
Cloudflare has unveiled a threat events platform for Cloudforce One customers, aimed at a persistent problem in threat intelligence: putting raw indicators into context so that an analyst knows why they matter.

The platform gives security practitioners actionable data by pairing indicators of compromise (IoCs), such as IP addresses, ASNs, domains, URLs, and file hashes, with context explaining why each indicator is considered a threat.

The platform draws on Cloudflare’s global network, which handles an average of 71 million HTTP requests and 44 million DNS queries per second.


That traffic volume gives the platform broad, near real-time visibility into attack activity across the internet.

“The sheer volume of threat activity observed across Cloudflare’s network would overwhelm any system or SOC analyst,” explained Cloudflare in their announcement. 

Instead, the platform curates that activity into a stream of events, each pairing IoCs with contextual information, so the data can be acted on directly.

Technical Architecture and Implementation

Cloudflare built the threat events platform on its own Developer Platform: Cloudflare Workers handle the processing, and SQLite-backed Durable Objects store the event data.

Cloudflare presents this as an advantage over a conventional database deployment; one practical consequence of the Durable Objects model is that event state lives alongside the Workers code that processes it rather than in a separate database tier.

The platform maps each event to MITRE ATT&CK techniques and cyber kill chain stages, so security teams get a standardized description of the attack methodology rather than a bare indicator.

Cloudforce One customers can access threat events through the Cloudflare Dashboard in the Security Center or via a dedicated API. 

The platform includes an Attacker Timelapse view for strategic analysis and a detailed events table for tactical investigation.

Events Table

A recent practical application involved the Black Basta ransomware group, whose leaked internal chats revealed details of its infrastructure.

The platform incorporated this intelligence, so analysts can filter events by the “BlackBasta” attacker attribute to retrieve verified IP addresses, domains, and file hashes associated with the group, as shown below.

Filter events
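As an added example (not Cloudflare’s code, and not the real response shape of the Cloudforce One API), the following Python shows what an analyst typically does with such a feed once it has been exported: filter events by the attacker attribute, refang and validate each indicator by type, drop non-routable addresses and malformed hashes, deduplicate, and summarize events per kill chain stage. The field names (attacker, indicatorType, indicator, attackTechnique, killChainStage) and the sample events are constructed for illustration and carry no attribution claim.

```python
"""Turn a curated threat-event feed into validated, deduplicated IoC lists.

Added example; not Cloudflare's code. The event schema (attacker,
indicatorType, indicator, attackTechnique, killChainStage) is an assumption
for illustration, not the documented Cloudforce One API shape.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample events. IPs are from the RFC 5737 documentation range or
# RFC 1918 space; the hash is obviously fake. Nothing here is a real observation.
SAMPLE_EVENTS = [
    {"attacker": "BlackBasta", "indicatorType": "ipv4", "indicator": "203.0.113[.]45",
     "attackTechnique": "T1071.001", "killChainStage": "Command and Control"},
    {"attacker": "BlackBasta", "indicatorType": "domain", "indicator": "update-check[.]example",
     "attackTechnique": "T1071.001", "killChainStage": "Command and Control"},
    {"attacker": "BlackBasta", "indicatorType": "sha256", "indicator": "a" * 64,
     "attackTechnique": "T1486", "killChainStage": "Actions on Objectives"},
    # Same IP as the first event, seen again in a different stage: must dedupe.
    {"attacker": "blackbasta", "indicatorType": "ipv4", "indicator": "203.0.113.45",
     "attackTechnique": "T1566.001", "killChainStage": "Delivery"},
    # Private address: must never land in an edge blocklist derived from the feed.
    {"attacker": "BlackBasta", "indicatorType": "ipv4", "indicator": "10.0.0.7",
     "attackTechnique": "T1021.002", "killChainStage": "Lateral Movement"},
    # Malformed hash: type says sha256 but the value is not 64 hex characters.
    {"attacker": "BlackBasta", "indicatorType": "sha256", "indicator": "deadbeef",
     "attackTechnique": "T1486", "killChainStage": "Actions on Objectives"},
    # Different actor: must be excluded by the attacker filter.
    {"attacker": "OtherActor", "indicatorType": "domain", "indicator": "cdn.example.net",
     "attackTechnique": "T1071.001", "killChainStage": "Command and Control"},
]

# Ranges that must not be blocked at the edge. The RFC 5737 documentation ranges
# are deliberately left routable here so the constructed sample passes; a
# production list would add 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(indicator: str) -> str:
    """Undo common defanging ([.] and hxxp) so the value can be validated."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def validate(indicator_type: str, value: str):
    """Return a normalized indicator, or None if it fails the type's sanity check."""
    if indicator_type == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return None
        if any(ip in net for net in NON_ROUTABLE):
            return None
        return str(ip)
    if indicator_type == "domain":
        return value if _DOMAIN.match(value) else None
    if indicator_type == "sha256":
        return value if _SHA256.match(value) else None
    return None  # unknown type: drop rather than guess


def filter_by_attacker(events, attacker):
    """Case-insensitive match on the attacker attribute."""
    wanted = attacker.lower()
    return [e for e in events if e.get("attacker", "").lower() == wanted]


def extract_iocs(events):
    """Group validated, deduplicated indicators by type; values are sorted lists."""
    by_type = defaultdict(set)
    for e in events:
        cleaned = validate(e["indicatorType"], refang(e["indicator"]))
        if cleaned is not None:
            by_type[e["indicatorType"]].add(cleaned)
    return {t: sorted(v) for t, v in by_type.items()}


def stage_summary(events):
    """Per kill chain stage: (event count, sorted ATT&CK techniques seen)."""
    counts = Counter(e["killChainStage"] for e in events)
    techniques = defaultdict(set)
    for e in events:
        techniques[e["killChainStage"]].add(e["attackTechnique"])
    return {stage: (counts[stage], sorted(techniques[stage])) for stage in counts}


if __name__ == "__main__":
    actor_events = filter_by_attacker(SAMPLE_EVENTS, "BlackBasta")
    for kind, values in extract_iocs(actor_events).items():
        print(kind, values)
    for stage, (n, ttps) in stage_summary(actor_events).items():
        print(f"{stage}: {n} event(s), techniques {ttps}")
```

The validation step is the part worth keeping when wiring a feed into a blocklist or SIEM: a feed that is correct about an actor can still carry a typo in a hash or an internal address observed during lateral movement, and neither belongs in an edge rule.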

According to Cloudflare, the platform has already drawn strong feedback from practitioners.

Cloudflare reports that a Fortune 20 threat intelligence team ranked it as their #1 threat intelligence source after comparing it against 110 other sources, describing it as “very much a unicorn” in the threat intelligence space.

Cloudflare plans to expand the platform’s capabilities with enhanced visualizations, including attacker timelines, campaign overviews, and attack graphs.

Integration with existing SIEM platforms and cross-system indicator sharing functionalities are also on the roadmap.

By pairing indicators with context rather than shipping them in isolation, Cloudflare’s Cloudforce One threat events platform gives security teams more to work with when triaging and responding to emerging threats.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents across cyberspace.