
Edge Threat Radar

Correlate adversary traffic at your CDN edge with your own findings, with real risk amplification.

The Edge Threat Radar ingests Cloudflare events at a 5-minute cadence and correlates them with your own findings. The result: a Risk Score that is amplified when adversary traffic actually targets a weakness you have.

What it ingests

From Cloudflare:

  • Firewall events (blocks, challenges, bypasses).
  • Bot management scores and classifications.
  • Rate-limited paths and clients.
  • Geographic and ASN signals.
  • Browser and protocol fingerprints.

WASViking® pulls the events via the Cloudflare API at a 5-minute cadence per zone. Configure the integration under Integrations → Cloudflare.

Edge correlation

For each open Finding on a public asset, WASViking checks:

  • Is adversary traffic targeting the same path or parameter?
  • Is the geography of the targeting clients consistent with abuse traffic observed across other tenants?
  • Is the bot classification suspicious?

When the signal correlates, the Finding's Risk Score is amplified. This is the difference between "we have a SQLi" and "we have a SQLi that the internet is currently probing."

Alert rules

Not every correlated event should page someone. Tune which edge events raise an alert under Settings → System Settings → Notifications & Alerts → Edge Threat Intelligence. Two controls:

  • Minimum Risk Score. Only events at or above this score trigger an alert. Default 60.
  • Alert on classifications. Pick which traffic classifications raise an alert.

Classification          Meaning
human_like              Normal user behavior.
unknown                 Low volume, no clear intent.
suspicious              Irregular, probing behavior.
automation              Scripted or bot traffic.
aggressive_automation   High volume, multi-path.
scanner                 Active scanning or exploitation.
authenticated_attack    Attack from a logged-in user.

By default WASViking alerts on suspicious, automation, aggressive_automation, scanner, and authenticated_attack, and leaves human_like and unknown off, so the channel stays focused on high-risk activity. Adjust to taste and select Save Notification Settings.

These rules decide when an Edge Threat Intelligence event is delivered to your Notification Channels. They do not change the Risk Score amplification described above, which always applies.

Brand abuse on the same plane

The Edge Threat Radar surface also runs the brand abuse / typosquatting analyzer (see Exposure Intelligence). Findings of that class show up here too, with edge correlation when visitors are clicking through from abusive domains to your real surface.

RAG over edge events

The Ask WASViking AI assistant scopes a RAG (retrieval-augmented generation) index over your edge events. Ask in natural language:

  • "Are we being probed by any KEV-listed exploit pattern this week?"
  • "Which paths got hit hardest from non-US ASNs in the last 24h?"
  • "Are there bot patterns that match the SQLi finding on the checkout API?"

The assistant answers from the event corpus only, with citations to specific events.

Where it lives in the portal

  • Edge Intelligence dashboard: the main view. Cards, charts, correlation table.
  • Findings: risk_score shows the amplified value; the underlying composition (base, criticality, environment, edge boost) is visible on click.
  • Ask WASViking AI: scope a question to edge events.

How risk amplification reads back

Findings amplified by edge correlation carry an edge_boost field in the API response.

{
  "finding_id": "f_8ab2",
  "risk_score": 88,
  "risk_components": {
    "severity": 55,
    "asset_criticality": 12,
    "environment": 6,
    "sla_proximity": 0,
    "edge_boost": 15
  }
}

edge_boost is bounded so a single correlated event cannot single-handedly push a low-severity finding into critical. The boost is proportional to correlation strength and observed adversary volume.
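
An added example (not WASViking's own code) of reading this response back for triage: it separates edge_boost from the rest of the score and flags findings that pass a cut-off only because of edge correlation. It assumes risk_score is the sum of risk_components, as in the sample above, and that edge_boost is absent or 0 on findings that are not amplified; triage() and threshold are hypothetical names, and the threshold is a local cut-off, not a WASViking setting.

```python
import json

# Constructed sample in the shape shown above. Only f_8ab2 and its values come
# from the page; the other two findings are made up for this example.
SAMPLE = json.loads("""[
  {"finding_id": "f_8ab2", "risk_score": 88,
   "risk_components": {"severity": 55, "asset_criticality": 12,
                       "environment": 6, "sla_proximity": 0, "edge_boost": 15}},
  {"finding_id": "f_example_1", "risk_score": 47,
   "risk_components": {"severity": 35, "asset_criticality": 8,
                       "environment": 4, "sla_proximity": 0}},
  {"finding_id": "f_example_2", "risk_score": 72,
   "risk_components": {"severity": 40, "asset_criticality": 10,
                       "environment": 6, "sla_proximity": 4, "edge_boost": 12}}
]""")


def triage(findings, threshold):
    """Split each score into pre-boost and edge parts; flag threshold crossings.

    Assumption: risk_score equals the sum of risk_components (true of the
    sample response). A finding whose parts do not add up is reported as
    inconsistent instead of being scored on a guess.
    """
    ok, bad = [], []
    for f in findings:
        parts = f.get("risk_components", {})
        boost = parts.get("edge_boost", 0)  # assumed absent/0 when not amplified
        total = f["risk_score"]
        if sum(parts.values()) != total:
            bad.append({"finding_id": f["finding_id"], "status": "inconsistent"})
            continue
        pre_boost = total - boost
        ok.append({
            "finding_id": f["finding_id"],
            "status": "ok",
            "risk_score": total,
            "pre_boost": pre_boost,
            "edge_boost": boost,
            # True when only the edge correlation lifts it over the cut-off
            "crossed_by_edge": pre_boost < threshold <= total,
        })
    # Findings with the strongest edge correlation first, then by overall score
    ok.sort(key=lambda r: (r["edge_boost"], r["risk_score"]), reverse=True)
    return ok + bad
```

Findings with crossed_by_edge set are the ones whose priority depends on current adversary traffic, so they are the ones to re-check when the edge signal changes.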

What you need to enable it

  • A Cloudflare zone token with Read permission for the relevant logs.
  • The Edge module enabled on your plan (Pro and above).
  • Per-monitored-domain capacity (see Pricing).

For the full step-by-step (WAF, Firewall, Bot Protection, API token permissions, dynamic blocklist with customer-approval gate), see the Cloudflare integration guide.

What this is not

This is not a WAF replacement. WASViking reads from Cloudflare; it does not produce or push rules to your CDN. The pattern is: the WAF blocks, WASViking interprets the blocking pattern against your posture.

If your edge is not Cloudflare, the module is dormant for now. AWS WAF and Akamai ingest paths are on the roadmap.