CLOUDFLARE

CONFIDENTIAL — FOR FORTESCUE USE ONLY

Fortescue Security Insights

Cloudflare Dashboard & Security Visibility Review

April 2026

Today's Agenda

Cloudflare sits in front of every request to your web presence. Here's what the dashboard surfaces — and the security intelligence you gain the moment traffic flows through our network.

Application Security

WAF & firewall threat blocking, managed rules, attack wave analytics

Bot Management

Automated traffic classification, detection engines, threat tags

API Security

Endpoint discovery, schema validation, risk signals, session posture

Page Shield

Client-side scripts, third-party connections, cookie intelligence

DNS & Network Protection

DNS query analytics, CDN coverage, Spectrum TCP/UDP protection

Traffic Intelligence

Geographic origins, live request analysis, cache performance

Application Security — WAF & Firewall

Attack Volume & Trend

Month-by-month blocked vs. logged events. Correlate spikes with external threat campaigns, CVE disclosures, or your own deployment activity.

Rule-Level Breakdown

See exactly which managed rules are triggering — OWASP, SQLi, XSS, RCE — and which are generating the highest event volume against your specific applications.

Firewall Rule Effectiveness

Custom rules, rate limits, and managed rulesets — the dashboard shows which layer is doing the blocking and what would have reached your origin without it.

Zero-Impact Blocking

All blocking happens at Cloudflare's edge — your origin never sees the attack traffic. The dashboard quantifies what was absorbed on your behalf.

What we typically find

Attack waves are not random. Resources companies see targeted scanning campaigns correlating with commodity price events and public filings.

Rule debt accumulates fast. Legacy WAF rules create conflicting logic — increasing false positives and hiding real attack signals.

Logging mode = blind spots. Rules left in "log" rather than "block" generate data but provide no protection — the dashboard makes this visible immediately.

For Fortescue

Within 24 hours of going live on Cloudflare, Fortescue's WAF dashboard will show the exact attack profile hitting your web estate — broken down by rule, attack type, source geography, and path. No instrumentation needed on your side.

Bot Management

Traffic Classification  ·  Detection Engines  ·  Threat Tags

Bot Management — Detection Tags & Threat Intelligence

~60%

of all traffic is non-human on a typical enterprise estate

Key insight

Attack spikes appear as sudden surges in "Likely Automated" traffic — visible in the Bot Management dashboard before WAF events fire. Every request is scored 1–99 by machine learning, heuristics, and JavaScript detections running in parallel.

ai_bot

AI crawler agents — GPTBot, CCBot, Bytespider — systematically harvesting web content to train commercial LLMs. For resources companies this includes operational data, technical documents, and investor content.

empty_ua

Automated scripts running with no user agent — bare HTTP clients used by scrapers and attack tooling. No legitimate browser ever operates this way.

spoofed_bot

Bots deliberately impersonating legitimate browsers — faking user agents, mimicking human HTTP behaviour. Only ML behavioural fingerprinting catches these; firewall rules and IP blocklists cannot.

credential_stuffing / scanner

Automated login and enumeration attacks against internal tools, supplier portals, and employee-facing applications — common against resources sector companies with large contractor ecosystems.

verified_bot

Legitimate crawlers — Google, Bing, LinkedIn — identified and explicitly allowlisted so they are never accidentally blocked. Cloudflare maintains a continuously updated verified bot registry.

Detection tags appear in the Security Events dashboard & are exportable via Logpush/GraphQL API for SIEM correlation

API Security

API Shield  ·  Discovery  ·  Schema Validation  ·  Risk Signals

API Shield — What the Dashboard Discovers

ML

Automatic endpoint discovery — no config

100%

API traffic scored for risk signals

What API Discovery shows

Cloudflare's ML engine maps every API endpoint receiving traffic — including shadow APIs that are undocumented or forgotten. Typically, we find 30–40% more endpoints than customers self-report. Each gets risk-labelled automatically.

Common risk labels we surface

cf-risk-errors-anomaly  ·  cf-risk-missing-auth  ·  cf-risk-missing-schema  ·  cf-risk-mixed-auth

Each label pinpoints a specific risk on a specific endpoint — giving your security team an actionable, prioritised remediation list.

Schema Validation — Positive Security Model

Cloudflare learns the schema of your APIs automatically. You can enforce it — blocking requests that don't conform before they reach your origin.

Rate Limiting — Per Session, Not Per IP

With session identifiers configured, Cloudflare recommends per-user, per-endpoint rate limits — far more precise than IP-based controls that attackers rotate around.

Sequence Analytics

Detect attack sequences — enumerate → extract → exfiltrate — that span multiple API calls. Invisible to point-in-time rules, caught by session-aware sequencing.

SIEM Export via GraphQL

Full API event data — endpoint, method, response code, bot score, risk label — available via GraphQL API or Logpush for export to your security tooling.

Fallthrough WAF Rule

A single rule catches any request to an endpoint not in your managed inventory — protecting against zombie APIs and newly deployed but unregistered endpoints.

Page Shield

Client-Side Security  ·  Scripts  ·  Connections  ·  Cookies

Page Shield — Client-Side Security Visibility

The threat: supply chain attacks

Your web pages load JavaScript from dozens of third-party providers. If any one is compromised, attackers can silently inject code — stealing credentials and data directly from users' browsers. Page Shield detects and blocks this at the source.

Scripts

All third-party scripts inventoried automatically

Connections

Every outbound destination mapped & monitored

Cookies

All cookies classified by origin, type & security flags

What Page Shield surfaces in the dashboard

Admin scripts loading on public pages

Privileged JavaScript files that appear on user-facing pages — a common supply chain misconfiguration that creates high-impact attack vectors.

Advertising & tracking pixels

Social media and analytics pixels (TikTok, Snapchat, Meta) often appear on sensitive pages without explicit approval — creating compliance exposure under the Australian Privacy Act.

Outdated libraries with known CVEs

Page Shield flags JavaScript libraries with known vulnerabilities — jQuery, Bootstrap, and others — that arrive via third-party dependencies, not your own code.

Code change detection

Alerts the moment any monitored script changes — catching supply chain compromises in real time before they impact users.

Real-world precedent: The 2020 British Airways supply chain attack — £20M fine, 500,000 records stolen — was exactly this attack pattern. Page Shield detects and blocks it.

Network & Traffic Intelligence

DNS Protection  ·  CDN Coverage  ·  Geographic Origins  ·  Cache Performance

DNS & CDN — Visibility Across All Zones

DNS Query Analytics

300M+

DNS queries/month, typical enterprise estate

All zones

Per domain & subdomain, broken down in dashboard

DNS-layer threat protection

Cloudflare resolves every DNS query — blocking malicious domains, preventing DNS tunnelling, and providing full query-level visibility before a connection is ever established.

Spectrum — TCP/UDP Protocol Protection

Protects non-HTTP workloads — OT/SCADA proxies, SFTP, custom industrial protocols. Usage is tracked against contracted limits in the dashboard.

CDN & Cache Performance

Current

Baseline cache HIT rate (varies — often near zero)

40–60%

Achievable with Cache Rules enabled

Common CDN finding

Without Cache Rules, static assets — images, JS, CSS, fonts — bypass the cache entirely, sending hundreds of gigabytes of avoidable traffic to origin servers. The dashboard surfaces exactly which content types are hitting origin and quantifies the opportunity.

Global performance improvement

Content served from Cloudflare's edge reaches users from the nearest of 330+ data centres — reducing latency for Fortescue's globally distributed workforce.

Traffic Intelligence — Geographic Origins & Anomalies

What the dashboard shows per country & ASN

Request volume by country

Every request is attributed to a source country. For Fortescue, AU dominates legitimate traffic — anomalous volume from unexpected geographies stands out immediately.

ASN-level source breakdown

Traffic is attributed to its originating Autonomous System — identifying cloud provider origin (AWS, Azure, GCP) versus residential ISPs or known data centre ranges used by attackers.

Operational footprint confirmation

Traffic from mine-site regions (WA, SA, NT) and international operations confirms legitimate reach — distinguishing genuine operational traffic from automated noise.

Anomaly signals to watch

High req/visit ratio

Normal browsing: 30–40 requests per visit. Scanning tools: 500–1,000+. The dashboard shows this ratio per country — flagging automated probing campaigns instantly.

Tor Network (T1) access

Cloudflare identifies Tor exit nodes as "T1" and surfaces them separately in the geographic breakdown. Common in reconnaissance and attack-preparation activity.

Cloud ASN concentration

Bulk traffic from AWS, Azure, or GCP IP ranges — attackers and AI crawlers operate from cloud providers. The ASN view makes this immediately visible alongside the country data.

What This Means for Fortescue

Security Posture  ·  Recommended Approach  ·  Next Steps

What Cloudflare Delivers for Fortescue

1. Threat Visibility from Day One

WAF, bot, DNS, and CDN dashboards are live the moment Fortescue's traffic flows through Cloudflare. No instrumentation, no agents — immediate visibility across all zones.

2. Bot Management

Every request scored 1–99 using ML and JS detections. Identify AI crawlers, spoofed bots, and credential-stuffing attacks targeting Fortescue's portals.

3. API Surface Discovery

ML maps Fortescue's full API estate automatically — including undocumented shadow endpoints. Schema validation and session-aware rate limiting included.

4. Page Shield — Supply Chain

Inventories every third-party script, connection, and cookie across Fortescue's web pages. Code change detection alerts the moment any monitored script is modified.

5. AI Gateway & LLM Protection

Govern AI API usage across engineering and operations teams. Rate limiting, DLP, and usage analytics for OpenAI, Anthropic, and Gemini — without blocking innovation.

6. SIEM Integration & Audit Trail

All security events, bot scores, and API findings exportable via Logpush or GraphQL to Fortescue's SIEM. Full audit trail for compliance and incident response.

Recommended Next Steps

1. Security Discovery Workshop

Review Fortescue's web estate, API surface, and current security stack. Identify priority zones for a targeted PoC.

High

2. 14-Day Bot Management Trial

Bot Management in log-only mode on Fortescue's primary zone. Within 14 days we produce a full bot threat analysis of what automated traffic is hitting your estate.

High

3. API Shield Discovery Run

Cloudflare's ML maps Fortescue's API estate. Discovery report covers endpoints found, risk labels, and schema coverage gaps.

Medium

4. Page Shield Supply Chain Audit

Run Page Shield across Fortescue's public properties. Surface every third-party script, connection, and cookie — identify compliance and security risks.

Medium

5. Security Review Presentation

Consolidate PoC findings into a tailored Security Insights review — Fortescue data, visualised in a deck like this one.

Low

What Fortescue gets from a PoC

Full bot traffic analysis — classified, scored, and tagged by threat type

API endpoint discovery map — including shadow APIs and risk labels

WAF event breakdown — attack types, volume, and rule effectiveness

Page Shield scan — client-side scripts, connections, and cookies

Geographic traffic intelligence — anomaly detection and origin analysis

Tailored security review deck — Fortescue data, context, and findings

The goal of the PoC is not to sell a product — it's to show Fortescue's security team exactly what Cloudflare can see, and let the data speak for itself.

Thank You

Questions & Discussion

Jason Clarke

jclarke@cloudflare.com

Solutions Engineer, Cloudflare ANZ

This presentation illustrates the security visibility and insights Cloudflare provides · April 2026 · Data shown is illustrative