Cloudflare introduces Attack Signature Detection to eliminate WAF log vs. block trade-off
Cloudflare · feature · security · api · blog.cloudflare.com

Always-On Detection Framework

Cloudflare is introducing Attack Signature Detection, a new approach to Web Application Firewall (WAF) security that eliminates the traditional trade-off between logging and blocking. Traditional WAFs require extensive manual tuning before safely blocking traffic, forcing teams to choose between visibility (log mode) or protection (block mode). When a rule blocks a request, evaluation stops, losing valuable insight into how other signatures would have assessed it.

The new detection framework separates detection from mitigation entirely. Attack Signature Detection runs continuously on all traffic, with results immediately visible in Security Analytics. This means you get complete visibility into every signature match and detection metadata without sacrificing protection or performance. For requests where no blocking rule exists, the detection runs asynchronously after the request reaches the origin server, introducing zero additional latency.

Detection Capabilities and Classification

Attack Signature Detection provides the same coverage as Cloudflare's existing Managed Rules (700+ active rules covering SQL injection, XSS, RCE, and CVE-specific payloads) but operates within the new always-on framework. Each signature is identified by a Ref ID and tagged with:

  • Category: The attack vector targeted (SQLi, XSS, RCE, specific CVE)
  • Confidence level: Either "High" (low false positive risk, like Managed Ruleset defaults) or "Medium" (may cause false positives, disabled by default)

Detection results populate three accessible fields in Security Analytics and Edge Rules Engine:

  • cf.waf.signature.request.confidence: Array of confidence scores for matched signatures
  • cf.waf.signature.request.categories: Array of attack categories detected
  • cf.waf.signature.request.ref: Array of Ref IDs (up to 10) for matched signatures
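As an added example (not Cloudflare's code), the following Python shows how a team might aggregate the three fields above from exported Security Analytics records into a draft mitigation plan, which is the onboarding flow the page describes. The record shape, the index alignment of the three arrays, the "High"/"Medium" confidence strings and the Ref ID values are assumptions or placeholders, not taken from the page.

```python
from collections import defaultdict

# Field names are the ones named on the page; everything else below is constructed.
REF = "cf.waf.signature.request.ref"
CAT = "cf.waf.signature.request.categories"
CONF = "cf.waf.signature.request.confidence"

# Constructed Security Analytics-style records. Assumption (not stated on the page):
# the three arrays are index-aligned, one entry per matched signature, and the
# confidence values are the strings "High"/"Medium". Ref IDs are placeholders.
SAMPLE_RECORDS = [
    {"uri": "/search?q=a", REF: ["REF-PLACEHOLDER-A"], CAT: ["SQLi"], CONF: ["High"]},
    {"uri": "/search?q=b", REF: ["REF-PLACEHOLDER-A", "REF-PLACEHOLDER-C"],
     CAT: ["SQLi", "XSS"], CONF: ["High", "Medium"]},
    {"uri": "/api/items", REF: ["REF-PLACEHOLDER-B"], CAT: ["RCE"], CONF: ["High"]},
    {"uri": "/health", REF: [], CAT: [], CONF: []},  # clean request, no match
]

def summarize_signatures(records):
    """Aggregate per Ref ID: hit count, categories, confidence levels and URIs seen."""
    summary = defaultdict(lambda: {"hits": 0, "categories": set(),
                                   "confidence": set(), "uris": set()})
    for rec in records:
        refs, cats, confs = rec.get(REF, []), rec.get(CAT, []), rec.get(CONF, [])
        # zip stops at the shortest array, so a malformed record cannot raise here
        for ref, cat, conf in zip(refs, cats, confs):
            entry = summary[ref]
            entry["hits"] += 1
            entry["categories"].add(cat)
            entry["confidence"].add(conf)
            entry["uris"].add(rec.get("uri", ""))
    return dict(summary)

def propose_mitigations(summary, min_hits=2):
    """Draft a policy from observed hits without blocking anything yet:
    block   - High-confidence signature seen at least min_hits times
    observe - High-confidence but too few hits to justify a rule yet
    review  - any Medium-confidence match (off by default; may false-positive)
    """
    plan = {}
    for ref, entry in summary.items():
        if "Medium" in entry["confidence"]:
            plan[ref] = "review"
        elif entry["hits"] >= min_hits:
            plan[ref] = "block"
        else:
            plan[ref] = "observe"
    return plan
```

Running `propose_mitigations(summarize_signatures(SAMPLE_RECORDS))` on the constructed data marks the repeated High-confidence SQLi signature for blocking, leaves the single RCE hit under observation and queues the Medium-confidence XSS match for review.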

Full-Transaction Detection Coming Soon

Beyond request-only analysis, Cloudflare is developing Full-Transaction Detection, which analyzes both the HTTP request and response together. By correlating the full transaction context, this approach dramatically reduces false positives and uncovers threats request-only engines miss, including reflective SQL injection, subtle data exfiltration patterns, and dangerous misconfigurations that only reveal themselves in responses.

Getting Started

Attack Signature Detection is available now in Early Access. Interested users can sign up here. Full-Transaction Detection is under development, with registration available here for early access when ready. Always-on detection enables simpler onboarding: traffic is analyzed automatically, data accumulates, and teams can build precise mitigation policies based on actual traffic patterns, significantly reducing false positive risk.