Cloudflare Puts Threat Feeds Inside the WAF

The funniest security control in the room is still the spreadsheet full of IP addresses. It gets exported from one dashboard, pasted into another tool, argued over in a ticket, approved after lunch, and finally deployed right around the time the attacker has wandered off to a different host.

Cloudflare is trying to make that little ritual look old. On June 8, the company announced that its WAF can now use live threat-intelligence fields from Cloudforce One directly in rule expressions. The new family of fields sits under cf.intel.ip, which means a rule can ask questions such as: is this source tied to a known actor, has it been seen targeting banking, did it show up in a DDoS dataset, or is it associated with a particular attacker country?

The useful part is not that Cloudflare has another threat feed. The useful part is that the feed is becoming executable at the edge.

The New WAF Ingredient

Cloudflare says the WAF now enriches requests early with threat context, then exposes that context as normal fields in the rules engine. Security teams can build custom WAF rules, rate-limiting rules, API-driven rules, or Terraform-managed rules around those fields instead of maintaining separate blocklists.

The field names are very literal, which is a gift to anyone who has ever decoded a security product setting at 2 a.m. The first batch includes:

• cf.intel.ip.attacker_names, for named threat groups tied to an IP.
• cf.intel.ip.target_industries, for industries that IP has been observed targeting.
• cf.intel.ip.attacker_countries, for the source country of a threat event.
• cf.intel.ip.target_countries, for countries seen as targets.
• cf.intel.ip.datasets, for the feed category, such as DDoS or WAF activity.

Because an IP can belong to more than one bucket, the fields behave like arrays. That pushes rules toward expressions that test any matching value rather than assuming one neat label per source. A simplified version looks like this:

any(cf.intel.ip.target_industries[*] == "Banking & Financial Services")
and any(cf.intel.ip.attacker_names[*] == "BLACKBASTA")

That is where the feature gets interesting. A WAF rule no longer has to say only, block this IP. It can say, block this kind of actor when the actor is behaving around this kind of target. The difference sounds small until you are running a fleet of applications where crude blocking creates noise, exemptions, and the slow paperwork smell of security theater.

Less Clipboard, More Circuit Breaker

Cloudflare frames this as a bridge between Threat Events, Security Analytics, Saved Views, and the WAF. Analysts can inspect trends, save filters such as IPs seen attacking financial services in the past week, and turn that view into a WAF rule. For teams that live in infrastructure-as-code, the same fields are available through the API and Terraform-supported rule builder paths.

That matters because threat intelligence often dies in the last mile. A report may be good. A dashboard may be accurate. A list may be current. None of that matters if the only operational path is copy, paste, pray, forget to delete.

Putting the intelligence in the request pipeline changes the shape of the workflow. A SOC can validate a pattern in analytics, ship a narrow rule, log matches, and tune the rule without pretending a static IOC list is a living defense system. The WAF becomes less like a wall with sticky notes on it and more like a gate that knows why it is suspicious.

The Performance Claim Is the Whole Trick

Threat context at the edge is only useful if it does not turn every page load into a tiny committee meeting. Cloudflare says the datasets are compressed and distributed to its data centers, where the WAF performs constant-time local lookups against them. The company describes the latency cost as effectively zero, measured in microseconds.

That design claim is important. If every request had to phone home to a central threat-intel service, the feature would be dead on arrival for serious traffic. Local lookup makes the security decision feel like part of the edge dataplane, not a bolt-on oracle with a networking bill.

There is also a technical humility baked into the first release. Cloudflare says the current version focuses on IP-based matching, with future plans around JA3 fingerprints and domain-based matching. Good. IP reputation is useful, but attackers rotate infrastructure because it works. Fingerprints and payload-linked destinations would move the rules closer to attacker tooling rather than attacker parking spots.

What This Changes For Operators

For small teams, the immediate win is fewer brittle lists. For larger teams, the win is policy that can travel. A central security group can describe high-risk traffic in rule language, push it through Terraform, and let application owners monitor matches in Security Analytics before block mode gets spicy.

There are caveats. This is tied to Cloudforce One subscription tiers, so it is not a free universal WAF upgrade. Threat labels still need scrutiny. A rule that blocks because an IP has touched a risky industry may be smart in one environment and chaos in another. Context is power, but context without scoping is how you block a customer and invent a meeting.

The good news is that the feature encourages narrower rules. Instead of blocking a country, an ASN, or a giant third-party list, teams can combine fields:

• Target industry plus actor name for high-confidence finance attacks.
• Target country plus DDoS dataset for regional volumetric pressure.
• Actor country plus path or host rules for exposed admin surfaces.
• Threat-event matches in log mode before flipping a block action.

That last point is the adult move. The fun demo is a red block button. The useful production habit is log first, inspect matches, then choose where the block earns its rent.

The Takeaway

Cloudflare's WAF threat-intel fields are a small-looking product change with a sharp operational point: fresh security intelligence should not have to become a stale artifact before it can protect anything.

If the feature works as advertised, the best version is boring in exactly the right way. A threat campaign appears, the edge learns the relevant shape, operators see the matches, Terraform carries the rule, and the WAF acts without someone lovingly tending an IP spreadsheet like a doomed houseplant.

This is what mature security automation should feel like. Not autonomous wizardry. Not a dashboard confetti cannon. Just better context, closer to the request, with enough control that humans can still decide when the gate actually closes.

Sources

• Cloudflare: Turning Cloudflare's threat indicators into real-time WAF rules
• Cloudflare Docs: WAF custom rules
• Cloudflare Docs: Ruleset Engine fields reference
• Cloudflare Docs: Managed Lists