A Cloudflare team member has agreed this is a good guide describing the threat score:
> This field represents a risk score, 0 indicates low risk as determined by Cloudflare. Values above 10 may represent spammers or bots, and values above 40 point to bad actors on the Internet. It is rare to see values above 60, so tune your firewall rules to challenge those above 10, and to block those above 50.
So the lower your score (0 being the lowest) the more likely you will block bad actors, bots, scrapers etc. which some may be of little risk. However Cloudflare uses their own threat score. So what can that be compared to? I’ll give an example.
I have my threat score set to 2, to challenge any IP that falls within that score. This is pretty sensitive. So I got some hits for example: 18.104.22.168 was challenged. Now go and compare and lookup this IP on ProjectHoneyPot and you can see this report which they have it at a 47 threat score. This means that IP has sent nearly 10,000 spam emails as defined here. Also this IP is listed in only one of about 69 different blacklists.This might be different for other IPs but now you can have an example.
Just thought I would share this to help others try to understand Cloudflare’s threat score comparisons and get an idea how they work.