Cloudflare has released technical documentation for its internal vulnerability discovery system, outlining how the company automates the detection and triage of security flaws across its infrastructure. The disclosure provides a rare look at the engineering behind large-scale, continuous security scanning in a CDN environment.
The system is designed to address two persistent challenges in automated vulnerability discovery: high false-positive rates and the context limitations of large language models (LLMs). Cloudflare’s approach uses a staged pipeline that separates initial detection from validation, with manual review reserved for ambiguous cases.
How the system works
Cloudflare describes the harness as a multi-stage pipeline. A discovery stage scans code and infrastructure for candidate vulnerabilities using a mix of static analysis, dynamic testing, and heuristic rules. Candidates then enter a validation stage, where adversarial techniques simulate real-world exploitation attempts to confirm or dismiss each one. Confirmed findings are finally handed to a routing layer that uses LLMs to classify them by severity and assign them to the appropriate engineering teams for remediation.
State management is handled through a centralized control plane that tracks each vulnerability’s progress from initial detection to closure. This allows the system to avoid redundant scans and ensures that fixes are verified before cases are marked as resolved. The company notes that separating detection from validation has significantly reduced the volume of false positives that reach human reviewers, though it does not provide specific metrics comparing the new system to earlier tools.
Design choices and trade-offs
The architecture prioritizes scalability and integration with Cloudflare’s existing CI/CD pipelines. Vulnerability data is stored in a structured format that feeds into both the company’s internal ticketing system and its public bug bounty program. This dual-purpose design allows the same harness to serve both proactive security efforts and external researcher submissions.
One notable limitation is the system’s reliance on LLMs for routing and classification. Cloudflare acknowledges that context window constraints require breaking complex vulnerabilities into smaller chunks, which can lead to misclassification. To mitigate this, the company employs a fallback mechanism that escalates ambiguous cases to human analysts rather than risking incorrect prioritization.
The adversarial validation stage is another key feature. By attempting to exploit each suspected vulnerability before flagging it, the system filters out low-confidence findings that might otherwise overwhelm security teams. This step is computationally expensive but reduces the burden on manual reviewers, who only see cases that have already passed multiple layers of automated scrutiny.
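The staged loop described above (noisy discovery, adversarial validation, confidence-gated routing with escalation to a human, and a control plane that deduplicates re-scans and re-verifies a fix before closing a case) is sketched below in Python. This is an added illustration, not Cloudflare's code and not a description of its internals: the two request handlers, the reflected-input rule, the canary payload, the lookup table standing in for the LLM classifier, the 0.8 confidence floor and the team name are all constructed for the example.

```python
"""Staged triage loop: discovery -> adversarial validation -> confidence-gated routing,
with a control plane that deduplicates findings and re-verifies fixes before closure.
Added illustration, not Cloudflare's code; targets, rules, teams and thresholds are constructed."""
import hashlib
import html
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


# Constructed targets: two handlers a pattern-based scanner would flag identically.
def vulnerable_search(q: str) -> str:
    return f"<p>Results for {q}</p>"                # reflects caller input unescaped


def safe_search(q: str) -> str:
    return f"<p>Results for {html.escape(q)}</p>"   # same shape, but encoded


TARGETS: Dict[str, Callable[[str], str]] = {"/search": vulnerable_search, "/safe-search": safe_search}


class State(str, Enum):
    DETECTED = "detected"
    DISMISSED = "dismissed"      # validation could not exploit it
    ROUTED = "routed"            # confirmed and assigned to a team
    NEEDS_HUMAN = "needs_human"  # ambiguous: escalated instead of guessed
    RESOLVED = "resolved"        # fix deployed and re-verified


@dataclass
class Finding:
    rule: str
    location: str
    state: State = State.DETECTED
    severity: Optional[str] = None
    team: Optional[str] = None

    @property
    def fingerprint(self) -> str:
        # Stable identity so a re-scan of the same issue does not open a second case.
        return hashlib.sha256(f"{self.rule}|{self.location}".encode()).hexdigest()[:16]


# Stage 1: discovery. Deliberately noisy: every handler is a candidate.
def discover(targets: Dict[str, Callable[[str], str]]) -> List[Finding]:
    return [Finding("reflected-input", path) for path in targets]


# Stage 2: adversarial validation. Send a canary and check whether it comes back unescaped.
CANARY = "<x-canary>"


def validate_reflection(path: str) -> bool:
    return CANARY in TARGETS[path](CANARY)


VALIDATORS: Dict[str, Callable[[str], bool]] = {"reflected-input": validate_reflection}

# Stage 3: routing. Lookup table standing in for the LLM classifier: (severity, team, confidence).
CONFIDENCE_FLOOR = 0.8
ROUTING_TABLE = {"reflected-input": ("high", "web-platform", 0.9)}


def classify(f: Finding) -> Tuple[str, str, float]:
    return ROUTING_TABLE.get(f.rule, ("unknown", "unassigned", 0.0))


@dataclass
class ControlPlane:
    cases: Dict[str, Finding] = field(default_factory=dict)
    human_queue: List[str] = field(default_factory=list)

    def ingest(self, findings: List[Finding]) -> None:
        for f in findings:
            if f.fingerprint in self.cases:     # already tracked: skip redundant validation
                continue
            self.cases[f.fingerprint] = f
            self._validate(f)

    def _escalate(self, f: Finding) -> None:
        f.state = State.NEEDS_HUMAN
        self.human_queue.append(f.fingerprint)

    def _validate(self, f: Finding) -> None:
        validator = VALIDATORS.get(f.rule)
        if validator is None:                   # nothing can confirm it automatically
            self._escalate(f)
        elif validator(f.location):
            self._route(f)
        else:
            f.state = State.DISMISSED

    def _route(self, f: Finding) -> None:
        severity, team, confidence = classify(f)
        if confidence < CONFIDENCE_FLOOR:       # low-confidence classification goes to a person
            self._escalate(f)
            return
        f.severity, f.team, f.state = severity, team, State.ROUTED

    def report_fixed(self, fingerprint: str) -> bool:
        # A case closes only when the original exploit attempt no longer succeeds;
        # cases without an automated check stay open for a human to close.
        f = self.cases[fingerprint]
        validator = VALIDATORS.get(f.rule)
        if validator is None or validator(f.location):
            return False
        f.state = State.RESOLVED
        return True


def deploy_fix(path: str) -> None:
    """Constructed stand-in for shipping a patch: swap in the encoding handler."""
    TARGETS[path] = safe_search


def run_demo() -> ControlPlane:
    cp = ControlPlane()
    findings = discover(TARGETS) + [Finding("timing-side-channel", "/login")]  # one rule has no validator
    cp.ingest(findings)
    cp.ingest(findings)   # second scan cycle: same fingerprints, no new cases
    return cp


if __name__ == "__main__":
    for fp, f in run_demo().cases.items():
        print(fp, f.location, f.state.value, f.team)
```

Running the demo opens three cases: the unescaped handler is confirmed and routed, the encoded one is dismissed by the canary test even though discovery flagged it, and the finding with no validator lands in the human queue. `report_fixed` refuses to close the routed case until the handler has been swapped and the canary no longer reflects. A real classifier would replace `ROUTING_TABLE`, but the gate in `_route` is the part that matters: a low confidence score escalates rather than guesses.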
Implications for the industry
Cloudflare’s decision to document the system’s architecture without releasing the code itself suggests a balance between transparency and operational security. The disclosure provides a reference model for other infrastructure providers looking to build similar systems, particularly those operating at CDN scale. However, the company cautions that the approach may not be directly applicable to smaller organizations, as it assumes the availability of dedicated security engineering resources and extensive telemetry data.
For security teams at hosting providers and cloud platforms, the most relevant takeaway is the emphasis on staged validation. The separation of detection and confirmation phases could help reduce alert fatigue, a common issue in environments where automated scanners generate high volumes of low-confidence findings. The adversarial validation step, in particular, offers a potential blueprint for improving signal-to-noise ratios in vulnerability management.
Automated pipeline · Security
Synthesized from 1 industry feed on 19 Jun 2026. First draft failed editor review; a revised version was approved (score 95/100) before publication. Style guide v1.3.