blog.cloudflare.com 3/3/2026, 2:37:46 PM · via preferred

Cloudflare Edge Native Threat Intel Powers Instant Firewall Rules

Cloudflare’s Threat Intelligence Platform has evolved to be actionable, scalable, and ETL-less, according to a 3 March 2026 post that describes a shift from traditional data handling to edge-native threat intelligence. The platform uses a sharded, SQLite-backed architecture with GraphQL running on the edge, distributing Threat Events across thousands of Durable Objects to deliver sub-second query latency even across millions of events.

Ingestion relies on Cloudflare Queues and long‑term storage in R2, while the hot index remains in the Durable Object’s SQLite storage for instant retrieval, with parallel multi‑shard fan‑out to speed searches. The system enables automatic STIX2 exports, mapping internal indicators to standard observables and linking them to threat actors or campaigns, and can generate firewall rules via the Firewall Rules API to enable instant protection.
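The export and rule-generation step described above, as an added sketch that is not Cloudflare's code: it maps constructed internal events to STIX 2.1 indicators linked to a threat actor and derives a Cloudflare Rules language expression from the same validated values. The event field names, the actor name and the helper functions are assumptions; submitting the expression to the Firewall Rules API is left out.

```python
import ipaddress
import re
import uuid
from datetime import datetime, timezone
# Constructed sample events; field names are assumptions, not Cloudflare's schema.
EVENTS = [
    {"kind": "ipv4", "value": "192.0.2.10", "actor": "EXAMPLE-ACTOR"},
    {"kind": "ipv4", "value": "198.51.100.0/24", "actor": "EXAMPLE-ACTOR"},
    {"kind": "domain", "value": "bad.example", "actor": "EXAMPLE-ACTOR"},
    {"kind": "domain", "value": 'x"} or true', "actor": "EXAMPLE-ACTOR"},  # malformed
]
STIX_PATH = {"ipv4": "ipv4-addr:value", "domain": "domain-name:value"}
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def is_valid(ev):
    # Only values that parse as an IPv4 address/CIDR or a hostname may reach a rule.
    if ev["kind"] == "ipv4":
        try:
            ipaddress.IPv4Network(ev["value"], strict=False)
            return True
        except ValueError:
            return False
    return ev["kind"] == "domain" and bool(HOSTNAME.match(ev["value"]))

def _sdo(kind, now, **props):
    return {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uuid.uuid4()}",
            "created": now, "modified": now, **props}

def to_stix_bundle(events):
    # One indicator per event, one threat-actor per name, linked by "indicates".
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    actors, objects = {}, []
    for ev in filter(is_valid, events):
        actor = actors.setdefault(ev["actor"], _sdo("threat-actor", now, name=ev["actor"]))
        ind = _sdo("indicator", now, pattern_type="stix", valid_from=now,
                   pattern=f"[{STIX_PATH[ev['kind']]} = '{ev['value']}']")
        rel = _sdo("relationship", now, relationship_type="indicates",
                   source_ref=ind["id"], target_ref=actor["id"])
        objects += [ind, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(actors.values()) + objects}

def to_rule_expression(events):
    # Build the match expression from validated values only, never raw feed text.
    good = [ev for ev in events if is_valid(ev)]
    ips = " ".join(ev["value"] for ev in good if ev["kind"] == "ipv4")
    hosts = " ".join(f'"{ev["value"].lower()}"' for ev in good if ev["kind"] == "domain")
    parts = [("ip.src", ips), ("http.host", hosts)]
    return " or ".join(f"({field} in {{{vals}}})" for field, vals in parts if vals)
```

The malformed fourth event is dropped by `is_valid`, so a crafted indicator value cannot alter the logic of the generated expression.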

Cloudforce One access is offered at Essentials, Advantage, and Elite levels, and the article emphasises a human‑in‑the‑loop model through an RFI portal that enriches the intelligence feed at the edge.

Article by CyberSIXT