Skip to content

The 38 Cloudflare security checks Black Cat runs

Black Cat SSPM evaluates 38 security policies against your Cloudflare configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumExternal Account Member

Remove or convert external Cloudflare account members not part of your organization

mediumSSO Not Configured

Configure SSO with an identity provider in Cloudflare Zero Trust for centralized authentication

mediumSuper Admin Count Excessive

Reduce Cloudflare Super Administrator count by demoting unnecessary admins to specific roles

highSuper Admin Redundancy Missing

Ensure at least two Cloudflare Super Administrator accounts exist for redundancy

criticalSuper Admin Without MFA

Require Cloudflare Super Administrators to enable two-factor authentication immediately

mediumPending Account Member

Review and revoke stale pending Cloudflare account member invitations

ai governance

highAI Gateway Logging Disabled

Enable request logging on the Cloudflare AI Gateway to capture prompts and responses

highAI Gateway No Authentication

Enable authentication on the AI Gateway to restrict who can route inference requests

highAI Gateway No Rate Limiting

Configure rate limiting on the AI Gateway to prevent abuse and cost overruns

mediumAI Gateway ZDR Disabled

Enable Zero Data Retention (ZDR) on the AI Gateway to prevent Cloudflare from storing inference data

mediumAI Gateway No Guardrails

Configure content guardrails on the AI Gateway to filter harmful or inappropriate content

mediumAI Gateway No Log Export

Configure Logpush for the AI Gateway to export logs to an external SIEM or storage

mediumAI Gateway Log Overflow Silent

Change the AI Gateway log management strategy from DELETE_OLDEST to STOP_INSERTING to prevent silent log loss

mediumAI Gateway Aggressive Retry Without Rate Limit

Reduce retry attempts or add rate limiting to prevent amplified abuse on the AI Gateway

lowWorker AI Binding Ungoverned

Review the Worker source code to verify it routes AI calls through an AI Gateway

lowAI Gateway Account-Wide No Authentication

Enable authentication on at least one AI Gateway in the account

lowFine-Tuned Model Present

Review account fine-tuned models for proprietary training data exposure

autonomy

highCloudflare AI Gateway Agent High Risk Unblocked

Block or restrict high-risk AI Gateway agents with scores above 70

configuration

mediumBrowser Integrity Check Disabled

Enable Cloudflare Browser Integrity Check to block requests from malicious clients

highWAF Disabled

Enable the Cloudflare Web Application Firewall and configure managed rulesets

highSecurity Level Essentially Off

Raise the Cloudflare zone security level from Essentially Off to Medium or higher

mediumSecurity Level Low

Raise the Cloudflare zone security level from Low to Medium or higher

mediumZone Settings Unavailable

Investigate why Cloudflare zone settings cannot be retrieved and ensure API token has sufficient permissions

encryption

criticalSSL Encryption Disabled

Enable SSL/TLS encryption on the Cloudflare zone and set the mode to at least Full

highSSL Mode Flexible

Upgrade Cloudflare SSL mode from Flexible to Full (strict) to encrypt origin traffic

highAlways Use HTTPS Disabled

Enable Always Use HTTPS for the Cloudflare zone to redirect all HTTP traffic

mediumAutomatic HTTPS Rewrites Disabled

Enable Automatic HTTPS Rewrites for the Cloudflare zone to fix mixed content issues

highHSTS Disabled

Enable HSTS on the Cloudflare zone with a max-age of at least 6 months

highMinimum TLS Version Weak

Set the Cloudflare zone minimum TLS version to 1.2 or higher

lowOpportunistic Encryption Disabled

Enable Opportunistic Encryption for the Cloudflare zone

mediumTLS 1.3 Disabled

Enable TLS 1.3 for the Cloudflare zone to improve security and performance

mediumTLS Mode Not Strict

Set Cloudflare SSL/TLS encryption mode to Full (Strict) to verify origin certificates

lifecycle

highCloudflare AI Gateway Agent Orphaned Owner

Reassign the AI Gateway agent to an active owner

mfa

highMFA Not Enabled

Require Cloudflare account members to enable two-factor authentication

criticalTwo-Factor Enforcement Disabled

Enable two-factor authentication enforcement for all Cloudflare account members

network

mediumDNS Wildcard Record

Review and remove unnecessary DNS wildcard records to reduce the attack surface

mediumDNS Record Points to Private IP

Remove or correct DNS A records pointing to RFC 1918 private IP addresses

lowDNS Record Not Proxied

Enable Cloudflare proxy for A/AAAA DNS records to hide the origin server IP address

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial