User Risk Scoring Now Available in Cloudflare One
Cloudflare has introduced User Risk Scoring to its SASE platform, enabling security teams to move beyond static identity verification to dynamic, behavior-based access control. Instead of asking only "Who is this user?" and "Is their device healthy?", administrators can now incorporate "How has this user been behaving lately?" into their zero trust network access (ZTNA) policies.
How Risk Scores Are Calculated
The risk engine continuously evaluates telemetry from across the Cloudflare One platform:
- Internal signals from Cloudflare Access (login attempts, geographic context) and Cloudflare Gateway (malware detections, risky browsing, DLP triggers)
- Third-party integrations with security partners like CrowdStrike and SentinelOne to ingest external device posture and threat data
The calculation follows a deterministic process: administrators select which risk behaviors to enable, the engine aggregates all risk events for a user, and scores are determined by the highest triggered risk level (low, medium, or high) during the period. Manual incident clearance resets scores while preserving history.
Adaptive Access Policies
Security teams can now build Adaptive Access policies using the new User Risk Score selector. Examples include:
- Blocking high-risk users from accessing sensitive applications like Finance Portal
- Requiring physical security key authentication for medium-risk users
- Automatically revoking access mid-session when risk scores increase
Access is automatically restored when risk scores drop after investigation and clearance.
Integration with Existing Security Tools
The system integrates with existing identity infrastructure, including Okta via the Shared Signals Framework (OpenID specification). Risk signals detected by Cloudflare One can be shared back to Okta SSO, ensuring coordinated threat response across authentication layers.
The feature is available now for Cloudflare customers and accessible free for up to 50 users.