Cloudflare launches redesigned Threat Intelligence Platform with edge-native GraphQL queries and ETL-less architecture
Cloudflare Workers · Cloudflare · feature · platform · api · performance · blog.cloudflare.com

Cloudflare Threat Intelligence Platform Redesign

Cloudflare has announced a major evolution of its Threat Intelligence Platform, designed to solve the industry's "data gravity" problem—where security teams are overwhelmed with telemetry but starved for actionable insights. The redesigned platform eliminates the need for complex Extract, Transform, Load (ETL) pipelines by using a sharded SQLite-backed architecture distributed across thousands of logical shards.

Key Architectural Improvements

Edge-native design: The platform runs GraphQL queries directly on the edge using Cloudflare Workers, enabling sub-second latency even when aggregating millions of threat events across global datasets. Rather than centralizing data in a single massive database, the sharded architecture distributes Threat Events across thousands of logical shards for optimal performance.

Real-time intelligence synthesis: The GraphQL endpoint is built directly into the Worker handling the Threat Events platform, ensuring data is always live with no ingestion-to-availability delays. As the Workers runtime evolves, the TIP automatically inherits optimizations like Smart Placement (which co-locates query Workers near Durable Objects) and Hyperdrive support for higher-performance connection pooling at the edge.

Complementary to SIEM, Not Replacement

The TIP acts as a dedicated intelligence layer that complements traditional SIEM systems. While SIEMs focus on real-time log aggregation and immediate alerting, the TIP provides long-term, structured storage for Threat Events with the specialized schema needed for deep adversary tracking, actor correlation, and historical context enrichment.

Integration with Managed Defense

The Threat Intelligence Platform operates in a symbiotic loop with Cloudflare Managed Defense, creating a powerful force multiplier:

  • Immediate enrichment: SOC analysts see alerts with instant historical context—actor associations, campaign roles, risk scores, and indicators of compromise (IOCs)—eliminating manual research
  • Continuous feedback: Intel analysts' findings feed new IOCs back into the TIP, enriching the platform for all users and enhancing automated defenses
  • Proactive posture: This continuous loop shifts security teams from reactive to proactive threat response

Developer-First Foundation

Built on Cloudflare Workers infrastructure, the platform enables rapid innovation and scaling while maintaining sub-second query performance across millions of events. The ecosystem unifies global telemetry with manual investigations to create a single source of truth for threat intelligence.