Analytics Updates & Release Notes

Radar now includes two new charts on the traffic page ↗ that provide deeper insights into the composition of HTTP traffic: a content type distribution chart and an API traffic share chart.

Content type distribution

The new Content type ↗ chart displays the distribution of HTTP response content types, grouped into high-level categories. A traffic type selector allows filtering by human, bot, or all traffic. The existing Bot vs. Human ↗ chart also gained a content type category filter, allowing users to see the bot/human split for specific content categories.

Content type categories:

• HTML — Web pages (text/html)
• Images — All image formats (image/*)
• JSON — JSON data and API responses (application/json, *+json)
• JavaScript — Scripts (application/javascript, text/javascript)
• CSS — Stylesheets (text/css)
• Plain Text — Unformatted text (text/plain)
• Fonts — Web fonts (font/, application/font-)
• XML — XML documents and feeds (text/xml, application/xml, application/rss+xml, application/atom+xml)
• YAML — Configuration files (text/yaml, application/yaml)
• Video — Video content and streaming (video/*, application/ogg, *mpegurl)
• Audio — Audio content (audio/*)
• Markdown — Markdown documents (text/markdown)
• Documents — PDFs, Office documents, ePub, CSV (application/pdf, application/msword, text/csv)
• Binary — Executables, archives, WebAssembly (application/octet-stream, application/zip, application/wasm)
• Serialization — Binary API formats (application/protobuf, application/grpc, application/msgpack)
• Other — All other content types

The CONTENT_TYPE dimension and contentType filter are available on the HTTP summary, timeseries groups, and timeseries endpoints.

API traffic share

The new API traffic ↗ chart shows the percentage of dynamic (non-cacheable) HTTP request traffic that is API-related. API traffic is identified by JSON or XML response content types (application/json, application/xml, text/xml) on HTTP requests that returned a 200 status code. A traffic type selector allows switching between human traffic, bot traffic, or all traffic.

The API_TRAFFIC dimension is available on the existing HTTP summary and timeseries groups endpoints. An apiTraffic filter (API or NON_API) can also be applied to HTTP timeseries requests to retrieve raw request counts for API-only or non-API traffic.

Visit the Radar traffic page ↗ to explore these new charts.

Loading a file

Radar now includes an MRT Explorer tool in the Routing section. Route collectors like RIPE RIS and RouteViews publish MRT (Multi-Threaded Routing Toolkit) dump files containing BGP announcements, withdrawals, and route attributes. The new tool parses these files entirely in the browser — nothing gets uploaded.

Paste a URL to fetch an MRT file remotely, drag and drop one onto the page, or browse for a local file. Gzip and bzip2 compressed files are supported. A sample file is also available to get started right away.

Inspecting events

Once parsed, the tool lists every BGP event with its timestamp, prefix, AS path, OTC (Only to Customer), and community attributes.

Event details

Clicking on the "View details" action opens a modal with additional properties and the full event JSON.

Shareable URLs

When loading a file by URL, the query string captures the source so the link can be shared directly — the recipient's browser immediately fetches and parses the same file.

Try the MRT Explorer on Cloudflare Radar.

Cloudflare has updated Logpush datasets:

New datasets

Email Security Post-Delivery Events: A new dataset with fields including AlertID, CompletedAt, Destination, FinalDisposition, Folder, From, FromName, MessageID, MessageTimestamp, MicrosoftTenantID, Operation, PostfixID, Reasons, Recipient, RequestedAt, RequestedBy, RequestedDisposition, Status, Subject, Success, and To.

Magic Network Monitoring Flow Logs: A new dataset with fields including AWSVPCFlowJSON, Bits, DestinationAS, DestinationAddress, DestinationPort, DeviceID, EgressBits, EgressPackets, Ethertype, FlowProtocol, FlowTimestamp, NumFlows, PacketID, Packets, Protocol, RuleIDs, SampleRate, SampleRateType, SamplerAddress, SourceAS, SourceAddress, SourcePort, TcpFlags, and Timestamp.

Updated fields in existing datasets

Firewall events (added): AISecurityInjectionScore, AISecurityPIICategories, AISecurityTokenCount, and AISecurityUnsafeTopicCategories.

HTTP requests (added): AISecurityInjectionScore, AISecurityPIICategories, AISecurityTokenCount, AISecurityUnsafeTopicCategories, and Subrequests.

For the complete field definitions for each dataset, refer to Logpush datasets.

You can now export your Requests for Information (RFI) history to a CSV document and customize your dashboard view by choosing how many RFI records to load per page.

Why this matters

These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:

• The new CSV export allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry
• With adjustable page density, you can now choose to load more records at once (10, 25 or 50) to scan through history faster

Cloudforce One subscribers can find these new options in Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information .

Radar now provides TLD authoritative nameserver performance insights, measuring response time (latency) as observed from Cloudflare's 1.1.1.1 resolver infrastructure when forwarding queries upstream to TLD nameservers.

New widgets on TLD detail pages:

• Aggregate nameserver latency: Response time percentiles (p25/p50/p75) for all authoritative nameservers of the selected TLD.
• Latency per nameserver: Median response time (p50) broken down by each authoritative nameserver over time.
• Median latency geographic distribution: p50 response time by Cloudflare data center country, displayed on a choropleth map.
• TLD ranking over time: Daily DNS magnitude rank and magnitude value with a Rank/Magnitude toggle.
• Rank change deltas: 1 week, 4 weeks, and 3 months rank changes added to the TLD magnitude table and the TLD detail info panel.

The new TLD Performance API provides the following endpoints:

• /tlds/performance/summary/{dimension} — TLD nameserver performance summarized by dimension.
• /tlds/performance/timeseries_groups/{dimension} — TLD nameserver performance over time grouped by dimension.

Available dimensions: LATENCY (aggregate p25/p50/p75), NAMESERVER_LATENCY (per-nameserver p50), LOCATION_LATENCY (per-data-center-country p50).

TLD Performance is also available as a dataset in the Data Explorer.

Check out the updated TLD detail page.

The Cloudforce One Threat Events API now supports TAXII as an output format, enabling standardized, automated sharing of cyber threat intelligence with your existing security stack.

Why this matters

You can now ingest Cloudforce One threat data directly into your SIEM, TIP or SOAR tools that prefer TAXII-formatted streams without needing custom translation scripts.

By supporting the TAXII format parameter in our API, security teams can automate the synchronization of indicator data, reducing the manual overhead of updating blocklists and detection rules.

This alignment with industry standards ensures that your threat data remains consistent across different security ecosystems and partner integrations.

How to use it

When calling the Threat Events API, you can now specify taxii in the format query parameter:

GET /accounts/{account_id}/cloudforce_one/threat_events?format=taxii

You can find the updated documentation in the Cloudflare API Reference.

Top ASes by announced IP space on country pages

Radar is expanding its Routing section with two new widgets that give a deeper view into how networks announce address space and how RPKI ROA coverage evolves over time.

Country routing pages now include a Top ASes by announced IP space chart, breaking down the IPv4 and IPv6 address space announced from a country across the autonomous systems that originate it. The chart stacks the IPv4 and IPv6 views vertically, with the top contributing ASes called out by color and the remaining networks aggregated as Other.

RPKI ROA deployment timeseries

The RPKI sub-page adds an RPKI ROA deployment timeseries widget that tracks the share of announced BGP space covered by a valid Route Origin Authorization (ROA) over time, with separate IPv4 and IPv6 lines. A toggle switches the view between the share of covered prefixes and the share of covered IP address space. The widget is available on global, country, and AS views, so operators can monitor RPKI adoption progress and compare deployment trends across different scopes.

API endpoints

The data behind these widgets is also available through two new endpoints on the BGP API:

• /bgp/ips/top/ases - Returns the top autonomous systems by announced IP space (IPv4 /24s or IPv6 /48s), globally or filtered by country, snapped to the nearest 8-hour RIB boundary.
• /bgp/rpki/roas/timeseries - Returns RPKI ROA validation coverage over time, by share of prefixes or share of IP address space, split by IP version, with optional ASN or location filters.

Visit the Radar routing section to explore both widgets.

The Cloud Observatory on Radar now provides improved connection metric insights, offering new ways to explore TCP round-trip time, TCP handshake duration, TLS handshake duration, and response header receive duration across cloud provider origin servers.

The Cloud Observatory overview now shows connection metrics broken down by cloud provider, making it easy to compare connection performance across Amazon Web Services, Google Cloud, Microsoft Azure, and Oracle Cloud.

Each provider page now shows connection metrics for the top five regions, with a selector to rank by lowest or highest values.

Each region page now displays connection metrics as percentile distributions (25th percentile, median, and 75th percentile), providing insight into the range and variability of connection times.

These views are also available through the Origins API, using the timeseries_groups endpoint with the ORIGIN, REGION, or PERCENTILE dimension.

Key benefits

Cloudflare Web Analytics now supports Navigation Type reporting and filtering.

This update allows developers and performance analysts to see how users are navigating between pages — whether through a link click or form submission, a page reload, or using the browser's back/forward buttons — and whether a browser cache hit occurred for these behaviors.

Understanding navigation types is critical for optimizing user experience. For example, if a high volume of your traffic consists of "Back-forward" navigations versus "Back-forward Cache", those visitors are not benefiting from the Back/Forward Cache (bfcache) and therefore are experiencing higher load times due to potentially unnecessary network requests.

The same applies for regular "Navigate" entries — where "Navigate Cache", "Navigate Prefetch Cache" and "Prerender" would provide instant document retrieval — and "Reload", where "Reload cache" would be more optimal.

A high volume of "Reload" entries can also indicate a potential stability problem with your website.

By identifying these patterns, you can tune your browser caching strategies to ensure HTML documents are served instantaneously from local caches rather than requiring a roundtrip to the network.

For more information, refer to Navigation Types.

• Monitor Cache Effectiveness: See how often your site is served from the HTTP cache or bfcache.
• Identify Performance Bottlenecks: Filter by the different types to understand performance opportunity of improving browser cache hit ratio.

Analyze navigation types in the Cloudflare dashboard

You can now find the Navigation Type dimension in the Web Analytics dashboard. You can filter to include/exclude one or more specific types using "equals", "does not equal", "in", or "not in" matchers.

To check the list of popular navigation types, select Page views on the Web Analytics sidebar and scroll down to the bottom.

We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view.

What's new

• You can now elect multiple saved queries from your dashboard to generate a consolidated "Combined Matches" view. This allows you to triage results from different brand queries in one unified table
• You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place.
• You can reset your workspace using the new "Clear Selection" action, making it easier to pivot between different investigation sets.

Key benefits

• Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages
• Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries

Learn more in our Brand Protection documentation.

Custom Dashboards are now available to all Cloudflare customers. Build personalized views that highlight the metrics most critical to your infrastructure and security posture, moving beyond standard product dashboards.

This update significantly expands the data available for visualization. Build charts based on any of the 100+ datasets available via the Cloudflare GraphQL API, covering everything from WAF events and Workers metrics to Load Balancing and Zero Trust logs.

Log Explorer integration

For Log Explorer customers, you can now turn raw log queries directly into dashboard charts. When you identify a specific pattern or spike while investigating logs, save that query as a visualization to monitor those signals in real-time without leaving the dashboard.

Key benefits

• Unified visibility: Consolidate signals from different Cloudflare products (for example, HTTP Traffic and R2 Storage) into a single view.
• Flexible monitoring: Create charts that focus on specific status codes, ASN regions, or security actions that matter to your business.
• Expanded limits: Log Explorer customers can create up to 100 dashboards (up from 25 for standard customers).

To get started, refer to the Custom Dashboards documentation.

When a Cloudflare Worker intercepts a visitor request, it can dispatch additional outbound fetch calls called subrequests. By default, each subrequest generates its own log entry in Logpush, resulting in multiple log lines per visitor request. With subrequest merging enabled, subrequest data is embedded as a nested array field on the parent log record instead.

What's new

• New subrequest_merging field on Logpush jobs Set "merge_subrequests": true when creating or updating an http_requests Logpush job to enable the feature.
• New Subrequests log field When subrequest merging is enabled, a Subrequests field (array) is added to each parent request log record. Each element in the array contains the standard http_requests fields for that subrequest.

Limitations

• Applies to the http_requests (zone-scoped) dataset only.
• A maximum of 50 subrequests are merged per parent request. Subrequests beyond this limit are passed through unmodified as individual log entries.
• Subrequests must complete within 5 minutes of the visitor request. Subrequests that exceed this window are passed through unmodified.
• Subrequests that do not qualify appear as separate log entries no data is lost.
• Subrequest merging is being gradually rolled out and is not yet available on all zones. Contact your account team for concerns or to ensure it is enabled for your zone.
• For more information, refer to Subrequests.