Evaluating Cloudflare Access security stack


we’re in the market for a SASE (or security as a service) solution. We’re currently playing around with Cloudflare Teams and really like what we see, however, we can’t really assess how good (or bad) the security features really are.

How do things like malware scanning, phishing detection (URL filtering), etc. stack up against well known security brands like Check Point, Palo Alto Networks, etc.? How good is the “intelligence”?

Does the Cloudflare product team want to share some details?


Cloudflare uses a combination of 3rd party threat feeds along with threat intelligence based on operating Cloudflare’s core services (26m+ domains) along with, which I believe the last public number disclosed for queries a year or so ago was > 30B DNS queries a day. A recent estimate I saw had Cloudflare serving > 10% of the world’s internet traffic on a daily basis. We see a lot of different threat vectors that inform all of our security products / features, not just Teams.

Tools and capabilities are always evolving in the industry and within a specific vendor. Security is a defense in depth area. Combining the phishing detection in product A, with the phishing mitigations in most corporate level email solutions, combined with end user education is how I recommend my customers think about that particular threat. Multiple bites at the apple from different vendors, with the ability to potentially block / mitigate risk at multiple levels (email flagging, DNS filtering, URL filtering and Layer 8 filtering).


Thanks @cscharff,

I was hoping to get some more in-depth details about particular mechanisms and also the third-party threat feeds. I appreciate that Cloudflare sees a lot of traffic, but seeing a lot of traffic doesn’t necessarily translate to seeing all the threats, let alone recognizing and understanding them.

I would be interested to understand how your malware scanning works, for example. Is it a simple pattern based AV like you would find in traditional AV scanners? How good is the detection rate compared to other vendors? Is there any sandboxing involved?

Does Cloudflare operate its own threat hunting unit, like the big boys do (like Cisco Talos, etc.)?

I understand the “bite the apple from different angles” approach and I completely agree, but I guess my point is I need some comparisons to the competition. Unfortunately, I have yet to find a third party that tested Cloudflare Team security, like NSS Labs etc.


1 Like

Sam from the Product Team here.

We use the data from our network in several different ways. One example of that is how we detect DNS tunneling (you can read about in more detail here). We have a high-degree of confidence in what a DNS query should look like, and we build models to detect anomalous ones.

We do have our own team focused on threat research, called the Intel team, and you can read more about their work in the blog post linked above or on other cases like SolarWinds (blog) and SUNBURST (blog).

That team is separate from our Research team, who performs parallel work on improving security and cryptography (some examples here and here) - and on advancing the standards we use in these products like the example here.

We combine their research with partnerships we have with institutional researchers and other partners to augment what we review, but all of that is built on the models that our Intel and Resarch teams create to detect threats, anomalies, and known security risks like the dns tunneling example above.

Thanks @SamRhea. I have no doubt CLoudflare knows DNS inside out. Could you also adress my other questions pertaining malware scanning, sandboxing, etc.?

Really just trying to get a better understanding. Other security vendors are very detailed in their descriptions and technical documentations and I would love to compare.


I doubt you will get much more information. Part of what makes AVs and other security vendors safe is the obscurity behind their analysis/scanners, business secrets and CF IP also take a huge role in this.

Anyways, CF does not focus on the detection that much because in the end, it’s “pointless”. It doesn’t matter how effective your detection approach is, if an unknown malware pops up, you won’t detect it unless it’s crafted poorly.
CF instead invests in isolating the browsing experience.

The idea behind CF Gateway is that everything you receive has been rendered/executed elsewhere, meaning that even if any code was malicious, the actions took on a server and not on your computer or the computer of your employee. Remote Browser Isolation (RBI).


Other security vendors are very detailed in their descriptions and technical documentations and I would love to compare.

I honestly doubt that, just because they add more layers of complexity and fancy words to their product or presentations, doesn’t mean that you have any meaningful insight into the security behind the product.
Most security products are obscure to the customer, they don’t care about the internals because it doesn’t affect them, they want results and the sentiment of feeling safe.

1 Like

I strongly disagree here. There are various methods to detect and prevent zero day and novel malware, like sandboxing, behavioral analysis, crowd intelligence and much more. There is an entire industry delivering products and technologies that do this. Take CrowdStrike or Palo Alto Networks as an example.

It’s that very industry Cloudflare competes with.

As for RBI, it’s a good idea in theory, but just an “add-on” according to CF’s marketing and pricing. They explicitly advertise SSL decryption and scanning of traffic for malware as one of the main features of Gateway.

I don’t know about you, but I’ve been working as a security engineer for 20+ years and I deal with these products (and vendors) on a daily basis. I deploy these technologies, manage them and have a very deep understanding of them. When I say that other vendors have detailed technical documentation about it, I am not wrong.