Architecture Overview
Cloudflare has redesigned its Threat Intelligence Platform (TIP) to move from a centralized database to a distributed, edge-native model. Instead of feeding a central store through Extract-Transform-Load (ETL) pipelines, the platform keeps threat events in many SQLite-backed shards and serves them through GraphQL endpoints running directly on Cloudflare Workers. Removing the central database and the ETL stage eliminates the usual bottlenecks and enables sub-second query latency even when a query aggregates millions of threat events across global datasets.
Key Technical Innovations
The platform leverages several Cloudflare technologies to achieve performance at scale:
- GraphQL on the edge: Queries execute directly on Workers without backhauling to centralized datacenters, so results reflect live data with no ETL-induced delay between ingestion and availability
- Intelligent routing: Smart Placement automatically positions query-handling Workers near Durable Objects to minimize tail latency
- Connection pooling: Hyperdrive enables high-performance database connection pooling at the edge rather than in a single datacenter
- Distributed sharding: Threat events are spread across thousands of logical shards, each with its own SQLite store, rather than held in one massive database
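The sharding model above raises two practical questions: how an event is routed to a shard, and how a query that spans shards is answered. The following is an added illustration, not code from Cloudflare or the TIP, and it makes assumptions the page does not state: a shard count of 4096, FNV-1a as the hash, the indicator value as the shard key, and a `events-shard-N` naming convention standing in for per-shard Durable Object names. It runs in plain Node.js with no Workers APIs.

```javascript
// Added example (not Cloudflare's code): deterministic shard routing for
// threat events plus a scatter/gather aggregation across logical shards.
// Assumed: SHARD_COUNT, the hash function, the event shape and the shard
// naming scheme are all illustrative choices, not the platform's own.

const SHARD_COUNT = 4096; // assumed; the page only says "thousands of logical shards"

// 32-bit FNV-1a. A stable hash matters: every Worker instance, in every
// datacenter, must map the same indicator to the same shard.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Shard key = normalized indicator (IP, domain, hash). Co-locating all events
// for one indicator means "show me the history of X" touches a single shard.
// Case folding is deliberate: "EXAMPLE.INVALID" and "example.invalid" must
// not end up on different shards.
function shardFor(indicator) {
  return fnv1a32(indicator.toLowerCase()) % SHARD_COUNT;
}

// Assumed naming convention for the per-shard storage object.
function shardObjectName(indicator) {
  return `events-shard-${shardFor(indicator)}`;
}

// In-memory stand-in for per-shard SQLite storage: Map<shardId, Event[]>.
function buildIndex(events) {
  const shards = new Map();
  for (const ev of events) {
    const id = shardFor(ev.indicator);
    if (!shards.has(id)) shards.set(id, []);
    shards.get(id).push(ev);
  }
  return shards;
}

// Point query: exactly one shard is consulted.
function eventsForIndicator(shards, indicator) {
  const key = indicator.toLowerCase();
  const bucket = shards.get(shardFor(indicator)) || [];
  return bucket.filter((e) => e.indicator.toLowerCase() === key);
}

// Aggregate query: fan out to every shard, each returns a partial count,
// then merge. This is the scatter/gather shape a GraphQL resolver takes
// when the answer spans all shards instead of one.
function countBySeverity(shards) {
  const partials = [...shards.values()].map((bucket) => {
    const acc = {};
    for (const e of bucket) acc[e.severity] = (acc[e.severity] || 0) + 1;
    return acc;
  });
  return partials.reduce((merged, part) => {
    for (const [sev, n] of Object.entries(part)) merged[sev] = (merged[sev] || 0) + n;
    return merged;
  }, {});
}

// Constructed sample events (documentation-range addresses, not real threat data).
const SAMPLE_EVENTS = [
  { ts: "2024-01-01T00:00:00Z", indicator: "203.0.113.7", type: "ip", severity: "high" },
  { ts: "2024-01-01T00:05:00Z", indicator: "203.0.113.7", type: "ip", severity: "high" },
  { ts: "2024-01-01T01:00:00Z", indicator: "example.invalid", type: "domain", severity: "medium" },
  { ts: "2024-01-02T00:00:00Z", indicator: "EXAMPLE.INVALID", type: "domain", severity: "low" },
  { ts: "2024-01-03T00:00:00Z", indicator: "198.51.100.42", type: "ip", severity: "low" },
];

const index = buildIndex(SAMPLE_EVENTS);
console.log(shardObjectName("203.0.113.7"), eventsForIndicator(index, "203.0.113.7").length);
console.log(countBySeverity(index));
```

The point worth noticing is the asymmetry: an indicator lookup is a single-shard read, while a global aggregation is a fan-out whose latency is bounded by the slowest shard, which is where placing the query-handling Worker close to the shard storage (the tail-latency concern the list mentions) pays off.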
Use Cases and Integration
The TIP complements rather than replaces traditional SIEMs by providing dedicated long-term storage and structured intelligence for threat investigation. Security operations teams get enriched context for any alert, including historical actor patterns, campaign associations, and risk scores. The platform also creates a feedback loop: SOC findings generate new indicators of compromise (IOCs) that are fed back into the platform, continuously improving defenses for all users.
Security teams can now:
- Correlate threat actors to malware and link cases to indicators in a unified ecosystem
- Visualize and automate threat response in real time through a command center interface
- Query millions of events instantly across global datasets without traditional database latency
- Shift from reactive to proactive defense by preemptively blocking threats across the Cloudflare network
Evolution from Internal Tools
What began as an internal Cloudforce One project in 2022 has evolved into a cloud-first, agentic-capable platform accessible to Cloudflare users. The motivation stems from core threat intelligence principles: relevance, accuracy, and actionability. By building on Cloudflare Workers as its developer stack, the platform can iterate quickly and automatically inherits performance improvements as the Workers runtime evolves.