VYPR
Advisory · Published Jun 8, 2026 · 1 source

Cloudflare WAF Now Integrates Real-Time Threat Intelligence for Proactive Blocking

Cloudflare has enhanced its Web Application Firewall (WAF) by integrating its Threat Events intelligence, enabling security teams to create proactive rules based on live threat data.

Cloudflare is empowering security teams with a significant upgrade to its Web Application Firewall (WAF) by directly integrating its Threat Events intelligence. This new capability allows organizations to move beyond reactive security measures and proactively craft WAF rules based on real-time threat data. Previously, security analysts had visibility into global threats through Cloudflare's Threat Events platform but faced challenges in translating this intelligence into automated, granular blocking actions within their own WAF.

The integration addresses a common frustration: knowing that specific IP addresses are linked to known threat actors, such as Tycoon 2FA or RaccoonO365, or have been observed targeting particular industries, but being unable to easily automate blocking these high-risk IPs. The enhanced WAF now allows for the creation of rules that leverage this live intelligence, enabling the blocking of malicious traffic before it even reaches an organization's infrastructure.

This new functionality enriches HTTP requests with threat metadata by populating specialized fields during the early stages of request processing. Security teams can screen traffic by attacker identity, matching specific threat actor names, and by who those attackers target, using industry or country filters that reflect an IP's past targets. The WAF can also filter on the enriched threat context, including attack type (DDoS, WAF, cybercrime) and the time it was last observed.

Built on the same always-on detection framework introduced for Attack Signature Detection, this system identifies common attack patterns in real time without requiring pre-configured rules. This separation of detection from mitigation ensures that threat intelligence continuously runs in the background, providing high-confidence data for robust security policies without the traditional "log vs. block" trade-off. This means security teams gain both visibility and protection simultaneously.

To facilitate this, Cloudflare has exposed new WAF fields, including cf.intel.ip.attacker_names for threat group identification, cf.intel.ip.target_industries to show targeted sectors, cf.intel.ip.attacker_countries and cf.intel.ip.target_countries for geographical context, and cf.intel.ip.datasets to indicate the source of the threat data. These fields are crucial for constructing precise WAF rules, such as blocking known DDoS participants targeting a specific region or protecting against specific threat actors targeting the finance sector.

These new threat intelligence fields are fully integrated into Cloudflare's WAF custom rules and rate limiting, accessible via the WAF rule builder, API, and Terraform. This allows for automated threat blocking across selected domains or entire accounts. Furthermore, all matches triggered by these threat intelligence fields are logged in Security Analytics, providing detailed context for faster auditing and postmortem analysis. Users can also create custom security rules directly from the Threat Events dashboard with a single click.
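As an added example (not Cloudflare's code and not part of the original article), the sketch below builds a custom-rule object for the "specific threat actors targeting the finance sector" case from a list of actor names, escaping each name so a value taken from an intelligence feed cannot break out of its string literal. It assumes the intel fields are arrays of strings matched with the rules language's `any(field[*] == "...")` form; the helper names and the `"Finance"` value are hypothetical.

```python
import json

# Field names exactly as listed in the article.
INTEL_FIELDS = {
    "cf.intel.ip.attacker_names", "cf.intel.ip.target_industries",
    "cf.intel.ip.attacker_countries", "cf.intel.ip.target_countries",
    "cf.intel.ip.datasets",
}

def quote(value):
    """Render value as a quoted string literal, escaping backslash and quote."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control character in value: %r" % value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def any_of(field, values):
    """True when any element of an array field equals one of `values`.
    ASSUMPTION: the intel fields are arrays of strings."""
    if field not in INTEL_FIELDS:
        raise ValueError("unknown intel field: " + field)
    if not values:
        raise ValueError("empty value list would never match")
    return " or ".join("any(%s[*] == %s)" % (field, quote(v)) for v in values)

def build_rule(description, clauses, action="log"):
    """AND the clauses into one JSON-serialisable custom-rule object."""
    if action not in {"log", "managed_challenge", "block"}:
        raise ValueError("unsupported action: " + action)
    return {
        "description": description,
        "expression": " and ".join("(%s)" % c for c in clauses),
        "action": action,
        "enabled": True,
    }

def finance_actor_rule(actors, action="log"):
    """Named actors whose source IPs have previously targeted finance."""
    return build_rule(
        "Threat intel: named actors targeting finance",
        [any_of("cf.intel.ip.attacker_names", actors),
         # "Finance" is a constructed sample value, not taken from the article.
         any_of("cf.intel.ip.target_industries", ["Finance"])],
        action,
    )

if __name__ == "__main__":
    # Actor names are the two mentioned in the article.
    print(json.dumps(finance_actor_rule(["Tycoon 2FA", "RaccoonO365"]), indent=2))
```

The default action is `log` so the rule's matches can be reviewed in Security Analytics before it is switched to `block`.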

While the initial release focuses on IP-based matching, Cloudflare plans to extend these capabilities to JA3 fingerprints and domain-based matching. This future expansion will enable blocking malicious traffic even when attackers rotate IPs, by identifying unique software signatures or malicious destination links used in their payloads, further strengthening defenses against evolving threats.

Synthesized by Vypr AI