InCloud Bootcamp

CF1 Zero Trust Playbook for Cloudflare Enterprise

InCloud Bootcamp Zero Trust Playbook for Cloudflare Enterprise — your field guide to scoping, deploying, and operating Cloudflare One across Access, Gateway, CASB, DLP, SASE, and Magic WAN.

Status: Current
Audience: Partners & SEs
Scope: Enterprise Zero Trust
Docs: developers.cloudflare.com

~1B+ DNS queries processed daily through Cloudflare Gateway
330+ PoP cities — Zero Trust traffic never leaves the Cloudflare network
7 core Zero Trust capability areas in this guide
01 Platform Overview

What Cloudflare One (CF1) delivers and why it matters for enterprise Zero Trust

🔐 Identity-First Architecture
Cloudflare One replaces legacy VPN and perimeter-based models with continuous identity verification — every user, device, and application request is evaluated against policy before access is granted.
🌐 SASE on Global Edge
Security and networking converge at Cloudflare's global edge — applying Zero Trust access, DNS filtering, DLP, CASB, and threat inspection inline without backhauling traffic through a central data centre.
📡 Unified Connectivity Layer
Magic WAN, Cloudflare Tunnel, WARP client, and connector-based on-ramps create a consistent, policy-enforced network fabric for branch, cloud, remote, and on-premises workloads.
🔍 Inline Visibility and Control
HTTP and DNS inspection, CASB shadow IT discovery, DLP scanning, and CASB SaaS posture management give security teams complete visibility — and control — over data in motion and at rest in SaaS apps.
  • Eliminate implicit trust and enforce least-privilege access across users and workloads
  • Replace VPN with high-performance, policy-aware Cloudflare Tunnel connectivity
  • Prevent data exfiltration via inline DLP and CASB posture enforcement
  • Secure SaaS, IaaS, and private applications from a single dashboard
02 Core Product Categories

Seven capability areas mapped to use cases and official documentation

Each category lists its key products, typical use case, and the developer documentation pages to consult.

🔐 Zero Trust Access (identity-aware app protection)
  • Key products: Cloudflare Access, App Launcher, Service Tokens, Browser Isolation
  • Typical use case: Replace VPN with identity-aware access to internal apps, SaaS, and APIs — policy enforced at Cloudflare's edge per user, device posture, and IdP group
  • Developer docs: Access Policies, Applications, Identity & IdP

🌐 Secure Web Gateway (DNS, HTTP & Network filtering)
  • Key products: Gateway DNS, Gateway HTTP, Gateway Network, TLS Inspection
  • Typical use case: Inspect outbound web traffic, block malware, enforce acceptable-use policies, and decrypt TLS to apply DLP and threat detection inline — for both WARP-enrolled and agentless flows
  • Developer docs: Gateway Policies, DNS Policies, HTTP Policies

☁️ CASB and SaaS Security (SaaS posture & shadow IT)
  • Key products: API-driven CASB, Shadow IT Discovery, SaaS Posture
  • Typical use case: Discover unsanctioned SaaS usage via DNS/HTTP logs, audit misconfigured SaaS accounts (e.g. public Google Drive files, over-permissioned OAuth apps), and remediate posture findings via API-integrated scans. Note: free plan is limited to 2 CASB integrations; viewing finding details requires an Enterprise plan.
  • Developer docs: CASB Overview, Shadow IT, SaaS Integrations

🔒 Data Loss Prevention (inline data protection)
  • Key products: DLP Profiles, Exact Data Match, Document Fingerprinting
  • Typical use case: Prevent exfiltration of PII, credentials, and sensitive documents over HTTP/S — inline DLP rules can block uploads to personal SaaS, enforce watermarking, and generate audit trails for compliance
  • Developer docs: DLP Overview, DLP Profiles, Exact Data Match

🖥️ Browser Isolation (remote & clientless browsing)
  • Key products: Remote Browser Isolation, Clientless RBI, Isolation Profiles
  • Typical use case: Contain web threats by executing browser code remotely at Cloudflare's edge — protect unmanaged devices and third-party contractors accessing internal apps without installing any client-side agent
  • Developer docs: Browser Isolation, Clientless RBI

📡 Connectivity and Magic WAN (SASE networking fabric)
  • Key products: Magic WAN, Cloudflare Tunnel, WARP Connector, Magic Firewall
  • Typical use case: Replace MPLS and site-to-site VPN with Cloudflare's global backbone — connect branch offices, cloud VPCs, and on-premises workloads with consistent security policy and low-latency routing via IPsec/GRE or Cloudflare Tunnel
  • Developer docs: Magic WAN, Cloudflare Tunnel, Magic Firewall

📱 DEX and Device Posture (endpoint health & experience)
  • Key products: WARP Client, Device Posture Checks, Digital Experience Monitoring
  • Typical use case: Enforce device posture as an Access policy condition — validate OS version, disk encryption, EDR agent status, and serial number before granting access; monitor end-user network experience with DEX synthetic testing
  • Developer docs: WARP Client, Device Posture, DEX
02.5 Competitive Positioning

How Cloudflare One compares against the main competitors in each capability area, with positioning talking points you can use in design and workshop conversations

Access / ZTNA: Zero Trust Network Access. Cloudflare Access vs Zscaler ZPA, Palo Alto Prisma Access, Cisco Duo & AnyConnect.
✦ Cloudflare Strength
  • No additional proxy infrastructure: Access runs on Cloudflare's existing global edge — there is no separate access gateway appliance to size, region, or failover. Competitors often require dedicated gateway VMs per region.
  • Cloudflare Tunnel as the connector: the lightweight cloudflared daemon creates an outbound-only tunnel with no inbound firewall rules. No public IP, no pinhole — a meaningful operational advantage over agent-based approaches like Zscaler ZPA's App Connectors.
  • Unified platform: Access, Gateway, DLP, CASB, and RBI are all configured in one dashboard with one policy engine — avoiding the multi-console sprawl common in Palo Alto Prisma or Zscaler's multi-product deployments.

Competitor Notes

  • Vs Zscaler ZPA: ZPA requires App Connectors deployed per application segment — operationally heavier. Cloudflare Tunnel is simpler to deploy and has no throughput tier limits on Enterprise plans.
  • Vs Palo Alto Prisma Access: Prisma requires GlobalProtect agent on most flows; Cloudflare offers fully clientless browser-based access as a first-class option — particularly useful for contractors and unmanaged devices.
  • Vs Cisco AnyConnect / Duo: AnyConnect is a VPN-first architecture with Duo bolted on for MFA. Cloudflare Access is policy-first by design, with device posture, IdP group, and geo as native conditions — not afterthoughts.
Secure Web Gateway: DNS and HTTP Filtering (Gateway). Cloudflare Gateway vs Zscaler Internet Access, Palo Alto DNS Security, Cisco Umbrella.
✦ Cloudflare Strength
  • DNS resolver scale: Cloudflare operates one of the world's largest DNS resolvers (1.1.1.1) — Gateway benefits from the same infrastructure, giving it broader passive threat intelligence than SWG-only vendors.
  • No separate proxy appliance: Gateway HTTP inspection runs inline at Cloudflare's edge. Umbrella requires a proxy node or PAC file for HTTP inspection; Gateway handles both DNS and HTTP from a single WARP connection.
  • Unified policy expression: DNS, HTTP, and Network policies all use the same rule builder and identity context — meaning a Gateway engineer and an Access engineer are working in the same mental model.

Competitor Notes

  • Vs Cisco Umbrella: Umbrella is DNS-focused; adding HTTP inspection requires the SIG Advantage tier and a proxy node. Cloudflare Gateway includes both DNS and HTTP filtering under a single Zero Trust subscription.
  • Vs Zscaler ZIA: ZIA is feature-rich but complex to tune and license. Cloudflare's simpler policy engine and unified dashboard can significantly reduce time-to-value for mid-market and partner-led deployments.
  • Vs Palo Alto DNS Security: DNS Security is an add-on to NGFW subscriptions — not a standalone SWG. Cloudflare Gateway is purpose-built for cloud-native SWG use cases without requiring an on-premises firewall anchor.
CASB & DLP: Cloud Access Security Broker and Data Loss Prevention. Cloudflare CASB / DLP vs Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB.
✦ Cloudflare Strength
  • CASB and DLP in the same platform as SWG and ZTNA: competitors like Netskope and Zscaler offer CASB and DLP, but they sit in a separate product layer. Cloudflare's inline DLP shares the same Gateway policy engine — reducing policy duplication.
  • Shadow IT from existing telemetry: Shadow IT discovery is derived from DNS/HTTP logs already flowing through Gateway — no additional sensor or CASB proxy required. Netskope and MCAS require separate log collection pipelines for shadow IT.
  • Exact Data Match: EDM allows customers to define a hashed dataset of specific values (employee IDs, card numbers) for high-precision DLP — a feature that typically requires enterprise-tier add-ons from Zscaler or Netskope.

Competitor Notes

  • Vs Microsoft Defender for Cloud Apps (MCAS): MCAS is deeply integrated into M365 but requires Conditional Access policies and MDA licensing to achieve inline inspection. Cloudflare CASB is SaaS-agnostic and doesn't require Microsoft licensing.
  • Vs Netskope: Netskope is a strong CASB/DLP platform but requires a dedicated Netskope proxy — a separate architecture from any existing Cloudflare investment. Cloudflare's single-vendor model avoids this complexity for existing CF1 customers.
  • Vs Zscaler CASB: Zscaler CASB is an add-on to ZIA; API-based CASB is an additional module. For customers already on Cloudflare One, CASB and DLP are included without a separate product negotiation.
Browser Isolation: Remote Browser Isolation (RBI). Cloudflare RBI vs Menlo Security, Zscaler Cloud Browser Isolation, Symantec WSS.
✦ Cloudflare Strength
  • Native integration with Access and Gateway: Cloudflare RBI is a policy action within Gateway HTTP rules and Access applications — not a separate proxy path. Adding isolation to a category or application is a single policy change.
  • Clientless RBI for unmanaged devices: Cloudflare's clientless isolation mode works via browser link — no agent, no client download. Menlo and Zscaler CBI typically require agent-side configuration for full isolation fidelity.
  • Performance on global edge: isolation rendering happens at the nearest Cloudflare PoP — not at a fixed data centre. This materially reduces latency compared to fixed-location isolation vendors like Menlo's US/EU cluster model.

Competitor Notes

  • Vs Menlo Security: Menlo is a purpose-built RBI vendor with a mature feature set, but it's a standalone product requiring separate deployment and licensing. Cloudflare RBI is bundled with Zero Trust — no separate contract or architecture needed.
  • Vs Zscaler Cloud Browser Isolation: Zscaler CBI is an add-on to the ZIA platform requiring a separate SKU. For existing CF1 customers, Cloudflare RBI avoids this additional purchase and consolidation complexity.
  • Vs Symantec WSS: Symantec's web security stack has complex licensing. Cloudflare RBI's policy-as-code approach and unified dashboard are a simpler operational model for lean IT teams.
Connectivity / SASE: Magic WAN and Network Connectivity. Cloudflare Magic WAN vs Zscaler Private Access, Palo Alto Prisma SD-WAN, Cato Networks.
✦ Cloudflare Strength
  • Anycast on-ramps: Magic WAN tunnels terminate on Cloudflare's Anycast network — branches automatically connect to the nearest PoP with no manual PoP selection. Cato and Palo Alto require provisioning specific PoP capacity.
  • No separate SD-WAN CPE required: Magic WAN works with any IPsec/GRE-capable device. Customers don't need to replace CPE — just re-point tunnels to Cloudflare.
  • Convergence with Zero Trust policy: Magic WAN traffic passes through the same Gateway policy engine as WARP traffic — meaning a single set of security rules applies to branch, remote, and cloud-bound flows without duplication.

Competitor Notes

  • Vs Cato Networks: Cato is a strong single-vendor SASE competitor with a purpose-built SD-WAN overlay. The key differentiator is Cloudflare's broader global network (330+ PoPs vs Cato's ~85) and the fact that Cloudflare also operates the underlying internet infrastructure (peering, CDN, DNS).
  • Vs Zscaler Private Access + ZTNA: ZPA is ZTNA-focused and not a full WAN replacement. Customers needing true site-to-site connectivity still need an SD-WAN vendor alongside Zscaler. Cloudflare replaces both with a single platform.
  • Vs Palo Alto Prisma SD-WAN: Prisma SD-WAN requires Prisma-specific CPE hardware. Magic WAN works with any standards-based IPsec device — a lower barrier to entry and no hardware refresh cycle.
03 Implementation 101

A phased deployment sequence for Cloudflare One — from initial access to full SASE

1. Foundation — Identity & Tenant Setup (Day 0–1)
  • Create Cloudflare Zero Trust organisation — provision the ZT tenant under your Cloudflare account, link billing, and assign admin roles.
  • Connect your Identity Provider — integrate Okta, Azure AD, Google Workspace, or SAML/OIDC IdP; configure device identity sync where supported.
  • Define user & group taxonomy — map business units and risk tiers to IdP groups that will back Access and Gateway policies.
  • Enrol first test devices via WARP — validate device registration, MDM-pushed config, and posture attribute collection before broad rollout.
2. Cloudflare Access — Protect First Applications (Week 1)
  • Onboard a pilot internal application — deploy cloudflared connector and create an Access application pointing to an internal HTTP/SSH/RDP service.
  • Configure Access policies — apply allow rules based on IdP group membership, device posture checks, and country/IP conditions; set session duration appropriate to app sensitivity.
  • Enable App Launcher & Service Auth — publish the App Launcher portal and create service tokens for machine-to-machine access where required.
  • Test MFA, posture gates, and deny scenarios — confirm that unmanaged or non-compliant devices are correctly blocked.
3. Gateway — DNS & HTTP Filtering (Week 2–3)
  • Enable Gateway DNS filtering — route device DNS through Cloudflare resolver; apply initial DNS policies to block malware, C2, and adult content categories.
  • Deploy TLS inspection certificate — push Cloudflare root CA via MDM/GPO; validate decryption works on pilot group before broad enforcement.
  • Build HTTP allow/block policies — configure content category blocks, application-specific controls (e.g. block personal file upload to Dropbox), and safe search enforcement.
  • Enable threat intelligence feeds — activate Cloudflare's bundled threat intel categories for phishing, malware, and cryptomining domains.
4. DLP & CASB — Data Protection Layer (Week 3–5)
  • Create DLP profiles — define detection patterns for PII (credit card, SSN, passport), credentials, and custom data types using predefined or regex-based rules.
  • Apply inline DLP to HTTP policies — add DLP profiles as conditions on Gateway HTTP policies; start with log-only mode, then enforce block after baselining false positive rate.
  • Connect API-driven CASB integrations — authorise read-only API access to Google Workspace, Microsoft 365, Slack, and GitHub to surface posture findings (public files, MFA gaps, over-permissioned apps).
  • Review Shadow IT discovery — analyse DNS/HTTP logs for unsanctioned SaaS usage; classify applications and update Gateway policies to block or isolate high-risk apps.
5. Magic WAN & Branch Connectivity (Phase 2)
  • Deploy IPsec/GRE tunnels for branch sites — configure Magic WAN on-ramps from physical or SD-WAN edge devices; use Anycast for automatic PoP failover.
  • Migrate site-to-site VPN to Magic WAN — replace legacy MPLS or hub-and-spoke VPN legs incrementally, validating routing and failover at each site.
  • Apply Magic Firewall policies — enforce network-layer east-west policies between branch segments and cloud workloads at Cloudflare's edge.
  • Integrate WARP Connector for private network subnets — extend Zero Trust routing to subnets that cannot run cloudflared via the WARP Connector on-ramp.
03.1 Configuration Testing & Validation

Repeatable test scenarios for each major Zero Trust capability area

Partner guidance: Always test in a scoped pilot group before broad rollout. Use Cloudflare's Gateway activity logs and Access audit logs to validate policy behaviour — do not rely solely on client-side verification.
Access: Zero Trust Access Policy Validation. Verify identity, posture, and session enforcement for Access-protected applications.
✦ Cloudflare Strength
  • Policy at the edge: Access decisions are enforced before any traffic reaches the origin — no VPN split-tunnel gaps or firewall bypasses.
  • Device posture as a policy dimension: Cloudflare evaluates OS version, disk encryption, and EDR status natively without requiring a separate NAC vendor.
  • Per-session audit trail: every Access auth event is logged with user, device, IdP group, and policy outcome — directly in the Zero Trust dashboard.

Recommended test cases

  • Access from IdP-authorised user on compliant device → expect: allow
  • Access from authorised user on non-compliant device (e.g. disk encryption off) → expect: block
  • Access from unauthenticated user → expect: redirect to IdP login
  • Expired session re-authentication → expect: re-prompt after TTL
  • Service token machine-to-machine auth → expect: allow without user auth flow
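The test matrix above only lists conditions and expected outcomes. The model below, an added example that is not Cloudflare's policy engine or part of this playbook, encodes the order in which those checks are applied (authentication, session TTL, country, IdP group, device posture, with a Service Auth token bypassing the user flow) so a partner can derive the expected result for every pilot scenario before running it against a real tenant. The app name, group names, posture attribute names and session TTL are constructed.

```python
"""Expected-outcome model for the Access test matrix (added example, not Cloudflare code)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    allowed_groups: set          # IdP groups permitted by the Allow rule
    required_posture: dict       # posture attribute -> value the WARP client must report
    allowed_countries: set       # empty set = no country condition
    session_ttl_s: int           # session duration chosen for the app's sensitivity


@dataclass
class Request:
    email: str = ""
    groups: set = field(default_factory=set)
    authenticated: bool = False
    session_age_s: int = 0
    posture: dict = field(default_factory=dict)
    country: str = "GB"
    service_token: bool = False  # a valid Service Auth token was presented


def evaluate(policy, req):
    """Return 'allow', 'block', 'redirect_to_idp' or 'reauth' for one request."""
    if req.service_token:                       # machine-to-machine: no user auth flow
        return "allow"
    if not req.authenticated:                   # no identity yet: send to the IdP
        return "redirect_to_idp"
    if req.session_age_s >= policy.session_ttl_s:
        return "reauth"                         # session TTL elapsed: re-prompt
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return "block"                          # country condition failed
    if not (req.groups & policy.allowed_groups):
        return "block"                          # user not in an authorised IdP group
    for attr, wanted in policy.required_posture.items():
        if req.posture.get(attr) != wanted:
            return "block"                      # non-compliant device posture
    return "allow"


# Constructed pilot application: finance group only, encrypted disk + EDR, 8h session.
FINANCE_APP = Policy("finance-portal", {"finance"},
                     {"disk_encryption": True, "edr_running": True}, {"GB", "IE"}, 8 * 3600)
COMPLIANT = {"disk_encryption": True, "edr_running": True}


def expected_outcomes(policy=FINANCE_APP):
    """Run the playbook's scenarios, plus group and country negatives, through the model."""
    cases = {
        "authorised user, compliant device":
            Request("alice@example.com", {"finance"}, True, 600, COMPLIANT),
        "authorised user, disk encryption off":
            Request("alice@example.com", {"finance"}, True, 600,
                    {"disk_encryption": False, "edr_running": True}),
        "unauthenticated user": Request(),
        "expired session":
            Request("alice@example.com", {"finance"}, True, 9 * 3600, COMPLIANT),
        "service token (M2M)": Request(service_token=True),
        "wrong IdP group":
            Request("bob@example.com", {"marketing"}, True, 600, COMPLIANT),
        "authorised user outside allowed countries":
            Request("alice@example.com", {"finance"}, True, 600, COMPLIANT, "US"),
    }
    return {name: evaluate(policy, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in expected_outcomes().items():
        print(f"{name:<45} -> {outcome}")
```

Compare each printed outcome with the Access audit log entry for the corresponding pilot run; a mismatch points at a policy rule or posture check that is not configured the way the design intended.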
Gateway: DNS & HTTP Filtering Validation. Confirm threat categories, TLS inspection, and application controls are working as expected.
✦ Cloudflare Strength
  • Unified DNS + HTTP + Network policy engine: consistent policy expression across all three inspection layers reduces misconfiguration risk from managing separate tools.
  • WARP-native enforcement: Gateway policies travel with the user regardless of network — remote, office, or cellular — without hairpinning via a central proxy.
  • Cloudflare threat intel built in: malware, phishing, C2, and botnet categories are maintained by Cloudflare's threat research team with no extra subscription.

Recommended test cases

  • DNS request to a known malware domain → expect: NXDOMAIN block
  • HTTP request to a blocked content category → expect: block page returned
  • TLS-inspected HTTPS upload to a personal file-share → expect: DLP trigger or block
  • Safe-search enforcement on Google → expect: SafeSearch active
  • Bypass test: direct DNS (8.8.8.8) from WARP device → expect: blocked by network policy
DLP: Data Loss Prevention Rule Testing. Validate that sensitive data patterns trigger correctly — without false-positive overload.
✦ Cloudflare Strength
  • Inline HTTP inspection: DLP scanning runs at Cloudflare's edge during the TLS-inspected session — no agent-side data collection or separate proxy appliance required.
  • Exact Data Match: upload a hashed dataset of specific PII values (e.g. employee IDs) for precision matching that dramatically reduces false positives versus pattern-only detection.
  • Log before block workflow: the audit-first approach lets teams baseline detection accuracy before committing to hard blocks — important for DLP deployments where false positives impact productivity.

How to test responsibly

  • Use synthetic test data (fake PAN numbers, generated SSNs) — never real production PII in test scenarios.
  • Start in Log mode, review Gateway activity log for DLP hit volume before switching to Block.
  • Test upload scenarios to: personal Gmail attachment, personal Dropbox, personal Google Drive — all common exfil vectors.
  • Validate that allowed SaaS destinations (e.g. corporate OneDrive) are excluded correctly from block rules.
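The "log before block" baseline described in the implementation phase above and in this test list comes down to reading Gateway activity log lines and asking two questions: how many DLP hits would the Block rule actually stop, and how many of them go to sanctioned corporate SaaS that must stay allowed. The script below is an added example (not from this playbook or Cloudflare); the log lines, host names, user addresses and DLP profile names are constructed, and the field names (Email, HTTPHost, HTTPMethod, Action, DLPProfiles, PolicyName) are an assumption about the JSON shape of a Gateway HTTP log export.

```python
"""Log-before-block triage over Gateway HTTP activity log lines (added example)."""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as a log export would provide.
# Field names are assumed, not taken from Cloudflare documentation.
SAMPLE_LOG = """
{"Datetime":"2024-05-01T09:00:01Z","Email":"alice@example.com","Action":"allow","HTTPHost":"www.dropbox.com","HTTPMethod":"POST","DLPProfiles":["Financial Information"],"PolicyName":"DLP pilot (log only)"}
{"Datetime":"2024-05-01T09:02:14Z","Email":"bob@example.com","Action":"allow","HTTPHost":"mail.google.com","HTTPMethod":"POST","DLPProfiles":["Social Security Numbers"],"PolicyName":"DLP pilot (log only)"}
{"Datetime":"2024-05-01T09:05:40Z","Email":"carol@example.com","Action":"allow","HTTPHost":"contoso-my.sharepoint.com","HTTPMethod":"POST","DLPProfiles":["Financial Information"],"PolicyName":"DLP pilot (log only)"}
{"Datetime":"2024-05-01T09:07:03Z","Email":"dave@example.com","Action":"allow","HTTPHost":"www.example.org","HTTPMethod":"GET","DLPProfiles":[],"PolicyName":""}
{"Datetime":"2024-05-01T09:11:59Z","Email":"alice@example.com","Action":"allow","HTTPHost":"drive.google.com","HTTPMethod":"POST","DLPProfiles":["Financial Information","Credentials and Secrets"],"PolicyName":"DLP pilot (log only)"}
{"Datetime":"2024-05-01T09:15:27Z","Email":"erin@example.com","Action":"allow","HTTPHost":"contoso.sharepoint.com","HTTPMethod":"POST","DLPProfiles":[],"PolicyName":""}
"""

# Sanctioned destinations (constructed): the corporate OneDrive/SharePoint tenant.
# Uploads here must remain allowed once the policy flips from Log to Block.
SANCTIONED_HOSTS = {"contoso-my.sharepoint.com", "contoso.sharepoint.com"}


def parse_gateway_log(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dlp_hits(records):
    """Only the requests where at least one DLP profile matched."""
    return [r for r in records if r.get("DLPProfiles")]


def would_block(record, sanctioned_hosts=SANCTIONED_HOSTS):
    """Simulate the proposed enforcement rule: block a DLP match unless the
    destination is a sanctioned corporate SaaS host."""
    return bool(record.get("DLPProfiles")) and record["HTTPHost"] not in sanctioned_hosts


def triage(records, sanctioned_hosts=SANCTIONED_HOSTS):
    """Summarise the log-only baseline: hit volume by host, profile and user, how many
    hits land on sanctioned hosts (false positives for a Block rule), and how many
    requests the Block rule would actually stop."""
    hits = dlp_hits(records)
    return {
        "total_requests": len(records),
        "dlp_hits": len(hits),
        "by_host": Counter(r["HTTPHost"] for r in hits),
        "by_profile": Counter(p for r in hits for p in r["DLPProfiles"]),
        "by_user": Counter(r["Email"] for r in hits),
        "sanctioned_hits": sum(r["HTTPHost"] in sanctioned_hosts for r in hits),
        "would_block": sum(would_block(r, sanctioned_hosts) for r in hits),
    }


def print_report(summary, sanctioned_hosts=SANCTIONED_HOSTS):
    print(f"{summary['dlp_hits']} DLP hits in {summary['total_requests']} requests; "
          f"Block rule would stop {summary['would_block']}; "
          f"{summary['sanctioned_hits']} hit(s) go to sanctioned hosts and stay allowed")
    for host, n in summary["by_host"].most_common():
        tag = "sanctioned, keep allowed" if host in sanctioned_hosts else "would block"
        print(f"  {host:<28} {n:>3}  {tag}")
    for profile, n in summary["by_profile"].most_common():
        print(f"  profile {profile!r}: {n} hit(s)")


if __name__ == "__main__":
    print_report(triage(parse_gateway_log(SAMPLE_LOG)))
```

Run this over a full two-week export before changing the policy action; a sanctioned host that still appears under "would block" means the exclusion condition is missing from the rule, and a profile whose hits are dominated by one destination is a candidate for Exact Data Match tuning.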
CASB: SaaS Posture & Shadow IT Checks. API-driven scanning of SaaS misconfiguration and unsanctioned application discovery.
✦ Cloudflare Strength
  • Agentless SaaS scanning: CASB integrations use read-only API access — no SaaS configuration changes or software installation required on the SaaS side.
  • Shadow IT from existing Gateway telemetry: discovered via DNS/HTTP logs already flowing through Gateway — no additional sensor or network tap needed.
  • Cross-SaaS correlation: findings across Google Workspace, M365, Slack, and GitHub are surfaced in a unified findings view with severity and remediation guidance.

Key posture findings to validate

  • Publicly shared files in Google Drive / SharePoint → expect: High severity finding
  • Admin accounts without MFA in Microsoft 365 → expect: Critical finding
  • Over-permissioned OAuth third-party apps → expect: Medium finding
  • Inactive user accounts with active licenses → expect: Low finding with remediation link
Device Posture: WARP Client & Device Posture Validation. Confirm posture checks enforce correctly across managed and unmanaged device scenarios.
✦ Cloudflare Strength
  • Native posture checks without NAC: OS version, disk encryption, EDR (CrowdStrike, SentinelOne, Defender), and serial number checks run directly through WARP.
  • MDM integration: Cloudflare can read compliance status from Intune, Jamf, and Workspace ONE — allowing MDM-managed posture gates without duplicating logic.
  • Per-application posture granularity: higher-sensitivity apps can require stricter posture criteria than general Access policies — enabling tiered trust.

Recommended test cases

  • Managed device, all posture checks passing → expect: Access allowed
  • Managed device, disk encryption disabled → expect: Access blocked per policy
  • Unmanaged device attempting to reach internal app → expect: Clientless RBI or block
  • DEX synthetic test to internal app → expect: latency and availability metrics visible in dashboard
04 Best Practices

Field-validated guidance for deploying and operating Cloudflare One at scale

🏗️ Start with Access before Gateway
Onboarding Zero Trust Access first gives quick wins and proves value without touching outbound traffic. Gateway DNS and HTTP filtering can be layered in a second phase once Access is stable and trusted by the business.
🪜 Pilot posture checks incrementally
Add device posture as an Access policy condition only after validating that all enrolled devices meet the criteria. A failed posture check locking users out on day one is the most common deployment setback.
🔑 Use service tokens for M2M flows
CI/CD pipelines, monitoring agents, and API integrations should use Cloudflare service tokens rather than privileged user credentials. Rotate tokens on a scheduled basis and scope them to the minimum required applications.
📊 Log before you block (DLP & Gateway)
For both Gateway HTTP policies and DLP profiles, run in Log-only mode for at least two weeks. Review the Gateway activity log to identify false positives, tune policies, and get stakeholder sign-off before switching to Block mode.
🌍 Leverage split tunnelling thoughtfully
Use WARP split tunnelling to exclude Microsoft 365 and other high-volume SaaS from tunnel inspection where latency sensitivity outweighs inspection value. Document exclusions clearly — undocumented split tunnels become compliance gaps.
🔄 Align IdP groups to ZT policies
Build a 1:1 mapping between IdP security groups and Cloudflare Access policy groups before deployment. Avoid per-user Access policies — group-based management scales and reduces admin overhead as the user base grows.
🛡️ Enable Browser Isolation for high-risk flows
Apply Remote Browser Isolation to external contractor access, unmanaged device scenarios, and high-risk browsing categories (e.g. newly registered domains). RBI contains browser-borne threats without blocking access entirely.
📅 Schedule CASB posture reviews
Set a recurring calendar reminder (weekly or bi-weekly) to review CASB findings. SaaS misconfigurations accumulate silently — new file shares, OAuth app approvals, and admin account changes all happen outside the security team's view without scheduled review cycles.
05 Add-on Considerations

Products and integrations that enhance or extend the core Cloudflare One deployment

🖥️ Remote Browser Isolation (RBI)

Consider RBI when the customer has contractor / third-party access requirements, unmanaged device populations, or compliance mandates requiring screen-only access to sensitive internal applications. RBI is additive to Access — no separate product negotiation required for existing CF1 customers.

📡 Magic WAN & Magic Firewall

Engage Magic WAN when the customer has branch-to-branch or branch-to-cloud connectivity running on MPLS or legacy VPN. Magic Firewall adds L3/L4 firewall controls over Magic WAN traffic — ideal for customers replacing hardware firewalls at branch sites.

🔒 Email Security (CloudflareAEG)

Cloudflare Area 1 / Email Security is a natural add-on for Zero Trust customers — particularly those enforcing DLP and CASB controls, where email is the most common data exfiltration and phishing vector that sits outside Gateway's inspection scope.

📋 Digital Experience Monitoring (DEX)

DEX provides synthetic monitoring of the WARP-to-Cloudflare-to-application path — giving IT teams visibility into end-user experience degradation before a helpdesk ticket is raised. Strong add-on for customers who have previously had VPN performance complaints.

🤝 SIEM & SOAR Integration

Cloudflare One supports log streaming to Splunk, Microsoft Sentinel, Elastic, Sumo Logic, and others via Logpush. Coordinate with the customer's SOC team early to define which Gateway and Access log streams are required for SIEM ingestion and alert correlation.

🛡️ Cloudflare AppSec Cross-Sell

Zero Trust customers with externally facing web applications are natural candidates for Cloudflare WAF, Bot Management, and API Shield. Position Cloudflare Application Security (WAF, Bot Management, API Shield) as the internet-facing complement to Cloudflare One's workforce-facing Zero Trust controls — together they cover the full threat perimeter.

Escalation & Support Paths
  • Technical Escalation: Raise a support ticket via the Cloudflare dashboard → Support → New ticket. For partner-assisted deployments, InCloud CPS can co-triage via the Cloudflare partner support channel.
  • Partner Engineering: For architecture reviews, POC design, or complex Magic WAN deployments, engage InCloud CPS at CPS@InCloudites.com to arrange a joint session with the Cloudflare SE team.
  • Cloudflare Community: community.cloudflare.com — peer-reviewed Zero Trust configuration threads, workarounds, and product feedback.
  • Developer Documentation: developers.cloudflare.com/cloudflare-one — authoritative, version-controlled reference for all CF1 product configuration.
Powered by AI · Built for Cloudflare Partners

AI-Powered Cloudflare Health Check

CloudPulse is the AI-powered health check platform built specifically for Cloudflare partners — delivering instant, prioritised visibility into your customers' Cloudflare configuration without manual audits. Two modules are available across the Cloudflare portfolio:

🛡️ Health Check AI — AppSec ✓ LIVE

Scans your customer's Cloudflare AppSec configuration — WAF, Bot Management, DDoS, Rate Limiting, API Shield, and SSL — and surfaces prioritised gaps with step-by-step remediation. Generates a shareable, scored health report in under 5 minutes.

AI Zone Analysis — instant scan across all AppSec controls
Security Posture Scoring — shareable score for QBRs and renewals
Audit-Ready Reports — export in minutes, no manual audit work
Continuous Monitoring — catch configuration drift before it becomes a gap
Upsell Intelligence — identify expansion opportunities with AI insights
Need access? Contact us at CPS@InCloudites.com
🔐 Health Check AI — Zero Trust ⏳ COMING SOON

The Cloudflare One / Zero Trust module is currently in development and will be released soon. It will deliver the same AI-driven health check experience — scanning Access policies, Gateway rules, CASB findings, DLP profiles, WARP coverage, and device posture — surfacing gaps and generating a shareable Zero Trust posture report.

→ Access & ZTNA policy analysis
→ Gateway DNS / HTTP rule coverage scoring
→ CASB & DLP posture gap detection
→ WARP device enrolment coverage
→ Shareable Zero Trust health score report
Want early access? Contact us at CPS@InCloudites.com
Key Health Check AI Value:
Improve Retention & Reduce Renewal Churn
Show clear value and ensure customers fully utilise Cloudflare One to drive stronger renewals.
Unlock Upsell Opportunities
Identify targeted add-ons (RBI, Magic WAN, DEX, Email Security) with AI-driven posture insights.
Deliver Services Without Deep Expertise
Enable teams to provide high-quality Zero Trust health checks without needing specialist Cloudflare SMEs.
Create New Revenue Streams
Turn Zero Trust health check findings into billable remediation services and recurring managed security revenue.