Field notes from the edge.
What our engineers learned this week. Hands-on technical deep-dives, postmortems, and strategy frameworks.
Build your own vulnerability harness
A few weeks ago, we published our initial findings from Project Glasswing , looking at what happens when you point frontier security models at an enterprise codebase. We also explored how our defensive structures adapt to protect our infrastructure and customers from threats posed by frontier AI . Since then, the AI ecosystem has continued to shift rapidly — developers who've b
Celebrating 12 years of Project Galileo
Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, Project Galileo provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 count
AIBringing more agent harnesses and frameworks to Cloudflare, starting with Flue
Cloudflare is launching its Agents SDK as a foundational platform layer for production-grade AI agents, addressing distributed systems challenges like durable execution, state management, and secure code execution. The company introduces Flue, an open-source agent framework built on the Pi harness, which offers a declarative approach to building agents with built-in integrations for enterprise too
AIIntroducing the Cloudflare One stack: agent-powered deployment
Cloudflare has launched the Cloudflare One stack, an agent-powered toolkit designed to automate the configuration, deployment, and management of Zero Trust network architectures. The stack provides AI agents with structured knowledge and tools to handle complex migration tasks from legacy SASE vendors like Zscaler and Palo Alto Networks, reducing implementation timelines from months to hours. Buil
AICloudflare DMARC Management is now generally available
Cloudflare has made its DMARC Management solution generally available with enhanced features to help organizations achieve full email authentication enforcement. The platform addresses the growing requirement from major email providers like Google, Microsoft, and Yahoo for proper DMARC, SPF, and DKIM configuration, offering free tools that eliminate the need for costly consultants or manual XML re
AIGrowing the Cloudflare AI team with talent from Ensemble AI
Cloudflare has acquired key talent from Ensemble AI, a San Francisco-based startup focused on model compression and efficient inference, to strengthen its Workers AI platform. Ensemble AI developed innovative approaches like NdLinear, which reduces AI model size and computational requirements while preserving performance, addressing the growing challenge of inference costs as AI workloads scale. T
AIScaling Security Insights: how we achieved a 10x increase in global scanning capacity
Cloudflare's Security Insights team successfully scaled their global scanning capacity by 10x—from 10 to 100 scans per second—enabling more frequent security scans and automatic coverage for millions of previously unmonitored free-tier accounts. The engineering effort addressed critical bottlenecks including Kafka consumer limitations, database query inefficiencies, and API latency issues caused b
AIRoute public traffic to private applications with Cloudflare
Cloudflare is launching Application Services for Private Origins in closed beta, enabling enterprise customers to route public internet traffic to private applications without exposing them publicly. This capability extends Cloudflare's security, performance, and programmability services (WAF, bot management, rate limiting, caching, Workers) to private origins using existing private network connec
AIDefend against frontier cyber models: Cloudflare's architecture as customer zero
Cloudflare details its defense architecture against AI-powered cyber threats, emphasizing that architectural design matters more than patching speed when facing frontier AI models like Mythos. The company operates as 'customer zero' for its own security products, using its visibility into ~20% of global web traffic to detect and block threats in real-time through integrated WAF and threat intellig
AITurning Cloudflare’s threat indicators into real-time WAF rules
Cloudflare has introduced a new integration that allows security teams to automatically translate threat intelligence from its Threat Events platform into proactive WAF rules, eliminating the manual process of configuring blocks for known malicious IPs. The solution leverages an 'always-on' detection framework that enriches HTTP requests with real-time threat metadata, enabling organizations to fi
AIYour AI bill is out of control. Cloudflare can fix it now.
Cloudflare is addressing the growing challenge of uncontrolled AI spending with new spend management features in its AI Gateway service. The company is launching spend limits in open beta and identity-driven budgets in closed beta, enabling organizations to track, attribute, and control AI costs at the user, team, and model level. These tools aim to solve the common problem of shared API keys and
AIVoidZero is joining Cloudflare
Cloudflare has acquired VoidZero, the company behind popular JavaScript tooling including Vite, Vitest, Rolldown, and Oxc, with all team members joining Cloudflare. The company emphasizes that all VoidZero projects will remain open source, vendor-agnostic, and community-driven, with Cloudflare committing $1 million to a Vite ecosystem fund. The acquisition reflects Vite's growing importance as fou
AIEnforcing the First AS in BGP AS_PATHs
Recent BGP route hijacking incidents have exploited unused autonomous system numbers (ASNs) by forging AS_PATHs to misdirect traffic while concealing attacker identity. The attacks succeed when networks fail to implement basic 'First AS' verification, which confirms that a BGP peer's AS is correctly listed as the first hop in advertised routes. While ASPA (Autonomous System Provider Authorization)
AIHow we reduced core unit boot time from hours to minutes
Cloudflare reduced core datacenter server boot times from four hours to minutes after a firmware update caused systems to sequentially timeout through multiple network boot interfaces before finding the correct one. The issue affected nearly 2,000 Gen12 servers, with each failed boot attempt adding roughly five minutes of idle time that compounded during multi-reboot firmware upgrades. The solutio
AIIran's Internet is partially restored, Cloudflare Radar data shows
Cloudflare Radar data confirms partial restoration of Iran's internet on May 26, 2026, after a nearly three-month nationwide shutdown that began February 28 following military strikes. Traffic has returned to only 40% of pre-shutdown levels, concentrated primarily in Tehran (91.6% of requests), while IPv6 connectivity remains completely disrupted despite IPv4 address space remaining stable through
AIHow we built Cloudflare's data platform and an AI agent on top of it
Cloudflare built Town Lake, a unified data analytics platform, and Skipper, an AI agent, to address data sprawl across disparate systems processing over 1 billion events per second. The lakehouse architecture combines Apache Trino, R2 storage with Apache Iceberg, and DataHub for metadata, enabling SQL queries across multiple data sources while reducing costs and complexity. Skipper provides a natu
AICode Orange: Fail Small is complete. The result is a stronger Cloudflare network
Cloudflare has completed 'Code Orange: Fail Small,' a major engineering initiative to prevent incidents like the November and December 2025 global outages. The project introduced progressive configuration rollouts with health monitoring, better failure modes that preserve service continuity, and improved incident management procedures to enhance network resilience for all customers.
AIWhen DNSSEC goes wrong: how we responded to the .de TLD outage
On May 5, 2026, DENIC's incorrect DNSSEC signatures for the .de TLD caused widespread DNS resolution failures, potentially affecting millions of German domains. Cloudflare's 1.1.1.1 resolver mitigated the impact through 'serve stale' functionality (RFC 8767) and Negative Trust Anchors (RFC 7646), continuing to serve cached records and temporarily disabling DNSSEC validation for .de domains until D
Edge Compute is the New Branch Office
What happens when every retail store, oil rig, and hospital becomes its own micro-cloud.