EngBrief

Cloudflare Blog Engineering Blog

20 articles on EngBrief

The Cloudflare Blog is one of the most prolific technical blogs in the industry, covering internet security, networking, and edge computing. Posts explore DDoS mitigation, DNS infrastructure, TLS/cryptography, Cloudflare Workers, AI on the edge, HTTP standards, and the global network that serves over 20% of the web.

Security, Networking, Edge Computing, Cryptography, Performance

Latest Articles

Cloudflare Blog · 1 min read · 2d ago

Powering the agents: Workers AI now runs large models, starting with Kimi K2.5

Cloudflare has integrated Moonshot AI's Kimi K2.5 model into its Workers AI platform, enabling large models to power developer agents. The model's 256k context window and support for multi-turn tool calling make it suitable for various agentic tasks. By serving large models directly within the Cloudflare Developer Platform, the company aims to facilitate efficient and cost-effective agent development. The integration of Kimi K2.5 has resulted in significant cost savings, with a 77% reduction in costs for one particular agent that processes over 7B tokens per day. Cloudflare has also optimized its inference stack to serve large models efficiently, using custom kernels and advanced techniques to improve performance and GPU utilization. To support agentic workloads, Cloudflare has released new features, including prefix caching and surfacing cached tokens, as well as a new session affinity header to improve cache hit rates and reduce inference costs. These improvements make it easier for developers to build and deploy efficient and cost-effective agents using

Cloud, Performance, AI
Workers AI, Kimi K2.5, Cloudflare's Developer Platform, ML Model Deployment

Cloudflare Blog · 1 min read · 4d ago

Introducing Custom Regions for precision data control

Cloudflare introduces Custom Regions for precision data control, allowing customers to define their own geographical boundaries for traffic processing. This feature provides customers with more control over data localization and compliance, particularly useful for multinational companies with complex regional requirements. Cloudflare's Custom Regions use a flexible expression-based membership system, enabling customers to specify region membership and routing decisions.

Cloudflare, Geolocation, Data Governance

Cloudflare Blog · 1 min read · 5d ago

Standing up for the open Internet: why we appealed Italy’s "Piracy Shield" fine

Cloudflare is appealing a €14 million fine imposed by the Italian communications regulator, AGCOM, for resisting a "Piracy Shield" regulation that forces online service providers to block websites without oversight or due process. The Piracy Shield system is criticized for its lack of transparency, judicial oversight, and effective redress mechanisms, leading to repeated overblocking of innocent websites and essential services. Cloudflare continues to challenge the legality of Piracy Shield and the flawed fine, pushing for full access to records and transparency in the system.

Cloud

Cloudflare Blog · 1 min read · 9d ago

From legacy architecture to Cloudflare One

Cloudflare and Technology Solutions Provider CDW have developed a roadmap to help organizations transition from legacy architecture to a more modern, Zero Trust platform. By categorizing applications based on technical complexity and prioritizing a tiered methodology, CDW ensures a successful migration without downtime, ultimately leading to a secure and agile security posture. The partnership combines Cloudflare's global Zero Trust platform with CDW's expertise in navigating complex deployment failures. CDW's process involves a pre-migration audit to assess architectural readiness, identify potential issues, and categorize applications. This is followed by a phased rollout that prioritizes coexistence over replacement, starting with a pilot rollout, and then scaling to the entire organization, allowing for a seamless and secure transition. By leveraging Cloudflare Access and CDW's expertise, organizations can modernize their security posture and achieve "escape velocity" from legacy hardware.

Cloud, Databases
Cloudflare One, SASE Migrations, Cloud Architecture, Legacy System Modernization, Application Modernization

Cloudflare Blog · 1 min read · 10d ago

Announcing Cloudflare Account Abuse Protection: prevent fraudulent attacks from bots and humans

Cloudflare introduces Account Abuse Protection, a suite of fraud prevention capabilities to stop account abuse before it starts. This includes new features such as Disposable email check and email risk, which help identify fake account creation and promotion abuse. Additionally, Hashed User IDs provide customers with better insight into suspicious account activity and greater ability to mitigate potentially fraudulent traffic.

Cloud, Payments
Security, Fraud Prevention, Bot Protection, API Abuse Prevention

Cloudflare Blog · 1 min read · 11d ago

Slashing agent token costs by 98% with RFC 9457-compliant error responses

Cloudflare now returns RFC 9457-compliant structured error responses for AI agents, replacing heavyweight HTML pages with machine-readable instructions. This change slashes agent token costs by 98% and provides actionable guidance for errors, such as rate limits and access denials. The structured responses are available in Markdown and JSON formats, with stable YAML frontmatter and fields for automation.

Cloud, AI
Cloudflare, RFC 9457, Markdown, JSON, Error Handling, API Design, Performance Optimization, Cloud Computing

Cloudflare Blog · 1 min read · 11d ago

AI Security for Apps is now generally available

Cloudflare's AI Security for Apps is now generally available. It discovers, detects, and mitigates malicious behavior targeting AI-powered applications through a reverse proxy and WAF rule builder. The platform automatically identifies AI-powered endpoints across web properties and includes new capabilities such as custom topics detection and prompt extraction. Cloudflare is partnering with IBM and Wiz to expand AI security offerings and provide a unified view of AI security posture for mutual customers.

Cloud, Security, AI
AI, Cloudflare, API Security, Cloud Security

Cloudflare Blog · 1 min read · 12d ago

Investigating multi-vector attacks in Log Explorer

Cloudflare Log Explorer integrates 14 new datasets to provide 360-degree visibility for security teams to investigate multi-vector attacks. By correlating telemetry from HTTP requests, network-layer DDoS and Firewall logs, and Zero Trust Access events, analysts can significantly reduce Mean Time to Detect (MTTD) and effectively unmask sophisticated attacks. Log Explorer centralizes logs into a unified interface for rapid investigation, including datasets such as HTTP Requests, Firewall Events, and DNS logs.

Cloud
Cloudflare, Log Explorer, API Security, Network Security, Data Analytics

Cloudflare Blog · 1 min read · 12d ago

Building a security overview dashboard for actionable insights

Cloudflare introduced a revamped Security Overview dashboard to empower security teams with proactive control, reducing noise and increasing actionable insights. The new dashboard features Security Action Items, ranked by criticality, to guide teams in addressing urgent risks and triaging vulnerabilities effectively. By integrating detection tools and surfacing vulnerabilities directly, the dashboard eliminates the "configuration gap" and focuses on ensuring that security tools are actively protecting organizations.

Cloud, Security
Cloudflare, Dashboard Development, Security Information and Event Management (SIEM)

Cloudflare Blog · 1 min read · 12d ago

Translating risk insights into actionable protection: leveling up security posture with Cloudflare and Mastercard

Cloudflare and Mastercard are partnering to provide automatic security posture visibility and remediation of Internet-facing blind spots. The integration will enable the continuous discovery and monitoring of vulnerabilities in an organization's internet footprint using Mastercard's RiskRecon attack surface intelligence capabilities. This will proactively close security gaps before they can be exploited by attackers.

Cloud, Security
Cloudflare, Mastercard, RiskRecon, API Design, Security Posture, Attack Surface Management, Cloud Security, Risk Management

Cloudflare Blog · 1 min read · 13d ago

Fixing request smuggling vulnerabilities in Pingora OSS deployments

Cloudflare's Pingora open source framework had three request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836) that could be exploited by attackers. The vulnerabilities allowed bypassing proxy-layer security controls and enabled desync attacks for cross-user hijacking, credential theft, and poisoning of proxy-layer caches. Cloudflare's engineering team patched the issues in Pingora 0.8.0 and recommends that users upgrade as soon as possible. The vulnerabilities were not exploitable in Cloudflare's CDN due to its architecture, but they affected standalone Pingora deployments exposed to the internet.

Kubernetes, API Security, CDN, Vulnerability Management

Cloudflare Blog · 1 min read · 13d ago

Active defense: introducing a stateful vulnerability scanner for APIs

Cloudflare introduces a stateful vulnerability scanner for APIs, designed to actively hunt for logic flaws that traditional security measures often miss. The scanner targets Broken Object Level Authorization (BOLA), the most pervasive API threat, and uses a DAST (Dynamic Application Security Testing) approach to simulate valid requests to detect vulnerabilities. This proactive approach enables security teams to identify and fix flaws without relying on passive scanning or user traffic context.

Cloud, Security, Backend, AI
Cloudflare, API, AI, API call graphs, API Security, Vulnerability Scanning, Active Defense

Cloudflare Blog · 1 min read · 13d ago

Complexity is a choice. SASE migrations shouldn’t take years.

Cloudflare's agile SASE platform, Cloudflare One, enables partners to migrate to zero trust architecture in as little as six weeks, compared to the traditional 18-month timeline. This is achieved through a unified connectivity cloud that decouples security policy from physical networks, simplifying the migration process. Cloudflare's platform automates many tasks, eliminating the need for manual configurations and reducing complexity.

Cloud, Databases, Security
Cloudflare, SASE, TachTech, Adapture

Cloudflare Blog · 1 min read · 16d ago

From the endpoint to the prompt: a unified data security vision in Cloudflare One

Cloudflare One has evolved to provide a unified data security vision, spanning network, endpoint, and SaaS applications. The company's vision involves a single model that follows data across all its movements, applying protection in transit, visibility and control at rest, enforcement in use, and now, coverage at the prompt as AI interfaces become common. New features include clipboard controls for browser-based RDP, operation mapping in logs, on-device DLP in the Cloudflare One Client, and AI security scanning for Microsoft 365 Copilot, all aimed at reducing the risk of data breaches and sensitive data leaving organizations.

Cloud, Security, Backend
Cloudflare One, RDP, Microsoft 365, CASB, API, Data Security, Endpoint Security, Unified Security Vision

Cloudflare Blog · 1 min read · 17d ago

Ending the "silent drop": how Dynamic Path MTU Discovery makes the Cloudflare One Client more resilient

Cloudflare has implemented Path MTU Discovery (PMTUD) in the Cloudflare One Client to improve network resilience. This involves active, end-to-end interrogation of the network path to dynamically adjust packet sizes, ensuring stable connections on diverse networks with varying MTUs. The client proactively sends encrypted packets of varying sizes to the Cloudflare edge, acknowledging or rejecting them to establish the optimal packet size.

Cloud
Cloudflare One Client, Dynamic Path MTU Discovery, Networking, Cloud Computing, Network Resilience, Cloud Infrastructure, Performance Optimization

Cloudflare Blog · 1 min read · 17d ago

A QUICker SASE client: re-building Proxy Mode

Cloudflare rebuilt the proxy mode of its SASE platform, Cloudflare One, to improve performance by bypassing an inefficient TCP implementation and leveraging modern QUIC features. The new approach keeps traffic at Layer 4, eliminating IP packet handling and allowing for tunability to optimize performance. As a result, download and upload speeds doubled, and latency decreased significantly for users who require zero-trust security without sacrificing performance.

Cloud, Performance
QUIC, Cloudflare One Client, TCP, Networking, Performance Optimization, Security

Cloudflare Blog · 1 min read · 17d ago

How Automatic Return Routing solves IP overlap

Cloudflare introduces Automatic Return Routing (ARR), a solution to prevent IP overlap conflicts in enterprise networks. ARR uses stateful tracking to remember the originating tunnel for each flow, bypassing the need for routing tables and eliminating administrative overhead. This zero-touch solution allows overlapping networks to coexist seamlessly without Network Address Translation (NAT) or complex Virtual Routing and Forwarding (VRF) configurations.

Cloudflare, IP Routing, Networking, Enterprise Networking

Cloudflare Blog · 1 min read · 18d ago

Always-on detections: eliminating the WAF “log versus block” trade-off

Cloudflare has introduced Attack Signature Detection, an always-on feature that eliminates the traditional Web Application Firewall (WAF) trade-off between logging and blocking malicious traffic. This feature provides complete visibility into every request for malicious payloads without sacrificing protection or performance, allowing security teams to tune and strengthen their defenses. The detection metadata is accumulated and can be used to build precise mitigation policies based on past traffic.

Cloud, Payments, Databases, Security
Cloudflare, WAF (Web Application Firewall), Security, API Design, Observability, Data Pipeline

Cloudflare Blog · 1 min read · 18d ago

Mind the gap: new tools for continuous enforcement from boot to login

Cloudflare introduced two new tools to modernize remote access and eliminate network security "dark corners": mandatory authentication and independent multi-factor authentication (MFA). With mandatory authentication, a user can access the internet only after authenticating with the Cloudflare One Client, closing the gap between installation and enforcement. Cloudflare's independent MFA adds an additional layer of verification, remaining separate from the primary identity provider (IdP) to prevent session hijacking and social engineering.

Cloud, Security
Cloudflare, MFA, Authentication, Authorization, Security

Cloudflare Blog · 1 min read · 18d ago

Defeating the deepfake: stopping laptop farms and insider threats

Cloudflare addresses the growing threat of "remote IT worker" fraud, where attackers use stolen identities and laptop farms to infiltrate companies and steal intellectual property. To combat this, Cloudflare partners with Nametag to integrate identity-verified onboarding and continuous identity assurance into its SASE platform, Cloudflare One. This allows organizations to verify the identity of users before granting access to sensitive resources, preventing bad actors from using deepfake IDs and selfies. Cloudflare One's integration with Nametag uses OpenID Connect to verify users through a selfie and government-issued ID scan, preventing deepfake injection attacks and presentation attacks. This provides an additional layer of security against insider threats, complementing existing features such as data loss prevention and remote browser isolation. The partnership aims to evolve security defenses to prioritize cryptographic identity verification, enabling organizations to safely trust their workforce despite the threat of sophisticated AI-powered attacks.

Cloud, Payments, Security, AI
Cloudflare One, Nametag, AI