How it works

Once you enable Security Insights, Cloudflare runs regular security scans on your account. These scans check your Cloudflare account settings, DNS record configurations, and product configurations — such as SSL/TLS, WAF, and Access — across all domains in your account.

Each scan compares your current configuration against a set of ideal product configurations that indicate a strong security posture. When your configuration does not match an ideal configuration for one or more checks, the scan produces a Security Insight — a finding that represents a potential risk.

The list of insights may include potential security threats, vulnerabilities, compliance risks, insecure configurations, or any other identified risks.

Scan properties

Each insight has the following properties:

  • Severity: The security risk of the insight. The severity values are: Moderate, High, and Critical. The higher the severity level, the higher the risk of threat to your environment.
  • Insight: The insight description detailing the current configuration that is causing the risk or vulnerability.
  • Risk: A description of the risk associated with not addressing the issue.
  • Type: The insight category.

For a full list of insight types and their descriptions, refer to Security Insights.

Scan frequency

Once you enable Security Insights, Cloudflare performs scans automatically. Paying customers (as defined in the table below) are re-scanned daily and can trigger a scan manually:

| Plan | Scan Frequency | On-Demand |
| --- | --- | --- |
| Accounts on a Free, Pro, or Business plan | Every 7 days | Yes |
| Accounts on an Enterprise plan | Every 3 days | Yes |

Eligible accounts (Business, Enterprise, or Teams plans) can also manually start a scan. Refer to Get started for instructions.