately convert findings into enforcement actions via Gateway policies and use existing detection and remediation workflows. Setup requires a Claude Enterprise account and Compliance API access, and the integration begins scanning and surfacing findings within minutes.
read more →

Cloudflare Integrates Claude Managed Agents with Sandboxes

🚀 Cloudflare and Anthropic have integrated Claude Managed Agents with Cloudflare Sandboxes, allowing teams to run the Claude agent loop on Anthropic while Cloudflare executes code, secures connections, and provides detailed observability. A default deployment template offers enhanced security through customizable outbound proxies, sandbox metrics and logs, SSH access, and configurable sandbox images. You can choose traditional microVMs or lightweight V8 isolates to optimize for performance and cost, and use Cloudflare Mesh or Workers VPC to connect agents to private services without exposing them to the Internet.
read more →

Cloudflare Findings on Frontier Cybersecurity LLMs

🔍 Cloudflare tested security-focused LLMs on its infrastructure and reports detailed findings from using Anthropic’s Mythos Preview as part of Project Glasswing. The model stood out for exploit chain construction and automated proof generation, producing runnable PoCs and iterating on failures. Its emergent guardrails proved inconsistent across runs and prompts, so Cloudflare built a tailored harness and additional safeguards to scale safely. The team also observed higher-quality, actionable findings compared with earlier frontier models, but noted increased noise from memory-unsafe languages and model bias.
read more →

ClickHouse query-plan contention and performance fixes

🔧 At Cloudflare we encountered severe query slowdowns after changing partitioning for a large ClickHouse table to support per-namespace retention; the migration aimed to enable tenant-specific TTLs without thousands of tables. Usual metrics (I/O, memory, rows scanned, parts read) looked normal, but flame graphs exposed heavy lock contention in query planning and costly copies of a giant parts vector. We implemented shared locks, a shared cached parts view, and a binary-search-based prune on the partition key to avoid linear scans. These patches dramatically reduced SELECT latency and were contributed upstream.
read more →

Cloudflare Rebuilds Browser Run on Containers for Scale

🚀 Cloudflare rebuilt Browser Run on its new Containers platform to boost concurrency, throughput, and reliability. Developers can now start 60 browsers per minute via the Workers binding and run up to 120 concurrently — four times the previous limit — while Quick Action response times have dropped by over 50%. The team migrated state from Workers KV to D1, introduced regional pre-warmed pools, and adopted batched Queue writes to avoid race conditions and scale to very large fleets. These changes let Cloudflare ship fixes and features faster and reduce global latency for automated browser tasks.
read more →

Resolving CUBIC congestion collapse in QUIC quiche

🔧Cloudflare engineers describe a CUBIC congestion control bug in their open-source QUIC implementation, quiche, where the congestion window (cwnd) becomes permanently pinned at its minimum after an early congestion collapse. Test harnesses that injected 30% loss during the first two seconds revealed per-RTT oscillations and frequent timeouts despite loss stopping. The root cause was an idle-period epoch adjustment ported from the Linux kernel that could advance the recovery epoch into the future; a concise near-one-line change in quiche breaks the death spiral and restores recovery.
read more →

Cloudflare Restructures Operations for the Agentic AI Era

🔧 Cloudflare announced a global workforce reduction of more than 1,100 employees as it reorganizes for the agentic AI era. Founders Matthew Prince and his co-sender emphasized transparency, notifying the entire global team directly by email and scheduling an all-hands and an earnings call to explain the change. The company characterized the move as a structural redesign to adapt to a 600% surge in internal AI usage, not a performance-based action. Departing employees will receive industry-leading severance, extended equity vesting through August 15, and U.S. healthcare support through year-end.
read more →

Copy Fail (CVE-2026-31431): Fleet Mitigation and Outcome

🔒 Cloudflare assessed and mitigated the Linux local privilege escalation named Copy Fail (CVE-2026-31431) following public disclosure on 2026-04-29. Our behavioral detections flagged the exploit chain within minutes during validation, and threat hunting across a 48-hour window found no evidence of compromise. We deployed an eBPF LSM allow-list (bpf-lsm) to block AF_ALG binds for non-allow-listed binaries, built and staged patched LTS kernels, and completed fleet protection via controlled reboots with no customer impact.
read more →