For years, the cybersecurity industry has suffered from a "data gravity" problem. Security teams are buried under billions of rows of telemetry, yet they remain starved for actionable insights.
A Threat Intelligence Platform (TIP) is a centralized security system that collects, aggregates, and organizes knowledge about known and emerging cyber threats. It serves as the essential connective tissue between raw telemetry and active defense.
The underlying architecture of Cloudflare's Threat Intelligence Platform sets it apart from other solutions. We built our Threat Intelligence Platform to eliminate the need for complex ETL (Extract, Transform, Load) pipelines by using a sharded, SQLite-backed architecture. By running GraphQL directly at the edge, security teams can visualize and automate threat response in real time. Instead of one massive database, we distribute Threat Events across thousands of logical shards, which means sub-second query latency even when aggregating millions of events across global datasets.
By unifying our global telemetry with the manual investigations performed by our analysts, our intelligence platform creates a single source of truth that allows security teams to move from observing a threat to preemptively blocking it across the Cloudflare network. We believe your intelligence platform should not just tell you that something is "bad"; it should tell you why it is happening, who is behind it, and automatically prevent it from happening again.
In this post, we'll explore some of the features that make the Cloudforce One experience powerful and effective.
Why are we launching a Threat Intelligence Platform?
When we announced the Cloudforce One team in 2022, we quickly realized that tracking adversary infrastructure required tools that did not yet exist. So we built our own.
What began as an internal project has evolved into a cloud-first, agentic-capable Threat Intelligence Platform (TIP) designed for our customers. We have moved from conceptualizing "observable" events across various datasets to building a platform that maps the entire lifecycle of a threat. Today, the Cloudflare TIP allows you to correlate actors to malware, link cases to indicators, and store everything in a single unified ecosystem.
We're moving beyond simple data access to provide a fully integrated, visual, and automated command center for your SOC. Our motivation for building this TIP stems from the core tenets of effective threat intelligence: relevance, accuracy, and actionability. We needed a highly extensible system that could integrate multiple datasets, support multi-tenancy, enable group-based and tenant-to-tenant sharing, and scale efficiently at the edge.
By using Cloudflare Workers, we've built a next-generation developer stack that enables rapid innovation. We can now synthesize millions of threat events into real-time graphs and diagrams and immediately answer the critical questions: What happened? And what does it mean?
Because our GraphQL endpoint is built into the same Worker that drives the Threat Events platform, your data is always live and there is no delay between ingestion and availability. Whether you are applying complex analysis or drilling down into a specific event, the platform responds immediately. As the Workers runtime evolves, our TIP inherits those optimizations automatically. For example, Smart Placement ensures our query-handling Workers are physically located near the Durable Objects they fan out to, minimizing tail latency. And the ability to use larger CPU limits and Hyperdrive allows us to maintain higher-performance connection pooling directly at the edge, rather than backhauling the logic to a single data center.
Beyond the SIEM: historical context and intelligence enrichment
While a SIEM (Security Information and Event Management) is designed for real-time log aggregation and rapid alerting, it often lacks the specialized schema and long-term retention needed for deep adversary tracking. Our TIP fills this gap by acting as a dedicated intelligence layer that enriches raw logs with historical actor patterns. The goal of our platform is not to replace a SIEM but to augment it. Our TIP provides the long-term, structured storage for Threat Events, retained and indexed at the edge, that is needed to bridge the gap between technical telemetry and executive insight.
Cloudflare Managed Defense and the Threat Intelligence Platform are designed to operate in a symbiotic loop, creating a powerful force multiplier for threat detection and response. By integrating the TIP directly with the SOC, analysts gain immediate, rich context for any alert or event. Instead of just seeing an anomalous IP address or a suspicious file hash, the SOC team can instantly see its history, its association with known threat actors, its role in broader campaigns, and its risk score as determined by the TIP's analytics. This immediate context eliminates time-consuming manual research and enables faster, more accurate decision-making.
Conversely, as the intel analyst team investigates incidents and hunts for new threats, their findings become a vital source of new intelligence.
Newly discovered indicators of compromise (IOCs) are fed back into the TIP, enriching the platform for all users and improving its automated defenses. This continuous feedback loop ensures the intelligence is always current and grounded in real-world observations, providing visibility into the threat landscape and allowing security teams to shift from a reactive to a proactive defense posture.
An architecture that eliminates bottlenecks
To ensure every piece of Cloudforce One telemetry is actionable, we had to solve a fundamental storage problem: how do you provide low-latency, complex queries over billions of events without the overhead of a traditional centralized database?
We chose a sharded architecture built on SQLite-backed Durable Objects. By distributing Threat Events across this high-cardinality fleet of storage units, we ensure that no single database becomes a point of contention during high-volume ingestion. Each shard is a Durable Object, providing a consistent, transactional interface to its own private SQLite database.
This architecture allows us to use the full Cloudflare developer stack. We use Cloudflare Queues to ingest and distribute incoming telemetry asynchronously, ensuring that high-volume attack spikes do not saturate our write throughput. Once ingested, data is stored in R2 for long-term retention, while the "hot" index remains in the Durable Object's SQLite storage for immediate retrieval.
Parallel execution at the edge
The true power of this approach is seen during a search. When a user queries our GraphQL endpoint, which also runs in a Worker, the platform does not query a single table. Instead, it fans out the request to multiple Durable Objects in parallel. Because Durable Objects are distributed across our global network, we can aggregate results with minimal latency. After we verify the user's permissions and eliminate the shards that cannot contain the requested events (by date), here is a simplified look at how the Worker handles a multi-shard fan-out:
```javascript
// A conceptual look at fanning out a query to multiple shards.
// TELEMETRY_DO is the Durable Object namespace binding; every shard ID names
// one Durable Object that owns its own private SQLite database.
async function fetchFromShards(env, shards, query) {
  const promises = shards.map((shardId) => {
    const stub = env.TELEMETRY_DO.get(env.TELEMETRY_DO.idFromName(shardId));
    return stub.querySQLite(query); // Calling the DO's storage method over RPC
  });
  // Parallel execution across the Cloudflare network
  const results = await Promise.all(promises);
  return results.flat();
}
```
This parallelism ensures a fluid experience whether you are auditing a single dataset for a year of history or synthesizing a month of activity across every dataset in your account. By moving the compute (the SQL execution) to where the data lives, we eliminate the bottleneck of a single, monolithic database.
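The shard-pruning step mentioned above (dropping shards that cannot contain events for the requested dates) and the Queues ingestion path are two uses of the same routing decision: the key that decides where an event is written also decides which shards a query must touch. The following is an added example, not Cloudflare's code. It assumes a hypothetical shard naming scheme of `<tenant>:<dataset>:<YYYY-MM>`, replaces the Durable Object stubs with in-memory stand-ins so it runs offline, and uses constructed sample events rather than real telemetry.

```javascript
// Added example: shard routing shared by ingestion and query, plus fan-out.
// The `<tenant>:<dataset>:<YYYY-MM>` key layout is an assumption for this demo.

function monthKey(date) {
  const d = new Date(date);
  if (Number.isNaN(d.getTime())) throw new TypeError(`bad timestamp: ${date}`);
  return `${d.getUTCFullYear()}-${String(d.getUTCMonth() + 1).padStart(2, "0")}`;
}

// Ingestion path: the Queue consumer calls this for each event to pick its shard.
function shardKeyFor(event) {
  return `${event.tenant}:${event.dataset}:${monthKey(event.ts)}`;
}

// Query path: enumerate only shards whose month overlaps [from, to]. Everything
// else is pruned before a single Durable Object is contacted.
function shardsForRange(tenant, datasets, from, to) {
  const start = new Date(from);
  const end = new Date(to);
  if (start > end) throw new RangeError("from must not be after to");
  const keys = [];
  const cursor = new Date(Date.UTC(start.getUTCFullYear(), start.getUTCMonth(), 1));
  while (cursor <= end) {
    const month = monthKey(cursor);
    for (const ds of datasets) keys.push(`${tenant}:${ds}:${month}`);
    cursor.setUTCMonth(cursor.getUTCMonth() + 1);
  }
  return keys;
}

// Fan-out: `getStub(key)` stands in for env.TELEMETRY_DO.get(idFromName(key))
// so the same function runs against the in-memory fleet below.
async function fetchFromShards(getStub, shardKeys, query) {
  const perShard = await Promise.all(
    shardKeys.map((key) => getStub(key).querySQLite(query)),
  );
  // Each shard returns its own rows; merge and re-sort across shards by time.
  return perShard.flat().sort((a, b) => a.ts.localeCompare(b.ts));
}

// Constructed sample events (not real telemetry).
const SAMPLE_EVENTS = [
  { tenant: "acme", dataset: "ddos", ts: "2025-01-15T10:00:00Z", ip: "203.0.113.7" },
  { tenant: "acme", dataset: "ddos", ts: "2025-02-03T08:30:00Z", ip: "198.51.100.9" },
  { tenant: "acme", dataset: "phishing", ts: "2025-02-20T12:00:00Z", ip: "192.0.2.44" },
  { tenant: "acme", dataset: "ddos", ts: "2025-04-01T00:00:00Z", ip: "203.0.113.8" },
];

// In-memory stand-in for the Durable Object fleet: one row store per shard key.
function buildMockFleet(events) {
  const shards = new Map();
  for (const ev of events) {
    const key = shardKeyFor(ev);
    if (!shards.has(key)) shards.set(key, []);
    shards.get(key).push(ev);
  }
  return (key) => ({
    // Mimics the DO RPC method: a shard only ever filters its own rows.
    querySQLite: async (q) =>
      (shards.get(key) ?? []).filter((r) => r.ts >= q.from && r.ts <= q.to),
  });
}

// End-to-end: prune by date, fan out, merge.
async function runSearch(from, to) {
  const getStub = buildMockFleet(SAMPLE_EVENTS);
  const keys = shardsForRange("acme", ["ddos", "phishing"], from, to);
  const rows = await fetchFromShards(getStub, keys, { from, to });
  return { shardsQueried: keys.length, rows };
}
```

Pruning by month is coarse on purpose: a shard for January is still queried when the window starts on January 20, and the per-shard SQL does the fine-grained filtering. The important property is that shards outside the window are never contacted, so a year-wide search over one dataset and a month-wide search over every dataset both cost a bounded, predictable number of Durable Object calls.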
Visualize the adversary with dynamic graphs and diagrams
Numbers on a spreadsheet don't tell stories; patterns do. We've launched dynamic visualizations to help you "see" the threat landscape.
Sankey diagrams to trace the flow of attacks from origin to target, identifying which regions are being hit hardest and where the infrastructure resides.
Industry and dataset distribution of attacks, so you can instantly pivot your view to see whether a specific campaign is targeting your sector (e.g., Finance or Retail) or whether it is a broad-spectrum commodity attack.
Correlating telemetry through attribute mapping
A single indicator, such as an IP address, provides limited utility without historical and relational context. We have structured our Threat Insights to act as a pivot point, allowing you to correlate disparate threat events across multiple datasets into a single, cohesive campaign or exploit.
Instead of manual cross-referencing, the platform automatically maps our internal actor nomenclature to recognized industry aliases, such as linking our internal tracking to "Fancy Bear" or "APT28." This ensures that your local environment's telemetry is immediately interoperable with broader global research and threat intelligence feeds.
Search, filters, and alerts
Saved configurations and real-time notifications alert you the moment our telemetry matches your custom filters, allowing you to react at the speed of the edge. Effective threat hunting requires the ability to filter global telemetry by specific technical attributes. The platform supports high-cardinality searches across our entire dataset, including IP addresses, file hashes, domains, and JA3 fingerprints, with results typically returned in seconds.
To move beyond manual searching, you can persist these query parameters as saved configurations. These configurations act as triggers for our real-time notification engine; when new incoming telemetry matches your defined filters, the platform pushes an alert to your configured endpoints. This transition from pull-based searching to push-based alerting ensures that your security stack can respond to matches as soon as they are ingested by our global network.
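To make the pull-to-push transition concrete, the following added example (not Cloudflare's code) evaluates saved filters against a stream of incoming events and produces alert payloads for the configured endpoint. The filter schema, the event field names, and the suppression window are assumptions for this illustration; the events and filters are constructed, not real telemetry. The suppression window is the part a practitioner will want: without it, a saved filter that matches a noisy source turns into an alert storm at the webhook.

```javascript
// Added example: saved-filter matching with per-indicator alert suppression.
// Filter schema, event shape, and the 15-minute window are assumptions.

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Condition operators a saved filter may use. Unknown operators are rejected
// rather than silently treated as "no match".
const OPS = {
  eq: (v, c) => v === c.value,
  in: (v, c) => c.values.includes(v),
  in_cidr: (v, c) => typeof v === "string" && c.values.some((cidr) => inCidr(v, cidr)),
};

function matches(filter, event) {
  return filter.conditions.every((c) => {
    const op = OPS[c.op];
    if (!op) throw new Error(`unknown operator: ${c.op}`);
    return c.field in event && op(event[c.field], c);
  });
}

class AlertEngine {
  constructor(filters, { suppressMs = 15 * 60_000 } = {}) {
    this.filters = filters;
    this.suppressMs = suppressMs;
    this.lastFired = new Map(); // `${filterId}|${dedupeValue}` -> last alert time
  }

  // Called once per ingested event; returns the alerts to push to endpoints.
  ingest(event) {
    const alerts = [];
    const ts = Date.parse(event.ts);
    for (const f of this.filters) {
      if (!matches(f, event)) continue;
      const key = `${f.id}|${event[f.dedupe_on]}`;
      const last = this.lastFired.get(key);
      if (last !== undefined && ts - last < this.suppressMs) continue; // suppressed
      this.lastFired.set(key, ts);
      alerts.push({ filter: f.id, endpoint: f.endpoint, event });
    }
    return alerts;
  }
}

// Constructed saved filter and event stream (not real data).
const JA3_OF_INTEREST = "0123456789abcdef0123456789abcdef";
const SAVED_FILTERS = [{
  id: "campaign-ja3-in-netblock",
  endpoint: "https://siem.example/hooks/tip", // hypothetical endpoint
  dedupe_on: "src_ip",
  conditions: [
    { field: "ja3", op: "in", values: [JA3_OF_INTEREST] },
    { field: "src_ip", op: "in_cidr", values: ["203.0.113.0/24"] },
  ],
}];
const SAMPLE_STREAM = [
  { ts: "2025-03-01T10:00:00Z", ja3: JA3_OF_INTEREST, src_ip: "203.0.113.10" }, // alert
  { ts: "2025-03-01T10:05:00Z", ja3: JA3_OF_INTEREST, src_ip: "203.0.113.10" }, // suppressed
  { ts: "2025-03-01T10:06:00Z", ja3: JA3_OF_INTEREST, src_ip: "203.0.113.11" }, // alert
  { ts: "2025-03-01T10:07:00Z", ja3: "ffffffffffffffffffffffffffffffff", src_ip: "203.0.113.12" }, // no match
  { ts: "2025-03-01T10:08:00Z", ja3: JA3_OF_INTEREST, src_ip: "198.51.100.5" }, // outside netblock
];

function runSampleStream() {
  const engine = new AlertEngine(SAVED_FILTERS);
  return SAMPLE_STREAM.flatMap((e) => engine.ingest(e));
}
```

In a Worker, the `lastFired` map would live in Durable Object storage rather than in process memory, because a single isolate does not see every event; the logic is otherwise the same.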
Automated rules and STIX2 exports
Intelligence is only "actionable" if it results in a reduced attack surface. We've built the TIP to handle the translation between raw telemetry and security enforcement automatically.
For organizations using third-party or in-house SIEM or SOAR platforms, interoperability is a requirement. However, mapping disparate internal data schemas to the STIX2 (Structured Threat Information eXpression) standard is traditionally a high-latency ETL task. We've moved this translation to the edge.
When a user requests a STIX2 export, a Worker dynamically maps our internal SQLite records to the STIX2 JSON schema. First, raw IP addresses, file hashes, and domains are converted into standardized STIX cyber observables. Then we define relationship objects using our platform's internal mapping to link indicator objects to threat-actor or malware objects, preserving the context of the investigation. Finally, we automatically manage the created and modified timestamps in UTC so that your downstream tools can track the evolution of the threat.
Instant protection via the Firewall API
Beyond exports, the platform allows you to close the loop between discovery and defense. When you identify a malicious pattern in a Sankey diagram or a specific actor campaign, you can generate a security rule with one click.
Under the hood, the TIP interacts directly with the Cloudflare Firewall Rules API. It takes the filtered attributes of your investigation (e.g., a specific JA3 fingerprint combined with a list of known malicious ASNs) and compiles them into a rule expression that is deployed across our global network in seconds.
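The compilation step described above is shown in the following added example, which is not Cloudflare's rule generator. It assumes a hypothetical attribute object (`ja3`, `asns`, `ips`) taken from an investigation, emits an expression in the Cloudflare Rules language using the fields `cf.bot_management.ja3_hash`, `ip.geoip.asnum` and `ip.src`, and builds the request for adding a rule to a custom-rules ruleset via the Rulesets API (`POST /zones/{zone_id}/rulesets/{ruleset_id}/rules`); the endpoint path and body layout are stated as my understanding of that API, not something the page confirms. Two checks matter when a rule is generated from investigation data with one click: every attribute is validated against the syntax of its type before it is placed inside a quoted literal or set, and an attribute object with no constraints is refused, because an empty selector would compile to a rule that matches all traffic.

```javascript
// Added example: investigation attributes -> Rules-language expression -> API request.
// Attribute shape, default action and endpoint layout are assumptions of this demo.

const JA3_MD5 = /^[0-9a-f]{32}$/i;
const IPV4_OR_CIDR =
  /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\/(?:3[0-2]|[12]?\d))?$/;
const HEX32 = /^[0-9a-f]{32}$/;
// Deliberately narrow: a generated rule starts as a challenge or log, and is
// promoted to "block" by a human once its hit rate has been reviewed.
const ALLOWED_ACTIONS = new Set(["block", "managed_challenge", "log"]);

function compileExpression(attrs) {
  const clauses = [];
  if (attrs.ja3 !== undefined) {
    if (!JA3_MD5.test(attrs.ja3)) throw new Error(`invalid JA3 fingerprint: ${attrs.ja3}`);
    clauses.push(`cf.bot_management.ja3_hash eq "${attrs.ja3.toLowerCase()}"`);
  }
  if (attrs.asns && attrs.asns.length) {
    for (const a of attrs.asns) {
      if (!Number.isInteger(a) || a <= 0 || a > 4294967295) throw new Error(`invalid ASN: ${a}`);
    }
    const asns = [...new Set(attrs.asns)].sort((x, y) => x - y);
    clauses.push(`ip.geoip.asnum in {${asns.join(" ")}}`);
  }
  if (attrs.ips && attrs.ips.length) {
    for (const ip of attrs.ips) {
      if (!IPV4_OR_CIDR.test(ip)) throw new Error(`invalid IP or CIDR: ${ip}`);
    }
    clauses.push(`ip.src in {${attrs.ips.join(" ")}}`);
  }
  if (clauses.length === 0) {
    throw new Error("refusing to compile an unconstrained rule (it would match all traffic)");
  }
  return clauses.map((c) => `(${c})`).join(" and ");
}

function buildRuleRequest({ zoneId, rulesetId, attrs, action = "managed_challenge", description }) {
  if (!HEX32.test(zoneId) || !HEX32.test(rulesetId)) throw new Error("zone and ruleset ids are 32-char hex");
  if (!ALLOWED_ACTIONS.has(action)) throw new Error(`unsupported action: ${action}`);
  return {
    method: "POST",
    url: `https://api.cloudflare.com/client/v4/zones/${zoneId}/rulesets/${rulesetId}/rules`,
    body: {
      action,
      expression: compileExpression(attrs),
      description: description ?? "TIP: generated from investigation",
      enabled: true,
    },
  };
}

// Performs the call. `fetchImpl` is injected so the function can be exercised
// without network access; `token` is an API token with zone firewall edit rights.
async function deployRule(req, token, fetchImpl = fetch) {
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(req.body),
  });
  const json = await res.json();
  if (!res.ok || json.success === false) {
    throw new Error(`rule deployment failed: ${JSON.stringify(json.errors ?? res.status)}`);
  }
  return json.result;
}

// Constructed investigation output (reserved documentation ASNs and addresses).
const SAMPLE_ATTRS = { ja3: "0123456789ABCDEF0123456789abcdef", asns: [64511, 64496, 64496] };
```

`compileExpression(SAMPLE_ATTRS)` returns `(cf.bot_management.ja3_hash eq "0123456789abcdef0123456789abcdef") and (ip.geoip.asnum in {64496 64511})`. Note that `cf.bot_management.ja3_hash` is only populated on zones with Bot Management; on other zones that clause can never match, which is another reason to deploy with `managed_challenge` or `log` first and inspect the hit count before promoting the rule to `block`.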
Human-in-the-loop intelligence
While automation handles the bulk of telemetry, the most complex threats require human intuition. We've integrated a Requests for Information (RFI) portal directly into the platform, allowing users to task Cloudforce One analysts with deep-dive investigations.
From a technical perspective, the RFI system is not just a ticketing portal; it is a data-enrichment pipeline. When a subscriber uses their "tokens" to initiate a request, the workflow triggers a series of events:
The RFI Worker pulls the specific Threat Event IDs related to the query from the sharded SQLite storage, packaging the relevant telemetry for the analyst
Cloudforce One analysts use an internal version of the TIP to perform reverse engineering or pivot across global datasets
Once the investigation is complete, the findings (new IOCs, actor attributions, or campaign notes) are written back into our global intelligence feed
This ensures that the "human" insight doesn't just sit in a PDF report. Instead, the resulting metadata is pushed back to the edge as a threat event where relevant, where it can be used by the WAF or firewall rules you've already configured. We've moved from a static "report" model to a dynamic "intel-as-code" model, where human analysis directly improves the platform's automated detection logic in real time.
From data management to active hunting
The shift from managing ETL pipelines to active threat hunting is not just about a new interface but about where the compute happens. By moving the storage, aggregation, and visualization layers to the Cloudflare global network, we've removed the "data gravity" that typically slows down a SOC. Defenders no longer need to wait for logs to sync to a central repository before they can ask, "Is this IP related to a known campaign?" The answer is now available at the edge, in the same environment where the traffic is being filtered.
To ensure this intelligence is accessible regardless of your team's size or specific requirements, we've structured Cloudforce One access into three functional tiers:
Cloudforce One Essentials allows customers to access the default datasets in Threat Events, search for indicators, and conduct threat hunting investigations.
Cloudforce One Advantage allows customers to access custom insights from our threat intelligence analysts via requests for information.
Cloudforce One Elite, the complete package, includes brand protection, a high number of requests for information, and access to all Threat Events datasets.
The Internet moves fast, and the infrastructure used by adversaries moves even faster. By centralizing your telemetry and your response logic in a single integrated platform, you can stop building pipelines and start defending your network.