Cloudflare, the internet infrastructure company that handles roughly 20% of all global web traffic, is making an aggressive move to redefine how organizations consume and act on threat intelligence. The San Francisco–based firm recently unveiled what it calls the Cloudflare Threat Intelligence Platform, a set of tools and data products designed to give security teams direct access to the vast trove of threat data the company collects from its worldwide network. The announcement signals a clear strategic pivot: Cloudflare no longer wants to be viewed solely as a content delivery and DDoS mitigation provider. It wants to be the intelligence backbone for enterprise cybersecurity.
The timing is notable. Cyberattacks continue to surge in both volume and sophistication, and organizations are drowning in alerts from disparate security tools. According to Cloudflare’s own data, its network processes over 60 million HTTP requests per second on average and blocks approximately 209 billion cyber threats each day. That scale of visibility is difficult for any single vendor to match, and Cloudflare is now betting that packaging that visibility into consumable intelligence products will become a significant revenue driver.
What the Threat Intelligence Platform Actually Does
At its core, the new platform consolidates several capabilities that Cloudflare has been building incrementally over the past few years. As detailed in the company’s engineering blog post, the platform includes threat intelligence APIs, a threat investigation portal called Investigate, and integrations with existing security workflows. The APIs allow security teams to query Cloudflare’s data on IP addresses, domains, URLs, and autonomous system numbers (ASNs) to determine whether they are associated with malicious activity. The Investigate portal provides a graphical interface for analysts who want to research threats without writing code.
Cloudflare is also introducing what it calls “threat events” — curated intelligence reports that describe active campaigns, malware families, and phishing operations that the company’s analysts have identified through its network telemetry. These reports are designed to go beyond raw indicators of compromise (IOCs) and provide contextual analysis that security operations teams can use to prioritize their response efforts. The company says it will update these threat events continuously as campaigns evolve, rather than publishing static reports that quickly become stale.
A Data Advantage Built on Network Scale
The fundamental argument Cloudflare is making to the market is straightforward: no one sees more internet traffic than it does, and therefore no one can produce better threat intelligence. The company operates data centers in over 310 cities across more than 120 countries. It provides DNS resolution through its popular 1.1.1.1 service, runs one of the largest authoritative DNS platforms in the world, and proxies traffic for millions of websites through its reverse proxy and WAF (web application firewall) services. Each of these touchpoints generates signals about malicious behavior — from botnet command-and-control communications to phishing domain registrations to API abuse patterns.
This is a meaningful differentiator compared to traditional threat intelligence vendors like Recorded Future, Mandiant (now part of Google Cloud), or CrowdStrike’s Falcon Intelligence. Those companies rely heavily on a combination of open-source intelligence (OSINT), dark web monitoring, and endpoint telemetry. Cloudflare’s intelligence, by contrast, is derived primarily from network-layer and application-layer traffic at a scale that few organizations can replicate. As the company noted in its blog announcement, “We don’t need to go looking for threats — they come to us.”
The Competitive Landscape Is Getting Crowded
Cloudflare’s entry into the dedicated threat intelligence market puts it in direct competition with some well-established players. CrowdStrike has long offered threat intelligence as a premium add-on to its Falcon platform, drawing on data from millions of endpoints. Palo Alto Networks operates Unit 42, a well-known threat research division that feeds intelligence into its Cortex XSIAM and XSOAR products. Microsoft, with its Defender Threat Intelligence offering, has been aggressively packaging the signals it collects from Windows, Azure, and Office 365 into actionable intelligence feeds.
What sets Cloudflare apart — and what could also limit its appeal — is the nature of its data. The company’s intelligence is strongest when it comes to web-based threats: phishing, DDoS, bot activity, API abuse, and malicious domain infrastructure. It has less visibility into endpoint-level threats like ransomware execution chains or lateral movement within corporate networks. Security teams evaluating the platform will need to consider whether Cloudflare’s network-centric intelligence complements or overlaps with the endpoint and cloud-focused intelligence they may already be receiving from other vendors.
Pricing, Packaging, and the Enterprise Sales Strategy
Cloudflare has historically used a freemium model to attract developers and small businesses before upselling enterprise features. The threat intelligence platform appears to follow a similar pattern. Basic threat intelligence lookups are available to customers on Cloudflare’s free and Pro plans, while the full platform — including the Investigate portal, advanced API access, and curated threat events — is reserved for Enterprise and Enterprise Advanced customers. The company has not publicly disclosed specific pricing for the intelligence platform, but it is expected to be bundled with broader enterprise security contracts.
This bundling strategy could prove effective. Many organizations already use Cloudflare for CDN, DNS, or Zero Trust network access. Adding threat intelligence to those existing contracts reduces procurement friction and gives security teams a single vendor for both protection and intelligence. It also creates a flywheel effect: the more customers use Cloudflare’s services, the more traffic flows through its network, and the richer its intelligence becomes. That virtuous cycle is difficult for competitors to disrupt once it gains momentum.
Integration With Zero Trust and SASE Architectures
The threat intelligence platform does not exist in isolation. Cloudflare has been building out its Zero Trust and Secure Access Service Edge (SASE) offerings under the Cloudflare One brand for several years. The intelligence platform feeds directly into these products, enabling automated policy enforcement based on real-time threat data. For example, if Cloudflare’s intelligence identifies a domain as hosting a phishing kit, its Gateway product can automatically block access to that domain for all users enrolled in a customer’s Zero Trust deployment.
This tight integration between intelligence and enforcement is something that pure-play threat intelligence vendors cannot easily replicate. Companies like Recorded Future and Flashpoint produce excellent intelligence, but they rely on customers to ingest that intelligence into separate security tools — firewalls, SIEMs, endpoint detection platforms — and configure enforcement rules manually. Cloudflare’s ability to both generate the intelligence and act on it within the same infrastructure reduces the time between detection and response, which is often the critical variable in preventing a breach.
Privacy Considerations and Data Handling
Any company that processes 20% of global web traffic and then packages observations from that traffic into intelligence products will face questions about privacy. Cloudflare has addressed this directly, stating in its blog post that the intelligence platform is built on aggregated and anonymized data. The company says it does not inspect the content of encrypted traffic for intelligence purposes and that its threat signals are derived from metadata — DNS queries, HTTP headers, traffic patterns, and reputation scores — rather than payload inspection.
Still, the tension between visibility and privacy is real. Cloudflare has previously faced scrutiny over its decisions about which websites to serve and which to terminate, most notably in the cases of 8chan and The Daily Stormer. As the company monetizes its network visibility through intelligence products, it will need to maintain clear boundaries between what it observes for security purposes and what it does with that data commercially. Enterprise customers, particularly those in regulated industries like finance and healthcare, will want detailed assurances about data handling before subscribing.
What This Means for the Broader Security Market
Cloudflare’s move into threat intelligence reflects a broader trend: infrastructure providers are increasingly absorbing security functions that were once the domain of specialized vendors. Amazon Web Services offers GuardDuty and Detective. Google Cloud has Chronicle and Mandiant. Microsoft has Sentinel and Defender. Now Cloudflare is following the same playbook, using its infrastructure position to offer security intelligence as a natural extension of its core services.
For security teams, this consolidation has both benefits and risks. On the positive side, integrated platforms reduce the number of tools that analysts need to manage and can accelerate response times. On the negative side, relying on a single vendor for both infrastructure and intelligence creates concentration risk. If Cloudflare experiences an outage — as it has on occasion — customers could lose both their protective controls and their threat visibility simultaneously. Diversification of intelligence sources will remain a best practice even as platforms like Cloudflare’s become more capable.
The threat intelligence market is projected to grow from approximately $11.6 billion in 2023 to over $24 billion by 2028, according to industry estimates. Cloudflare’s entry, backed by unmatched network visibility and an existing base of millions of customers, positions it to capture a meaningful share of that growth. Whether it can execute on the promise — delivering intelligence that is not just voluminous but genuinely actionable — will determine whether this bet pays off.


WebProNews is an iEntry Publication