Analytics Updates & Release Notes

TL;DR

Brand Protection now features an Automated Cease & Desist (C&D) workflow. When you discover an infringing domain hosted outside of Cloudflare, you can instantly generate, review, and download a custom-branded, pre-filled legal notice in seconds.

Why this matters

This update introduces a major shift from pure detection to actionable enforcement, eliminating the manual burden for your Trust & Safety and Legal teams:

• Instant WHOIS and Recipient Lookup: We automatically scrape registrar data and WHOIS contact information (such as the registrant or registrar abuse email) behind the scenes, highlighting exactly where your notice needs to be sent
• Smart Template Automation: We pre-fill your custom-branded templates with essential metadata, including the infringing domain, registrar name, and discovery date.
• Tailored Enforcement Tones: Choose from three default layout strategies depending on the severity of the infrastructure match:
  • Exact Match: A formal demand for identical trademark infringements
  • Similar Match: A standard notice optimized for typosquatting (one-character distance matches)
  • Friendly Tone: An amicable initial outreach for potential unintentional or accidental infringements
• Full Editing Control: Before creating the final PDF, a real-time review screen allows you to fine-tune the messaging, modify placeholders, and ensure your text aligns perfectly with internal legal standards

How it works

When reviewing a malicious domain match inside your dashboard, your enforcement path splits depending on where the attacker is located:

1. On the Cloudflare Network: If the domain uses Cloudflare’s network or registrar, trigger our existing integrated abuse reporting flow with one click.
2. Hosted Elsewhere: If the domain is hosted on an external provider, click the Generate C&D Letter option to launch the new document builder, pick your template, verify the auto-populated recipient data, and download your finalized PDF.

You can manage your templates and enforce matches by going to the Cloudflare Dashboard > Application Security > Brand Protection and selecting your detected Brand Protection matches. For more information, read the Brand Protection documentation.

Note: Cloudflare does not represent you and cannot provide you with legal advice. Only you can decide whether your rights have been infringed, whether a cease and desist letter is appropriate, and what that letter should say.

Cloudforce One users can now turn Threat Events indicators into active defense. With this update, users can instantly generate a WAF rule that matches the dynamic list of IP addresses returned by any of their Saved Views.

Why this matters

Threat intelligence is most effective when it is immediately actionable. Previously, blocking threat actors required manually extracting indicators from threat events and copying them into your firewall rules. This new integration bridges the gap between threat discovery and threat mitigation:

• When you identify an active threat pattern - such as an ongoing campaign targeting a specific industry, or using a known indicator type - you can pivot from investigation to mitigation in a single click.
• Instead of writing complex, static IP rules, this functionality allows you to leverage the specific filtering logic you have already defined and saved within your Threat Events ecosystem.
• Automating the generation of the WAF rule expression from your threat views eliminates manual copying errors, ensuring that the right malicious infrastructure is blocked instantly.

How to use it

You can implement these rules through both the dashboard UI and via the API / Terraform.

Go to Cloudflare Dashboard > Application Security > Threat Intelligence > Manage Views, select your desired view, and select Create WAF Rule.

This will automatically pre-populate the WAF rule builder with the matching threat event IP indicators.

You can also automate this workflow by utilizing the WAF Rule Builder API alongside your Threat Events saved views endpoints.

TL;DR:

Weve launched Threat Actor Profiles directly inside the Threat Events dashboard. You can now immediately pivot from a generic alert or blocked event to a profile that unmasks the "Who, Why, and How" behind a threat event.

Why this matters

Security teams often suffer from a visibility gap. When an attack is blocked, it's difficult to know if it was a random automated bot or a sophisticated advanced persistent threat (APT) campaign specifically targeting your industry. Finding out usually means leaving your security dashboard to hunt through external OSINT feeds or static, out-of-date threat reports. Threat Actor Profiles solve this by sharing Cloudforce Ones deep adversary research directly inside your workflow:

• Cloudflare sees the traffic in real-time across approximately 20% of the web. This means actor profiles display active malicious infrastructure the moment it touches our global edge.
• Every profile provides clear strategic and tactical modules including alternative aliases, origin tracking, historical threat event volume, and MITRE ATT&CK mapping detailing the adversary's technical methods.
• You can search the dedicated threat actor directory or click an actor's name inside any threat event to view all details and related events to the specific threat actor.

How to use it

Adversary tracking is now available in the Cloudflare Dashbboard and ready to be included in your daily investigation workflow:

• Click on the Threat Actor name in the Threat Events table to open their full identity profile and review their aliases and attack stats.
• Navigate to Cloudflare Dashboard > Application Security > Threat Intelligence to explore the new Threat Actors tab. Here, you can browse a card-based directory of all established entities tracked by Cloudforce One.

Learn more in the Cloudforce One documentation 9.

Radar now provides finer-grained traffic charts for longer time ranges. Previously, selecting a 1-3 month view on HTTP and NetFlows charts defaulted to weekly aggregation, which was too coarse to surface meaningful trends. Views longer than 3 months defaulted to monthly aggregation, returning as few as 7 data points for a 6-month range.

The new defaults are:

• 1-3 months: daily granularity (7x more data points)
• Longer than 3 months (HTTP and NetFlows): weekly granularity (4x more data points)

For example, a 12-week traffic view previously showed weekly data:

Traffic trends chart with weekly granularity for a 12-week view

The same view now shows daily data:

Traffic trends chart with daily granularity for a 12-week view

Similarly, a 1-year HTTP traffic view that previously showed just 12 monthly data points now provides 52 weekly data points.

Visit Cloudflare Radar to explore the new granular views.

The Radar now also reports TLS bugs detected during the handshake test. When a scanned host exhibits compatibility issues, the results include details on the specific bugs detected, along with guidance on how to investigate and remediate each issue. The bugs section only appears for hosts where issues are found.

The following TLS bugs are detected:

• Split ClientHello — The connection fails with a fragmented post-quantum ClientHello but succeeds with classical handshakes. Typically caused by middleboxes or firewalls that cannot reassemble split TLS messages.
• HRR Failure — The server sends a HelloRetryRequest but fails to complete the handshake afterward.
• Unknown Keyshare — The server cannot handle unknown key exchange algorithms and fails instead of responding with a HelloRetryRequest as required by the TLS 1.3 specification.

Bug detection data is available through the existing /post_quantum/tls/support endpoint.

Visit the Post-Quantum Encryption page to test a host.

Security Insights scans now run more often. Cloudflare scans Free accounts every 7 days, Pro and Business accounts every 3 days, and Enterprise accounts daily.

In addition, all accounts and zones now receive scans by default. You no longer need to enable scans before Cloudflare checks your account for misconfigurations, vulnerabilities, and other security risks.

Granular on-demand scans are now available on any plan. You can trigger an on-demand scan for any zone, insight, insight type from the Cloudflare dashboard in order to quickly re-check your security posture after remediating an issue.

To learn more, refer to the Security Insights documentation.

Radar now includes two new charts on the traffic page that provide deeper insights into the composition of HTTP traffic: a content type distribution chart and an API traffic share chart.

Content type distribution

The new Content type chart displays the distribution of HTTP response content types, grouped into high-level categories. A traffic type selector allows filtering by human, bot, or all traffic. The existing Bot vs. Human chart also gained a content type category filter, allowing users to see the bot/human split for specific content categories.

Content type categories:

• HTML — Web pages (text/html)
• Images — All image formats (image/*)
• JSON — JSON data and API responses (application/json, *+json)
• JavaScript — Scripts (application/javascript, text/javascript)
• CSS — Stylesheets (text/css)
• Plain Text — Unformatted text (text/plain)
• Fonts — Web fonts (font/, application/font-)
• XML — XML documents and feeds (text/xml, application/xml, application/rss+xml, application/atom+xml)
• YAML — Configuration files (text/yaml, application/yaml)
• Video — Video content and streaming (video/*, application/ogg, *mpegurl)
• Audio — Audio content (audio/*)
• Markdown — Markdown documents (text/markdown)
• Documents — PDFs, Office documents, ePub, CSV (application/pdf, application/msword, text/csv)
• Binary — Executables, archives, WebAssembly (application/octet-stream, application/zip, application/wasm)
• Serialization — Binary API formats (application/protobuf, application/grpc, application/msgpack)
• Other — All other content types

The CONTENT_TYPE dimension and contentType filter are available on the HTTP summary , timeseries groups , and timeseries endpoints.

API traffic share

The new API traffic chart shows the percentage of dynamic (non-cacheable) HTTP request traffic that is API-related. API traffic is identified by JSON or XML response content types (application/json, application/xml, text/xml) on HTTP requests that returned a 200 status code. A traffic type selector allows switching between human traffic, bot traffic, or all traffic.

Visit the Radar traffic page to explore these new charts.

Cloudflare has updated Logpush datasets :

New datasets

• Email Security Post-Delivery Events: A new dataset with fields including AlertID , CompletedAt , Destination , FinalDisposition , Folder , From , FromName , MessageID , MessageTimestamp , MicrosoftTenantID , Operation , PostfixID , Reasons , Recipient , RequestedAt , RequestedBy , RequestedDisposition , Status , Subject , Success , and To .
• Magic Network Monitoring Flow Logs: A new dataset with fields including AWSVPCFlowJSON , Bits , DestinationAS , DestinationAddress , DestinationPort , DeviceID , EgressBits , EgressPackets , Ethertype , FlowProtocol , FlowTimestamp , NumFlows , PacketID , Packets , Protocol , RuleIDs , SampleRate , SampleRateType , SamplerAddress , SourceAS , SourceAddress , SourcePort , TcpFlags , and Timestamp .

Updated fields in existing datasets

• Firewall events (added): AISecurityInjectionScore , AISecurityPIICategories , AISecurityTokenCount , and AISecurityUnsafeTopicCategories .
• HTTP requests (added): AISecurityInjectionScore , AISecurityPIICategories , AISecurityTokenCount , AISecurityUnsafeTopicCategories , and Subrequests .

For the complete field definitions for each dataset, refer to Logpush datasets .

The /cdn-cgi/rum beacon endpoint now returns 405 Method Not Allowed for non-POST requests instead of 404 Not Found. The response includes an Allow: POST, OPTIONS header per RFC 9110 015.5.6.

Previously, sending a GET or other non-POST request to this endpoint returned a 404, which was misleading because it suggested the endpoint did not exist. The new 405 response clearly indicates that the endpoint exists but only accepts POST requests.

The Web Analytics beacon (beacon.min.js) already uses POST for all metric submissions, so this change does not affect normal beacon operation. OPTIONS requests for CORS preflight continue to work as before.

For more information, refer to the Web Analytics FAQ.

We’ve added a new Agent Readiness tab to URL Scanner reports accessible via the Cloudflare dashboard. This feature evaluates your site against emerging AI standards and provides six specialized scores to help you optimize for the next generation of AI agents and automated discovery.

The Internet is shifting from a human-read web to a machine-read web. AI agents now browse, interact with, and even perform transactions on websites. If a site isn't "agent-ready," these bots may consume excessive bandwidth, fail to find critical information, or be unable to navigate your services efficiently.

This update provides material value by breaking down readiness into six actionable categories:

• Basic Web Presence
• Discoverability
• Content Accessibility
• Bot Access Control
• Protocol Discovery
• Commerce

Accessing the report

You can view these scores for any scanned URL directly in the dashboard or via our API.

• Dashboard: Go to Protect & Connect > Application Security > Investigate. After running a scan, select the Agent Readiness tab in the report.
• API: Use the URL Scanner API to programmatically retrieve these scores for your infrastructure.

To learn more about the methodology behind these scores, refer to the blogpost.

You can now export your Requests for Information (RFI) history to a CSV document and customize your dashboard view by choosing how many RFI records to load per page.

Why this matters

These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:

• The new CSV export allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry
• With adjustable page density , you can now choose to load more records at once (10, 25 or 50) to scan through history faster

Cloudforce One subscribers can find these new options in Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information .

Radar now provides TLD authoritative nameserver performance insights, measuring response time (latency) as observed from Cloudflare's 1.1.1.1 resolver infrastructure when forwarding queries upstream to TLD nameservers.

New widgets on TLD detail pages

• Aggregate nameserver latency : Response time percentiles (p25/p50/p75) for all authoritative nameservers of the selected TLD.
• Latency per nameserver : Median response time (p50) broken down by each authoritative nameserver over time.

Latency per nameserver chart

• Median latency geographic distribution : p50 response time by Cloudflare data center country, displayed on a choropleth map.
• TLD ranking over time : Daily DNS magnitude rank and magnitude value with a Rank/Magnitude toggle.
• Rank change deltas : 1 week, 4 weeks, and 3 months rank changes added to the TLD magnitude table and the TLD detail info panel.

TLD Rankings by DNS Magnitude table with rank change deltas

The new TLD Performance API provides the following endpoints:

• /tlds/performance/summary/{dimension} — TLD nameserver performance summarized by dimension.
• /tlds/performance/timeseries_groups/{dimension} — TLD nameserver performance over time grouped by dimension.

Available dimensions: LATENCY (aggregate p25/p50/p75), NAMESERVER_LATENCY (per-nameserver p50), LOCATION_LATENCY (per-data-center-country p50).

TLD Performance is also available as a dataset in the Data Explorer .

Check out the updated TLD detail page .

The Cloudforce One Threat Events API now supports TAXII as an output format, enabling standardized, automated sharing of cyber threat intelligence with your existing security stack.

Why this matters

• You can now ingest Cloudforce One threat data directly into your SIEM, TIP or SOAR tools that prefer TAXII-formatted streams without needing custom translation scripts.
• By supporting the TAXII format parameter in our API, security teams can automate the synchronization of indicator data, reducing the manual overhead of updating blocklists and detection rules.
• This alignment with industry standards ensures that your threat data remains consistent across different security ecosystems and partner integrations.

How to use it

When calling the Threat Events API, you can now specify taxii in the format query parameter:

GET /accounts/{account_id}/cloudforce_one/threat_events?format=taxii

You can find the updated documentation in the Cloudflare API Reference .