Always-On Detections: Eliminating The WAF 'Log Versus Block' Trade-Off
Cloudflare, Wednesday, March 4th, 2026
Traditional Web Application Firewalls typically require extensive, manual tuning of their rules before they can safely block malicious traffic. When a new application is deployed, security teams usually begin in a logging-only mode, sifting through logs to gradually assess which rules are safe for blocking mode.
This process is designed to minimize false positives so that legitimate traffic is not affected, but it is manual, slow and error-prone.
Teams are forced into a trade-off: visibility in log mode, or protection in block mode. When a rule blocks a request, evaluation stops, and you lose visibility into how other signatures would have assessed it, which is valuable insight that could have helped you tune and strengthen your defenses.
Today, we're solving this by introducing the next evolution of our managed rules: Attack Signature Detection.
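To make the trade-off concrete, here is a toy rule engine, added as an illustration; it is not Cloudflare's code and does not describe how Attack Signature Detection is implemented. The signature set, the sample request, the `evaluate` function and the `always_on` mode (run every signature, then decide the action) are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed signatures for illustration; real managed rules are far broader.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def evaluate(raw_query, mode, blocking=frozenset()):
    """Return (action, matched_signature_ids) for one request.

    mode="log":       every signature runs, nothing is blocked.
    mode="block":     evaluation stops at the first matching signature.
    mode="always_on": every signature runs, then the action is decided
                      from the full match set (hypothetical third mode).
    """
    payload = unquote_plus(raw_query)
    matched = []
    for sig_id, pattern in SIGNATURES:
        if not pattern.search(payload):
            continue
        matched.append(sig_id)
        if mode == "block":
            # Terminating action: later signatures never see the request.
            return "block", matched
    if mode == "always_on" and blocking.intersection(matched):
        return "block", matched
    return "allow", matched


# Constructed request that trips three signatures at once.
SAMPLE = ("q=1%27+OR+1%3D1+UNION+SELECT+pw+FROM+users--"
          "&next=%3Cscript%3Ex%3C%2Fscript%3E")

if __name__ == "__main__":
    for mode in ("log", "block", "always_on"):
        print(mode, evaluate(SAMPLE, mode, blocking={"sqli-union"}))
```

In block mode the log only ever shows the first signature, so you never learn that the other two would have matched; in log mode you see all three but the request goes through.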