Cloudflare Radar already offers a wide array of security insights, from application and network layer attacks, to malicious email messages, to digital certificates and Internet routing.
And today we’re introducing even more. We’re launching several new security-related data sets and tools on Radar:
We’re extending our post-quantum (PQ) monitoring beyond the client side to now include origin-facing connections. We have also launched a new tool to help you check any website’s post-quantum encryption compatibility.
A new Key Transparency section on Radar provides a public dashboard showing the real-time verification status of Key Transparency Logs for end-to-end encrypted messaging services like WhatsApp, showing when each log was last signed and verified by Cloudflare’s Auditor. The page serves as a transparent interface where anyone can monitor the integrity of public key distribution and access the API to independently validate our Auditor’s proofs.
Routing Security insights continue to expand with the addition of global, country, and network-level information about the deployment of ASPA, an emerging standard that can help detect and prevent BGP route leaks.
Measuring origin post-quantum support
Since April 2024, we have tracked the aggregate growth of client support for post-quantum encryption on Cloudflare Radar, chronicling its global growth from under 3% at the start of 2024, to over 60% in February 2026. And in October 2025, we added the ability for users to check whether their browser supports X25519MLKEM768, a hybrid key exchange algorithm combining classical X25519 with ML-KEM, a lattice-based post-quantum scheme standardized by NIST. This provides security against both classical and quantum attacks.
However, post-quantum encryption support on user-to-Cloudflare connections is only part of the story.
For content not in our CDN cache, or for uncacheable content, Cloudflare’s edge servers establish a separate connection with a customer’s origin servers to retrieve it. To accelerate the transition to quantum-resistant security for these origin-facing fetches, we previously introduced an API allowing customers to opt in to preferring post-quantum connections. Today, we’re making post-quantum compatibility of origin servers visible on Radar.
The new origin post-quantum support graph on Radar illustrates the share of customer origins supporting X25519MLKEM768. This data is derived from our automated TLS scanner, which probes TLS 1.3-compatible origins and aggregates the results daily. It is important to note that our scanner tests for support rather than the origin server’s specific preference. While an origin may support a post-quantum key exchange algorithm, its local TLS key exchange preference can ultimately dictate the encryption outcome.
While the headline graph focuses on post-quantum readiness, the scanner also evaluates support for classical key exchange algorithms. Within the Radar Data Explorer view, you can also see the full distribution of these supported TLS key exchange methods.
As shown in the graphs above, roughly 10% of origins could benefit from a post-quantum-preferred key agreement today. This represents a significant jump from less than 1% at the start of 2025, a 10x increase in just over a year. We expect this number to grow steadily as the industry continues its migration. This upward trend likely accelerated in 2025 as many server-side TLS libraries, such as OpenSSL 3.5.0+, GnuTLS 3.8.9+, and Go 1.24+, enabled hybrid post-quantum key exchange by default, allowing platforms and services to support post-quantum connections simply by upgrading their cryptographic library dependencies.
In addition to the Radar and Data Explorer graphs, the origin readiness data is also available through the Radar API.
As an additional part of our efforts to help the Internet transition to post-quantum cryptography, we are also launching a tool to test whether a specific hostname supports post-quantum encryption. These tests can be run against any publicly accessible website, as long as they allow connections from Cloudflare’s egress IP address ranges.
A screenshot of the tool in Radar to test whether a hostname supports post-quantum encryption.
The tool presents a simple form where users can enter a hostname (such as cloudflare.com or www.wikipedia.org) and optionally specify a custom port (the default is 443, the standard HTTPS port). After clicking “Test”, the result displays a tag indicating PQ support status alongside the negotiated TLS key exchange algorithm. If the server prefers PQ secure connections, a green “PQ” tag appears with a message confirming the connection is “post-quantum secure.” Otherwise, a red tag indicates the connection is “not post-quantum secure”, showing the classical algorithm that was negotiated.
Under the hood, this tool uses Cloudflare Containers, a new capability that allows running container workloads alongside Workers. Because the Workers runtime is not exposed to details of the underlying TLS handshake, Workers cannot initiate TLS scans. Therefore, we created a Go container that leverages the crypto/tls package’s support for post-quantum compatibility checks. The container runs on-demand and performs the actual handshake to determine the negotiated TLS key exchange algorithm, returning results through the Radar API.
With the addition of these origin-facing insights, complementing the existing client-facing insights, we have moved all the post-quantum content to its own section on Radar.
Securing E2EE messaging systems with Key Transparency
End-to-end encrypted (E2EE) messaging apps like WhatsApp and Signal have become essential tools for private communication, relied upon by billions of people worldwide. These apps use public-key cryptography to ensure that only the sender and recipient can read the contents of their messages, not even the messaging service itself. However, there is an often-overlooked vulnerability in this model: users must trust that the messaging app is distributing the correct public keys for each contact.
If an attacker were able to substitute an incorrect public key in the messaging app’s database, they could intercept messages intended for someone else, all without the sender knowing.
Key Transparency addresses this challenge by creating an auditable, append-only log of public keys, similar in concept to Certificate Transparency for TLS certificates. Messaging apps publish their users’ public keys to a transparency log, and independent third parties can verify and vouch that the log has been constructed correctly and consistently over time. In September 2024, Cloudflare announced such a Key Transparency auditor for WhatsApp, providing an independent verification layer that helps ensure the integrity of public key distribution for the messaging app’s billions of users.
Today, we’re publishing Key Transparency audit data in a new Key Transparency section on Cloudflare Radar. This section showcases the Key Transparency logs that Cloudflare audits, giving researchers, security professionals, and curious users a window into the health and activity of these critical systems.
The new page launches with two monitored logs: WhatsApp and Facebook Messenger Transport. Each monitored log is displayed as a card containing the following information:
Status: Indicates whether the log is online, in initialization, or disabled. An “online” status means the log is actively publishing key updates into epochs that Cloudflare audits. (An epoch represents a set of updates applied to the key directory at a specific time.)
Last signed epoch: The most recent epoch that has been published by the messaging service’s log and acknowledged by Cloudflare. By clicking on the eye icon, users can view the full epoch data in JSON format, including the epoch number, timestamp, cryptographic digest, and signature.
Last verified epoch: The most recent epoch that Cloudflare has verified. Verification involves checking that the transition of the transparency log data structure from the previous epoch to the current one represents a valid tree transformation, ensuring the log has been constructed correctly. The verification timestamp indicates when Cloudflare completed its audit.
Root: The current root hash of the Auditable Key Directory (AKD) tree. This hash cryptographically represents the entire state of the key directory at the current epoch. Like the epoch fields, users can click to view the complete JSON response from the auditor.
The data shown on the page is also available via the Key Transparency Auditor API, with endpoints for auditor information and namespaces.
If you would like to perform audit proof verification yourself, you can follow the instructions in our Auditing Key Transparency blog post. We hope that these use cases are the first of many that we publish in this Key Transparency section in Radar. If your company or organization is interested in auditing for your public key or related infrastructure, you can reach out to us here.
Tracking RPKI ASPA adoption
While the Border Gateway Protocol (BGP) is the backbone of Internet routing, it was designed without built-in mechanisms to verify the validity of the paths it propagates. This inherent trust has long left the global network vulnerable to route leaks and hijacks, where traffic is accidentally or maliciously detoured through unauthorized networks.
Although RPKI and Route Origin Authorizations (ROAs) have successfully hardened the origin of routes, they cannot verify the path traffic takes between networks. This is where ASPA (Autonomous System Provider Authorization) comes in. ASPA extends RPKI protection by allowing an Autonomous System (AS) to cryptographically sign a record listing the networks authorized to propagate its routes upstream. By validating these Customer-to-Provider relationships, ASPA allows systems to detect invalid path announcements with confidence and react accordingly.
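The customer-to-provider check described above can be sketched as follows. This is an added example, not code from Cloudflare or from any routing stack: it covers only the simplified upstream case (a route received from a customer or peer), leaves out the downstream case and AS_SET handling, and the `ASPA` type, `VerifyUpstream`, `Sample` and the documentation-range ASNs are all constructed for illustration.

```go
package main

import "fmt"

// Outcomes of a hop check or of a whole-path check.
const Valid, Unknown, Invalid = "Valid", "Unknown", "Invalid"

// ASPA maps a customer ASN to the provider ASNs it has authorized.
type ASPA map[uint32][]uint32

// hop checks whether `customer` has authorized `provider` as an upstream.
func (db ASPA) hop(customer, provider uint32) string {
	providers, attested := db[customer]
	if !attested {
		return Unknown // this customer has published no ASPA record
	}
	for _, p := range providers {
		if p == provider {
			return Valid
		}
	}
	return Invalid
}

// VerifyUpstream checks an AS_PATH (neighbor first, origin last) received from
// a customer or peer: every hop toward the receiver must be customer-to-provider.
func (db ASPA) VerifyUpstream(asPath []uint32) string {
	result := Valid
	for i := len(asPath) - 1; i > 0; i-- {
		customer, provider := asPath[i], asPath[i-1]
		if customer == provider {
			continue // AS_PATH prepending repeats the same ASN
		}
		switch db.hop(customer, provider) {
		case Invalid:
			return Invalid // one unauthorized hop is enough to reject the path
		case Unknown:
			result = Unknown
		}
	}
	return result
}

// Constructed records using documentation ASNs; not real routing data.
var Sample = ASPA{64496: {64497}, 64497: {64498}, 64499: {64497, 64500}}

func main() {
	// 64499 re-announces a route learned from its provider 64497 to another provider.
	fmt.Println(Sample.VerifyUpstream([]uint32{64499, 64497, 64496}))
}
```

The leaked path fails because 64497 never listed 64499 as a provider, while a path through an AS with no record at all comes back as Unknown and is not rejected outright.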
While the specific IETF standard remains in draft, the operational community is moving fast. Support for creating ASPA objects has already landed in the portals of Regional Internet Registries (RIRs) like ARIN and RIPE NCC, and validation logic is available in major software routing stacks like OpenBGPD and BIRD.
To provide better visibility into the adoption of this emerging standard, we have added comprehensive RPKI ASPA support to the Routing section of Cloudflare Radar. Tracking these records globally allows us to understand how quickly the industry is moving toward better path validation.
Our new ASPA deployment view allows users to examine the growth of ASPA adoption over time, with the ability to visualize trends across the five Regional Internet Registries (RIRs) based on AS registration. You can view the entire history of ASPA entries, dating back to October 1, 2023, or zoom into specific date ranges to correlate spikes in adoption with industry events, such as the introduction of ASPA features on ARIN and RIPE NCC online dashboards.
Beyond aggregate trends, we have also introduced a granular, searchable explorer for real-time ASPA content. This table view lets you inspect the current state of ASPA records, searchable by AS number, AS name, or by filtering for only providers or customer ASNs. This allows network operators to verify that their records are published correctly and to view other networks’ configurations.
We have also integrated ASPA data directly into the country/region routing pages. Users can now track how different regions are progressing in securing their infrastructure, based on the associated ASPA records from the customer ASNs registered locally.
On individual AS pages, we have updated the Connectivity section. Now, when viewing the connections of a network, you may see a visual indicator for “ASPA Verified Provider.” This annotation confirms that an ASPA record exists authorizing that specific upstream connection, providing an immediate signal of routing hygiene and trust.
For ASes that have deployed ASPA, we now display a complete list of authorized provider ASNs along with their details. Beyond the current state, Radar also provides a detailed timeline of ASPA activity involving the AS. This history distinguishes between changes initiated by the AS itself (“As customer”) and records created by others designating it as a provider (“As provider”), allowing users to immediately identify when specific routing authorizations were established or modified.
Visibility is an essential first step toward broader adoption of emerging routing security protocols like ASPA. By surfacing this data, we aim to help operators deploy protections and assist researchers in tracking the Internet’s progress toward a more secure routing path. For those who need to integrate this data into their own workflows or perform deeper analysis, we are also exposing these metrics programmatically. Users can now access ASPA content snapshots, historical timeseries, and detailed changes data using the newly introduced endpoints in the Cloudflare Radar API.
As security evolves, so does our data
Internet security continues to evolve, with new approaches, protocols, and standards being developed to ensure that information, applications, and networks remain secure. The security data and insights available on Cloudflare Radar will continue to evolve as well. The new sections highlighted above serve to expand existing routing security, transparency, and post-quantum insights already available on Cloudflare Radar.
If you share any of these new charts and graphs on social media, be sure to tag us: @CloudflareRadar (X), noc.social/@cloudflareradar (Mastodon), and radar.cloudflare.com (Bluesky). If you have questions or comments, or suggestions for data that you’d like to see us add to Radar, you can reach out to us on social media, or contact us via email.



