User Risk Scoring Now Live

Cloudflare has launched User Risk Scores as a native component of its SASE platform, moving security from static identity verification to continuous behavioral analysis. Instead of checking only who a user is and device health at login, teams can now evaluate how users have been behaving and adjust access in real time.

How Risk Scoring Works

The system calculates risk scores through a deterministic four-step process:

• Selection: Administrators enable specific risk behaviors (impossible travel, multiple failed logins, DLP violations, malware detection, etc.)
• Aggregation: The engine collects all risk events associated with each user
• Scoring: Users receive a risk level (low, medium, or high) based on the highest-severity enabled behavior triggered
• Reset: Admins can manually clear incidents while preserving history

Cloudflare's risk engine ingests telemetry from Access (login patterns, geography) and Gateway (malware, risky categories, DLP triggers), plus third-party signals from partners like CrowdStrike and SentinelOne.

Adaptive Access Policies

The new User Risk Score selector in Access policies enables automatic enforcement without manual intervention. Security teams can now create rules such as:

• "High-risk users cannot access the Finance Portal"
• "Medium-risk users must authenticate with a physical security key"
• Automatic session revocation when risk scores increase mid-session

Access is automatically restored when risk scores drop after investigation.

Integration & Workflow

Cloudflare can share risk signals back to Okta and other identity providers via the Shared Signals Framework, ensuring flagged users face restrictions at both the network and SSO layers. The system is available today for existing Cloudflare One customers, with a free tier supporting up to 50 users.