Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

At Cloudflare, our mission is to help build a better Internet. Usually, that means rolling out new services to our millions of users or defending the web against the world’s largest cyber attacks. But sometimes, building a better Internet requires us to stand up against laws or regulations that threaten its fundamental architecture.

Incident response in the cloud is derailed not by a lack of skill, but by a lack of visibility. Security teams frequently discover critical blind spots only after an incident is already underway, leading to delayed containment, inaccurate attribution, and incomplete forensic analysis. This report walks through six realistic, real-world inspired scenarios where missing log sources prevented effective investigations.

As organizations continue to scale their AWS environments, security teams face increasing challenges in detecting cloud-native threats such as compromised credentials, misused APIs, container breaches, and malicious workload behavior. Traditional perimeter-based controls and legacy endpoint tools are often insufficient in dynamic, cloud-first architectures. AWS GuardDuty provides native,intelligent threat detection for AWS environments.

Your Bedrock agent running on EKS receives a prompt through your RAG pipeline. CloudTrail logs it as a normal bedrock:InvokeModel event—status 200, authorized IAM role, expected endpoint. But inside the container, the agent’s response triggers a tool call that spawns curl to an external IP, exfiltrating the context window. GuardDuty doesn’t flag it because the connection routes through a permitted VPC endpoint. You open your AWS console and see a healthy API call.

Your CNAPP flags a misconfigured service account. Your CSPM warns about an overly permissive IAM role. Your container scanner reports vulnerabilities in a model-serving image. But none of these tools can tell you that an AI agent just called an internal admin API it has never touched before — or that a prompt injection caused your LLM to leak customer data through a RAG connector.

Cloud adoption is accelerating, but cloud security complexity is growing just as fast. Security teams now manage hybrid workloads, multi-cloud environments, containerized applications, and sensitive cloud-native data. Traditional tools designed for on-prem environments often struggle to provide consistent visibility across these dynamic systems. This creates operational pressure. Teams deal with fragmented alerts, inconsistent policies, and uncertainty about real cloud risk exposure.

Today, Cloudflare is introducing a new suite of fraud prevention capabilities designed to stop account abuse before it starts. We've spent years empowering Cloudflare customers to protect their applications from automated attacks, but the threat landscape has evolved. The industrialization of hybrid automated-and-human abuse presents a complex security challenge to website owners.

Amazon S3 is a popular cloud storage that is widely used around the world. You can manage Amazon S3 cloud storage in the web interface by using a web browser. We have explained the alternative methods to manage files stored in S3 buckets in the blog post about mounting Amazon S3 as a drive for cloud file sharing, but in that blog post the emphasis was on the command line interface of operating systems such as Linux, Windows, and macOS.