---
title: Cloudflare Security Center
description: Cloudflare Security Center brings together our suite of security products, our security expertise, and unique Internet intelligence as a unified security intelligence solution. Security Center enables you to strengthen your security posture by:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare Security Center

Cloudflare Security Center brings together our suite of security products, our security expertise, and unique Internet intelligence as a unified security intelligence solution. Security Center enables you to strengthen your security posture by:

* Mapping your cyber attack surface
* Providing asset inventory and discovery
* Identifying potential security risks, misconfigurations, and vulnerabilities
* Helping you to mitigate these risks through remediation in a few clicks

## Main features

* **Security Insights**: Review and manage potential security risks and vulnerabilities associated with your IT infrastructure.
* **Infrastructure**: Review and manage your IT infrastructure.
* **Investigate**: Investigate threats using data from Cloudflare's global network.
* **Security Reports (beta)**: Gain visibility into requests blocked or challenged by the Cloudflare Application Security suite of products.
* **Brand Protection (beta)**: Search for new domains that may be attempting to impersonate your brand.

[Get started](https://developers.cloudflare.com/security-center/get-started/)

---

## Availability

Cloudflare Security Center is available to customers on all plans. If you have any comments, questions, or bugs to report, create a post in the [Cloudflare Community forum ↗](https://community.cloudflare.com/c/security/security-center/65).

The frequency of security scans depends on your Cloudflare plan. Refer to [Scan frequency](https://developers.cloudflare.com/security-center/security-insights/how-it-works/#scan-frequency) for more information.

## Limitations

* Users with an [Administrator Read Only](https://developers.cloudflare.com/fundamentals/manage-members/roles/#account-scoped-roles) role cannot access the Cloudflare Security Center.
* Only Cloudflare accounts with at least one Business or Enterprise zone, or accounts on the Teams Standard or Teams Enterprise plans, can manually start a new scan.

---

---
title: Get started
description: This guide covers the steps you need to take to set up Security Center in your Cloudflare account for the first time.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Get started

This guide covers the steps you need to take to set up Security Center in your Cloudflare account for the first time.

## Prerequisites

* A Cloudflare account
* At least one zone onboarded to Cloudflare

## Enable Security Insights and start initial scan

Security Insights start scans by default. Security Insights will scan your Cloudflare environment and provide you with a list of detected [insights](https://developers.cloudflare.com/security-center/security-insights/). Refer to [How it works](https://developers.cloudflare.com/security-center/security-insights/how-it-works/) to learn more about how Security Insights perform a scan.

The initial scan time depends on the number of IT assets in all the domains of your Cloudflare account. When the scan is complete, the status of the page will change from **Scan in Progress** to **Last scan performed on: `<DATE_TIME>`**.

You can stop a scan and restart it later.

To disable scans:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Go to **Disable Security Center scans** and select **Disable scans**.

To restart a scan:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select **Scan now**.

### Start a new scan

To manually start a scan:

1. In the Cloudflare dashboard, go to the **Infrastructure** page.  
[ Go to **Infrastructure** ](https://dash.cloudflare.com/?to=/:account/security-center/inventory)
2. Select **Scan now**.

### Scan Frequency

Once you enable Security Insights, Cloudflare performs scans at a [regular frequency](https://developers.cloudflare.com/security-center/security-insights/how-it-works/#scan-frequency), according to your Cloudflare plan.

---

---
title: Threat Intelligence APIs
description: Cloudflare provides a series of endpoints covering various areas of internet security and insights. Based on your Cloudflare plan type, the limit of API calls will vary per month.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Threat Intelligence APIs

Cloudflare provides a series of endpoints covering various areas of internet security and insights. Based on your Cloudflare plan type, the [limit](https://developers.cloudflare.com/security-center/intel-apis/limits/) of API calls will vary per month.

| Intelligence Endpoint                                                                                                                                              | Definition                                                                                                                                                       |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [ASN Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/asn/methods/get/)                                                            | Provides an overview of the Autonomous System Number (ASN) and a list of subnets for it.                                                                         |
| [Custom Indicator Feed Download](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/downloads/)                     | Provides the ability to download any custom indicator feeds that users create.                                                                                   |
| [Domain Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/domains/methods/get/)                                                     | Provides security details and statistics about a domain.                                                                                                         |
| [Domain History](https://developers.cloudflare.com/api/resources/intel/subresources/domain%5Fhistory/methods/get/)                                                 | Provides historical security threat and content categories that are currently and previously assigned to a domain.                                               |
| [IP Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/ips/methods/get/)                                                             | Provides the geolocation, ASN, infrastructure type of the ASN, and any security threat categories of an IP address.                                              |
| [Passive DNS by IP](https://developers.cloudflare.com/api/resources/intel/subresources/dns/methods/list/)                                                          | Provides a list of all the domains, including first seen and last seen dates, that have resolved to a specific IP address.                                       |
| [Phishing Intelligence](https://developers.cloudflare.com/api/resources/brand%5Fprotection/methods/url%5Finfo/)                                                    | Provides phishing details about a URL.                                                                                                                           |
| [Miscategorization Intelligence](https://developers.cloudflare.com/api/resources/intel/subresources/miscategorizations/methods/create/)                            | Enables users to submit requests for modifying a domain's category, subsequently undergoing review by the Cloudflare Intelligence team.                          |
| [Priority Intelligence Requirements](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/subresources/priority/methods/create/) | Provides a structured approach to identifying intelligence gaps, formulating precise requirements, and organizing them into categories.                          |
| [Request for Information](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/methods/create/)                                  | Creates a targeted inquiry for specific intelligence insights to help organizations understand and respond to imminent security threats and vulnerabilities.     |
| [Threat Events](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/scans/subresources/results/methods/get/)                             | Allows customers to look into the Cloudflare telemetry and threat actor activity on the Cloudflare network.                                                      |
| [WHOIS](https://developers.cloudflare.com/api/resources/intel/subresources/whois/methods/get/)                                                                     | Provides the WHOIS registration information for a specific domain.                                                                                               |
| [DDoS Botnet Threat Feed](https://developers.cloudflare.com/ddos-protection/botnet-threat-feed/) (early access)                                                    | Provides information to service providers about their own IP addresses that have participated in HTTP DDoS attacks as observed from Cloudflare's global network. |
| [Cloudforce One](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/subresources/assets/methods/create/)                       | Enables users to list, delete, get, or update a request asset.                                                                                                   |
| [Brand Protection API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/)                                                                        | Provides the ability to create and delete queries, download matches for logo and string queries, and read matches for logo and string queries.                   |

## API Examples

Below you can find examples of Threat Intelligence API calls. Make sure you are using an [API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the appropriate edit permissions. For comprehensive details, navigate to the respective API documentation using the links above.

### ASN Intelligence

Get ASN Overview

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/asn/13335" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": {
        "asn": 13335,
        "description": "CLOUDFLARENET",
        "country": "US",
        "type": "isp"
    },
    "success": true,
    "errors": [],
    "messages": []
}
```

### Custom Indicator Feed Download

Download Custom Indicator Feed

```
curl "https://api.cloudflare.com/client/v4/accounts/10d79d097895ae7ed7942a2b3832186c/intel/indicator-feeds/31/download" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": [
        {
            "type": "bundle",
            "id": "bundle--f4a735b7-b330-465d-8e6e-87b3c6a01287",
            "objects": [
                {
                    "type": "indicator",
                    "spec_version": "2.1",
                    "id": "indicator--3d0ad6e0-3d49-4575-a0cb-d0e5c8b81f08",
                    "created": "2024-07-18T00:00:00Z",
                    "modified": "2024-07-18T00:00:00Z",
                    "name": "Malicious domain ahilesopolker.com",
                    "description": "This domain is associated with malicious activity.",
                    "pattern": "[domain-name:value = 'ahilesopolker.com']",
                    "pattern_type": "stix",
                    "valid_from": "2024-07-18T00:00:00Z"
                },
                {
                    "type": "domain-name",
                    "spec_version": "2.1",
                    "id": "domain-name--b252f8d7-5b63-4b59-9d58-8f313db76c35",
                    "value": "ahilesopolker.com",
                    "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ],
                    "created": "2024-07-18T00:00:00Z",
                    "modified": "2024-07-18T00:00:00Z"
                }
            ]
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}
```
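
Added example (not part of the Cloudflare documentation): a Python parser for a feed download response in the shape shown above. It checks `success`, accepts only single-comparison STIX patterns, validates each value before it reaches a blocklist, and reports indicators it cannot safely interpret instead of guessing. The function names and the two extra indicators in the sample are constructed for illustration.

```python
import ipaddress
import json
import re

KINDS = ("domain-name", "ipv4-addr", "ipv6-addr")

# Constructed sample: the bundle from the example response above, trimmed,
# plus two constructed indicators that exercise the other code paths.
SAMPLE_RESPONSE = json.dumps({
    "result": [{
        "type": "bundle",
        "id": "bundle--f4a735b7-b330-465d-8e6e-87b3c6a01287",
        "objects": [
            {"type": "indicator", "spec_version": "2.1",
             "id": "indicator--3d0ad6e0-3d49-4575-a0cb-d0e5c8b81f08",
             "name": "Malicious domain ahilesopolker.com",
             "pattern": "[domain-name:value = 'ahilesopolker.com']",
             "pattern_type": "stix", "valid_from": "2024-07-18T00:00:00Z"},
            {"type": "domain-name", "spec_version": "2.1",
             "id": "domain-name--b252f8d7-5b63-4b59-9d58-8f313db76c35",
             "value": "ahilesopolker.com"},
            # Constructed: simple IPv4 indicator with no matching observable.
            {"type": "indicator", "spec_version": "2.1",
             "id": "indicator--00000000-0000-4000-8000-000000000001",
             "pattern": "[ipv4-addr:value = '198.51.100.7']",
             "pattern_type": "stix", "valid_from": "2024-07-18T00:00:00Z"},
            # Constructed: compound pattern that this parser must not guess at.
            {"type": "indicator", "spec_version": "2.1",
             "id": "indicator--00000000-0000-4000-8000-000000000002",
             "pattern": "[domain-name:value = 'a.example' OR domain-name:value = 'b.example']",
             "pattern_type": "stix", "valid_from": "2024-07-18T00:00:00Z"},
        ],
    }],
    "success": True, "errors": [], "messages": [],
})

# Only a single equality comparison is accepted, e.g. [domain-name:value = 'x'].
SIMPLE = re.compile(
    r"^\[\s*(domain-name|ipv4-addr|ipv6-addr):value\s*=\s*'([^'\\]*)'\s*\]$")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def normalise(kind, value):
    """Return a canonical domain or IP string, or None if the value is invalid."""
    if kind == "domain-name":
        host = value.strip().rstrip(".").lower()
        return host if HOSTNAME.match(host) else None
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    # Reject an IPv6 literal labelled ipv4-addr and vice versa.
    if (kind == "ipv4-addr") != (addr.version == 4):
        return None
    return str(addr)


def extract_indicators(response_text):
    """Return (usable indicators, ids of indicators that were skipped)."""
    doc = json.loads(response_text)
    if doc.get("success") is not True:
        raise ValueError(f"API call failed: {doc.get('errors')}")
    usable, skipped = {}, []
    for bundle in doc.get("result") or []:
        objects = bundle.get("objects") or []
        # Observable objects shipped alongside the indicators in the same bundle.
        observables = {(o["type"], normalise(o["type"], str(o.get("value", ""))))
                       for o in objects if o.get("type") in KINDS}
        for obj in objects:
            if obj.get("type") != "indicator":
                continue
            match = None
            if obj.get("pattern_type") == "stix":
                match = SIMPLE.match(str(obj.get("pattern", "")))
            value = normalise(match.group(1), match.group(2)) if match else None
            if value is None:
                skipped.append(obj.get("id"))  # surface for manual review
                continue
            key = (match.group(1), value)
            usable[key] = {
                "type": key[0],
                "value": value,
                "indicator_id": obj.get("id"),
                "valid_from": obj.get("valid_from"),
                "has_observable": key in observables,
            }
    return [usable[k] for k in sorted(usable)], skipped


if __name__ == "__main__":
    indicators, skipped = extract_indicators(SAMPLE_RESPONSE)
    for item in indicators:
        print(item["type"], item["value"], item["valid_from"])
    print("skipped:", skipped)
```
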

### Domain Intelligence

Get Domain Details

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/domain?domain=cloudflare.com" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": {
        "domain": "cloudflare.com",
        "resolves_to_refs": [
            {
                "id": "ipv4-addr--71f6bb54-e0c5-5e7d-b939-5698fc15a102",
                "value": "104.16.133.229"
            },
            {
                "id": "ipv4-addr--015b0df4-7fcd-5409-9b56-cfd300c662f6",
                "value": "104.16.132.229"
            },
            {
                "id": "ipv6-addr--4a7455cd-e8d0-5bfb-8bdb-f6ebb1759508",
                "value": "2606:4700::6810:85e5"
            },
            {
                "id": "ipv6-addr--68f89579-7204-5ebd-a851-e91b3a86fc6d",
                "value": "2606:4700::6810:84e5"
            }
        ],
        "application": {},
        "content_categories": [
            {
                "id": 155,
                "super_category_id": 26,
                "name": "Technology"
            },
            {
                "id": 26,
                "name": "Technology"
            }
        ],
        "additional_information": {},
        "type": "Apex domain",
        "notes": "Apex domain given."
    },
    "success": true,
    "errors": [],
    "messages": []
}
```

### Domain History

Get Domain History

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/domain-history?domain=cloudflare.com" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": [
        {
            "domain": "cloudflare.com",
            "categorizations": [
                {
                    "categories": [
                        {
                            "id": 155,
                            "name": "Technology"
                        }
                    ],
                    "start": "2020-12-16T19:49:30.533482Z",
                    "end": "2023-05-31T08:12:53.547029Z"
                },
                {
                    "categories": [
                        {
                            "id": 115,
                            "name": "Login Screens"
                        },
                        {
                            "id": 155,
                            "name": "Technology"
                        }
                    ],
                    "start": "2023-05-31T08:12:53.547029Z"
                }
            ]
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}
```
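
Added example (not part of the Cloudflare documentation): Python that turns a Domain History response in the shape shown above into a list of category-change events, so a monitoring job can flag when a tracked domain gains a category of interest. The function name `category_changes` and the `watch_ids` parameter are assumptions for illustration; the embedded sample is the example response above.

```python
import json
from datetime import datetime

# Sample input: the example Domain History response shown above.
SAMPLE_HISTORY = json.dumps({
    "result": [{
        "domain": "cloudflare.com",
        "categorizations": [
            {"categories": [{"id": 155, "name": "Technology"}],
             "start": "2020-12-16T19:49:30.533482Z",
             "end": "2023-05-31T08:12:53.547029Z"},
            {"categories": [{"id": 115, "name": "Login Screens"},
                            {"id": 155, "name": "Technology"}],
             "start": "2023-05-31T08:12:53.547029Z"},
        ],
    }],
    "success": True, "errors": [], "messages": [],
})


def parse_ts(text):
    """Parse the API's RFC 3339 timestamps (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def category_changes(response_text, watch_ids=frozenset()):
    """Return one event per categorization window that changed the category set.

    watch_ids is a hypothetical set of category ids the caller wants flagged.
    Windows are assumed to be contiguous, as they are in the sample.
    """
    doc = json.loads(response_text)
    if doc.get("success") is not True:
        raise ValueError(f"API call failed: {doc.get('errors')}")
    events = []
    for entry in doc.get("result") or []:
        # Do not rely on the order in which the API returns the windows.
        windows = sorted(entry.get("categorizations") or [],
                         key=lambda w: parse_ts(w["start"]))
        previous = {}
        for window in windows:
            current = {c["id"]: c["name"] for c in window.get("categories") or []}
            added = sorted(set(current) - set(previous))
            removed = sorted(set(previous) - set(current))
            if added or removed:
                events.append({
                    "domain": entry["domain"],
                    "at": window["start"],
                    "added": [current[i] for i in added],
                    "removed": [previous[i] for i in removed],
                    "watch_hit": any(i in watch_ids for i in added),
                    # A window without "end" is the current categorization.
                    "still_active": "end" not in window,
                })
            previous = current
    return events


if __name__ == "__main__":
    for event in category_changes(SAMPLE_HISTORY, watch_ids={115}):
        print(event)
```
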

### IP Intelligence

Get IP Overview

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/ip?ipv4=1.1.1.1" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": [
        {
            "ip": "1.1.1.1",
            "belongs_to_ref": {
                "id": "autonomous-system--2fa28d71-3549-5a38-af05-770b79ad6ea8",
                "value": 13335,
                "type": "isp",
                "country": "US",
                "description": "CLOUDFLARENET"
            },
            "ip_lists": null,
            "ptr_lookup": {
                "ptr_domains": [
                    "one.one.one.one."
                ],
                "ptr_lookup_errors": ""
            },
            "iana_reservations": []
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}
```

### Passive DNS by IP

Get Passive DNS by IP

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/dns?ipv4=1.1.1.1&start=2023-07-15&end=2023-07-18&per_page=5" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": {
        "reverse_records": [
            {
                "first_seen": "2023-07-15T00:00:00Z",
                "last_seen": "2023-07-18T00:00:00Z",
                "hostname": "internet-ping.svc.starlink.com"
            },
            {
                "first_seen": "2023-07-15T00:00:00Z",
                "last_seen": "2023-07-18T00:00:00Z",
                "hostname": "one.one.one.one"
            },
            {
                "first_seen": "2023-07-15T00:00:00Z",
                "last_seen": "2023-07-18T00:00:00Z",
                "hostname": "ping.ui.com"
            },
            {
                "first_seen": "2023-07-15T00:00:00Z",
                "last_seen": "2023-07-18T00:00:00Z",
                "hostname": "ping.ubnt.com"
            },
            {
                "first_seen": "2023-07-15T00:00:00Z",
                "last_seen": "2023-07-18T00:00:00Z",
                "hostname": "bflow.tiki.video"
            }
        ],
        "count": 778,
        "page": 1,
        "per_page": 5
    },
    "success": true,
    "errors": [],
    "messages": []
}
```

### Phishing Intelligence

Get results for a URL scan

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/brand-protection/url-info?url=http://worcester-realistic-ellen-portland.trycloudflare.com/login.html" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "errors": [],
    "messages": [],
    "result": [
        {
            "categorizations": [],
            "model_results": [
                {
                    "model_name": "MACHINE_LEARNING_v2",
                    "model_score": 0.999
                }
            ],
            "rule_matches": [
                {
                    "description": "Match frequently used phishing kit (Discord, Facebook, Instagram, Twitter)",
                    "name": "phishkit.social"
                }
            ],
            "scan_status": {
                "last_processed": "Wed, 19 Jul 2023 14:15:28 GMT",
                "scan_complete": true,
                "status_code": 200,
                "submission_id": 23098147
            },
            "url": "http://worcester-realistic-ellen-portland.trycloudflare.com/login.html"
        }
    ],
    "success": true
}
```

### Miscategorization Intelligence

Create Miscategorization

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/miscategorization" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "content_adds": [
        82
    ],
    "content_removes": [
        82
    ],
    "indicator_type": "url",
    "ip": null,
    "security_adds": [
        117,
        131
    ],
    "security_removes": [
        117
    ],
    "url": "https://wrong-category.example.com"
}'

# Example response:
{
    "result": "",
    "success": true,
    "errors": [],
    "messages": []
}
```

### WHOIS

Get WHOIS Record

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/whois?domain=cloudflare.com" \
  --header "Authorization: Bearer <API_TOKEN>" | jq .

# Example response:
{
    "result": {
        "domain": "cloudflare.com",
        "created_date": "2009-02-17",
        "updated_date": "2017-05-24",
        "registrant": "DATA REDACTED",
        "registrant_org": "DATA REDACTED",
        "registrant_country": "United States",
        "registrant_email": "https://domaincontact.cloudflareregistrar.com/cloudflare.com",
        "registrar": "CloudFlare, Inc.",
        "nameservers": [
            "ns3.cloudflare.com",
            "ns4.cloudflare.com",
            "ns5.cloudflare.com",
            "ns6.cloudflare.com",
            "ns7.cloudflare.com"
        ]
    },
    "success": true,
    "errors": [],
    "messages": []
}
```

---

---
title: Limits
description: Limits
image: https://developers.cloudflare.com/core-services-preview.png
---

# Limits

## API request limits

All API calls made to Threat Intelligence endpoints count toward the monthly quota. Using features within the Security Center, such as Investigate and Brand Protection, or other products that also use the Security Intelligence APIs, such as client-side security, also counts toward the quota.

These request limits currently do not apply to the DDoS Botnet Threat Feed API.

| Cloudflare Plan        | Calls per month |
| ---------------------- | --------------- |
| Free                   | 100             |
| Pro                    | 100             |
| Business               | 100             |
| Enterprise             | 2,500           |
| Cloudforce One Core    | 10,000          |
| Cloudforce One Premier | 50,000          |

---

---
title: Manage miscategorization reports
description: This guide will show you how to manage miscategorization of reports. To complete this guide, you will need to generate an API token.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Manage miscategorization reports

This guide shows you how to manage miscategorization reports. To complete this guide, you will need to generate an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/).

1. Create an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) if you do not have one already.
2. Choose **Custom Token**.
3. Name the token, and grant permissions.
4. Send a `POST` request to the miscategorization [API endpoint ↗](https://developers.cloudflare.com/api/resources/intel/subresources/miscategorizations/methods/create/). You can find an example below:

Example of a POST request to miscategorization API

```
export URL="https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/intel/miscategorization"

curl -X POST "$URL" \
     -H "Authorization: Bearer $TOKEN" \
     -H "Content-Type: application/json" \
     --data '{
  "content_adds": [],
  "content_removes": [],
  "indicator_type": "domain",
  "ip": null,
  "security_adds": [
    115
  ],
  "security_removes": [],
  "url": "cloudflare.com"
}'
```

You should receive a response with the value `"success": true`:

```
{
  "result": "",
  "success": true,
  "errors": [],
  "messages": []
}
```

Once you send the request, the Cloudflare Support team will receive it and will be able to take action.

---

---
title: Security Insights
description: Security Insights provides you with a list of insights, covering different areas of your Cloudflare environment, such as: Cloudflare account settings, DNS record configurations, SSL/TLS certificates configurations, Cloudflare Access configurations and Cloudflare WAF configurations.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Security Insights

User permission

Ensure your user has one of the necessary roles to access Security Insights. Refer to [Roles and permissions](https://developers.cloudflare.com/security-center/security-insights/roles-and-permissions/) for more information.

Security Insights provides you with a list of insights, covering different areas of your Cloudflare environment, such as: Cloudflare account settings, DNS record configurations, SSL/TLS certificates configurations, Cloudflare Access configurations and Cloudflare WAF configurations.

Listed below are the specific insights currently available:

| Insight Name                                                                                                                                                                          | Description                                                                                                                                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CASB integration status](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/)                                                              | We detect unhealthy CASB integrations.                                                                                                                                                                                                               |
| [Dangling A Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                                 | A record is pointing to an IPv4 address that you might no longer control. You are at risk of a subdomain takeover.                                                                                                                                   |
| [Dangling AAAA Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                              | A record is pointing to an IPv6 address that you might no longer control. You are at risk of a subdomain takeover.                                                                                                                                   |
| [Dangling CNAME Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                             | A record is pointing to a resource that cannot be found. You are at risk of a subdomain takeover.                                                                                                                                                    |
| [DMARC Record Errors](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#dmarc)                                                                     | We detect an incorrect or missing DMARC record.                                                                                                                                                                                                      |
| [Domains missing TLS Encryption](https://developers.cloudflare.com/ssl/get-started/)                                                                                                  | We detect that there is no TLS encryption for this domain.                                                                                                                                                                                           |
| [Domains supporting older TLS version](https://developers.cloudflare.com/ssl/reference/protocols/)                                                                                    | This domain supports older versions of the TLS protocol.                                                                                                                                                                                             |
| [Domains without 'Always Use HTTPS'](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/)                                                    | HTTP requests to this domain may not redirect to its HTTPS equivalent.                                                                                                                                                                               |
| [Domains without HSTS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/)                                                    | HTTP Strict Transport Security (HSTS) is a header that allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. |
| [Exposed RDP Servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/)                                                          | We detect an RDP server that is exposed to the public Internet.                                                                                                                                                                                      |
| [Get notified of malicious client-side scripts](https://developers.cloudflare.com/client-side-security/alerts/)                                                                       | We detect that client-side security alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment.                                                              |
| [Increased body response size detected on API endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                     | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size.                                                                                                                                          |
| [Increased errors detected on API endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                                 | Investigate changes, abuse, or successful attacks that may have led to this increase in errors.                                                                                                                                                      |
| [Increased latency detected on API endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                                | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency.                                                                                                                                            |
| [Managed Rules not deployed](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)                                                               | No managed rules deployed on a WAF protected domain.                                                                                                                                                                                                 |
| [Upgrade to new Managed Rules](https://developers.cloudflare.com/waf/reference/legacy/old-waf-managed-rules/upgrade/)                                                                 | Upgrade to new Managed Rules system required for optimal protection.                                                                                                                                                                                 |
| [Mixed-authentication API endpoints detected](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/#managed-labels)                                 | Not all of the successful requests against API endpoints carried session identifiers.                                                                                                                                                                |
| [New API endpoints detected](https://developers.cloudflare.com/api-shield/security/api-discovery/)                                                                                    | API Discovery detects new API endpoints in your zone's traffic.                                                                                                                                                                                      |
| [New CASB integrations found](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)                                                                          | New CASB integrations have been found.                                                                                                                                                                                                               |
| [Overprovisioned Access Policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)                                                                         | We detect an Access policy that allows everyone access to your application.                                                                                                                                                                          |
| [Client-side security not enabled](https://developers.cloudflare.com/client-side-security/get-started/)                                                                               | Client-side security (formerly known as Page Shield) helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3.                                                                                                                                 |
| [SPF Record Errors](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#spf)                                                                         | We detect an incorrect or missing SPF record.                                                                                                                                                                                                        |
| [Schema Validation missing from eligible API endpoints](https://developers.cloudflare.com/api-shield/security/schema-validation/)                                                     | Apply the learned schema to protect your API against fuzzing attacks.                                                                                                                                                                                |
| [Sensitive data in API response](https://developers.cloudflare.com/api-shield/management-and-monitoring/#sensitive-data-detection)                                                    | Sensitive data in API responses detected.                                                                                                                                                                                                            |
| [Turn on JavaScript Detection](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/)                                                               | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite.                                                                                                    |
| [Unassigned Access seats](https://developers.cloudflare.com/cloudflare-one/)                                                                                                          | We detect a Zero Trust subscription that is not configured yet.                                                                                                                                                                                      |
| [Unauthenticated API endpoints detected](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/#managed-labels)                                      | None of the successful requests against API endpoints carried session identifiers.                                                                                                                                                                   |
| [Unprotected Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#4-connect-your-origin-to-cloudflare) | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy.                                                                                                                                   |
| [Unproxied A Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                                | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet.                                                                                                                    |
| [Unproxied AAAA Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                             | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet.                                                                                                                    |
| [Unproxied CNAME Records](https://developers.cloudflare.com/dns/proxy-status/#dns-only-records)                                                                                       | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet.                                                                                                                    |
| [Users without MFA](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/)                                                                                                | We detect that a Cloudflare administrative user has not enabled multifactor authentication.                                                                                                                                                          |
| [Zones without WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/)                                                                                               | We detect that this domain does not have the WAF's Managed Rules enabled. You are at risk from zero-day and other common vulnerabilities.                                                                                                            |
| [No Turnstile enabled](https://developers.cloudflare.com/turnstile/)                                                                                                                  | We detect that there is no Turnstile widget configured on the account.                                                                                                                                                                               |

For more information on available operations for Security Insights, refer to [Review Security Insights](https://developers.cloudflare.com/security-center/security-insights/review-insights/).


---

---
title: How it works
description: Once you enable Security Insights, Cloudflare runs regular security scans on the infrastructure associated with your Cloudflare account. These scans perform a series of checks on your Cloudflare account settings and on the configurations of different Cloudflare products for the domains in your Cloudflare account.
image: https://developers.cloudflare.com/core-services-preview.png
---


# How it works

Once you [enable Security Insights](https://developers.cloudflare.com/security-center/get-started/), Cloudflare runs regular security scans on the infrastructure associated with your Cloudflare account. These scans perform a series of checks on your Cloudflare account settings and on the configurations of different Cloudflare products for the domains in your Cloudflare account.

The performed checks take into account a set of ideal product configurations and states that indicate a good security posture. If your current configuration does not meet this ideal configuration for one or more checks, the Security Center will report these situations as **Security Insights**.

The list of insights may include potential security threats, vulnerabilities, compliance risks, insecure configurations, or any other identified risks.

Note

Security Insights will check non-proxied hostnames.

## Scan properties

Each insight has the following properties assigned to it:

* **Severity**: The security risk of the insight. The severity values are: _Moderate_, _High_, and _Critical_. The higher the severity level, the higher the risk of threat to your environment.
* **Insight**: The insight description detailing the current configuration that is causing the risk or vulnerability.
* **Risk**: A description of the risk associated with not addressing the issue.
* **Type**: The insight category.

## Scan frequency

Once you enable Security Insights, Cloudflare performs scans automatically. Paying customers (as defined in the table below) are re-scanned daily and can trigger a scan manually:

| Plan                                      | Scan Frequency | On-Demand |
| ----------------------------------------- | -------------- | --------- |
| Accounts on a Free, Pro, or Business plan | Every 7 days   | Yes       |
| Accounts on an Enterprise plan            | Every 3 days   | Yes       |


---

---
title: Review Security Insights
description: After enabling Security Insights and letting the first scan run, check the Security Insights tab for a list of detected insights that you should address.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Review Security Insights

After [enabling Security Insights](https://developers.cloudflare.com/security-center/get-started/) and letting the first scan run, check the **Security Insights** tab for a list of detected insights that you should address.

For each detected insight, you can resolve it or archive it, after understanding its risks.

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Next to the insight you wish to address, select **Details** to review it.

## Resolve an insight

Insights will not be automatically removed from your dashboard when you address them. You must either manually [archive insights](#archive-insights), manually trigger another scan or wait for the automatic scan to run as per [scan frequency](https://developers.cloudflare.com/security-center/security-insights/how-it-works/#scan-frequency).

On the Resolve insights page, if you choose to update a configuration based on the recommended actions, follow the instructions on the insight details page.

The following insights follow a different yet straightforward workflow to be resolved:

* **Minimum Version of TLS 1.2 not enforced**: To resolve this insight:  
   * Go to **SSL/TLS** \> **Edge Certificates**.  
   * Select **TLS 1.2**.
* **Domains without "Always use HTTPS"**: To resolve this insight:  
   * Go to **SSL/TLS** \> **Edge Certificates**.  
   * Select **Always Use HTTPS**.
* **Turn on JavaScript Detections**: To resolve this insight:  
   * Go to **Security** \> **Bots** \> Select **Configure Bot Management**.  
   * Select **JavaScript Detections**.
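Because a resolved insight stays listed until the next scan, you can confirm a transport fix yourself in the meantime. The following is an added example, not Cloudflare's detection logic: it evaluates captured HTTP and HTTPS responses for the "Always Use HTTPS" and HSTS conditions. The response dictionaries, finding names, and sample hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Follows RFC 6797: directive names are case-insensitive, each directive
    may appear only once, and max-age is required.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives


def check_transport(http_resp, https_resp):
    """Return a list of findings for one host (empty list means both checks pass)."""
    findings = []

    # "Always Use HTTPS": the plain-HTTP response must redirect to an https:// URL.
    location = get_header(http_resp["headers"], "Location") or ""
    redirects_to_https = (
        http_resp["status"] in REDIRECT_CODES
        and urlsplit(location).scheme.lower() == "https"
    )
    if not redirects_to_https:
        findings.append("no-https-redirect")

    # HSTS: browsers ignore the header over plain HTTP, so only the HTTPS
    # response counts. max-age=0 tells the browser to drop the policy.
    raw = get_header(https_resp["headers"], "Strict-Transport-Security")
    if raw is None:
        findings.append("hsts-missing")
    else:
        try:
            policy = parse_hsts(raw)
        except ValueError:
            findings.append("hsts-invalid")
        else:
            if policy["max-age"] == 0:
                findings.append("hsts-disabled")
    return findings


# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "fixed.example": (
        {"status": 301, "headers": {"Location": "https://fixed.example/"}},
        {"status": 200, "headers": {
            "strict-transport-security": 'max-age="31536000"; includeSubDomains'}},
    ),
    "partial.example": (
        {"status": 200, "headers": {}},
        {"status": 200, "headers": {"Strict-Transport-Security": "max-age=0"}},
    ),
    "broken.example": (
        {"status": 302, "headers": {"Location": "/login"}},  # relative, stays on HTTP
        {"status": 200, "headers": {"Strict-Transport-Security": "includeSubDomains"}},
    ),
    "http-only-hsts.example": (
        {"status": 301, "headers": {
            "Location": "https://http-only-hsts.example/",
            "Strict-Transport-Security": "max-age=31536000"}},
        {"status": 200, "headers": {}},
    ),
}


def check_samples():
    """Run check_transport over every constructed sample host."""
    return {host: check_transport(http, https) for host, (http, https) in SAMPLES.items()}


if __name__ == "__main__":
    for host, findings in check_samples().items():
        print(host, findings or "ok")
```
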

## Export insights

You can export security insights to a CSV format directly from the dashboard.

To export security insights:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select **Export insights**.

Exporting security insights allows you to perform a deeper analysis of your insights.

The exported CSV file includes information such as the severity of your data, insight type, scan date, issue class, and additional optional fields, such as insight details, risk assessment, detection method, and recommended actions.
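One way to triage an exported file offline, as an added example that is not part of the Cloudflare documentation: it orders rows by the severity levels listed under scan properties and marks rows whose scan date is older than the plan's scan interval. The column headers (`severity`, `issue_class`, `subject`, `scan_date`), the ISO date format, and the sample rows are assumptions; adjust them to match your actual export.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Severity values as listed on this page, most urgent first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2}
# Automatic scan intervals from the scan frequency table on this page.
SCAN_INTERVAL_DAYS = {"free": 7, "pro": 7, "business": 7, "enterprise": 3}

# Assumed column headers; the page does not list the exact CSV header names.
COL_SEVERITY = "severity"
COL_CLASS = "issue_class"
COL_SUBJECT = "subject"
COL_SCAN_DATE = "scan_date"  # assumed to be an ISO 8601 date

# Constructed sample export (severities and hosts are made up).
SAMPLE_EXPORT = """severity,issue_class,subject,scan_date
Moderate,Domains without HSTS,shop.example.com,2024-05-20
Critical,Exposed RDP Servers,rdp.example.com,2024-05-20
High,Dangling CNAME Records,old.example.com,2024-05-10
High,Users without MFA,admin@example.com,2024-05-20
low,Unproxied A Records,origin.example.com,2024-05-20
"""


def triage(csv_text, today, plan):
    """Return export rows ordered by severity, each annotated with a 'stale' flag.

    A row is stale when its scan date is older than the plan's scan interval,
    meaning it may not reflect configuration changes made since that scan.
    Rows with an unrecognized severity are kept and sorted last, not dropped.
    """
    interval = timedelta(days=SCAN_INTERVAL_DAYS[plan])
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        severity = raw[COL_SEVERITY].strip()
        scanned = date.fromisoformat(raw[COL_SCAN_DATE].strip())
        rows.append({
            "severity": severity,
            "known_severity": severity.lower() in SEVERITY_ORDER,
            "issue_class": raw[COL_CLASS].strip(),
            "subject": raw[COL_SUBJECT].strip(),
            "scan_date": scanned,
            "stale": today - scanned > interval,
        })
    rows.sort(key=lambda r: (
        SEVERITY_ORDER.get(r["severity"].lower(), len(SEVERITY_ORDER)),
        r["issue_class"],
        r["subject"],
    ))
    return rows


def summarize(rows):
    """Count rows per severity, bucketing unrecognized values as 'Unknown'."""
    return Counter(
        r["severity"].capitalize() if r["known_severity"] else "Unknown"
        for r in rows
    )


if __name__ == "__main__":
    ordered = triage(SAMPLE_EXPORT, date(2024, 5, 21), "business")
    for row in ordered:
        flag = " (stale scan)" if row["stale"] else ""
        print(f'{row["severity"]:<9} {row["issue_class"]:<24} {row["subject"]}{flag}')
    print(dict(summarize(ordered)))
```
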

## Archive insights

You can archive one or more insights from the dashboard.

To archive insights:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select the insight(s) you want to archive, then select **Archive selected**.

Alternatively, to archive an insight:

1. Select the insight you want to archive and select **Details**. The dashboard will open a page where you will be able to review [insight properties](https://developers.cloudflare.com/security-center/security-insights/how-it-works/#scan-properties).
2. Select **Archive insight**.

## Enable alerts

You can enable alerts for critical insights.

To enable alerts:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select the security insight(s) you want to create an alert for, then select **Create alert for selected classes**.
3. Enter the notification name, and choose one or more insight classes to filter a notification.
4. Select **Add email recipient** and enter an email address to receive the alert.
5. Select **Save**.


---

---
title: Roles and permissions
description: Cloudflare users with the following roles have access to Security Insights in the Cloudflare dashboard:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Roles and permissions

Cloudflare users with the following [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) have access to Security Insights in the Cloudflare dashboard:

* Administrator
* Administrator Read Only
* Super Administrator - All Privileges
* SSL/TLS, Caching, Performance, Page Rules, and Customization
* DNS
* Page Shield
* Page Shield Read
* Firewall


---

---
title: Cloudforce One
description: Cloudforce One is an actionable, cloud-native Threat Intelligence Platform (TIP) that transforms global telemetry into instant security posture. By integrating visualization, automation, and human-in-the-loop analysis, Cloudforce One allows SOC teams to go from data management to active threat hunting.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudforce One

Note

You must have a Cloudforce One subscription to access Cloudforce One on the dashboard.

Cloudforce One is an actionable, cloud-native Threat Intelligence Platform (TIP) that transforms global telemetry into instant security posture. By integrating visualization, automation, and human-in-the-loop analysis, Cloudforce One allows SOC teams to go from data management to active threat hunting.

## Access Cloudforce One

Note

You must have a **Cloudforce One subscription** to access the platform.

To access Cloudforce One:

1. In the Cloudflare dashboard, go to the **Threat intelligence** page.  
[ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence)

You can also use Cloudforce One via [REST API ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/requests/subresources/assets/).

Cloudforce One Threat Intelligence displays the following information:

* **Threat Events** to analyze threat intelligence data.
* **Priority Intelligence Requirements** to review and manage Cloudforce One Priority Intelligence Requirements (PIRs). PIRs are a structured approach to identifying intelligence gaps.
* **Requests for Information** to submit specific queries and requests directly into Cloudforce One's analysis queue.
* **Reports** to get the latest Cloudforce One Threat reports.

## Analyze threat events

Threat events allow you to protect your assets and respond to emerging threats.

To access and analyze threat intelligence data on the Cloudflare dashboard, go to the **Threat intelligence** page.

[ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence) 

You can also access threat events via the [API](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/).

Cloudforce One customers have access to the following existing datasets:

* APTs (default)
* DDoS attacks
* Cybercrime
* Compromised devices
* Residential Proxies
* WAF attacks

### Identify the adversary

The Cloudflare dashboard presents you with dynamic visualizations that include:

* Sankey diagrams: Diagrams that allow you to trace attack flows from origin infrastructure to targets.
* Industry distribution: Identify if campaigns are targeting your specific sector (for example, finance or retail).

### Search for indicators

Search across global datasets for specific indicators, including:

* IP addresses and domains
* File hashes
* [JA3 fingerprints](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/)
* Threat insights: Correlate threat insights by linking events to specific campaigns or industry aliases (for example, APT28).

### Receive alerts

* Threat events saved views: Save custom filters for recurring investigations.
* Automated rules: Generate security rules directly from threat data and push them to your Cloudflare [WAF](https://developers.cloudflare.com/waf/) or Firewall.
* [STIX2 exports ↗](https://www.cloudflare.com/en-gb/learning/security/what-is-stix-and-taxii/): Export intelligence for seamless integration with third-party SIEM/SOAR platforms.

## Use Cloudy to analyze threat events

You can use Cloudy, Cloudflare's AI Agent, to receive an analysis and summary of threat events.

To analyze threat events using Cloudy:

1. In the Cloudflare dashboard, go to the **Threat intelligence** page.  
[ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence)
2. Go to **Threat Events** \> **Analyze with Cloudy**.

Cloudy will show you the top threat events, analyze them, and give you a summary of threat events. You can also decide to receive an analysis based on **Attacker**, **Indicator**, and more. For example, you can enter "Give me a summary of threat events for ABC Attacker". Cloudy will then summarize threat events for ABC attacker.

## Submit RFIs

To submit RFIs (Requests for Information):

1. In the Cloudflare dashboard, go to the **Threat Intelligence** page.  
[ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence)
2. Select **Requests for Information**.
3. Select **New Request**.
4. Fill in the required fields, then select **Save**.

List of RFI types

The Cloudflare dashboard presents the following request types when you want to configure a Cloudforce One Request for Information:

* **Binary Analysis - IOCs**: Conduct high level malware analysis to produce [indicators ↗](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/) such as a call-back domain or IP address.
* **Binary Analysis - Report**: A thorough analysis of a malware sample to produce an attribution assessment and extract the configuration of the sample for further analysis. Useful for customers that are investigating a problem or trying to develop detection logic in an [EDR ↗](https://en.wikipedia.org/wiki/Endpoint%5Fdetection%5Fand%5Fresponse) or network sensor.
* **DDoS Attack**: Confirm if an attack is happening against a specific website to share any available indicators and potential attribution.
* **Indicator Analysis - IOCs**: Conduct DNS lookups, origin pivots, and account pivots to provide indicators such as DNS resolutions, origin IPs, and subdomains. Analysis can include account registration patterns and victimology.
* **Indicator Analysis - Report**: A thorough analysis of indicators written in a formal, structured format. In addition to listing [Indicators of compromise (IOCs) ↗](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/), the report explains how IOCs function within the attack chain, and adds context by linking IOCs to specific campaigns and/or threat actors and their TTPs.
* **Passive DNS Resolution**: Research the pair of an IP address to the domain it resolved to during a specified period of time.
* **Strategic Threat Research**: Strategic Threat Research goes beyond simple indicators to analyze broader, long-term trends, threat actors, and industries — often supplemented by open-source intelligence to inform high-level management and planning rather than providing immediately actionable intelligence.
* **Threat Detection Signature - IOCs**: Develop a rule such as Yara that will detect a sample, behavior, or network observable such as an IP address, domain, file hash, or attribute of a file or HTTP request.
* **Threat Detection Signature - Report**: A thorough analysis report that investigates the details of a threat detection alert or report for the benefit of customers that are trying to prioritize their response effort or to attribute activity to a threat actor.
* **Traffic Analysis - IOCs**: Review HTTP telemetry of IOCs in question and provide relevant, sanitized traffic which can include victim country and in some cases victim ASNs. Identify malicious files/payloads, and unusual file paths or request patterns.
* **Traffic Analysis - Report**: Report that analyzes HTTP telemetry to identify patterns, anomalies, and data pointing to malicious behavior. Provides context for observed network behaviors and maps them to known TTPs of specific threat groups.
* **Vulnerability**: Investigation to attribute vulnerability exploitation to a threat actor or investigation of IPs, domains, or threat actor groups exploiting the vulnerability. Response can include relevant, sanitized traffic demonstrating exploitation and identification of victim countries and industries.

Once you select **Save**, the dashboard will display an overview of the shared information consisting of:

* **Status**: When you submit the RFI, the status is `Open`. Once the team accepts the RFI, the status changes to `Accept`. When the team commits to answer your RFI, the status changes to `Complete`.
* **Priority**: Priority of request.
* **Request type**: Choose among a selection of request types, such as DDoS Attack, Passive DNS Resolution, and more.
* **Request content**: The content of the request.

The **Responses** section allows you to add clarifying questions and comments.

To view your RFI, select **Cloudforce One Requests** on the sidebar, locate your RFI, then select **View**. From here, you can also choose to edit your existing RFI by selecting **Edit**.

To delete your RFI, the status must be `Open`. Go to the RFI you want to delete, and select **Delete**. On the pop-up, select **Delete** to confirm deletion. Once Cloudflare accepts and begins processing RFIs, you will not be able to delete RFIs.

### Upload and download attachment

You can also choose to upload and download an attachment.

Under **Attachments**, select the file you want to upload, then select **Save**.

To download an attachment, select **Download** on the attachment.

## Receive help for an incident

Cloudforce One allows you to receive help to improve your security posture or recover from a past incident. This allows you to easily report security incidents directly within the Cloudflare dashboard.

1. In the Cloudflare dashboard, go to the **Threat Intelligence** page.  
[ Go to **Threat intelligence** ](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence)
2. Go to **Incident response services**, then complete the following instructions:
   * **Choose service**:  
      * Select among **Receive post-incident support**, **Request penetration tests**, **Conduct table-top exercises**, **Ask for general security advice**.  
      * Once you have chosen your desired service, select **Next**.
   * **Provide request details**:  
      * Fill in the information needed based on the service you previously selected. Once you have entered all the information, select **Next**.  
      * Review and submit your request. Then, select **Submit**.
   * Once you submit your request, Cloudforce One will reply to you as soon as possible.

## Request help for active attack

If you want to stop an active cyber attack, you can request assistance via the Cloudflare dashboard.

1. In the Cloudflare dashboard, go to the **Account home** page and select your account.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. On the top bar, select **Support** \> **Get help** \> **Under attack**.
3. Under **Request help to stop active cyberattacks**, select **Request help**.
4. The dashboard will show you a pop-up where you will need to enter and confirm your phone number.
5. Once you have entered your phone number, select **Confirm number and request help**. Requesting help from the dashboard will page an incident responder and you can expect a call-back as soon as possible. We advise you to wait for the call-back, and only use the phone-line in case you have not heard back from the team within 10 minutes.


---

---
title: Cloudforce One
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudforce One


---

---
title: Open Port Scanning
description: Open Port Scanning allows Magic Transit and Bring your Own IPs users to efficiently monitor IP ranges for security vulnerabilities. This API enables users to scan their designated IP ranges, detect any open ports, and receive daily notifications regarding newly opened ports.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Open Port Scanning

Open Port Scanning allows [Magic Transit](https://developers.cloudflare.com/magic-transit/) and [Bring your Own IPs](https://developers.cloudflare.com/byoip/) users to efficiently monitor IP ranges for security vulnerabilities. This API enables users to scan their designated IP ranges, detect any open ports, and receive daily notifications regarding newly opened ports.

You can access this feature via the [API](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/scans/subresources/config/).

## Prerequisites

* Cloudforce One Administrator, Administrator and Super Administrator roles.
* Account token: **Custom API Token** \> **Cloudforce One:Edit**.

To create a custom API token:

1. From the [Cloudflare dashboard ↗](https://dash.cloudflare.com/profile/api-tokens/), go to **My Profile** \> **API Tokens** for user tokens. Go to **Create Custom Token** \> **Get started**.
2. Enter a **Token name**, for example, `Open Port Scanning`.
3. In **Permissions**:  
   * Choose **Account**.  
   * Select **Cloudforce One** as the account.  
   * Choose **Edit** access.
4. In **Client IP Address Filtering**:  
   * In **Operator**, select `is in`.  
   * In **Value**, enter a valid IP address.
5. Select **Continue to summary**.
6. Review the token, then select **Create Token**.

Note

The Open Port Scanner runs from a predetermined set of IPs. The Cloudforce One team recommends that you allowlist these IPs in your rules.

## Configure Open Port Scanning

To configure Open Port Scanning, follow these steps:

1. **Create a new scan config**:  
   * **IPs**: Enter the IP ranges you wish to monitor. Ensure that the ranges are correctly formatted to avoid scanning errors. The API will validate if the IPs requested are onboarded to Cloudflare and associated to the account belonging to the API token used.  
   * **Frequency**: Enter the scan frequency in days.  
   * **Ports**: Select the ports to scan. Choose among:  
         * All  
         * Default (refer to [Default ports](https://developers.cloudflare.com/security-center/cloudforce-one/open-port-scanning/#default-ports) for a comprehensive list)  
         * List of specific ports
2. **Scan IPs**: Initiate the scanning process. The system will analyze the specified IP ranges to identify any open ports.
3. **Generate list of open ports**: Once the scan is complete, the API will generate a list of detected open ports for review and action.
4. **Select open ports to list**: Choose which open ports you would like to be notified about. You can exclude any ports that do not require immediate attention.
5. **View differences from previous scan**: The API will highlight any changes in open ports since the last scan, allowing you to quickly assess new vulnerabilities.
6. **Stop scanning**: If necessary, you can stop the scanning process at any time.
7. **Set up alerts**: Configure alerts for specific ports of interest. You will be notified immediately via email or webhook if any of these designated ports become newly open.
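
The local checks and the scan-to-scan comparison behind the steps above, as an added example that is not Cloudflare's code: it validates a config before you submit it (range formatting, the 5,000-address limit from this page's FAQ, read here as a per-range limit, and the three port choices) and computes newly opened ports between two scans. The function names and the `{ip: [ports]}` result shape are assumptions, not the API's schema, and the sample scans are constructed.

```python
import ipaddress

MAX_IPS_PER_RANGE = 5000  # limit from the page's FAQ; applying it per range is an assumption
PORT_KEYWORDS = {"all", "default"}


def validate_scan_config(ip_ranges, frequency_days, ports):
    """Return a list of problems in a scan config; an empty list means it passed."""
    problems = []
    if not ip_ranges:
        problems.append("no IP ranges given")
    for text in ip_ranges or []:
        try:
            # strict=True rejects ranges with host bits set, e.g. 192.0.2.1/24
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: not a valid range ({exc})")
            continue
        if net.num_addresses > MAX_IPS_PER_RANGE:
            problems.append(
                f"{text}: {net.num_addresses} addresses exceeds {MAX_IPS_PER_RANGE}"
            )
    if (isinstance(frequency_days, bool)
            or not isinstance(frequency_days, (int, float))
            or frequency_days <= 0):
        problems.append(f"frequency must be a positive number of days, got {frequency_days!r}")
    if isinstance(ports, str):
        if ports.lower() not in PORT_KEYWORDS:
            problems.append(f"ports keyword must be 'all' or 'default', got {ports!r}")
    else:
        ports = list(ports or [])
        bad = [p for p in ports
               if isinstance(p, bool) or not isinstance(p, int) or not 1 <= p <= 65535]
        if bad or not ports:
            problems.append(f"ports must be a non-empty list of 1-65535, bad entries: {bad}")
    return problems


def _normalise(scan):
    """Key results by parsed address so differently written IPv6 forms compare equal."""
    out = {}
    for ip, ports in scan.items():
        out.setdefault(ipaddress.ip_address(ip), set()).update(ports)
    return out


def newly_open_ports(previous, current, watched=None):
    """Ports open in `current` but not in `previous`, as sorted (ip, port) pairs.

    `watched` optionally restricts the result to the ports you want alerts for.
    """
    prev, curr = _normalise(previous), _normalise(current)
    findings = []
    for addr, ports in curr.items():
        new = ports - prev.get(addr, set())
        if watched is not None:
            new &= set(watched)
        findings.extend((str(addr), port) for port in new)
    return sorted(findings)


# Constructed sample results (documentation address ranges), not real scan output.
PREVIOUS_SCAN = {"192.0.2.10": [22, 443], "2001:db8::1": [443]}
CURRENT_SCAN = {
    "192.0.2.10": [22, 443, 3389],
    "2001:DB8:0:0::1": [443, 8080],  # same host as 2001:db8::1, written differently
    "192.0.2.11": [23],
}

if __name__ == "__main__":
    print(validate_scan_config(["198.51.100.0/24", "10.0.0.0/19"], 7, "default"))
    print(newly_open_ports(PREVIOUS_SCAN, CURRENT_SCAN, watched={23, 3389}))
```

Without address normalisation, the IPv6 host above would be reported as a new host with port `443` newly open, which is a false alert.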

Beta feature notice

The Open Port Scanning feature is currently in closed beta. The Cloudforce One team appreciates your feedback as the team works to enhance its functionality and user experience. If you want to subscribe to this feature or participate in the beta program, [join our closed beta for Port Scanning ↗](https://www.cloudflare.com/lp/open-port-scanning-beta/).

## Default ports

List of default ports

* `80`
* `631`
* `161`
* `137`
* `123`
* `138`
* `1434`
* `445`
* `135`
* `67`
* `23`
* `53`
* `443`
* `21`
* `139`
* `22`
* `500`
* `68`
* `520`
* `1900`
* `25`
* `4500`
* `514`
* `49152`
* `162`
* `69`
* `5353`
* `111`
* `49154`
* `3389`
* `110`
* `1701`
* `998`
* `996`
* `997`
* `999`
* `3283`
* `49153`
* `445`
* `1812`
* `136`
* `139`
* `143`
* `53`
* `2222`
* `135`
* `3306`
* `2049`
* `32768`
* `5060`
* `8080`
* `1025`
* `1433`
* `3456`
* `80`
* `1723`
* `111`
* `995`
* `993`
* `20031`
* `1026`
* `7`
* `5900`
* `1646`
* `1645`
* `593`
* `1025`
* `518`
* `2048`
* `626`
* `1027`
* `587`
* `177`
* `1719`
* `427`
* `497`
* `8888`
* `4444`
* `1023`
* `65024`
* `199`
* `19`
* `9`
* `49193`
* `1029`
* `1720`
* `49`
* `465`
* `88`
* `1028`
* `17185`
* `1718`
* `49186`
* `548`
* `113`
* `81`
* `6001`
* `2000`
* `10000`
* `31337`

## Frequently Asked Questions

1. What IPs will the scan come from?  
   * `2a09:bac0:1008:5000:1000:0000:0000:0050` (IPv6) / `104.30.128.13` (IPv4)  
   * `2a09:bac0:1008:5000:1000:0000:0000:0048` (IPv6) / `104.30.129.33` (IPv4)  
   * `2001:19f0:1000:2941:5400:4ff:fe70:2a7a` (IPv6) / `140.82.60.241` (IPv4)
2. Can the Port Scanner bypass other security rules configured?  
   * The Cloudforce One team asks customers to ensure they allow the IPs for the scanner to run correctly.
3. How long do scans take?  
   * Depending on the number of IP addresses and number of ports scanned, scans can take between a few minutes and up to 10 hours.
4. Can I stop automatic scanning?  
   * Yes, you can decide at any point to stop scans and restart them when it is convenient for you.
5. What are the limitations for the scans?  
   * Scans are limited to ranges of up to 5,000 IPs.  
   * The API scans both IPv4 and IPv6 IP addresses.


---

---
title: Infrastructure
description: After enabling Security Insights and letting the first scan run, the Infrastructure tab displays an overview of the infrastructure associated with your Cloudflare account.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Infrastructure

User permission

Only Super Admin users with edit permissions can start scans, turn scans off, or manage issues.

After [enabling Security Insights](https://developers.cloudflare.com/security-center/get-started/) and letting the first scan run, the **Infrastructure** tab displays an overview of the infrastructure associated with your Cloudflare account.

To open the **Infrastructure** tab, go to **Account Home** \> **Security Center** \> **Infrastructure**.

You can perform the following actions:

* Filter the displayed information
* Print or download a PDF report
* Manage your security.txt file


---

---
title: Set up your security.txt file
description: You can manage your security.txt file via the dashboard or the API.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Set up your security.txt file

You can manage your [security.txt ↗](https://en.wikipedia.org/wiki/Security.txt) file via the dashboard or the [API](https://developers.cloudflare.com/api/resources/security%5Ftxt/).

Note

When using the API, the preferred languages field name is `preferred_languages` (snake\_case). For example: `"preferred_languages": "en, de"`.

To manage your security.txt file via the Cloudflare dashboard:

* New dashboard:  
   1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select your account and domain.  
   2. Go to **Security** \> **Settings** and filter by **Web application exploits**.  
   3. Under **Security.txt** \> **Configurations**, select the edit icon.
* Old dashboard:  
   1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), select your account and domain.  
   2. Go to **Security** \> **Settings**.  
   3. Next to **Enable Security.txt**, select **Edit Security.txt**.

From here, you can create and manage your `security.txt` file to provide the security research team with a standardized way to report vulnerabilities.

Fill in the following information:

* **(Required) Contact**: You can enter one of the following to contact you about security issues:  
   * An email address: The email address must start with `mailto:` (for example, `mailto:help@example.com`).  
   * A phone number: The phone number must start with `tel:` (for example, `tel:+1 1234567890`).  
   * A URL link: The URL link must start with `https://` (for example, `https://example.com`).  
Select **Add more** to add multiple contacts.
* **(Required) Expires at**: Enter the expiration date and time of the `security.txt` file.
* **Encryption**: A link to a key which security researchers can use to communicate with you.
* **Acknowledgements**: A link to your acknowledgements page.
* **Canonical**: Links to your `security.txt` file.
* **Hiring**: A link to your security-related job openings.
* **Policy**: A link to a policy describing what security researchers should do when searching for or reporting security issues.
* **Preferred languages**: A list of language codes that your security team speaks.

Once you have entered the necessary information, select **Save**.
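
A validator and renderer for the fields listed above, as an added example that is not Cloudflare's code. It enforces the page's contact prefixes and required fields, adds two checks of its own (an `Expires` value in the future and no line breaks inside values), and emits RFC 9116 field names; the function and argument names other than `preferred_languages` are assumptions.

```python
import re
from datetime import datetime, timezone

CONTACT_PREFIXES = ("mailto:", "tel:", "https://")  # the three forms the page accepts
# argument name (hypothetical) -> RFC 9116 field name (the RFC spells it "Acknowledgments")
LINK_FIELDS = {
    "encryption": "Encryption",
    "acknowledgements": "Acknowledgments",
    "canonical": "Canonical",
    "hiring": "Hiring",
    "policy": "Policy",
}
LANG_TAG = re.compile(r"[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def build_security_txt(contacts, expires, *, now=None, preferred_languages=None, **links):
    """Validate the fields and return the security.txt body.

    Raises ValueError listing every problem found.
    """
    now = now or datetime.now(timezone.utc)
    problems, lines = [], []

    def single_line(field, value):
        # A CR or LF inside a value would let it smuggle in an extra field line.
        if "\r" in value or "\n" in value:
            problems.append(f"{field}: value contains a line break")
            return False
        return True

    contacts = _as_list(contacts)
    if not contacts:
        problems.append("Contact: at least one contact is required")
    for contact in contacts:
        if not single_line("Contact", contact):
            continue
        if contact.startswith(CONTACT_PREFIXES):
            lines.append(f"Contact: {contact}")
        else:
            problems.append(f"Contact: {contact!r} must start with mailto:, tel: or https://")

    if expires is None or expires.tzinfo is None:
        problems.append("Expires: a timezone-aware date and time is required")
    elif expires <= now:
        problems.append("Expires: date is already in the past")
    else:
        stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"Expires: {stamp}")

    unknown = set(links) - set(LINK_FIELDS)
    if unknown:
        problems.append(f"unknown fields: {sorted(unknown)}")
    for arg, field in LINK_FIELDS.items():
        for url in _as_list(links.get(arg)):
            if not single_line(field, url):
                continue
            if url.lower().startswith("http://"):
                problems.append(f"{field}: {url!r} is a web link without HTTPS")
            else:
                lines.append(f"{field}: {url}")

    if preferred_languages:
        tags = [tag.strip() for tag in preferred_languages.split(",")]
        if all(LANG_TAG.fullmatch(tag) for tag in tags):
            lines.append("Preferred-Languages: " + ", ".join(tags))
        else:
            problems.append(f"Preferred-Languages: bad language tag in {preferred_languages!r}")

    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values.
    print(build_security_txt(
        ["mailto:help@example.com", "https://example.com"],
        datetime(2099, 12, 31, 23, 59, tzinfo=timezone.utc),
        policy="https://example.com/policy",
        preferred_languages="en, de",
    ))
```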

To edit your security.txt file:

* Old dashboard: Select **Security** \> **Settings** \> **Edit Security.txt**.
* New security dashboard:  
   1. Go to **Security** \> **Settings** and filter by **Web application exploits**.  
   2. Under **Security.txt** \> **Configurations**, select the edit icon.

To download your security.txt file:

* Old dashboard: Select **Security** \> **Settings** \> **Download Security.txt**.
* New security dashboard:  
   1. Go to **Security** \> **Settings** and filter by **Web application exploits**.  
   2. Under **Security.txt** \> **Configurations**, select the download icon.

To delete your security.txt file:

* Old dashboard:  
   * Select **Security** \> **Settings** \> **Delete Security.txt**.
* New security dashboard:  
   1. Select **Security** \> **Settings** and filter by **Web application exploits**.  
   2. Under **Security.txt** \> **Configurations**, select the edit icon.  
   3. Select **Delete**.


---

---
title: Security reports
description: Application Security reports provide cyber attack insights and trends for all of the Enterprise zones in your Cloudflare account.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Security reports

Application Security reports provide cyber attack insights and trends for all of the Enterprise zones in your Cloudflare account.

The reports are automatically generated on a monthly basis.

You can access reports by going to the **Security reports** page or via the [API](#api). You can access reports from previous months by selecting the month from the dropdown.

[ Go to **Security reports** ](https://dash.cloudflare.com/?to=/:account/security-center/reports) 

To download the report, select **Print report**.

Reports from before April 2025 can be accessed through **Security reports** \> **Legacy reports**. Due to limitations in the legacy reports, some customers may not have reports for every month prior to April 2025.

The current reports are curated by Cloudflare and will be expanded to include more insights. The option to create custom reports, filter by various fields, and schedule reports will be added in upcoming improvements.

---

## Report types

Currently, only Application Security reports are available. They cover the entire suite of products such as [HTTP DDoS Protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/), [WAF](https://developers.cloudflare.com/waf/), and [Bot Management](https://developers.cloudflare.com/bots/).

Reports for Application Performance, [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/), and Network Services, such as [Magic Transit](https://developers.cloudflare.com/magic-transit/), will be made available in future improvements.

---

## Report layout

Each report includes the following sections:

* Executive summary
* Distribution of allowed and mitigated requests
* [Industry benchmarks](#industry-benchmarks) that show how you compare to your peers by selecting your industry
* Top five source countries of allowed traffic and mitigated traffic including a map visualization
* Top five most targeted hostnames
* Top five most effective mitigation rules

To view more details, apply filters, analyze the data, and generate ad-hoc reports, use the [Security Analytics dashboard](https://developers.cloudflare.com/waf/analytics/security-analytics/) or [Log Explorer](https://developers.cloudflare.com/log-explorer/).

### Industry benchmarks

Industry benchmarks provide additional context for your mitigated traffic by comparing your organization's attack activity against others in the same industry. These benchmarks help you understand whether the volume and frequency of attacks you experience are typical, higher, or lower than your peers — offering a clear sense of where your organization stands within its threat landscape.

Beyond providing context, benchmarks can also help demonstrate value to stakeholders by quantifying the scale of threats your organization faces and how effectively Cloudflare mitigates them. This information can be useful when communicating your security posture internally or when prioritizing future security investments.

To ensure fairness and accuracy, Cloudflare normalizes your data before comparison. For each month, we calculate the percentage of mitigated requests relative to the total requests across your account and eligible zones. This normalization ensures that benchmarks are based on relative attack intensity rather than total traffic volume so larger or smaller organizations can be compared meaningfully.

The result helps you interpret your mitigated traffic data in context. For example, you may see a statement such as "_You are in the top 25% most attacked companies in the Cosmetics industry._" This insight enables you to better understand your threat exposure, communicate results to stakeholders, and understand the value of the protection Cloudflare provides.

If your account is not assigned an industry or if the shown industry is incorrect, use the link within the report to select the correct industry.

It may take a while for your new selection to take effect, and it may only be applied to future reports.

If you have multiple Cloudflare accounts, select the industry that is most relevant for the specific account.

---

## Prerequisites

You must have at least one Enterprise zone. Application Security reports are automatically enabled on your Enterprise zone. No action is required.

If you do not have any Enterprise zones, a report will not be generated. If you have an account that is not older than one month, a report will not be generated yet.

### Required roles

A Cloudflare user must have one of the following [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) to download Application Security reports:

* Super Administrator
* Administrator

---

## API

List all report policies for a specific account:

```
GET /accounts/{account_id}/reporting/policies
```

Retrieve the details of a single, specific report policy:

```
GET /accounts/{account_id}/reporting/policies/{policy_id}
```

List all generated reports for a specific account:

```
GET /accounts/{account_id}/reporting/reports
```

Retrieve a single, specific report, including its data and findings:

```
GET /accounts/{account_id}/reporting/reports/{report_id}
```

Data returned by the API

* Account ID
* Account Name
* Account Industry
* Time range
* Total zones
* Total zones analyzed
* Industry percentile (nullable float)
* Total requests (count, percentage)
* Total mitigated requests (count, percentage)
* Total served requests (count, percentage)
* Top 5 hostnames by mitigated requests (hostname, count)
* Top 5 source countries by served requests (country, count)
* Top 5 source countries by mitigated requests (country, count)
* Top 5 rules by mitigated requests (rule name, rule type, count)

Note

The data's time range is independent of when the report is generated.

### Cross-account reports

Each report is generated per account. You can use the [API](#api) to retrieve the reports for all of your accounts and aggregate the data.
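
One way to aggregate per-account reports once they have been retrieved, as an added example that is not Cloudflare's code. The dictionary keys are hypothetical stand-ins for the fields listed under "Data returned by the API" (the page does not give the response schema), and the sample reports are constructed. Reports are grouped by data time range rather than generation date, and the mitigated percentage is recomputed from summed counts.

```python
from collections import Counter, defaultdict


def aggregate_reports(reports, top_n=5):
    """Combine per-account report summaries into one view per time range."""
    seen = set()
    grouped = defaultdict(
        lambda: {"accounts": 0, "total": 0, "mitigated": 0, "hosts": Counter()}
    )
    for report in reports:
        key = (report["account_id"], report["time_range"])
        if key in seen:
            continue  # same report fetched twice; do not double count
        seen.add(key)
        group = grouped[report["time_range"]]
        group["accounts"] += 1
        group["total"] += report["total_requests"]
        group["mitigated"] += report["mitigated_requests"]
        for hostname, count in report["top_hostnames_mitigated"]:
            group["hosts"][hostname] += count

    result = {}
    for period, group in sorted(grouped.items()):
        total = group["total"]
        result[period] = {
            "accounts": group["accounts"],
            "total_requests": total,
            "mitigated_requests": group["mitigated"],
            # Recomputed from summed counts. Averaging per-account percentages
            # would give a small account the same weight as a large one.
            "mitigated_pct": round(100 * group["mitigated"] / total, 2) if total else 0.0,
            # Each account only reports its own top five, so merged counts are
            # lower bounds for hostnames that missed the cut in some account.
            "top_hostnames_mitigated": group["hosts"].most_common(top_n),
        }
    return result


# Constructed sample data; key names are assumptions, not the API's schema.
SAMPLE_REPORTS = [
    {"account_id": "acct-a", "time_range": "2025-05",
     "total_requests": 1_000_000, "mitigated_requests": 50_000,
     "top_hostnames_mitigated": [("shop.example.com", 30_000), ("api.example.com", 15_000)]},
    {"account_id": "acct-b", "time_range": "2025-05",
     "total_requests": 10_000, "mitigated_requests": 4_000,
     "top_hostnames_mitigated": [("api.example.com", 2_500), ("blog.example.net", 1_500)]},
    {"account_id": "acct-b", "time_range": "2025-05",  # duplicate fetch of the report above
     "total_requests": 10_000, "mitigated_requests": 4_000,
     "top_hostnames_mitigated": [("api.example.com", 2_500), ("blog.example.net", 1_500)]},
    {"account_id": "acct-a", "time_range": "2025-04",
     "total_requests": 800_000, "mitigated_requests": 8_000,
     "top_hostnames_mitigated": [("shop.example.com", 8_000)]},
]

if __name__ == "__main__":
    for period, summary in aggregate_reports(SAMPLE_REPORTS).items():
        print(period, summary)
```

In the May sample the two accounts mitigate 5% and 40% of their traffic; the combined figure is 5.35%, not the 22.5% a plain average would give. The industry percentile is per account and is left out of the aggregate.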

---

## Availability

This feature is available in closed beta to Enterprise customers.


---

---
title: Investigate
description: Investigate allows you to view a domain’s category, the IP it belongs to, and whether the category has changed before. You can also see which records it points to, including the country of origin and passive DNS records. After searching with Investigate, you will get an API curl to retrieve the same search results.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Investigate

User permission

Investigate is available to all users. Every user can view existing URL scanner reports and initiate new URL scans.

However, advanced intelligence features, including searching for IP and domain intelligence and passive DNS records, are restricted to users with the following roles: Super Admin, Administrator, Brand Protection, Cloudforce One Admin.

Investigate allows you to view a domain’s category, the IP it belongs to, and whether the category has changed before. You can also see which records it points to, including the country of origin and passive DNS records. After searching with Investigate, you will get an API curl to retrieve the same search results.

You can learn more about the IP addresses in your logs by searching for an IP address to view its category and threat data. Enter any IP address, domain name, or hostname to see how it has been categorized from a threat perspective.

Investigate also shows [Web Application Firewall ↗](https://developers.cloudflare.com/waf/) analytics for your websites behind Cloudflare to help you discover what your vulnerabilities are, where attacks come from, and what to do about it.


---

---
title: Change categorization
description: Cloudflare sorts domains into categories based on their content and security type. You can request categorization changes via the dashboard, Cloudflare Radar, or the API.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Change categorization

Cloudflare sorts domains into categories based on their content and security type. You can request categorization changes via the [dashboard](#via-the-cloudflare-dashboard), [Cloudflare Radar](#via-cloudflare-radar), or the [API](#via-the-api).

For a detailed list of categories, refer to [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/).

## Via the Cloudflare dashboard

To request a categorization change via the Cloudflare dashboard:

1. In the Cloudflare dashboard, go to the **Investigate** page.  
[ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate)
2. Search for the domain you want to change.
3. In **Domain overview**, select **Request to change categorization**.
4. Choose whether to change a [security category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#security-categories) or a [content category](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/#content-categories).
5. Choose which categories you want to add or remove from the domain.  
Content category limit  
A domain cannot have more than two associated content categories. To propose changes to categories of a domain with more than two existing categories, remove one or more of the existing categories.
6. Select **Submit** to submit your request for review.

Requesting a security category change will trigger a deeper investigation by Cloudflare to confirm that the submission is valid. Requesting a content category change also requires Cloudflare validation, but the turnaround time for these submissions is usually shorter as it requires less investigation.

Your category change requests will be reviewed by the Cloudflare team depending on the type of change. If your requests have been reviewed and applied by the Cloudflare team, the new categories will be visible in the Cloudflare dashboard in **Security Center** \> **Investigate**, as well as in [Cloudflare Radar ↗](https://radar.cloudflare.com/).

Warning

Cloudflare does not guarantee the category change will be approved.

## Via Cloudflare Radar

To request recategorization via Cloudflare Radar, submit feedback in [Radar Domain Categorization ↗](https://radar.cloudflare.com/domains/feedback).

## Via the API

To request a categorization change via the API:

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with permission to edit your Intel account.

   | **Permissions** |       |      |
   | --------------- | ----- | ---- |
   | Account         | Intel | Edit |

   | **Account Resources** |              |
   | --------------------- | ------------ |
   | Include               | All accounts |
2. Make a call to the [miscategorization endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/miscategorizations/methods/create/) including the domain name and any categories you would like to add or remove. For example:

   ```
   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/intel/miscategorization \
   --header "Authorization: Bearer <API_TOKEN>" \
   --header "Content-Type: application/json" \
   --data '{
     "content_adds": [
       82
     ],
     "content_removes": [
       155
     ],
     "indicator_type": "domain",
     "ip": null,
     "security_adds": [
       117,
       131
     ],
     "security_removes": [
       83
     ],
     "url": "example.com"
   }'
   ```


---

---
title: Investigate threats
description: Users can investigate the details of an IP address, domain name, URL, or Autonomous System Number (ASN). You can find the Investigate feature in your Cloudflare account's Security Center and in Cloudflare Radar.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Investigate threats

Users can investigate the details of an IP address, domain name, URL, or Autonomous System Number (ASN). You can find the Investigate feature in your Cloudflare account's Security Center and in [Cloudflare Radar ↗](https://radar.cloudflare.com/scan).

You can search with Investigate by [IP address](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#ip-address), [domain](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#domain), [URL](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#url) and [AS number](https://developers.cloudflare.com/security-center/investigate/investigate-threats/#as-number).

Note

Search methods are also available through the [API](https://developers.cloudflare.com/security-center/intel-apis/).

## IP Address

An [IP address ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/) is a unique address that identifies a server. It stands for [Internet Protocol ↗](https://www.cloudflare.com/learning/network-layer/internet-protocol/), which is the set of rules that allows servers to communicate with each other.

IP address search allows you to search both [IPv4 and IPv6 ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/) addresses and retrieve relevant information such as their pointer records, AS numbers and passive DNS records.

## Domain

A [domain name ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/) is a string of text that maps to an IP address. Domain names are used to help people remember where websites are hosted. Domain names are purchased through [registrars](https://developers.cloudflare.com/registrar/) and can be acquired easily by anyone.

When you search for a domain name, Cloudflare will provide an overview of the domain's [category](#domain-categories) and IP addresses it currently resolves to.

### Domain categories

For a detailed list of categories, refer to [Domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/).

A domain can have multiple categories. Cloudflare displays both the parent category and the detailed child category. You can [request category changes](https://developers.cloudflare.com/security-center/investigate/change-categorization/) for a domain. For a miscategorized domain, you can also request to have a category added. This request goes through an approval process with the Cloudflare team.

As part of the domain search results, Cloudflare shows the domain's WHOIS details and a history of its category changes over time.

## AS Number

An [AS number ↗](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) is a group of IP addresses belonging to and controlled by a single organization. The entire group of networks has a single unified routing policy. The [Internet Assigned Numbers Authority ↗](https://www.iana.org/) (IANA) is the organization responsible for managing the assignment and distribution of AS numbers. The AS number's routing policies are used by [BGP ↗](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/), which is how Cloudflare's [anycast network ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) works.

When you search for an AS number, Cloudflare will return registration data such as its country, description and type. It will also display data such as domain count, top 10 domains and subnets.

With sufficient data, AS number search results will also return the geographical distribution of traffic in its network, application level attacks and network level attacks, each broken down by Cloudflare mitigation techniques and network protocols, respectively.

## Hash

When you search for a hash, the Cloudflare dashboard will provide a URL report for that specific hash.

To search using a hash:

1. In the Cloudflare dashboard, go to the **Investigate** page.  
[ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate)
2. Enter the hash, then select **Search**.
3. Select **View report** to view the report for your URL.

## URL

When you search for a URL, Cloudflare will provide a list of recent scan reports for that specific URL, limited to the past 30 days. You can view previously generated reports or scan again to generate a new report.

Different Cloudflare plans will have different [scan limitations](https://developers.cloudflare.com/security-center/investigate/scan-limits/).

If you want to scan a URL:

1. In the Cloudflare dashboard, go to the **Investigate** page.  
[ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate)
2. Enter the URL, then select **Search**.

Alternatively, to scan a URL, go to [Cloudflare Radar ↗](https://radar.cloudflare.com/) \> **URL scanner**. Enter the URL, then select **Publish**.

Note

You can use [Cloudflare Radar API](https://developers.cloudflare.com/radar/investigate/url-scanner/#use-the-api) to investigate threats.

### Visibility

When generating a new scan report, the default visibility is set to `Unlisted`, but you have the option to set it to `Public`. By choosing `Public`, the generated scan will be available to all Cloudflare dashboard and Cloudflare Radar users alike, which will increase awareness of potentially malicious websites for others.

We recommend choosing `Unlisted` if you are scanning infrastructure that is not intended to be shared with the wider Cloudflare community.

### Filters

While viewing the most recent scans, you can use the filtering options. Selecting `All account scans` will display both `Unlisted` and `Public` scans initiated from your Cloudflare account. However, by selecting `All global scans`, only `Public` scans are displayed.

### Downloads

You can download a report of your scan in HAR or JSON format.

To download a report:

1. In the Cloudflare dashboard, go to the **Investigate** page.  
[ Go to **Investigate** ](https://dash.cloudflare.com/?to=/:account/security-center/investigate)
2. Enter your domain and select **Search**.
3. Once the report has been generated, select **Download** and choose between **Download HAR** or **Download JSON**.


---

---
title: Scan limits
description: Limits
image: https://developers.cloudflare.com/core-services-preview.png
---


# Scan limits

URL scans are limited by search history, Public and Unlisted visibility, and requests per second across different Cloudflare plans.

| Cloudflare Plan    | Search history | Public scans (per month) | Unlisted scans (per month) | Rate limit       |
| ------------------ | -------------- | ------------------------ | -------------------------- | ---------------- |
| **Free / Radar**   | last 50 scans  | 5,000                    | none                       | 1 per 10 seconds |
| **Self serve**     | 30 days        | 5,000                    | 500                        | 1 per 10 seconds |
| **Enterprise**     | 12 months      | 10,000                   | 5,000                      | 12 per second    |
| **Cloudforce One** | Unlimited      | 75,000                   | 20,000                     | 12 per second    |


---

---
title: Brand Protection
description: Brand Protection allows you to proactively identify and mitigate domain impersonation and phishing attacks. By monitoring newly registered domains and visual assets across the Internet, Cloudflare helps protect your brand's reputation and prevents your customers or employees from submitting sensitive information to fraudulent sites.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Brand Protection

Brand Protection allows you to proactively identify and mitigate domain impersonation and phishing attacks. By monitoring newly registered domains and visual assets across the Internet, Cloudflare helps protect your brand's reputation and prevents your customers or employees from submitting sensitive information to fraudulent sites.

Common threats include:

* [Typosquatting ↗](https://en.wikipedia.org/wiki/Typosquatting): For example, typing `cloudfalre.com` instead of `cloudflare.com`.
* Concatenation of services (`cloudflare-service.com`) often registered by attackers to trick unsuspecting victims into submitting private information such as passwords.
* [Homoglyph attacks ↗](https://en.wikipedia.org/wiki/IDN%5Fhomograph%5Fattack) that use lookalike characters to trick unsuspecting victims.

User permission

Access to Brand Protection is managed through [Cloudflare RBAC](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

Only users with the following roles can access and configure Brand Protection:

* Super Admin
* Admin
* Brand Protection (custom role)

## Types of queries

Cloudflare Brand Protection offers two distinct methods for monitoring impersonation: domain search and logo search.

### Domain search

Search for domains based on text patterns, misspellings, or service combinations.

To start searching for new domains that might be trying to impersonate your brand:

1. In the Cloudflare dashboard, go to the **Brand Protection** page.  
[ Go to **Brand protection** ](https://dash.cloudflare.com/?to=/:account/security-center/brand-protection)
2. In **String query**, provide a name for your query. You can add multiple brand phrases to the same query, and the results will include matches for all of them. Once you have entered the string queries, select **Search matches**.
3. In **Character distance**, select a value from `0-3`. This defines how many characters a result can differ from your string (for example, a distance of 1 would catch `clpudflare.com`).  
Note  
If a brand phrase or search term has fewer than five characters, you can only choose a max distance of `0` (zero).
4. You can select **Save query** to monitor it in the future and perform other actions, such as delete, clone and set up alerts, according to your Paid plan limits.
5. To export all matches from a saved query, select your **Query name** \> select the three dots > **Export matches**.

In the section **Monitor Strings**, you can check all the string queries that you selected to monitor. You can delete, clone, or create notifications for a string query. Refer to [Brand Protection Alerts](#brand-protection-alerts) to set up notifications.
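
The typosquatting, concatenation, homoglyph and character-distance cases described above, as an added example (not Cloudflare's code) for triaging a list of exported match domains locally. It assumes character distance means Levenshtein edit distance, which the page does not specify; the function names, the small confusables table and the sample domains are constructed for illustration.

```python
from __future__ import annotations

MAX_DISTANCE = 3      # the dashboard offers character distances 0-3
SHORT_TERM_LEN = 5    # terms shorter than this may only use distance 0

# Small illustrative subset of lookalike characters (not a complete table).
CONFUSABLES = str.maketrans({
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0441": "c",  # Cyrillic small es
    "0": "o",
    "1": "l",
})


def levenshtein(a: str, b: str) -> int:
    """Single-character inserts, deletes and substitutions to turn a into b.
    Assumed metric: the page does not say how character distance is computed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute, or free if equal
            ))
        prev = cur
    return prev[-1]


def effective_distance(term: str, requested: int) -> int:
    """Apply the documented limits: 0-3 overall, 0 only for short terms."""
    if not 0 <= requested <= MAX_DISTANCE:
        raise ValueError("character distance must be between 0 and 3")
    return 0 if len(term) < SHORT_TERM_LEN else requested


def candidate_labels(domain: str) -> list[str]:
    """Labels left of the TLD. Simplification: the last label is treated as
    the TLD; the Public Suffix List is not consulted."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[:-1] if len(labels) > 1 else labels


def decode_label(label: str) -> str:
    """Decode a punycode (xn--) label to Unicode; other labels pass through."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: keep the raw label
            return label
    return label


def classify(term: str, domain: str, requested: int) -> tuple[str, int] | None:
    """Return (reason, edit distance to the matching label) or None."""
    term = term.lower()
    limit = effective_distance(term, requested)
    for raw in candidate_labels(domain):
        label = decode_label(raw)
        distance = levenshtein(term, label)
        if distance == 0:
            return ("exact", 0)
        if label.translate(CONFUSABLES) == term:
            return ("homoglyph", distance)
        if term in label:
            return ("concatenation", distance)
        if distance <= limit:
            return ("typo", distance)
    return None


# Constructed sample input. The homoglyph swaps Latin "o" for Cyrillic "о".
HOMOGLYPH = "xn--" + "cl\u043eudflare".encode("punycode").decode("ascii") + ".com"
SAMPLE_DOMAINS = [
    "cloudflare.com", "clpudflare.com", "cloudfalre.com",
    "cloudflare-service.com", HOMOGLYPH, "example.org",
]


def triage(term: str, domains: list[str], requested: int) -> dict:
    """Map each domain to its classification for one brand term."""
    return {domain: classify(term, domain, requested) for domain in domains}


if __name__ == "__main__":
    for domain, verdict in triage("cloudflare", SAMPLE_DOMAINS, 1).items():
        print(f"{domain:40} {verdict}")
```

Under this metric a transposition such as `cloudfalre.com` is two edits, so a query limited to distance 1 would not flag it.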

### Logo search (AI-powered)

Logo search uses computer vision to detect domains using your visual assets, even if the domain name does not contain your brand string.

To set up a new logo query:

1. Select **Monitor Logos** and select **Add logo**.
2. Add a name for your query and upload your logo. Only the `.png`, `.jpeg`, and `.jpg` file extensions are supported.
3. Set a match threshold (the minimum is 75%). A higher score ensures high-precision matches, while a lower score catches remixed or slightly altered versions of your logo.
4. Select **Save logo**. The system will now scan newly detected infrastructure for visual matches.

The browser will return to the **Monitored Logos** page, where you can access your query and configure notifications.

## Investigate a query

In this section, the dashboard displays:

* **Domain overview** where you can request to [change categorization](https://developers.cloudflare.com/security-center/investigate/change-categorization/) and view the resolution history of your domain for up to seven days.
* **WHOIS** that provides details about the date the domain was created, registrant and nameservers.
* **Domain history** that provides information on the domain category and when it was last changed. Refer to [Investigate threats](https://developers.cloudflare.com/security-center/investigate/investigate-threats/) for more details.
* **URL Reports** that provides information on any reported URL.

To investigate a string query:

1. Go to the **Monitor Strings** or **Monitor Logos** section to view all your queries.
2. Select a monitored query to inspect all the domains that matched your query.
3. Next to the domain, select **Domain** or **URL**. This will trigger a search on the [**Investigate**](https://developers.cloudflare.com/security-center/investigate/) section in a separate tab. URL scanner will also be triggered from **Brand Protection** through **Security Center** \> **Investigate**. You will also have access to a report which will be generated automatically. The report will display screenshots of the matched domain, and the registrar of your domain.

## Report abuse

Submit abuse report

You can only submit an abuse report if your domain is with [Cloudflare Registrar ↗](https://www.cloudflare.com/products/registrar/), or if the IP used by the domain is hosted by Cloudflare.

To submit abuse reports directly from the dashboard:

1. In the Cloudflare dashboard, go to the **Brand Protection** page.  
[ Go to **Brand protection** ](https://dash.cloudflare.com/?to=/:account/security-center/brand-protection)
2. Go to **Monitor Strings** and select the query you want to report.
3. Select **Report to Cloudflare**.
4. Fill in the details to submit an abuse report.
5. Select **Submit**.

To view abuse reports, in the Cloudflare dashboard, go to the **Abuse Reports** page.

[ Go to **Abuse reports** ](https://dash.cloudflare.com/?to=/:account/abuse-reports) 

You can review abuse reports against your zones and any mitigations taken against reports in response.

You can also **Request review** of most mitigations.

## Brand Protection API

The [Brand Protection API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/) allows for programmatic management and integration with your [SOC ↗](https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-a-security-operations-center-soc/) or [SIEM ↗](https://www.cloudflare.com/en-gb/learning/security/what-is-siem/). Using the Brand Protection API, you can:

* Manage queries: Create, edit, or delete string and logo queries.
* Data retrieval: Read and download matches for automated ingestion.
* Query editing: Update existing query parameters without losing historical data.

## Notifications and alerts

Brand Protection integrates with Cloudflare's ANS (Alerts Notification Service) to provide configurable alerts when new domains are detected.

Any matches that are found during the new domain search are then inserted into an internal alerts table which triggers an alert for the user. This allows you to receive real-time notifications and take immediate action to investigate and potentially block any suspicious domains that may be attempting to impersonate your brand.

Brand Protection Alerts

**Who is it for?**

Customers who want a summary of activity related to [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/).

**Other options / filters**

You can set up Brand Protection Alerts on individual monitored queries. For more details, refer to [Brand Protection Alerts](https://developers.cloudflare.com/security-center/brand-protection/#brand-protection-alerts).

**Included with**

Professional plans or higher.

**What should you do if you receive one?**

Investigate and potentially block any suspicious domains that may be trying to impersonate your brand.

Brand Protection Digest

**Who is it for?**

Customers who want a summary of activity related to [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/).

**Other options / filters**

You can set up Brand Protection Digest on individual monitored queries. For more details, refer to [Brand Protection Alerts](https://developers.cloudflare.com/security-center/brand-protection/#brand-protection-alerts).

**Included with**

Professional plans or higher.

**What should you do if you receive one?**

Investigate and potentially block any suspicious domains that may be trying to impersonate your brand.

Logo Match Alerts

**Who is it for?**

Customers who want to receive a notification when the [Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/) system detects a new domain which is using the uploaded logo and might be infringing copyright.

**Other options / filters**

You can select the query that you want to be alerted on.

**Included with**

Enterprise plans.

**What should you do if you receive one?**

Review the domains and URLs that are potentially impersonating your brand.

Security Insights

**Who is it for?**

Customers who want to receive notifications based on security insights findings.

**Other options / filters**

You can select the insight(s) you want to be alerted on.

**Included with**

All Cloudflare plans.

**What should you do if you receive one?**

Review the insight and decide whether you want to resolve it, archive it, or export it.

Abuse report

**Who is it for?**

Customers who want to be alerted in the event that an abuse report is filed against their website.

**Other options / filters**

You can filter the reports based on date, report status, report type, and domain.

**Included with**

All Cloudflare plans.

**What should you do if you receive one?**

View our guidance on [customer abuse report obligations](https://developers.cloudflare.com/fundamentals/reference/report-abuse/abuse-report-obligations/) and more information on how to [view and submit abuse reports](https://developers.cloudflare.com/fundamentals/reference/report-abuse/submit-report/).

To set up a Brand Protection Alert:

1. Go to **Monitor Strings** and locate the query for which you would like to create notifications.
2. Select **alerts**. This should redirect you to the **Add Notification** page, where you can configure what you want to be notified about, and how.  
Note  
You can also set up the alerts from your [Notifications](https://developers.cloudflare.com/notifications/) menu.
3. Create a notification name, add a description (optional), and select the monitored queries. You can also add a Webhook, and a notification email. You can add multiple email addresses.
4. Select **Save**.

Manage your notifications in the **All notifications** tab. You can disable, edit, delete, or test them.

## Subscriptions and limitations

* Self-serve users can subscribe directly to add monitoring capacity to their account.
* You may only use the Brand Protection search tools to search for domains that may be attempting to impersonate your brand or a brand that has authorized you to conduct such search on its behalf.


---

---
title: Blocked Content
description: If your domain has content that has been blocked, Blocked Content on the dashboard gives you the ability to request the Trust and Safety team to remove a block.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Blocked Content

If your domain has content that has been blocked, Blocked Content on the dashboard gives you the ability to request the Trust and Safety team to remove a block.

To view Blocked Content on the dashboard:

1. In the Cloudflare dashboard, go to the **Blocked Content** page.
[ Go to **Blocked content** ](https://dash.cloudflare.com/?to=/:account/blocked-content) 

Note

You must have Admin, Super Admin, or Trust and Safety [role](https://developers.cloudflare.com/fundamentals/manage-members/roles/) to access Blocked Content.

The Security Center dashboard displays three statuses for blocked content: active, pending, and resolved.

## Active blocks

An active block is a block that is currently in effect and blocking content.

When you select **Request Review**, the status changes to **In Review**, and the block will be reviewed by the Trust and Safety team.

## Pending blocks

A pending block represents a blocking action Cloudflare will take at the scheduled time.

You can view all your pending blocks by selecting **Pending** on the dashboard. Selecting **Request Review** cancels the pending delayed action. This means that the block will not be placed.

## Resolved blocks

The resolved list shows your recently resolved blocks, limited to the last 30 days. Resolved blocks require no action. You can only sort and/or filter the list.


---

---
title: Custom Indicator Feeds
description: Cloudflare's threat intelligence team crowdsources attack trends and protects users automatically, such as from zero-day vulnerabilities like the HTTP/2 Rapid Reset attack. However, in some cases, Cloudflare will partner with external entities that have their own feeds which can be shared with eligible Cloudflare users.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Custom Indicator Feeds

Cloudflare's threat intelligence team crowdsources attack trends and protects users automatically, such as from zero-day vulnerabilities like the [HTTP/2 Rapid Reset attack ↗](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/). However, in some cases, Cloudflare will partner with external entities that have their own feeds which can be shared with eligible Cloudflare users.

With Custom Indicator Feeds, Cloudflare provides a threat intelligence feed based on data received from various Cyber Defense Collaboration groups. The security filtering capabilities are available to eligible public and private sector organizations.

## Publicly available feeds

Cloudflare provides some feeds to Gateway users without the need to establish a provider relationship.

| Name | Description | Availability |
| --- | --- | --- |
| [Treasury Early Indicator Feed ↗](https://www.cloudflare.com/press-releases/2024/us-department-of-treasury-pnnl-finserv-threat-intel-feed/), Feed ID 14 | Threat data for financial institutions provided by the US Department of Treasury and Pacific Northwest National Laboratory (PNNL). For more information, contact your account team. | Approved financial services organizations |
| [UK NCSC Public Threat Indicators ↗](https://www.ncsc.gov.uk/information/pdns), Feed ID 24 | Recursive DNS service supplied by the UK National Cyber Security Centre (NCSC) to block DNS-based malware. | All users |
| Cloudforce One - Public Feed, Feed ID 34 | Feed of indicators. | All users |

## Get started

Cloudflare threat intelligence data consists of a data exchange between providers and subscribers.

A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.

Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the [Grant permission to indicator feed endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/permissions/methods/create/).

If your organization is interested in becoming a provider or a subscriber, contact your account team.

### Create a Custom Indicator Feed

Providers can create and manage a Custom Indicator Feed with the [Custom Indicator Feeds API endpoints](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/methods/list/):

1. Contact your account team to configure your account as an indicator feed provider.
2. Create a feed with the [Create new indicator feed endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/methods/create/). Make note of the `feed_id` generated for your feed. For example:  
Create new indicator feed  
```  
# POST is implied by --data. The "id" in the response is the feed_id used in later calls.
curl "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds" \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <EMAIL>' \
  --header 'X-Auth-Key: <API_KEY>' \
  --data '{
  "description": "Custom indicator feed to detect threats",
  "name": "threat_indicator_feed"
}'
```  
```  
{  
  "result": {  
    "id": 10,  
    "name": "threat_indicator_feed",  
    "description": "Custom indicator feed to detect threats",  
    "created_on": "2024-09-17T21:16:09.412Z",  
    "modified_on": "2024-09-17T21:16:09.412Z"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
3. Upload data to the feed with the [Update indicator feed data endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/snapshots/methods/update/). Uploaded indicator data must be in a [.stix2 ↗](https://oasis-open.github.io/cti-documentation/stix/intro) formatted file. The [maximum upload file size](https://developers.cloudflare.com/r2/platform/limits/) is 4.995 GiB.  
Update indicator feed data  
```  
# Snapshot upload: the file must contain all previous and new indicators.
curl --request PUT \
  "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/snapshot" \
  --header 'Content-Type: multipart/form-data' \
  --header 'X-Auth-Email: <EMAIL>' \
  --header 'X-Auth-Key: <API_KEY>' \
  --form 'source=@/path/to/file'
```  
```  
{  
  "result": {  
    "file_id": 1,  
    "filename": "snapshot_file.unified",  
    "status": "unified"  
  },  
  "errors": [],  
  "messages": [],  
  "success": true  
}  
```  
Note  
Indicator feeds use a snapshot system. To update feeds with new data, providers must upload a file containing all previous and new indicators.
4. (Optional) Verify the status of your feed upload with the [Get indicator feed data endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/methods/data/). For example:  
Get indicator feed data  
```  
# Check latest_upload_status in the response to confirm the upload was processed.
curl --request GET \
  "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/<FEED_ID>/data" \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <EMAIL>' \
  --header 'X-Auth-Key: <API_KEY>'
```  
```  
{  
  "result": {  
    "id": 10,  
    "name": "threat_indicator_feed",  
    "description": "Custom indicator feed to detect threats",  
    "created_on": "2023-08-01T18:00:26.65715Z",  
    "modified_on": "2023-08-01T18:00:26.65715Z",  
    "latest_upload_status": "Complete"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
5. Grant access to subscribers with the [Grant permission to indicator feed endpoint](https://developers.cloudflare.com/api/resources/intel/subresources/indicator%5Ffeeds/subresources/permissions/methods/create/). You can add subscribers to the feed's allowed subscribers list using their [account IDs](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/). For example:  
Grant permission to indicator feed  
```  
# Add a subscriber account to the feed's allowed subscribers list.
curl --request PUT \
  "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/intel/indicator-feeds/permissions/add" \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <EMAIL>' \
  --header 'X-Auth-Key: <API_KEY>' \
  --data '{
  "account_tag": "823f45f16fd2f7e21e1e054aga4d2859",
  "feed_id": 10
}'
```
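
Because feeds use the snapshot system noted in step 3, an upload that contains only new indicators silently drops everything published before. The following added example (not Cloudflare's code) builds a full snapshot from the previous one plus new domains and checks that nothing was dropped before upload. It assumes the file is a STIX 2.1 bundle of `indicator` objects; the function names, file name and sample domains are constructed for illustration.

```python
from __future__ import annotations

import json
import uuid
from datetime import datetime, timezone


def stix_timestamp(moment: datetime) -> str:
    """Format a datetime as a STIX timestamp (UTC, millisecond precision)."""
    moment = moment.astimezone(timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def domain_pattern(domain: str) -> str:
    """STIX pattern matching one domain; backslashes and quotes are escaped."""
    value = domain.lower().replace("\\", "\\\\").replace("'", "\\'")
    return f"[domain-name:value = '{value}']"


def new_indicator(pattern: str, moment: datetime) -> dict:
    """Minimal STIX 2.1 indicator carrying the required properties."""
    stamp = stix_timestamp(moment)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stamp,
    }


def indicator_patterns(bundle: dict) -> set[str]:
    """All indicator patterns present in a bundle."""
    return {
        obj["pattern"]
        for obj in bundle.get("objects", [])
        if obj.get("type") == "indicator"
    }


def build_snapshot(previous: dict, new_domains: list[str],
                   moment: datetime | None = None) -> dict:
    """Full snapshot: every object from the previous bundle plus indicators
    for domains not already covered (de-duplicated by pattern)."""
    moment = moment or datetime.now(timezone.utc)
    objects = list(previous.get("objects", []))
    seen = indicator_patterns(previous)
    for domain in new_domains:
        pattern = domain_pattern(domain)
        if pattern not in seen:
            objects.append(new_indicator(pattern, moment))
            seen.add(pattern)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def dropped_patterns(previous: dict, candidate: dict) -> set[str]:
    """Patterns published before that the candidate upload would remove."""
    return indicator_patterns(previous) - indicator_patterns(candidate)


# Constructed sample: the snapshot uploaded last time.
PREVIOUS = build_snapshot(
    {"objects": []},
    ["bad-one.example", "bad-two.example"],
    datetime(2024, 9, 17, 21, 16, 9, 412000, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    snapshot = build_snapshot(PREVIOUS, ["bad-two.example", "bad-three.example"])
    missing = dropped_patterns(PREVIOUS, snapshot)
    if missing:
        raise SystemExit(f"refusing to write: {len(missing)} indicators dropped")
    # Hypothetical file name; pass it to the snapshot upload in step 3.
    with open("snapshot.stix2", "w", encoding="utf-8") as handle:
        json.dump(snapshot, handle, indent=2)
    print(f"wrote {len(snapshot['objects'])} objects")
```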

### Use a feed in Gateway

Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/#indicator-feeds).

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Traffic policies** \> **Firewall policies**. Select **DNS**.
2. To create a new DNS policy, select **Add a policy**.
3. Name your policy.
4. In **Traffic**, add a condition with the **Indicator Feeds** selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in **Value**. For example, you can block sites that appear in a feed:  
| Selector        | Operator | Value               | Action |  
| --------------- | -------- | ------------------- | ------ |  
| Indicator Feeds | in       | _Threat Intel Feed_ | Block  |
5. Select **Create policy**.

For more information on creating Gateway policies, refer to [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/).


---

---
title: Changelog
description: We are introducing Logo Match Preview, bringing the same pre-save visibility to visual assets that was previously only available for string-based queries. This update allows you to fine-tune your brand detection strategy before committing to a live monitor.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Changelog

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/security-center.xml) 

## 2026-03-18

  
**Real-time logo match preview**   

We are introducing **Logo Match Preview**, bringing the same pre-save visibility to visual assets that was previously only available for string-based queries. This update allows you to fine-tune your brand detection strategy before committing to a live monitor.

#### What’s new:

* Upload your brand logo and immediately see a sample of potential matches from recently detected sites before finalizing the query
* Adjust your similarity score (from 75% to 100%) and watch the results refresh in real-time to find the balance between broad detection and noise reduction
* Review the specific logos triggered by your current settings to ensure your query is capturing the right level of brand infringement

If you are ready to test your brand assets, go to the [Brand Protection dashboard ↗](https://developers.cloudflare.com/security-center/brand-protection/) to try the new preview tool.

## 2026-03-06

  
**Dismiss and filter matches in Brand Protection**   

We have introduced new triage controls to help you manage your Brand Protection results more efficiently. You can now clear out the noise by dismissing matches while maintaining full visibility into your historical decisions.

#### What's new

* **Dismiss matches**: Users can now mark specific results as dismissed if they are determined to be benign or false positives, removing them from the primary triage view.
* **Show/Hide toggle**: A new visibility control allows you to instantly switch between viewing only active matches and including previously dismissed ones.
* **Persistent review states**: Dismissed status is saved across sessions, ensuring that your workspace remains organized and focused on new or high-priority threats.

#### Key benefits of the dismiss match functionality:

* Reduce alert fatigue by hiding known-safe results, allowing your team to focus exclusively on unreviewed or high-risk infringements.
* Auditability and recovery through the visibility toggle, ensuring that no match is ever truly "lost" and can be re-evaluated if a site's content changes.
* Improved collaboration as your team members can see which matches have already been vetted and dismissed by others.

Ready to clean up your match queue? Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/).

## 2026-02-23

  
**Saved views for Threat Events**   

**TL;DR:** You can now create and save custom configurations of the Threat Events dashboard, allowing you to instantly return to specific filtered views — such as industry-specific attacks or regional Sankey flows — without manual reconfiguration.

#### Why this matters

Threat intelligence is most effective when it is personalized. Previously, analysts had to manually re-apply complex filters (like combining specific industry datasets with geographic origins) every time they logged in. This update provides material value in two ways:

* Analysts can now jump straight into "Known Ransomware Infrastructure" or "Retail Sector Targets" views with a single click, eliminating repetitive setup tasks.
* Teams can ensure everyone is looking at the same data subsets by using standardized saved views, reducing the risk of missing critical patterns due to inconsistent filtering.

Cloudforce One subscribers can start saving their custom views now in [Application Security > Threat Intelligence > Threat Events ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/threat-events).

## 2026-02-19

  
**Cloudforce One Threat events graphs are now visible in the dashboard**   

We have introduced dynamic visualizations to the Threat Events dashboard to help you better understand the threat landscape and identify emerging patterns at a glance.

What's new:

* **Sankey Diagrams**: Trace the flow of attacks from country of origin to target country to identify which regions are being hit hardest and where the threat infrastructure resides.
![Sankey Diagram](https://developers.cloudflare.com/_astro/2026-02-19-sankey-diagram.VZMSmdZL_Z1dxq3E.webp) 
* **Dataset Distribution over time**: Instantly pivot your view to understand if a specific campaign is targeting your sector or if it is a broad-spectrum commodity attack.
![Events over time](https://developers.cloudflare.com/_astro/2026-02-19-events-over-time.CqD7VKqA_Z20JNi0.webp) 
* **Enhanced Filtering**: Use these visual tools to filter and drill down into specific attack vectors directly from the charts.

Cloudforce One subscribers can explore these new views now in [Application Security > Threat Intelligence > Threat Events ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/threat-events).

## 2026-02-12

  
**Enhanced Logo Matching for Brand Protection**   

We have significantly upgraded our Logo Matching capabilities within Brand Protection. Logo matching was previously limited to approximately 100% matches; users can now detect a wider range of brand assets through a redesigned matching model and UI.

#### What's new

* **Configurable match thresholds**: Users can set a minimum match score (starting at 75%) when creating a logo query to capture subtle variations or high-quality impersonations.
* **Visual match scores**: See the exact percentage of the match directly in the results table, highlighted with color-coded lozenges to indicate severity.
* **Direct logo previews**: Available in the Cloudflare dashboard — similar to string matches — to verify infringements at a glance.

#### Key benefits

* **Expose sophisticated impersonators** who use slightly altered logos to bypass basic detection filters.
* **Triage the most relevant threats faster** using visual indicators, reducing the time spent manually reviewing matches.

Ready to protect your visual identity? Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/).

## 2026-02-03

  
**Threat actor identification with "also known as" aliases**   

Identifying threat actors can be challenging, because naming conventions often vary across the security industry. To simplify your research, **Cloudflare Threat Events** now include an **Also known as** field, providing a list of common aliases and industry-standard names for the groups we track.

This new field is available in both the Cloudflare dashboard and via the API. In the dashboard, you can view these aliases by expanding the event details side panel (under the **Attacker** field) or by adding it as a column in your configurable table view.

#### Key benefits

* Easily map Cloudflare-tracked actors to the naming conventions used by other vendors without manual cross-referencing.
* Quickly identify if a detected threat actor matches a group your team is already monitoring via other intelligence feeds.

For more information on how to access this data, refer to the [Threat Events API documentation ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/).

## 2026-01-14

  
**URL Scanner now supports PDF report downloads**   

We have expanded the reporting capabilities of the Cloudflare URL Scanner. In addition to existing JSON and HAR exports, users can now generate and download a **PDF report** directly from the Cloudflare dashboard. This update streamlines how security analysts can share findings with stakeholders who may not have access to the Cloudflare dashboard or specialized tools to parse JSON and HAR files.

**Key Benefits:**

* Consolidate scan results, including screenshots, security signatures, and metadata, into a single, portable document
* Easily share professional-grade summaries with non-technical stakeholders or legal teams for faster incident response

**What’s new:**

* **PDF Export Button:** A new download option is available in the URL Scanner results page within the Cloudflare dashboard
* **Unified Documentation:** Access all scan details—from high-level summaries to specific security flags—in one offline-friendly file

To get started with the URL Scanner and explore our reporting capabilities, visit the [URL Scanner API documentation ↗](https://developers.cloudflare.com/api/resources/url%5Fscanner/).

---

## 2026-01-12

  
**Cloudflare Threat Events now support STIX2 format**   

We are excited to announce that **Cloudflare Threat Events** now supports the **STIX2 (Structured Threat Information Expression)** format. This was a highly requested feature designed to streamline how security teams consume and act upon our threat intelligence.

By adopting this industry-standard format, you can now integrate Cloudflare's threat events data more effectively into your existing security ecosystem.

#### Key benefits

* Eliminate the need for custom parsers, as STIX2 allows for "out of the box" ingestion into major **Threat Intel Platforms (TIPs)**, **SIEMs**, and **SOAR** tools.
* STIX2 provides a standardized way to represent relationships between indicators, sightings, and threat actors, giving your analysts a clearer picture of the threat landscape.

For technical details on how to query events using this format, please refer to our [Threat Events API Documentation ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/methods/list/).
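The relationship model described above, as an added example (not Cloudflare's code and not output from the Threat Events API): a short Python walk over a constructed STIX 2.1 bundle that joins each indicator to the threat actors it indicates and to its sightings, and reports references that cannot be resolved. All identifiers, names and the pattern are constructed sample values.

```python
import json
from collections import defaultdict

# Constructed STIX 2.1 bundle, trimmed to the properties used here.
# Sample data only; not output captured from the Cloudflare API.
U = "00000000-0000-4000-8000-00000000000"
ACTOR, IND, MISSING = f"threat-actor--{U}a", f"indicator--{U}b", f"malware--{U}e"
BUNDLE = {"type": "bundle", "id": f"bundle--{U}1", "objects": [
    {"type": "threat-actor", "id": ACTOR, "name": "EXAMPLE-ACTOR",
     "aliases": ["Sample Alias"]},
    {"type": "indicator", "id": IND, "pattern_type": "stix",
     "pattern": "[domain-name:value = 'login.example.test']"},
    {"type": "relationship", "id": f"relationship--{U}c",
     "relationship_type": "indicates", "source_ref": IND, "target_ref": ACTOR},
    # Dangling reference: the target object is not shipped in this bundle.
    {"type": "relationship", "id": f"relationship--{U}d",
     "relationship_type": "indicates", "source_ref": IND, "target_ref": MISSING},
    {"type": "sighting", "id": f"sighting--{U}f", "sighting_of_ref": IND, "count": 3},
]}


def summarize(bundle):
    """Join each indicator to what it indicates and to its sightings."""
    objects = bundle.get("objects", [])
    by_id = {o["id"]: o for o in objects}
    targets, sightings = defaultdict(list), defaultdict(int)
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            targets[o["source_ref"]].append(o["target_ref"])
        elif o["type"] == "sighting":
            # "count" is optional in STIX; a sighting without it is counted once.
            sightings[o["sighting_of_ref"]] += o.get("count", 1)
    rows = []
    for ind in (o for o in objects if o["type"] == "indicator"):
        refs = targets[ind["id"]]
        found = [by_id[r] for r in refs if r in by_id]
        rows.append({
            "pattern": ind["pattern"],
            "actors": [t["name"] for t in found if t["type"] == "threat-actor"],
            "aliases": [a for t in found for a in t.get("aliases", [])],
            "unresolved": [r for r in refs if r not in by_id],
            "sightings": sightings[ind["id"]],
        })
    return rows


if __name__ == "__main__":
    print(json.dumps(summarize(BUNDLE), indent=2))
```

Tracking the `unresolved` list matters during ingestion: a relationship whose target is absent from the bundle should be logged rather than silently dropped.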

---

## 2025-11-21

  
**Threat insights are now available in the Threat Events platform**   

The threat events platform now has threat insights available for some relevant parent events. Threat intelligence analysts can use these insights in their threat hunting activity. In the Cloudflare dashboard, insights are highlighted by a small lightning icon. An insight can refer to multiple connected events that are potentially part of the same attack or campaign and associated with the same threat actor.

For more information, refer to [Analyze threat events](https://developers.cloudflare.com/security-center/cloudforce-one/#analyze-threat-events).

## 2025-10-31

  
**Report logo misuse to Cloudflare directly from the Brand Protection dashboard**   

The Brand Protection logo query dashboard now includes a **Report to Cloudflare** button that lets you submit an abuse report directly from the dashboard. Previously, you could report new domains that were impersonating your brand; now you can do the same for websites found to be using your logo without your permission. The abuse reports will be prefilled, and you will only need to validate a few fields before you click the submit button, after which our team processes your request.

Ready to start? Check out the [Brand Protection docs](https://developers.cloudflare.com/security-center/brand-protection/).

## 2025-10-27

  
**Cloudforce One RFI tokens are now visible in the dashboard**   

The Requests for Information (RFI) dashboard now shows users the number of tokens used by each submitted RFI, so they can better understand token usage and how it relates to each request submitted.

![Cloudforce One RFI tokens](https://developers.cloudflare.com/_astro/2025-10-24RFITokens.DPm1e8uC_2g3fE3.webp) 

What’s new:

* Users can now see the number of tokens used for a submitted request for information.
* Users can see the remaining tokens allocated to their account for the quarter.
* Users can only select the Routine priority for the `Strategic Threat Research` request type.

Cloudforce One subscribers can try it now in [Application Security > Threat Intelligence > Requests for Information ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/requests).

## 2025-10-17

  
**New Application Security reports (Closed Beta)**   

Cloudflare's new **Application Security report**, currently in Closed Beta, is now available in the dashboard.

[ Go to **Security reports** ](https://dash.cloudflare.com/?to=/:account/security-center/reports) 

The reports are generated monthly and provide cyber security insight trends for all of the Enterprise zones in your Cloudflare account.

The reports also include an industry benchmark, comparing your cyber security landscape to peers in your industry.

![Application Security report mock data](https://developers.cloudflare.com/_astro/2025-10-17-application-security-report-mock-data.Cz0-WuoX_15MbLt.webp) 

Learn more about the reports by referring to the [Security Reports documentation](https://developers.cloudflare.com/security-center/app-security-reports/).

Use the feedback survey link at the top of the page to help us improve the reports.

![Application Security report survey](https://developers.cloudflare.com/_astro/2025-10-17-report-feedback-survey.DPmUlWh2_Z1nYBN6.webp) 

## 2025-08-15

  
**Save time with bulk query creation in Brand Protection**   

[Brand Protection](https://developers.cloudflare.com/security-center/brand-protection/) detects domains that may be impersonating your brand — from common misspellings (`cloudfalre.com`) to malicious concatenations (`cloudflare-okta.com`). Saved search queries run continuously and alert you when suspicious domains appear.

You can now create and save multiple queries in a single step, streamlining setup and management. Available now via the [Brand Protection bulk query creation API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/subresources/queries/methods/bulk/).
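The two lookalike patterns named above (misspellings and concatenations), as an added detection sketch in Python. This is not Cloudflare's matching logic: the function names, the distance threshold and the `.example` domains are assumptions constructed for illustration, and each input is assumed to be a registrable domain with no subdomains.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap such as "al" for "la" counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, brand, max_distance=1):
    """Classify one registrable domain against a brand string, or return None."""
    label = domain.lower().rstrip(".").split(".")[0]
    if label == brand:
        return "exact"
    if brand in label:
        return "concatenation"
    # Hyphen-separated tokens catch a misspelled brand joined to another word.
    tokens = [t for t in label.split("-") if t]
    if any(osa_distance(t, brand) <= max_distance for t in tokens):
        return "misspelling" if len(tokens) == 1 else "misspelled-concatenation"
    return None


# The first two domains are the page's own examples; the rest are constructed.
SAMPLE = ["cloudfalre.com", "cloudflare-okta.com", "cl0udflare.example",
          "cloudfalre-login.example", "unrelated.example"]


def triage(domains, brand):
    """Return {domain: classification} for domains that resemble the brand."""
    hits = ((d, classify(d, brand)) for d in domains)
    return {d: c for d, c in hits if c}


if __name__ == "__main__":
    for domain, kind in triage(SAMPLE, "cloudflare").items():
        print(f"{domain}: {kind}")
```

A fixed threshold of one edit suits a ten-character brand; for short brand strings the same threshold matches many unrelated names, so scale it to the brand's length.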

## 2025-07-18

  
**New APIs for Brand Protection setup**   

The Brand Protection API is now available, allowing users to create new queries and delete existing ones, fetch matches and more!

What you can do:

* **create new string or logo query**
* **delete string or logo queries**
* **download matches for both logo and string queries**
* **read matches for both logo and string queries**

Ready to start? Check out the [Brand Protection API](https://developers.cloudflare.com/api/resources/brand%5Fprotection/) in our documentation.

## 2025-05-08

  
**URL Scanner now supports geo-specific scanning**   

Enterprise customers can now choose the geographic location from which a URL scan is performed — either via [Security Center](https://developers.cloudflare.com/security-center/investigate/) in the Cloudflare dashboard or via the [URL Scanner API](https://developers.cloudflare.com/api/resources/url%5Fscanner/subresources/scans/methods/create/).

This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats.

**What’s new:**

* Location Picker: Select a location for the scan via **Security Center → Investigate** in the dashboard or through the API.
* Region-aware scanning: Understand how content changes by location — useful for detecting regionally tailored attacks.
* Default behavior: If no location is set, scans default to the user’s current geographic region.

Learn more in the [Security Center documentation](https://developers.cloudflare.com/security-center/).

## 2025-02-03

* Security Center now has a role called Brand Protection. This role gives you access to the Brand Protection feature on the API and Cloudflare dashboard. The Brand Protection role also gives you access to the Investigate platform, where you can use the Threat Intel API and URL Scanner API.

## 2025-01-20

* On the URL scanner, customers who search for a report will now get a list of all reports related to that specific hostname. A hash is also available in the security report. By selecting the hash, the dashboard will list reports containing the same hash.

## 2024-09-23

* Customers can now export all matches from a saved query. Select your **Query name** \> select the three dots > **Export matches**.

## 2024-09-19

* Customers can now create a `security.txt` file to provide the security research team with a standardized way to report vulnerabilities.

## 2024-07-22

* Customers can now archive multiple Security Insights at the same time. Go to **Security Center** \> **Security Insights** and select the insights to archive.

