Skip to content

WAF attack score

The attack score traffic detection helps identify variations of known attacks and their malicious payloads. This detection complements WAF Managed Rules.

WAF’s managed rulesets contain rules that are continuously updated to better detect malicious payloads. They target specific patterns of established attack vectors and have a very low rate of false positives. However, managed rulesets are not optimized for attacks based on variations of the original signature introduced, for example, by fuzzing techniques.

Attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like Bot Management, you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules.

To maximize protection, Cloudflare recommends that you use both Managed Rules and attack score.

Available scores

The Cloudflare WAF provides the following attack scores:

ScoreMinimum plan requiredAttack vectorField
WAF Attack ScoreEnterpriseN/A (global score)cf.waf.score
WAF SQLi Attack ScoreEnterpriseSQL injection (SQLi)cf.waf.score.sqli
WAF XSS Attack ScoreEnterpriseCross-site scripting (XSS)cf.waf.score.xss
WAF RCE Attack ScoreEnterpriseRemote Code Execution (RCE)cf.waf.score.rce
WAF Attack Score ClassBusinessN/A (global classification)cf.waf.score.class

You can use these fields in expressions of custom rules and rate limiting rules where:

  • A score of 1 indicates that the request is almost certainly malicious.
  • A score of 99 indicates that the request is likely clean.
  • A score of 100 indicates that the Cloudflare WAF did not score the request.

The available scores are independent of each other. Namely, the WAF Attack Score is not a sum of the other scores.

The WAF Attack Score Class field can have one of the following values, depending on the calculated request attack score:

Dashboard labelField valueDescription
AttackattackAttack score between 1 and 20.
Likely attacklikely_attackAttack score between 21 and 50.
Likely cleanlikely_cleanAttack score between 51 and 80.
CleancleanAttack score between 81 and 99.

Requests with an attack score of 100 will have a class of Unscored in the Cloudflare dashboard, but you cannot use this class value in rule expressions.

Attack score automatically detects and decodes Base64, JavaScript (Unicode escape sequences), and URL encoded content anywhere in the request: URL, headers, and body.


Start using WAF attack score

1. Create a custom rule

If you are an Enterprise customer:

  • Create a WAF custom rule that logs all requests with a WAF Attack Score below 40 (recommended initial threshold). For example, set the rule expression to cf.waf.score lt 40 and the rule action to Log.

If you are a Business customer:

  • Create a WAF custom rule matching requests with a WAF Attack Score Class of Attack. For example, set the rule expression to cf.waf.score.class eq "attack" and the rule action to a challenge action (such as Managed Challenge) or Block.

2. Monitor domain traffic

Monitor the rule you created, especially in the first few days, to make sure you entered an appropriate threshold (or class) for your traffic. Update the rule if required.

3. Update the rule action

If you are an Enterprise customer and you created a rule with Log action, change the rule action to a more severe one, like Managed Challenge or Block.


Additional remarks

The WAF Attack Score is different from Threat Score and Bot Score. WAF Attack Score identifies variation of attacks that WAF Managed Rules do not catch. Bot Score identifies bots, while Threat Score measures IP reputation across Cloudflare services.