Cloudflare launches Always-On Attack Signature Detection to reduce WAF false positives
Cloudflare · feature · security · api · blog.cloudflare.com

The Problem: The Log-versus-Block Trade-off

Traditional Web Application Firewalls force security teams into a difficult choice: operate in logging-only mode for visibility, or enable blocking mode for protection. When a WAF rule blocks a request, evaluation stops immediately, so there is no visibility into how the other signatures would have assessed that request. Tuning rules against logged traffic is therefore a manual, slow process that must be completed before rules can safely move to blocking mode, leaving organizations either under-protected or struggling with false positives.

Attack Signature Detection Framework

Cloudflare's new Attack Signature Detection solves this by introducing an "always-on" detection system that separates detection from mitigation. Traffic flowing through Cloudflare is continuously analyzed against all detection signatures, and rich metadata about triggered detections is immediately visible in Security Analytics without requiring blocking actions.

Key capabilities include:

  • Continuous visibility: Every request is inspected for malicious payloads before any action is taken
  • No performance impact: By default, detections run asynchronously after the request has already been forwarded to the origin server, so they add no latency
  • Structured metadata: Three new fields track signature matches—cf.waf.signature.request.confidence, cf.waf.signature.request.categories, and cf.waf.signature.request.ref—enabling custom policy creation
  • Confidence scoring: Each signature is tagged with confidence levels (High/Medium) to help teams assess false positive risk

The system covers over 700 signatures for common attack vectors including SQL injection, cross-site scripting (XSS), remote code execution (RCE), and specific CVE patterns, with new rules released weekly by Cloudflare's analyst team.
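To make the detect-then-decide split concrete, here is a small Python model added for illustration; it is not Cloudflare's code, and the signature refs, category names, regex patterns and the sample query string are constructed assumptions. It contrasts a traditional first-match-wins blocker with an always-on detector that evaluates every signature and returns the three metadata fields the post names, on which a separate policy then acts.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative signatures: refs, categories and patterns are
# assumptions for this example, not Cloudflare's managed rule set.
@dataclass(frozen=True)
class Signature:
    ref: str
    category: str
    confidence: str  # "high" or "medium", as the post describes
    pattern: re.Pattern

SIGNATURES = [
    Signature("sig-sqli-001", "sqli", "high", re.compile(r"union\s+(all\s+)?select", re.I)),
    Signature("sig-sqli-002", "sqli", "medium", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    Signature("sig-xss-001", "xss", "high", re.compile(r"<script\b", re.I)),
    Signature("sig-rce-001", "rce", "medium", re.compile(r";\s*(cat|id|whoami)\b", re.I)),
]

def blocking_waf(payload: str):
    # Traditional blocking mode: evaluation stops at the first matching rule,
    # so the only thing learned about the request is the ref that blocked it.
    for sig in SIGNATURES:
        if sig.pattern.search(payload):
            return sig.ref
    return None

def detect_all(payload: str) -> dict:
    # Always-on detection: every signature is evaluated and the result is
    # exposed as metadata (confidence, categories, ref) rather than an action.
    hits = [s for s in SIGNATURES if s.pattern.search(payload)]
    rank = {"high": 2, "medium": 1}
    return {
        "confidence": max((s.confidence for s in hits), key=rank.get, default=None),
        "categories": sorted({s.category for s in hits}),
        "ref": [s.ref for s in hits],
    }

def policy(meta: dict) -> str:
    # Mitigation is decided separately from detection. This constructed policy
    # blocks only high-confidence SQLi/RCE and logs any other detection.
    if meta["confidence"] == "high" and ({"sqli", "rce"} & set(meta["categories"])):
        return "block"
    return "log" if meta["ref"] else "allow"

# Constructed sample query string carrying one SQLi and one XSS probe.
SAMPLE = "id=1 UNION SELECT name FROM users&msg=<script>hi</script>"

if __name__ == "__main__":
    print("blocking mode saw only:", blocking_waf(SAMPLE))
    print("always-on saw:", detect_all(SAMPLE), "->", policy(detect_all(SAMPLE)))
```

Run on SAMPLE, the blocking path reports only the first SQLi ref, while the always-on path also surfaces the XSS match, which is the visibility the post says tuning teams lose under first-match blocking.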

Full-Transaction Detection Coming

Cloudflare is extending this capability further with Full-Transaction Detection, currently in development. Unlike request-only analysis, this feature correlates the entire HTTP transaction—both request and response—to dramatically reduce false positives and detect sophisticated threats that traditional engines miss, such as reflective SQL injection, data exfiltration patterns, and dangerous misconfigurations that only surface in application responses.

Getting Started

Attack Signature Detection is available now in Early Access. Organizations can sign up here to participate, while those interested in Full-Transaction Detection can register here to be notified when it launches.