Evaluating Cloudflare Access security stack


we’re in the market for a SASE (or security as a service) solution. We’re currently playing around with Cloudflare Teams and really like what we see, however, we can’t really assess how good (or bad) the security features really are.

How do things like malware scanning, phishing detection (URL filtering), etc. stack up against well known security brands like Check Point, Palo Alto Networks, etc.? How good is the “intelligence”?

Does the Cloudflare product team want to share some details?


Cloudflare uses a combination of 3rd party threat feeds along with threat intelligence based on operating Cloudflare’s core services (26m+ domains) along with, which I believe the last public number disclosed for queries a year or so ago was > 30B DNS queries a day. A recent estimate I saw had Cloudflare serving > 10% of the world’s internet traffic on a daily basis. We see a lot of different threat vectors that inform all of our security products / features, not just Teams.

Tools and capabilities are always evolving in the industry and within a specific vendor. Security is a defense in depth area. Combining the phishing detection in product A, with the phishing mitigations in most corporate level email solutions, combined with end user education is how I recommend my customers think about that particular threat. Multiple bites at the apple from different vendors, with the ability to potentially block / mitigate risk at multiple levels (email flagging, DNS filtering, URL filtering and Layer 8 filtering).


Thanks @cs-cf,

I was hoping to get some more in-depth details about particular mechanisms and also the third-party threat feeds. I appreciate that Cloudflare sees a lot of traffic, but seeing a lot of traffic doesn’t necessarily translate to seeing all the threats, let alone recognizing and understanding them.

I would be interested to understand how your malware scanning works, for example. Is it a simple pattern based AV like you would find in traditional AV scanners? How good is the detection rate compared to other vendors? Is there any sandboxing involved?

Does Cloudflare operate its own threat hunting unit, like the big boys do (like Cisco Talos, etc.)?

I understand the “bite the apple from different angles” approach and I completely agree, but I guess my point is I need some comparisons to the competition. Unfortunately, I have yet to find a third party that tested Cloudflare Team security, like NSS Labs etc.


1 Like

Sam from the Product Team here.

We use the data from our network in several different ways. One example of that is how we detect DNS tunneling (you can read about in more detail here). We have a high-degree of confidence in what a DNS query should look like, and we build models to detect anomalous ones.

We do have our own team focused on threat research, called the Intel team, and you can read more about their work in the blog post linked above or on other cases like SolarWinds (blog) and SUNBURST (blog).

That team is separate from our Research team, who performs parallel work on improving security and cryptography (some examples here and here) - and on advancing the standards we use in these products like the example here.

We combine their research with partnerships we have with institutional researchers and other partners to augment what we review, but all of that is built on the models that our Intel and Resarch teams create to detect threats, anomalies, and known security risks like the dns tunneling example above.

1 Like

Thanks @SamRhea. I have no doubt CLoudflare knows DNS inside out. Could you also adress my other questions pertaining malware scanning, sandboxing, etc.?

Really just trying to get a better understanding. Other security vendors are very detailed in their descriptions and technical documentations and I would love to compare.


I doubt you will get much more information. Part of what makes AVs and other security vendors safe is the obscurity behind their analysis/scanners, business secrets and CF IP also take a huge role in this.

Anyways, CF does not focus on the detection that much because in the end, it’s “pointless”. It doesn’t matter how effective your detection approach is, if an unknown malware pops up, you won’t detect it unless it’s crafted poorly.
CF instead invests in isolating the browsing experience.

The idea behind CF Gateway is that everything you receive has been rendered/executed elsewhere, meaning that even if any code was malicious, the actions took on a server and not on your computer or the computer of your employee. Remote Browser Isolation (RBI).


Other security vendors are very detailed in their descriptions and technical documentations and I would love to compare.

I honestly doubt that, just because they add more layers of complexity and fancy words to their product or presentations, doesn’t mean that you have any meaningful insight into the security behind the product.
Most security products are obscure to the customer, they don’t care about the internals because it doesn’t affect them, they want results and the sentiment of feeling safe.


I strongly disagree here. There are various methods to detect and prevent zero day and novel malware, like sandboxing, behavioral analysis, crowd intelligence and much more. There is an entire industry delivering products and technologies that do this. Take CrowdStrike or Palo Alto Networks as an example.

It’s that very industry Cloudflare competes with.

As for RBI, it’s a good idea in theory, but just an “add-on” according to CF’s marketing and pricing. They explicitly advertise SSL decryption and scanning of traffic for malware as one of the main features of Gateway.

I don’t know about you, but I’ve been working as a security engineer for 20+ years and I deal with these products (and vendors) on a daily basis. I deploy these technologies, manage them and have a very deep understanding of them. When I say that other vendors have detailed technical documentation about it, I am not wrong.

Hi everyone,
On similar journey and would like to get some more info on security features - are there any updated docs breaking down how each service is implemented?
So far looks like it’s mostly DNS analysis.
What about SWG, DLP and I’m seeing references of sandbox but can’t find any documentation.

I’m going to disagree with you here. Cloudflare is more web based than either of these companies. CrowdStrike has a program that you install (Falcon), Cloudflare does not, it instead monitors web, DNS and other forms of traffic. Palo Alto has firewalls and physical hardware, I am unsure about any AV monitoring they offer, but I know they are getting more into IR and Cybersecurity with network monitoring.

Cloudflare is more for monitoring your network traffic to find patterns and is not looking on each host machine for malicious files.

There is documentation available for SWG here: https://developers.cloudflare.com/cloudflare-one/policies/filtering/

Cheers, I’ve seen those but there’no mention of how AV works or what IDS features are enabled

There is no IDS (and no real DLP, either, in case you’re still wondering). The SWG is pretty barebones from a feature perspective. It comes with URL filtering and malware scanning, and that’s it. The latter isn’t documented in detail, so nobody really knows what’s under the hood. I guess they expect us to just take their word for it.

I was talking about the underlying technology that is being used to detect malware. Not the delivery of those mechanisms. Yes, Crowdstrike is on the endpoint, but it scans for malware. Cloudflare scans for malware in the network traffic, and the question was how they do it, what kind of engines they use, etc.

Palo Alto has one of the largest malware scanning operations on the planet, through their Cortex XDR product line (which also feeds intelligence into the firewall’s AV engine).

Cloudflare is absolutely scanning for malicious files, as per their product documentation and marketing material. The difference is they are scanning the network traffic, but they are scanning nonetheless:


Gateway will scan files inbound from the Internet as they pass through the Cloudflare edge at the nearest data center.