Environment Audit

Score every part of your Cloudflare estate.


Nanosek provides Cloudflare environment audit services that review account governance, DNS, CDN, WAF, DDoS protection, Bot Management, API Shield, Zero Trust, certificates, logging, and rulesets. The audit produces a prioritized findings report with severity classifications, evidence, remediation recommendations, and a roadmap suitable for Nanosek-led or internal team remediation.


Who this is for

  • Security teams and infrastructure leaders who want an expert-led review of their Cloudflare environment before a major change, migration, or compliance exercise.
  • Organizations that have grown their Cloudflare configuration over time and suspect misconfiguration, duplicated rules, missing logging, or stale bypasses.
  • Teams preparing for a security certification, incident post-mortem, or internal audit that requires evidence of control coverage.

Why organizations get a Cloudflare environment audit

Reduce security risk and attack surface

Cloudflare environments accumulate stale rules, wide bypasses, weak WAF enforcement, and missing security controls over time. An audit identifies the highest-risk gaps before they are exploited.

Find misconfiguration before it matters

Misconfigured cache behavior, incorrect TLS settings, broken redirect chains, exposed origins, and orphaned DNS records create silent risk. Structured review surfaces these before they cause incidents.

Validate compliance and governance posture

Compliance frameworks and internal audits may require evidence of access control, logging coverage, encryption standards, and change management. Nanosek produces structured evidence alongside findings.

Reduce rule sprawl and operational debt

WAF rulesets, rate limits, bot policies, Zero Trust rules, and redirect lists grow without governance. An audit identifies duplicates, conflicts, stale entries, and rules that no longer serve their original purpose.

Assess readiness before migration or expansion

Organizations migrating additional properties, enabling new Cloudflare products, or expanding Zero Trust need a baseline review to ensure the current environment can support growth safely.

Recover after an incident or near-miss

After a WAF bypass, bot attack, DDoS event, or Zero Trust misconfiguration, an audit provides structured root-cause evidence and identifies gaps that contributed to the incident.

Understand what you have inherited

Teams taking over a Cloudflare environment from a previous team, vendor, or acquisition often have limited documentation. An audit produces an authoritative inventory with risk context.

Improve operational confidence and handover quality

Audits improve documentation, runbooks, and team understanding of what is deployed, why it exists, and what the operational implications of changes are.

Prepare for managed services engagement

Organizations moving to managed Cloudflare operations benefit from a baseline audit that establishes the current state before Nanosek takes on ongoing responsibility.

Get a second opinion on a specific concern

Security teams sometimes need expert validation of a specific area such as WAF tuning, Zero Trust policy, Bot Management rollout, or certificate coverage before accepting risk.

Our Cloudflare environment audit methodology

Phase 1: Scope and access

  • Define audit scope including accounts, zones, Zero Trust organizations, and product areas to review.
  • Establish read-only access using Cloudflare API tokens, account audit roles, or temporary audit credentials.

Phase 2: Configuration inventory

  • Extract and document the current state of DNS records, rulesets, WAF policies, certificates, logging configuration, Zero Trust applications, and account settings.
  • Build an inventory that serves as both an audit artifact and a baseline for future change tracking.

Phase 3: Risk assessment

  • Evaluate each configuration area against security best practices, Cloudflare guidance, and the organization's risk tolerance and compliance requirements.
  • Identify misconfigurations, missing controls, stale entries, overly permissive exceptions, and operational gaps.

Phase 4: Evidence and findings documentation

  • Document each finding with evidence, severity classification, business impact description, and specific remediation steps.
  • Classify findings by severity using Critical, High, Medium, Low, and Informational categories.

Phase 5: Remediation roadmap

  • Prioritize findings into a structured roadmap with recommended action order, effort estimates, and dependency notes.
  • Separate quick wins from longer remediation efforts and identify findings that require business owner input before action.

Phase 6: Findings presentation and workshop

  • Present findings to the security, infrastructure, and operations teams with an opportunity to review, challenge, and prioritize.
  • Discuss remediation trade-offs and agree on a realistic action plan with owners and timelines.

Phase 7: Optional remediation support

  • Nanosek can execute remediations directly or work alongside the internal team to close findings.
  • Remediation work follows the change management process with documentation, testing, rollback preparation, and sign-off.

How findings are classified

Critical: Immediate exploitation risk or active exposure such as origin IP leakage, authentication bypass, or missing WAF enforcement on public-facing applications.
High: Significant risk that should be remediated within weeks, such as wide WAF bypasses, DDoS protection gaps, exposed admin paths, or missing logging on production zones.
Medium: Configuration weaknesses that increase risk or reduce operational confidence, including stale rules, suboptimal cache behavior, incomplete certificate coverage, or weak rate limits.
Low: Minor configuration improvements and hygiene items such as TTL optimization, redundant rules, documentation gaps, or alert configuration improvements.
Informational: Observations and recommendations that do not represent direct risk but support operational maturity, governance, or future scalability.

What we audit

Account and governance

Account structure, IAM, roles, API token scope, audit log configuration, change management workflows, and Terraform or API governance.

DNS

Zone records, proxy status, TTLs, DNS-only records, CNAME flattening, email authentication records (SPF, DKIM, DMARC), DNSSEC, and orphaned or stale entries.

CDN and caching

Cache rules, cache eligibility, edge TTL, browser TTL, bypass logic, custom cache keys, Tiered Cache, Cache Reserve, and path-specific behavior correctness.

WAF and application security

Managed ruleset selection and tuning, custom rules, exception scope, enforcement modes, rate limiting thresholds, and rule conflict or overlap analysis.

DDoS protection

HTTP DDoS mitigation level, L3/L4 Magic Transit or Spectrum configuration if applicable, override rules, sensitivity settings, and incident response readiness.

Bot Management

Bot score policy coverage by path, enforcement mode (log, challenge, block), verified bot handling, rate limiting alignment, and known false-positive risks.

API Shield

API discovery, endpoint inventory, schema validation coverage, mTLS deployment, API-specific rate limits, and authentication controls.

Zero Trust and Access

Access policy coverage, identity provider integration, service token scoping, application onboarding gaps, split tunnel design, WARP enrollment, and Gateway policy review.

Certificates

Universal SSL, Advanced Certificate Manager, custom certificates, hostname coverage, expiry monitoring, TLS minimum version, and cipher suite configuration.

Logging and observability

Logpush dataset coverage, destination configuration, field selection, Security Analytics usage, alert configuration, dashboard coverage, and SIEM integration.

Rulesets and rule governance

Phase rule ordering, ruleset inheritance, wildcard scope, redundant or conflicting rules, and stale bypass or exception entries with no documented owner or expiry.

Common issues we find

  • WAF managed rules in log mode on paths that should be enforced
  • Wide bypass rules with no owner, reason, or expiry date
  • Bot Management in log mode site-wide with no path-specific enforcement
  • Logpush not configured or missing key datasets such as HTTP requests, WAF, or bot events
  • SPF records that include too many mechanisms or are missing for secondary sending domains
  • DMARC in p=none with no plan for progression to quarantine or reject
  • TLS 1.0 or 1.1 still permitted in zone TLS minimum version settings
  • Origin IP exposed via DNS-only subdomains, SPF, or certificate transparency logs
  • Cache bypass too broad, bypassing caching on assets that would benefit from edge delivery
  • Cache bypass too narrow, accidentally caching authenticated or session-specific content
  • API endpoints without schema validation, mTLS, or rate limiting
  • Redirect chains that cause redirect loops or incorrect final destinations
  • Zero Trust applications accessible without identity provider authentication
  • Service tokens in use with overly broad scope or no expiry date
  • Rate limits set to thresholds that would never trigger under realistic attack conditions
  • Stale redirect or rewrite rules from previous configurations or migrations
  • Missing alert configuration for WAF spikes, DDoS activation, or bot score anomalies
  • Terraform or API state that does not match the live Cloudflare configuration
  • Account-level rules that conflict with zone-level rules in unexpected ways
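Several of the issues in that list can be checked mechanically once a read-only configuration export exists. The script below is an added example written for this page, not Nanosek's tooling and not a Cloudflare API client; it runs over a constructed in-memory snapshot whose field names (min_tls_version, dns, waf_managed_rules, service_tokens) are assumptions about what an export would contain, and implements six of the checks above: TLS minimum version, origin exposure through DNS-only records, SPF lookup count, DMARC p=none, managed rules left in log mode, and service tokens without expiry.

```python
"""Audit checks for common Cloudflare misconfigurations over a configuration snapshot.

Added example, not Nanosek's tooling. Field names in SNAPSHOT are assumptions,
not the exact Cloudflare API schema; the sample data is constructed.
"""

# RFC 7208 limits SPF evaluation to 10 DNS-lookup-consuming terms.
SPF_LOOKUP_LIMIT = 10
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed SPF record: 9 includes + a + mx = 11 lookups, one over the limit.
SPF_RECORD = ("v=spf1 " + " ".join(f"include:spf{i}.vendor.example" for i in range(9))
              + " a mx ip4:203.0.113.10 -all")

# Constructed snapshot (not real data). Each block mirrors one "common issue" above.
SNAPSHOT = {
    "zone": "example.com",
    "min_tls_version": "1.0",
    "dns": [
        {"name": "example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
        # DNS-only host pointing at the same origin as the proxied apex.
        {"name": "dev.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
        {"name": "example.com", "type": "TXT", "content": SPF_RECORD},
        {"name": "_dmarc.example.com", "type": "TXT",
         "content": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"},
    ],
    "waf_managed_rules": [
        {"id": "managed-core", "paths": ["/*"], "action": "log"},
        {"id": "managed-owasp", "paths": ["/api/*"], "action": "block"},
    ],
    "service_tokens": [
        {"name": "ci-runner", "expires_at": None},
        {"name": "monitoring", "expires_at": "2026-01-01T00:00:00Z"},
    ],
}

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def spf_lookup_count(record):
    """Count the lookup-consuming terms directly in an SPF record.

    Nested includes are not resolved here (that needs live DNS), so this is a lower bound.
    """
    count = 0
    for term in record.split()[1:]:           # skip the v=spf1 version tag
        term = term.lstrip("+-~?")             # strip qualifier
        name = term.split(":")[0].split("/")[0].split("=")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            count += 1
    return count


def dmarc_policy(record):
    """Return the value of the p= tag of a DMARC record, or None if it is absent."""
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def audit(snapshot):
    """Return (severity, finding) tuples, sorted by severity. Severity mapping is assumed."""
    findings = []

    if snapshot["min_tls_version"] in ("1.0", "1.1"):
        findings.append(("Medium", f"Minimum TLS version is {snapshot['min_tls_version']}; "
                                   "raise to 1.2 or higher"))

    # A DNS-only A/AAAA record that shares an address with a proxied record reveals the origin.
    proxied_ips = {r["content"] for r in snapshot["dns"]
                   if r["type"] in ("A", "AAAA") and r["proxied"]}
    for r in snapshot["dns"]:
        if r["type"] in ("A", "AAAA") and not r["proxied"] and r["content"] in proxied_ips:
            findings.append(("Critical", f"DNS-only record {r['name']} exposes origin "
                                         f"{r['content']} that proxied hosts rely on"))

    for r in snapshot["dns"]:
        content = r["content"] if r["type"] == "TXT" else ""
        if content.lower().startswith("v=spf1"):
            n = spf_lookup_count(content)
            if n > SPF_LOOKUP_LIMIT:
                findings.append(("Medium", f"SPF for {r['name']} needs {n} DNS lookups "
                                           f"(limit {SPF_LOOKUP_LIMIT}); receivers return permerror"))
        elif content.lower().startswith("v=dmarc1") and dmarc_policy(content) == "none":
            findings.append(("Medium", f"DMARC for {r['name']} is p=none; "
                                       "plan progression to quarantine or reject"))

    for rule in snapshot["waf_managed_rules"]:
        if rule["action"] == "log":
            findings.append(("Critical", f"Managed ruleset {rule['id']} on "
                                         f"{', '.join(rule['paths'])} is in log mode, not enforced"))

    for tok in snapshot["service_tokens"]:
        if not tok["expires_at"]:
            findings.append(("Medium", f"Service token {tok['name']} has no expiry date"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, text in audit(SNAPSHOT):
        print(f"[{severity}] {text}")
```

Against the constructed snapshot the script reports six findings: two Critical (origin exposure, managed rules in log mode) and four Medium. The SPF check counts only the record's own terms; a live audit follows each include, since the 10-lookup limit applies to the fully resolved chain.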

Audit coverage matrix

Area | What we review | Example output
Account and IAM | Roles, API tokens, audit log, change governance | Token scope inventory, role review, audit log configuration check
DNS | Record accuracy, proxy status, authentication records | Zone record inventory, SPF/DKIM/DMARC gap report, TTL review
CDN and caching | Cache behavior correctness, bypass accuracy | Cache rule map, bypass audit, edge and browser TTL review
WAF | Rule coverage, enforcement mode, exception scope | Ruleset inventory, bypass review, managed rule tuning assessment
DDoS protection | Mitigation level, override rules, incident readiness | DDoS config review, override scope, response workflow check
Bot Management | Bot policy coverage, enforcement mode, false-positive risk | Path coverage map, enforcement mode report, crawl allowlist review
API Shield | Endpoint inventory, schema validation, mTLS coverage | API discovery summary, schema validation coverage, mTLS status
Zero Trust and Access | Policy coverage, IdP integration, service token scope | Application policy audit, service token inventory, IdP validation
Certificates | Coverage gaps, expiry, TLS version and cipher settings | Certificate inventory, expiry timeline, TLS minimum version report
Logging and observability | Logpush coverage, SIEM integration, alert gaps | Logpush dataset review, field selection audit, alert configuration check
Rulesets | Rule ordering, conflicts, stale entries | Ruleset conflict analysis, stale entry list, ordering recommendations

Deployment steps

  1. Define audit scope, confirm accounts and zones, establish read-only access, and agree on compliance or risk focus areas.
  2. Extract and inventory the current configuration state across all in-scope Cloudflare products and zones.
  3. Evaluate each configuration area for misconfiguration, missing controls, risky bypasses, and operational gaps.
  4. Document findings with evidence, severity classification, business impact, and remediation steps.
  5. Build a prioritized remediation roadmap with effort estimates, dependency notes, and business owner actions.
  6. Present findings and discuss remediation priorities with security, infrastructure, and operations stakeholders.
  7. Support or execute remediation work with change management process, testing, rollback preparation, and documentation.

Risks and mitigations

Risk: Access scope not sufficient for full audit.
Mitigation: Agree access requirements and credential model during scoping. Nanosek uses read-only API tokens and documents the minimum access required.

Risk: Live environment changes during audit.
Mitigation: Take configuration snapshots at the start of the engagement. Flag configuration changes during the audit that may affect findings.

Risk: Findings require urgent remediation that conflicts with a change freeze.
Mitigation: Triage Critical and High findings on delivery. Work with business owners to fast-track remediations that address immediate risk within change governance.

Risk: Audit scope expands beyond the original agreement.
Mitigation: Define scope with explicit boundaries before the engagement starts. Handle out-of-scope findings as addendum items or scope extensions with agreed timeline and cost impact.

Risk: Remediation recommendations conflict with existing business requirements.
Mitigation: Document the business context for exceptions. Nanosek marks accepted risks with owner and rationale so they are not re-surfaced in future audits without review.

Risk: Configuration exported during the audit becomes outdated before remediation.
Mitigation: Re-validate configuration before remediation begins for Critical and High findings. Use Terraform or the API to confirm current state.

Risk: Audit output shared too broadly.
Mitigation: Handle all audit findings under data handling agreements. Restrict distribution of the findings report to stakeholders with a need to know.

Risk: Internal team lacks capacity to execute the remediation roadmap.
Mitigation: Nanosek can provide remediation support alongside the internal team or take on execution with change management governance.

Risk: New risk introduced during remediation.
Mitigation: Apply the change management process to all remediations. Test in staging or a low-traffic context where possible, prepare rollback steps, and validate after the change.

Risk: Audit findings not actioned over time.
Mitigation: Nanosek recommends a follow-up review cycle of 6 to 12 months and can provide managed Cloudflare operations to maintain ongoing configuration hygiene.

Cloudflare environment audit checklist

  • Audit scope agreed and documented
  • All Cloudflare accounts and zones in scope identified
  • Read-only audit access provisioned
  • Zero Trust and Access organizations in scope confirmed
  • Current Terraform or IaC state provided if available
  • Recent incident or change history reviewed
  • Compliance requirements or specific controls in scope confirmed
  • Account IAM and role inventory extracted
  • API token inventory and scope documented
  • DNS zone records exported and reviewed
  • Email authentication records (SPF, DKIM, DMARC) evaluated
  • Certificate inventory and expiry timeline reviewed
  • WAF ruleset configuration extracted
  • WAF exceptions and bypass list reviewed
  • DDoS protection configuration reviewed
  • Bot Management policy and enforcement mode reviewed
  • Rate limiting rule inventory and thresholds reviewed
  • API Shield endpoint inventory and schema validation reviewed
  • Zero Trust application policy inventory reviewed
  • Zero Trust service token inventory and scope reviewed
  • WARP and Gateway policy configuration reviewed
  • Logpush configuration and dataset coverage reviewed
  • Alert configuration and coverage reviewed
  • Cache rule and cache bypass logic reviewed

Deliverables

  • Audit scope and access documentation
  • Cloudflare configuration inventory across all in-scope zones and products
  • DNS and email authentication records review
  • WAF ruleset and bypass audit report
  • Bot Management policy coverage and enforcement report
  • DDoS protection configuration review
  • API Shield endpoint and schema validation coverage report
  • Zero Trust application and policy audit
  • Zero Trust service token and WARP configuration review
  • Certificate inventory and expiry timeline
  • Logging and observability coverage report
  • Ruleset conflict and stale rule analysis
  • Prioritized findings report with severity, evidence, and remediation steps
  • Remediation roadmap with effort estimates and ownership guidance
  • Executive summary of key risks and quick wins
  • Optional findings presentation and workshop
  • Optional remediation support with documentation and change management

When Nanosek should help

  • You have grown your Cloudflare configuration over time and want expert-led review before a major change.
  • You suspect misconfiguration, stale rules, wide bypasses, or missing security controls.
  • You are preparing for a security certification, compliance exercise, or internal audit.
  • You have taken over a Cloudflare environment and need to understand what you have inherited.
  • You had an incident, near-miss, or bypass and want a structured root-cause review.
  • You are migrating additional properties to Cloudflare and want a baseline review first.
  • You want to move to managed Cloudflare operations and need a current-state baseline.
  • You need a second opinion on a specific area such as Zero Trust policy, WAF tuning, or Bot Management.
  • Your compliance team needs evidence of control coverage and a structured risk register.

Frequently asked questions

What does a Cloudflare environment audit cover?
A Nanosek Cloudflare environment audit covers account governance and IAM, DNS, CDN and caching, WAF, DDoS protection, Bot Management, API Shield, Zero Trust and Access, certificates, logging and observability, and ruleset governance. The scope is agreed at the start of the engagement and can be adjusted to focus on specific areas of concern.

How long does an audit take?
A standard audit covering all major Cloudflare product areas typically takes two to three weeks from access provisioning to findings delivery. Complex environments with many zones, Zero Trust deployments, or compliance requirements may take longer. Nanosek agrees a timeline during scoping.

What access does Nanosek need for the audit?
Nanosek uses read-only Cloudflare API tokens or audit-role credentials scoped to the accounts and zones in audit scope. No write access is required for the discovery and findings phase. Remediation work uses separate, scoped access under agreed change management.

Will the audit disrupt our Cloudflare environment?
No. The audit is read-only during the discovery and findings phases. Nanosek extracts configuration data through the Cloudflare API and reads current settings without making changes to rules, routing, or security controls.

What is included in the findings report?
The findings report includes each finding with evidence from the configuration, a severity classification (Critical, High, Medium, Low, Informational), a business impact description, and specific remediation steps. Findings are organized into a prioritized roadmap with effort estimates and ownership guidance.

Can Nanosek remediate findings after the audit?
Yes. Nanosek can execute remediations directly or work alongside the internal team. All remediation work follows a change management process with documentation, testing, rollback preparation, and sign-off by the appropriate stakeholders.

How should we prioritize the remediation roadmap?
Nanosek provides a recommended prioritization based on severity and effort. Critical and High findings with quick remediations are usually addressed first. Findings that require business owner input, testing, or change window coordination are scheduled in later phases.

How is the audit different from a Cloudflare security audit?
The Cloudflare environment audit covers the full environment, including DNS, CDN, caching, certificates, logging, and operational governance, in addition to security controls. A security audit focuses specifically on WAF, Bot Management, DDoS, API Shield, and access security. Nanosek can scope either or both depending on your priorities.

How often should we run a Cloudflare environment audit?
Nanosek recommends a structured audit every 6 to 12 months, with additional reviews after major changes such as migrations, new product deployments, security incidents, or compliance exercises. Managed Cloudflare operations engagements include ongoing configuration hygiene as a standard component.

Understand and improve your Cloudflare environment

Nanosek delivers a structured, evidence-based review of your Cloudflare configuration with prioritized findings, severity classifications, and a remediation roadmap your team can act on.

Ready to talk?

Deliver Cloudflare without surprises.

Whether you're migrating, hardening, or operating Cloudflare — Nanosek brings authorized MSP & ASDP delivery, rollback-ready cutovers, and managed operations after launch.