Introducing Cloudy, Cloudflare’s first AI agent

Welcome to the fourth day of Security Week. I'm Harsh, I'm a product manager on Cloudflare's security news team and today we're going to talk about one of the announcements that's coming out today, specifically Cloudflare's new AI agent called Cloudy. I'm joined here by Alex Dunbrack who will be introducing himself in a sec. Alex, can you tell us a bit more about what this new feature is, what it does and where we're going next? Yeah, thanks Harsh and hello everyone. My name is Alex Dunbrack, a product manager here at Cloudflare, part of our Cloudflare 1.0 trust suite of products. As Harsh mentioned, exciting to be sharing this news on the fourth day of Security Week. We've had a lot of great stories and I know we've got another full day here and then one more day tomorrow to talk about some of those things. Also, as Harsh mentioned, the focus of today's conversation is around our new AI agent that we've named Cloudy. A fun, lighthearted name but means serious business and we're really excited to describe more about what Cloudy is and where you'll start to see it in the dash. So to just start, what is Cloudy? Cloudy can be a lot of things long term and we're really excited with the roadmap for this AI agent. But where we're starting really focuses on areas of the existing Cloudflare suite of products, maybe some of the products you use every day, and finding ways to leverage workers AI in our AI services to essentially summarize and provide recommendations on your configurations as you have them today. What are some of the things that your configurations are allowing for that maybe you're not aware of? Where are there some gaps between rules and policies that are maybe leaving you less secure in the end? And we'll talk about more of that functionality here in a second, but you'll start to see Cloudy for all customers in two areas at least to start. One will be our WAF product, which Harsh will talk about here, and then one in our Cloudflare gateway product in Cloudflare 1, which I'll cover here in a second too. But maybe it's worth even backing up a little bit and talking about what led us to develop something like Cloudy and look for opportunities to leverage AI across all of our products. And that really is twofold. First are the customer challenges that we hear all the time when we speak with our users and our customers. It's always where we start and we want to understand based on our existing products, based on what we want to build in the future, what are the challenges that our operators and administrators and our tools are experiencing day to day? And we'll talk more about what we heard there in a second as well. And then on the flip side is we have all these great tools at Cloudflare. Why aren't we looking for these opportunities to leverage them as part of our core offerings? And that's what we're starting to do here with Cloudy. Maybe Harsh, I could pass it back over to you. Would love to hear more about in the concept in the world of WAF where Cloudy is being introduced, and then maybe we can talk a little bit more about some of the customer challenges that led us to Cloudy and WAF custom rules. So absolutely. So one of the feedback that we've been hearing for a very long time is help us create rules in as simple a way as possible. So last year during birthday week, we announced an AI assistant, which essentially helped create users custom rules using different fields using a natural language prompt. So all you had to do was click on a button, type in your prompt and say, for example, I want to create a rule to block all bots to score less than 20. Then the AI agent would create a rule for you and apply the rule for you. And that kind of helps you save a trip to the documentation, figure out what fields do I need to use and what kind of attack I'm trying to mitigate. All of that is taken care of by the AI agent. Once we launched that during birthday week last year, we received a lot of positive feedback on that. And the next obvious question was, hey, you help me create these rules. I have hundreds of thousands. We can have a thousand custom rules in WAF just to give everyone some context. And so the next obvious question was, I have a thousand rules with multiple team members updating them all the time and their team members sometimes leave and can get very complex and very difficult to manage over time. Why don't you just help us manage that? So that became the next obvious iteration of the agent for us. So for now, what we do, so our current AI agent essentially helps you analyze the relationship and the interactions between different kinds of rules, help you identify the overlapping rules, any rules that you think that we think are important that have been disabled and we think that you should enable. The idea is to help you minimize the time you spend in auditing your rules and configuration and give you more confidence in your security coverage. And this applies to the Cloudflare website as well. Alex, do you mind how that applies to the Cloudflare website? Yeah, yeah, absolutely. And it's something that I think, at least between you and me, Harsh, and our listeners out there too, that's something we all experience in work -related and non-work-related tools where you just get this pile up of configurations that stack over time, kind of forget what some of them do. They work with each other, but also sometimes don't work with each other. And you just lose this, that you're grounding in what is actually going on here. And maybe there are more systemic ways to solve those kinds of challenges long-term, but we recognize, isn't this something that like an LLM or the AI technology we're seeing out there, an agent-based, maybe something like this, is completely poised to solve, right? That can describe and identify in a mass amount of data where there's overlap, where there are gaps, what things are doing and where our users can improve. And so that's what, at least, I hear from you on the WAF side. And it's not all that different in the Cloudflare 1 side. For anyone listening or that has used Cloudflare 1 in the first place, if you've used our gateway product, or our access product for that matter, you know that these products revolve around the concept of policies. So in Cloudflare 1, our suite for enterprises that are looking really to secure their employees and how they use the Internet via secure web gateway or ZTNA technology, you set up these policies to say, hey, my employees are allowed to access these kinds of websites, but not these kinds of websites. If they're on this one team, they can access this thing. But if they're not on that team, they should not be able to access that. All of these rules in place, you know, with time, like we're talking about here, compound on themselves, and more and more are put in place. Some are not removed. Some are used to supersede others. It can get very cluttered very quickly. And that's exactly where we found the opportunity, you know, looking at what WAF was doing with custom rules. Why don't we implement this in Cloudflare 1 with the policies that we have too? So in Cloudflare 1, you'll start to see today in gateway policies, whether it's HTTP, network-based, doesn't matter, the ability for essentially a summary or an overview of what that policy is doing. So in gateway, if you go in you click on one of the policies that you already have created under firewall rules in the dashboard there, you'll see this little section now appear called policy summaries by cloudy. And there you'll start to understand a little bit more about what that policy is doing, especially the ones that are using multiple selectors, multiple operators, get a sense of exactly what it's doing. And we're excited on the Cloudflare 1 side with time to build more recommendation functionality, more awareness of essentially what are those recommendations or gaps that maybe we're missing across all of the policies that we have. And so that's where we're starting today. Harsh, I know from your lens, you have a full roadmap around this kind of functionality. And I know that you can't talk in too, too much detail here, but could you maybe give us a little bit of like a teaser of what we can see maybe in the coming months or coming next with cloudy functionality? Right. So the way we are looking at it is like a logical next step the users might want to take after understanding the rules. So step one was helping them create better rules. Step two was helping them understand what rules to have. And next step is having, giving them recommendations on what kind of rules they should be creating. What that essentially means is we are going towards a centralized dashboard AI agent that will help you understand or help you help users complete specific workflows. And that will be conceptual on the user analytics data. So we will essentially be analyzing your traffic patterns and providing you specific recommendations on specific use cases. To give you some examples, for example, if you see a sudden spike in traffic related to an account takeover attacks, our AI agent will be able to recommend or go and use early credential rule set, which is a specialized rule set that needs to be enabled specifically to prevent these kinds of attacks. They will go on and check whether you have a corresponding rule for it or not. If not, it will go and suggest a rule for you and all you will have to do is go and click deploy. So that's the direction we are heading in. And the second direction we are heading in is basically helping you better, giving you better analytics for rules in general. So right now we started with the rules summary. Down the line, we are planning to give you better insights on how your rules are performing, how many rules are being actioned on, when was the last time something was updated by users, and basically helping you understand what your rules do in the context of BaaS in general. So yeah, so with that, we are really excited to get this in the hands of our users as quickly as possible and hear what they would like to build next. Yeah, it's something that I know that we're listening to closely in where you're iterating on the WAF side and beyond within Cloudflare 1.2. And I think from our lens, we're looking for those opportunities, those easy, low-hanging fruit places in our existing functionality where we can process more data and we can see more in terms of patterns and things that are absent across what already exists in Cloudflare 1.2 in the SaaSy dashboard. And so I think that we'll take very similar approaches in terms of where we'll be rolling out Cloudy. You know, Cloudflare, and you'll know this too harsh from your own experience as a product manager here, we listen so closely to our customers and really they're the lifeblood of what we build and what order we build in. And so around this functionality too for those listening and those that are excited to try all of this out, your feedback is priceless to us. And we definitely want to hear it. We want to learn about where are those other areas where this kind of summarization and recommendation kind of output could be helpful for you. So a few ways you can do that, definitely go try out the functionality. We'd love to hear what you think. You can either post on social media with the hashtag securityweek as part of this, but we've also set up an email, which is cloudyfeedback at Cloudflare.com. And if you send your feedback and your thoughts to that email, we'll definitely be able to go take a look and see, you know, does this maybe make sense as the next step, next iteration of Cloudy feedback. So we look forward to hearing what you think. This is not the end for Cloudy, but really the first step. As Harsh mentioned, you know, some of this stuff has been worked on for over a year. And then other places, just looking now for those quick wins and those places where we can really embed Cloudy and make everyone's user experience that much better. So with that, thank you everyone for joining us on this quick session, just about Cloudy. Feel free to read the blog, go check out the functionality in the WAF product and in Gateway and Cloudflare 1. And with that, thank you for joining once again and have a great rest of your day. Looking forward to the last two days of security week here.