InCloud ITES
Cloudflare Partner

This playbook is for InCloud partners and customers.

InCloud ITES Ltd · Cloudflare Partner · Confidential

InCloud Bootcamp

AppSec Playbook
for Cloudflare Enterprise

Status: Current
Audience: Partners & SEs
Scope: Enterprise AppSec
Docs: developers.cloudflare.com

~215B threats blocked daily via global threat intelligence
330+ cities worldwide for low-latency edge delivery
7 core AppSec product categories in this guide
01 · Platform Overview

What Cloudflare Application Services delivers and why it matters

🛡️ Unified Cloud-Native Platform
Combines security, performance, and reliability for externally facing web applications and APIs — deployable as individual services or layered for defence-in-depth protection.

🤖 Threat Neutralisation at Scale
Blocks ~215 billion threats daily through ML-based scoring, global threat intelligence, and managed rulesets that update automatically as the threat landscape evolves.

⚡ Edge Performance Without Trade-offs
Security controls deployed across 330+ cities globally mean protection never compromises latency. Argo Smart Routing and edge caching deliver acceleration alongside security.

🔗 Composable Architecture
Enable services individually or combine WAF + Bot Management + Rate Limiting + API Shield for a positive security model that scales with your application's risk profile.

Together, the platform is designed to:
  • Thwart DDoS, malicious bots, and application-layer abuse
  • Close vulnerabilities, including zero-days, via managed rulesets
  • Accelerate content and API responses at the edge
  • Provide visibility and control over APIs and AI-powered applications
02 · Core Product Categories

Seven capability areas mapped to use cases and official documentation

Each category below lists its key products, the typical use case, and the developer documentation pages to consult.

🛡️ Threat Protection (edge mitigation)
  Key products: DDoS Protection, WAF Managed Rules, Custom Rules, Bot Management
  Typical use case: Stop L7 DDoS, credential stuffing, and scraping — ML-based scoring filters bad actors before they reach your origin
  Developer docs: DDoS Protection, WAF Overview, Bot Management

🔌 API Security (discover, protect, enforce)
  Key products: API Shield, API Discovery, Schema Enforcement, Positive Security Model
  Typical use case: Discover shadow APIs, enforce schemas, prevent over-posting and injection on internal and public APIs
  Developer docs: API Shield, API Discovery, Schema Validation

🧠 AI App Security (GA as of 2026)
  Key products: AI Security for Apps, Prompt Injection Detection, PII Leakage Prevention
  Typical use case: Real-time protection for generative AI endpoints and agents — blocks prompt injection, data leakage, and model abuse
  Developer docs: AI Security for Apps, Get Started

⚡ Performance & Delivery (speed without compromise)
  Key products: CDN, Argo Smart Routing, Load Balancing, Image Optimization
  Typical use case: Reduce TTFB, improve cache hit ratio, route around congestion — performance controls co-exist with security policies
  Developer docs: CDN & Caching, Argo Smart Routing, Load Balancing

🚦 Rate Limiting (control request volume)
  Key products: Advanced Rate Limiting, Security Center, Token Bucket Rules
  Typical use case: Prevent brute force, API abuse, and flash crowds — per IP, per user, or per endpoint with token bucket precision
  Developer docs: Rate Limiting, Security Center

📊 Observability (visibility into everything)
  Key products: Security Analytics, Firewall Events, GraphQL API, Logpush
  Typical use case: Granular traffic visibility for troubleshooting, compliance reporting, rule tuning, and SIEM integration
  Developer docs: Analytics, Logpush, GraphQL API

🤖 AI Dev Assistance (edge inference & tooling)
  Key products: Workers AI, Cursor AI Assistant, Edge Inference
  Typical use case: Run AI models serverlessly at the edge; query Cloudflare-specific knowledge for configuration guidance and prototyping
  Developer docs: Workers AI, Workers AI (Cursor)
03 · Implementation Roadmap

Typical setup sequence — from onboarding to continuous optimisation

1. Onboard Domain / Application (Foundation)
  • Add site to Cloudflare — change nameservers or use partial CNAME setup for existing DNS providers
  • Enable SSL/TLS — Full or Strict mode recommended; ensure origin certificate is valid
  • Verify zone is active and traffic is proxied (orange-cloud DNS record) before applying security policies

2. Baseline Security Activation (⚡ 5–10 min)
  • Turn on DDoS Protection — always-on, mitigated automatically at the network edge with no configuration required
  • Enable WAF Managed Ruleset — OWASP Core + Cloudflare-specific rules; deploy in Log mode first
  • Activate Bot Management — Super Bot Fight Mode for fast start; upgrade to Enterprise Bot Management for ML-based JA3/JA4 fingerprinting

3. Enhance Protection — Layered Approach (Defence-in-depth)
  • Configure Rate Limiting rules per endpoint, per user, per IP — calibrate thresholds from baseline traffic data before blocking
  • Deploy Custom WAF Rules for business logic threats — geo-blocks, User-Agent filtering, path-specific policies
  • For APIs: enable API Shield → run Discovery → enforce positive security model with schema validation
  • Lock down origin: update firewall to accept only Cloudflare IP ranges or deploy Cloudflare Tunnel for zero exposed IPs

4. Secure AI Applications (If applicable)
  • Activate AI Security for Apps on zones serving generative AI endpoints or agent interfaces
  • Define policies to detect and block prompt injection, PII leakage, and jailbreak attempts in real time
  • Test injection vectors explicitly during staging before enabling block mode in production

5. Optimise Performance (Speed layer)
  • Enable Caching via Cache Rules — target >80% cache hit ratio for static assets
  • Turn on Argo Smart Routing for dynamic path selection around congested internet segments
  • Configure Load Balancing for multi-origin setups — includes health checks and automatic failover
  • Enable Image Optimization — Polish (lossless/lossy compression) and Mirage (adaptive loading)

6. Monitor, Tune & Iterate (Continuous)
  • Review Security Analytics and Firewall Events regularly — identify false positives before switching rules to Block
  • Use Security Center to surface posture gaps and recommended actions across your account
  • Leverage GraphQL Analytics API for custom dashboards and SIEM correlation via Logpush
  • Iterate rules based on false positive analysis — combine Bot Score + WAF Score + Rate Limiting for strongest coverage
  • Optional: use Cursor AI Assistant for interactive guidance on configurations or troubleshooting
04 · Best Practices & Common Gotchas

Proven guidance from production deployments

🪵 Start in Log Mode
Always deploy new WAF and Rate Limiting rules in Log mode first. Collect 5–10 days of data, review for false positives, then switch to Block. Never go straight to Block on a production zone.

🏢 Account-Level Configuration
Use account-level WAF policies and managed rulesets where available. This ensures consistent policy enforcement across all zones, rather than per-zone configuration that drifts over time.

🧩 Combine Signals for Stronger Models
Layer Bot Score + WAF Score + Rate Limiting together. A single signal can be spoofed; combined signals create a positive security model that is far harder to bypass.

📈 Target >80% Cache Hit Ratio
Regularly review Analytics to optimise cache performance. A cache hit ratio above 80% for static assets significantly reduces origin load and cost — and shrinks the attack surface.

🔬 Test AI Injection Vectors Explicitly
For AI-powered applications, test prompt injection, jailbreak patterns, and PII leakage scenarios in staging before enabling AI Security for Apps in production block mode.

🔒 Lock Down Your Origin
WAF protection is ineffective if attackers can reach your origin directly via its IP address. Update firewall rules to accept only Cloudflare IP ranges — or deploy Cloudflare Tunnel for full lockdown with zero exposed IPs.
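Roadmap step 3 ("Lock down origin") and this practice come down to the same control, so one added example serves both. This Python is illustrative only (not from the playbook, InCloud, or Cloudflare): it shows the host-firewall layer (an nftables allowlist generated from the Cloudflare ranges) alongside an application-layer backstop that only trusts CF-Connecting-IP when the connecting peer really is a Cloudflare edge. The range list is a constructed subset and `render_nft_allowlist` is a hypothetical helper.

```python
import ipaddress
from typing import Mapping

# Constructed subset of Cloudflare's published edge ranges, for illustration only.
# In production, pull the full current list from https://www.cloudflare.com/ips (it
# changes over time) and regenerate both this list and the firewall set on a schedule.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(c) for c in ("173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32")
]


def is_cloudflare_peer(peer_ip: str) -> bool:
    """True if the TCP peer that reached the origin is a Cloudflare edge address."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in CLOUDFLARE_RANGES)


def classify_request(peer_ip: str, headers: Mapping[str, str]) -> dict:
    """Origin-side backstop for one request. CF-Connecting-IP is trusted as the real
    client address only when the peer is a Cloudflare edge; a direct hit has bypassed
    WAF, Bot Management and Rate Limiting, so it is rejected whatever headers it sends."""
    if not is_cloudflare_peer(peer_ip):
        # Any CF-Connecting-IP value here is attacker-controlled, so never read it.
        return {"allow": False, "reason": "direct-to-origin", "client_ip": peer_ip}
    client = headers.get("CF-Connecting-IP", "")
    try:
        ipaddress.ip_address(client)  # Cloudflare sets this on every proxied request
    except ValueError:
        return {"allow": False, "reason": "bad-cf-connecting-ip", "client_ip": peer_ip}
    return {"allow": True, "reason": "via-cloudflare", "client_ip": client}


def render_nft_allowlist() -> str:
    """Hypothetical helper: render an nftables ruleset that drops inbound 80/443 from
    any non-Cloudflare peer (host-firewall layer). Review the output, then `nft -f` it."""
    v4 = ", ".join(str(n) for n in CLOUDFLARE_RANGES if n.version == 4)
    v6 = ", ".join(str(n) for n in CLOUDFLARE_RANGES if n.version == 6)
    return "\n".join([
        "table inet cf_origin {",
        f"  set cf_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set cf_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    tcp dport { 80, 443 } ip saddr != @cf_v4 drop",
        "    tcp dport { 80, 443 } ip6 saddr != @cf_v6 drop",
        "  }",
        "}",
    ])
```

Repeated "direct-to-origin" rejections in the origin's logs are worth alerting on: they mean the origin IP is known to someone who is not coming through the edge, which is the case Cloudflare Tunnel removes entirely.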
05 · When to Escalate to Enterprise

Signals that indicate an Advanced or Enterprise tier engagement

🤖 Advanced Bot Detection Required

Customer needs ML-based bot detection with custom JA3/JA4 fingerprinting, device fingerprinting, or behavioural analysis beyond Super Bot Fight Mode capability.

🔌 Advanced API Security

Require strict API schema validation, mutual TLS (mTLS) for API authentication, or sequence mitigation for complex multi-step API abuse patterns.

💥 Extreme-Scale DDoS

Handling DDoS at >Tbps scale, or requiring network-layer Magic Transit protection for on-premises or cloud infrastructure beyond L7 HTTP coverage.

📋 Dedicated SLAs & Threat Intel

Customer requires dedicated support SLAs, named TAM, custom threat intelligence feeds, or compliance evidence packs (SOC 2, ISO 27001, PCI) for audit.

🧠 AI Application Security at Scale

GenAI endpoints handling significant volume require enterprise-grade prompt injection detection, model abuse prevention, and custom policy configuration.

🔍 Continuous Posture Management

Customer needs ongoing configuration health monitoring, drift detection across all zones, and automated scoring — use CloudPulse.io to deliver this as a managed service.

📚 Cloudflare Developer Documentation Hub
Full product docs, rule syntax, API references, tutorials, and changelogs: developers.cloudflare.com

CloudPulse · Powered by AI · Built for Cloudflare Partners

AI-Powered Cloudflare Health Check

Even after a successful AppSec deployment, Cloudflare configurations drift. Rules get cloned without review, bot thresholds go untuned, WAF exceptions accumulate. CloudPulse is the AI-powered health check tool built specifically for Cloudflare, delivering instant, continuous visibility into your AppSec posture without manual audits.

  • AI Zone Analysis: scans every zone across WAF, Bot, DDoS, SSL and performance instantly
  • Prioritised Recommendations: highest-impact gaps surfaced first with step-by-step remediation
  • Security Posture Scoring: shareable AppSec health score to track improvement over time
  • Audit-Ready Reports: export a professional health check report in minutes for QBRs
  • Continuous Monitoring: catch configuration drift before it becomes a vulnerability

What it means for partners:
  • Improve Retention & Reduce Renewal Churn: show clear value and ensure customers fully utilise Cloudflare to drive stronger renewals.
  • Unlock Upsell Opportunities: identify targeted add-ons and expansion use cases with AI-driven insights.
  • Deliver Services Without Deep Expertise: enable teams to provide high-quality outcomes without needing specialist Cloudflare SMEs.
  • Create New Revenue Streams: turn recommendations into billable services and recurring revenue.

Run your first Cloudflare health check in under 5 minutes.

  • Pre-sales: evidence gaps to justify AppSec investment
  • Post-deployment: prove value delivered under the SOW
  • QBRs: share scored health report at every review
  • Managed services: continuous posture monitoring
  • No manual audit work required
Visit cloudpulse.io or send email to discover@incloudites.com
CloudPulse.io is powered by Cyntra AI