Cloudflare WAF
Cloudflare WAF (Web Application Firewall) is Cloudflare's edge layer-7 request-filtering product — customer-configured and Cloudflare-managed rulesets that run on every request before the request reaches the origin or any paid product layer. Well-known outside this wiki; stub page here because it's a required reference point for downstream features.
Pipeline position (as surfaced by pay-per-crawl)
On a zone with pay-per-crawl enabled, the Cloudflare edge runs:
- WAF rules.
- Bot management / bot blocking.
- Pay-per-crawl rules engine.
Downstream features (like pay-per-crawl) explicitly run after WAF and bot-management so they never override an existing security decision — publishers keep their WAF posture unchanged and layer monetization / other policy on top, not through.
ML scoring layer: WAF Attack Score
Beyond signature-based managed rulesets, the WAF runs an ML model on every request that assigns a WAF Attack Score (1–99) based on structural similarity to historical attack traffic. Novel SQLi or RCE chains are caught because they rearrange shapes the model has already seen, even when the specific exploit is brand new. Lower score → more aggressive treatment. This implements the patterns/ml-anomaly-scoring-over-signature-matching pattern.
The same scoring methodology is extended to AI prompts via "AI Security for Apps."
(Source: sources/2026-06-09-cloudflare-defend-against-frontier-cyber-models)
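The stage ordering and the score semantics described above, modelled as an added example that is not Cloudflare's code and does not come from the cited sources. The stage functions, the thresholds `BLOCK_BELOW` and `CHALLENGE_BELOW`, the `verified_bot` flag, and the reading of the list order as evaluation order are all assumptions made for illustration.

```python
# Added illustration: a toy model of the stage order, not Cloudflare code.
from dataclasses import dataclass

# Hypothetical thresholds; the page states only the 1-99 range and that
# lower scores get more aggressive treatment.
BLOCK_BELOW = 20
CHALLENGE_BELOW = 50

@dataclass
class Request:
    waf_attack_score: int  # 1-99; lower = closer to known attack traffic
    is_crawler: bool
    verified_bot: bool     # constructed stand-in for a bot-management verdict

def waf_stage(req):
    if not 1 <= req.waf_attack_score <= 99:
        raise ValueError("WAF Attack Score must be in 1..99")
    if req.waf_attack_score < BLOCK_BELOW:
        return "block"
    if req.waf_attack_score < CHALLENGE_BELOW:
        return "challenge"
    return None  # no security decision; fall through to the next stage

def bot_stage(req):
    # Unverified crawlers are stopped before any monetization rule runs.
    return "block" if req.is_crawler and not req.verified_bot else None

def pay_per_crawl_stage(req, crawl_policy):
    # Publisher policy ("allow", "charge" or "block") applies to crawlers only.
    return crawl_policy if req.is_crawler else None

def evaluate(req, crawl_policy="charge"):
    """Return (deciding_stage, action); the first stage to decide wins."""
    stages = [
        ("waf", waf_stage),
        ("bot_management", bot_stage),
        ("pay_per_crawl", lambda r: pay_per_crawl_stage(r, crawl_policy)),
    ]
    for name, stage in stages:
        action = stage(req)
        if action is not None:
            return name, action
    return "origin", "allow"  # nothing matched: request reaches the origin
```

In this model a crawler request with score 5 is blocked at the WAF stage even when the publisher's crawl policy is "allow", which is the invariant the pipeline order exists to protect.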
Operational numbers
- Sub-30-second global rule deployment (managed rulesets reach entire network)
- Traditional PoC-to-rule SLA: 12 hours (acknowledged as insufficient vs frontier models)
- React2Shell: managed rule live before official CVE advisory
(Source: sources/2026-06-09-cloudflare-defend-against-frontier-cyber-models)
Threat intelligence integration
Cloudforce One threat intelligence can now be used directly within WAF rules to block high-risk traffic — closes the gap between threat discovery and mitigation without an intermediate feed-ingestion step.
(Source: sources/2026-06-09-cloudflare-defend-against-frontier-cyber-models)
Seen in
- sources/2025-07-01-cloudflare-pay-per-crawl — explicit mention that pay-per-crawl's Allow / Charge / Block rules engine runs "only after existing WAF policies and bot management or bot blocking features have been applied".
- sources/2026-06-09-cloudflare-defend-against-frontier-cyber-models — first layer in the layered defence architecture; ML scoring + managed rulesets + Cloudforce One intel integration.