The 38 Cloudflare security checks Black Cat runs
Black Cat SSPM evaluates 38 security policies against your Cloudflare configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Remove or convert external Cloudflare account members not part of your organization
Configure SSO with an identity provider in Cloudflare Zero Trust for centralized authentication
Reduce Cloudflare Super Administrator count by demoting unnecessary admins to specific roles
Ensure at least two Cloudflare Super Administrator accounts exist for redundancy
Require Cloudflare Super Administrators to enable two-factor authentication immediately
Review and revoke stale pending Cloudflare account member invitations
ai governance
Enable request logging on the Cloudflare AI Gateway to capture prompts and responses
Enable authentication on the AI Gateway to restrict who can route inference requests
Configure rate limiting on the AI Gateway to prevent abuse and cost overruns
Enable Zero Data Retention (ZDR) on the AI Gateway to prevent Cloudflare from storing inference data
Configure content guardrails on the AI Gateway to filter harmful or inappropriate content
Configure Logpush for the AI Gateway to export logs to an external SIEM or storage
Change the AI Gateway log management strategy from DELETE_OLDEST to STOP_INSERTING to prevent silent log loss
Reduce retry attempts or add rate limiting to prevent amplified abuse on the AI Gateway
Review the Worker source code to verify it routes AI calls through an AI Gateway
Enable authentication on at least one AI Gateway in the account
Review account fine-tuned models for proprietary training data exposure
autonomy
Block or restrict high-risk AI Gateway agents with scores above 70
configuration
Enable Cloudflare Browser Integrity Check to block requests from malicious clients
Enable the Cloudflare Web Application Firewall and configure managed rulesets
Raise the Cloudflare zone security level from Essentially Off to Medium or higher
Raise the Cloudflare zone security level from Low to Medium or higher
Investigate why Cloudflare zone settings cannot be retrieved and ensure API token has sufficient permissions
encryption
Enable SSL/TLS encryption on the Cloudflare zone and set the mode to at least Full
Upgrade Cloudflare SSL mode from Flexible to Full (strict) to encrypt origin traffic
Enable Always Use HTTPS for the Cloudflare zone to redirect all HTTP traffic
Enable Automatic HTTPS Rewrites for the Cloudflare zone to fix mixed content issues
Enable HSTS on the Cloudflare zone with a max-age of at least 6 months
Set the Cloudflare zone minimum TLS version to 1.2 or higher
Enable Opportunistic Encryption for the Cloudflare zone
Enable TLS 1.3 for the Cloudflare zone to improve security and performance
Set Cloudflare SSL/TLS encryption mode to Full (Strict) to verify origin certificates
lifecycle
Reassign the AI Gateway agent to an active owner
mfa
Require Cloudflare account members to enable two-factor authentication
Enable two-factor authentication enforcement for all Cloudflare account members
network
Review and remove unnecessary DNS wildcard records to reduce the attack surface
Remove or correct DNS A records pointing to RFC 1918 private IP addresses
Enable Cloudflare proxy for A/AAAA DNS records to hide the origin server IP address