Cloudflare’s Threat Events gives security analysts a comprehensive view of global cyber threats. The platform offers a snapshot of the massive volume of traffic Cloudflare handles daily, enabling real-time tracking of which IPs are attacking specific industries or which threat actors are gaining momentum worldwide. However, turning that awareness into active defense has traditionally been a manual, after-the-fact effort.
Security teams have long dealt with a persistent challenge: being aware that certain IP addresses were linked to particular threat actors (such as Tycoon 2FA or RaccoonO365) or had been observed targeting their industry in other regions, yet lacking an easy way to automatically block these high-risk IPs through their own WAF without manually setting up rules.
We’re thrilled to unveil a new integration that channels Cloudflare’s extensive threat intelligence straight into your WAF engine: you can now create proactive rules powered by live intelligence data. This empowers you to add deeper intelligence context to shield your application from known malicious actors — before they ever reach your infrastructure.
By populating dedicated fields during the initial phases of a request, the WAF can now evaluate traffic based on:
Who is launching the attack by identifying specific threat actor names
Who they’re going after through industry or country filters to determine who the IP has previously targeted
What kind of attack it is using enriched threat context, filtering by attack category (DDoS, WAF, cybercrime, etc.) and when it was last observed
This new functionality is built on the same continuous detection framework we recently rolled out for Attack Signature Detection, a system that spots common attack patterns in real time without needing pre-configured rules. By decoupling detection from mitigation, we ensure threat intelligence runs constantly in the background, enriching your HTTP request analytics with valuable threat metadata before you even decide to act.
The key benefit of an “always-on” approach is removing the traditional “log vs. block” dilemma: visibility in log mode, or protection in block mode. That’s because when a rule blocks a request, you lose insight into how other signatures would have evaluated it — information that could have helped you fortify your defenses.
If you have a Cloudforce One subscription, these insights show up in your analytics automatically. You can see which threat actors are hitting your site and which industries those IPs typically target, letting you validate traffic patterns before “flipping the switch” to block.
These detections run with minimal latency, keeping your performance blazing fast while delivering the high-confidence data needed to craft strong security policies. While this first release centers on IP-based matching, we’re already planning to expand these capabilities to JA3 fingerprints and domain-based matching. This will let you block malicious traffic even when attackers cycle through IPs, by recognizing the unique software signatures or malicious destination URLs they include in their payloads.
To enable this, we’ve made the following specific signals directly accessible to the WAF engine:
| Field | Description |
| --- | --- |
| cf.intel.ip.attacker_names | Names of known threat groups (e.g., |
| cf.intel.ip.target_industries | Industries targeted by this IP (e.g., |
| cf.intel.ip.attacker_countries | The source country of the threat event. |
| cf.intel.ip.target_countries | The countries targeted by the threat event. |
| cf.intel.ip.datasets | The source feed providing the data (e.g., |
Since a single IP address could be tied to multiple threat actors or targeted industries at the same time, these fields are represented as arrays. We use the any() function and [*] wildcard to check whether any value within that threat profile matches your criteria:
Block known DDoS participants targeting your region:
any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")
Protect against specific threat actors targeting the Finance sector:
any(cf.intel.ip.target_industries[*] == "Banking & Financial Services") and any(cf.intel.ip.attacker_names[*] == "BLACKBASTA")
Broad protection against specific high-risk origin countries:
any(cf.intel.ip.attacker_countries[*] == "IR")
How to use Threat Events data in your workflows
Whether you favor a UI-driven approach or Infrastructure as Code, these fields are woven into your existing workflows.
The WAF rule builder (API & Terraform)
For teams that prefer Infrastructure as Code, the new cf.intel fields are fully incorporated into the WAF rule builder for WAF custom rules and rate limiting. You can craft complex expressions using the same syntax you already use. Since these are standard WAF fields, they’re fully supported through the Cloudflare API and Terraform, enabling you to automate threat blocking across your chosen domains or even across your entire account.
New fields added to the WAF rule builder to allow users to choose the relevant configuration based on the Threat Events indicators.
Visibility in Security Analytics
Launching your defenses is just the beginning. Every match generated by these threat intelligence fields is recorded in Security Analytics. You can dig into your network traffic to pinpoint exactly which rule fired and which specific indicator was identified. These detailed logs make it much quicker to audit incidents and perform postmortem reviews whenever a rule is triggered.
Threat event matches appear in Security Analytics with complete context and a one-click option to generate a custom security rule.
Instant rule creation from the Threat Events dashboard
If you’re already leveraging the Threat Intelligence Dashboard to analyze trends, there’s no need to manually copy and paste IP lists. You can set up Saved Views tailored to your specific criteria, such as “IPs observed targeting the Financial sector over the past week.” With just one click, you can export these filters straight into a WAF rule.
Saved Views now let users quickly generate WAF rules that align with the saved view’s configuration.
Worldwide intelligence spanning our entire network
Clear visibility and a smooth user experience are only achievable when the engine behind them is fast. So how do we process millions of threat indicators without introducing any delay to your traffic?
These threat intelligence datasets are compressed into a highly efficient format and pushed out to every Cloudflare data center around the world. When a request reaches our network, the Cloudflare WAF runs an O(1) constant-time lookup against these locally stored datasets. This means that whether we’re checking ten indicators or ten million, the added latency stays virtually zero — measured in microseconds.
Since a single IP can be linked to multiple threat categories, our engine doesn’t stop after the first match. It evaluates all signals tied to that IP at the same time. This way, a rule targeting “Attacker = RU” AND “Target Industry = Banking” will fire correctly by assessing the overlap of these attributes in one pass — delivering maximum protection against multi-vector attackers without adding any computational overhead.
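To make the array-field semantics concrete, here is an added Python model that is not Cloudflare's code: it represents the five cf.intel.ip.* fields from the table as arrays attached to an IP, resolves a request's IP with a single dictionary lookup (standing in for the constant-time lookup described above), mirrors the three any(...[*] == ...) expressions from the earlier section as predicates, and evaluates every rule against the profile in one pass so that all matches are recorded, not just the first. The sample IPs (documentation ranges), their threat profiles, and the lookup, unknown_fields and evaluate functions are constructed assumptions for illustration; only the field names come from the page.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# The five array fields listed in the page's table.
INTEL_FIELDS = {
    "cf.intel.ip.attacker_names",
    "cf.intel.ip.target_industries",
    "cf.intel.ip.attacker_countries",
    "cf.intel.ip.target_countries",
    "cf.intel.ip.datasets",
}
FIELD_RE = re.compile(r"cf\.intel\.ip\.[a-z_]+")


def unknown_fields(expression: str) -> set:
    """Return cf.intel.ip.* names used in an expression that are not in the table.
    A cheap pre-deployment check: a typo in a field name silently never matches."""
    return set(FIELD_RE.findall(expression)) - INTEL_FIELDS


# Constructed sample dataset (assumption, not real intelligence). Keyed by IP so a
# request needs one dict lookup; values are arrays because one IP can carry several
# actors, industries and countries at once.
THREAT_INTEL: Dict[str, Dict[str, List[str]]] = {
    "203.0.113.7": {  # documentation address, constructed profile
        "attacker_names": ["BLACKBASTA"],
        "target_industries": ["Banking & Financial Services", "Insurance"],
        "attacker_countries": ["RU"],
        "target_countries": ["FR", "DE"],
        "datasets": ["ddos", "waf"],
    },
    "198.51.100.23": {  # documentation address, constructed profile
        "attacker_names": [],
        "target_industries": ["Retail"],
        "attacker_countries": ["IR"],
        "target_countries": ["US"],
        "datasets": ["cybercrime"],
    },
}
EMPTY_PROFILE = {k.split(".")[-1]: [] for k in INTEL_FIELDS}


def lookup(ip: str) -> Dict[str, List[str]]:
    """Single hash lookup; unknown IPs get an empty profile so no rule fires."""
    return THREAT_INTEL.get(ip, EMPTY_PROFILE)


def any_eq(values: List[str], wanted: str) -> bool:
    """Models any(field[*] == "wanted"): true if any element equals wanted."""
    return any(v == wanted for v in values)


@dataclass
class Rule:
    description: str
    expression: str                      # the WAF expression as written on the page
    predicate: Callable[[Dict[str, List[str]]], bool]  # same logic over the profile
    action: str = "block"


RULES = [
    Rule("DDoS participants targeting FR",
         'any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")',
         lambda p: any_eq(p["target_countries"], "FR") and any_eq(p["datasets"], "ddos")),
    Rule("BLACKBASTA targeting finance",
         'any(cf.intel.ip.target_industries[*] == "Banking & Financial Services") '
         'and any(cf.intel.ip.attacker_names[*] == "BLACKBASTA")',
         lambda p: any_eq(p["target_industries"], "Banking & Financial Services")
         and any_eq(p["attacker_names"], "BLACKBASTA")),
    Rule("High-risk origin IR",
         'any(cf.intel.ip.attacker_countries[*] == "IR")',
         lambda p: any_eq(p["attacker_countries"], "IR")),
]


def evaluate(ip: str, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Evaluate every rule against the IP's profile in one pass.
    Returns the final decision plus the descriptions of all rules that matched,
    so analytics keep the full picture even when one rule blocks the request."""
    profile = lookup(ip)
    matched = [r for r in rules if r.predicate(profile)]
    decision = "block" if any(r.action == "block" for r in matched) else "allow"
    return decision, [r.description for r in matched]


if __name__ == "__main__":
    for r in RULES:
        assert not unknown_fields(r.expression), r.expression
    for ip in ("203.0.113.7", "198.51.100.23", "192.0.2.1"):
        print(ip, evaluate(ip))
```

The first sample IP matches two rules at once, which is the overlap case described above: the decision is the same whichever rule you read first, but the analytics record shows both indicators. Running unknown_fields over an expression before deploying it catches a misspelt field such as cf.intel.ip.target_country, which the WAF would otherwise evaluate as never matching.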
This feature is available right now for all customers with an active Cloudforce One subscription:
Cloudforce One Essentials gives customers access to the default datasets in Threat Events, the ability to search for indicators, and tools for conducting threat-hunting investigations
Cloudforce One Advantage provides customers with access to custom insights from our Threat Intelligence Analysts through requests for information
Cloudforce One Elite — our most comprehensive package — includes brand protection, a generous number of requests for information, and access to all Threat Events datasets
Ready to transform global threat insights into local protection? Navigate to Threat Events or the WAF section of your Cloudflare Dashboard to begin building your first Threat Intel rule, or reach out to your account team to find out more about subscribing to Cloudforce One.