Translating risk insights into actionable protection: leveling up security posture with Cloudflare and Mastercard

Published: (March 10, 2026 at 01:05 AM EDT)

Source: Cloudflare Blog


Every new domain, application, website, or API endpoint increases an organization’s attack surface. For many teams, the speed of innovation and deployment outpaces their ability to catalog and protect these assets, often resulting in a “target‑rich, resource‑poor” environment where unmanaged infrastructure becomes an easy entry point for attackers.

Replacing manual, point‑in‑time audits with automated security‑posture visibility is critical to growing your Internet presence safely. That’s why we are happy to announce a planned integration that will enable continuous discovery, monitoring, and remediation of Internet‑facing blind spots directly in the Cloudflare dashboard: Mastercard’s RiskRecon attack‑surface intelligence capabilities.

Information‑security practitioners in pay‑as‑you‑go and Enterprise accounts will be able to preview the integration in Q3 2026.


Attack surface intelligence can spot security gaps before attackers do

Mastercard’s RiskRecon attack‑surface intelligence identifies and prioritizes external vulnerabilities by mapping an organization’s entire Internet footprint using only publicly accessible data. As an outside‑in scanner, the solution can be deployed instantly to uncover “shadow IT,” forgotten subdomains, and unauthorized cloud servers that internal, credentialed scans often miss. By seeing what an attacker sees in real time, security teams can proactively close security gaps before they can be exploited.

But what security gaps are attackers typically looking to exploit? In a 2025 study of 15,896 organizations that had experienced security breaches, Mastercard found that unpatched software, exposed services (e.g., databases, remote‑administration), weak application security (e.g., missing authentication), and outdated web encryption were frequent hallmarks, as shown in the graph below.

The same study also found that organizations with significant cybersecurity‑posture gaps in these areas were 5.3 × more likely to be hit by a ransomware attack and 3.6 × more likely to suffer a data breach compared with companies that maintain good cybersecurity hygiene.


Why Cloudflare and Mastercard are partnering

This partnership combines Mastercard’s attack‑surface intelligence—which identifies security gaps—with Cloudflare’s ability to fix them. Organizations can use Mastercard’s data to find shadow assets (e.g., forgotten domains or unprotected cloud instances) and secure them by routing traffic through Cloudflare’s proxy. This allows for the immediate deployment of security controls without changing the underlying website or application.

Based on a sample of ~388 k organizations spanning >18 million systems, Mastercard’s attack‑surface intelligence shows that systems using Cloudflare as a proxy have significantly better security hygiene than those that do not:

  • Software Patching: 53 % fewer software vulnerabilities
  • Web Encryption: 58 % fewer SSL/TLS issues
  • System Reputation: 98 % fewer instances of malicious behavior (e.g., communicating with botnet C2 servers, hosting phishing sites)

The table below provides additional details on the security‑posture insights provided by Mastercard. These insights are generated by passively scanning publicly accessible hosts, web applications, and configurations.

| Category | Security Check | Description |
| --- | --- | --- |
| Software Patching | Application Servers | Unpatched application‑server software. |
| Software Patching | OpenSSL | Unpatched OpenSSL. |
| Software Patching | CMS Patching | Unpatched content‑management‑system software. |
| Software Patching | Web Servers | Unpatched web‑server software. |
| Application Security | CMS Authentication | Enumeration of CMS administration interfaces publicly exposed to the Internet. |
| Application Security | High‑Value System Encryption | Enumeration of systems that collect sensitive data but lack encryption. |
| Application Security | Malicious Code | Enumeration of systems containing malicious code (e.g., Magecart). |
| Web Encryption | Certificate Expiration Date | SSL certificate expired. |
| Web Encryption | Certificate Valid Date | SSL certificate not yet valid. |
| Web Encryption | Encryption Hash Algorithm | Weak SSL encryption hash algorithm. |
| Web Encryption | Encryption Key Length | Weak SSL encryption key length. |
| Web Encryption | Certificate Subject | Invalid SSL certificate subject. |
| Exposed Services / Network Filtering | Unsafe Network Services | Enumeration of unsafe network services (e.g., databases, RDP, VNC). |
| Exposed Services / Network Filtering | IoT Devices | Enumeration of IoT devices such as printers, embedded‑system interfaces, etc. |

Comprehensive domain discovery, continuous posture visibility, and remediation

Cloudflare Security Insights in Cloudflare’s Application Security suite currently identifies risks—such as DNS misconfigurations, weak web encryption, or inactive WAF rules—for any domain already proxied by Cloudflare. However, a significant security gap remains: you cannot protect domains you don’t know exist.

The integration with Mastercard will eliminate these blind spots.


Continuous Internet‑Footprint Profiling

Mastercard continuously profiles the Internet footprint of > 12 million organizations, identifying domains, hosts, and software stacks associated with your company—even if they aren’t yet behind a Cloudflare proxy. This lets Security Insights surface shadow‑IT and unprotected hosts so you can secure them with Cloudflare’s WAF and DDoS protection.

Visibility is only the first step; understanding the criticality of discovered assets lets security teams prioritize findings. Each host is assigned a criticality level:

  • High Criticality – Hosts that collect sensitive data, require authentication, or run sensitive network services (e.g., database listeners, remote‑access gateways).
  • Medium Criticality – Brochure‑type sites that are adjacent to high‑criticality systems (e.g., on the same /24 network).
  • Low Criticality – Brochure‑type sites that are not adjacent to any critical systems.
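
The three criticality rules above, written out as an added example (this is not Cloudflare's or Mastercard's code). The field names, the constructed inventory, and the reading of "adjacent" as "shares an IPv4 /24 with a high-criticality host" are assumptions made for illustration; the output is a remediation queue of unproxied hosts, highest criticality first.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str                          # IPv4 assumed, since the rule speaks of a /24
    proxied: bool = False            # already behind the proxy?
    collects_sensitive_data: bool = False
    requires_auth: bool = False
    sensitive_services: tuple = ()   # e.g. ("postgres",) or ("vpn",)

def is_high(h):
    """High: collects sensitive data, requires auth, or runs a sensitive service."""
    return h.collects_sensitive_data or h.requires_auth or bool(h.sensitive_services)

def slash24(ip):
    """The /24 network containing this address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def assign_criticality(hosts):
    # Collect the /24s that contain at least one high-criticality host first,
    # so brochure sites can be checked for adjacency in a second pass.
    high_nets = {slash24(h.ip) for h in hosts if is_high(h)}
    levels = {}
    for h in hosts:
        if is_high(h):
            levels[h.name] = "HIGH"
        elif slash24(h.ip) in high_nets:
            levels[h.name] = "MEDIUM"   # brochure site next to a critical system
        else:
            levels[h.name] = "LOW"
    return levels

RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def triage(hosts):
    """Unproxied hosts only, ordered HIGH -> LOW (stable within a level)."""
    levels = assign_criticality(hosts)
    todo = [(h.name, levels[h.name]) for h in hosts if not h.proxied]
    return sorted(todo, key=lambda item: RANK[item[1]])

# Constructed inventory using documentation-only names and address ranges.
INVENTORY = [
    Host("blog.example.org", "203.0.113.9"),
    Host("www.example.net", "198.51.100.20"),
    Host("portal.example.com", "192.0.2.5", proxied=True, requires_auth=True),
    Host("vpn.example.net", "198.51.100.106", sensitive_services=("vpn",)),
]

if __name__ == "__main__":
    for name, level in triage(INVENTORY):
        print(f"{level:6} {name}")
```
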

Below is a fictitious example of an organization with many domains it is unaware of. Only one of the discovered domains is currently proxied by Cloudflare. In Security Insights you can visualize this level of detail for shadow domains and hosts.

| Domain | Protected by Cloudflare | Host (IP) | Criticality | Location | Hosting Provider |
| --- | --- | --- | --- | --- | --- |
| search-engine.net | Yes | portal.search-engine.net (10.XXX.XX.5) | HIGH | Springfield, United States | Cloudflare |
| zenith-industries.com | No | vpn.zenith-industries.com (10.XXX.XXX.106) | HIGH | Helsinki, Finland | CloudNode‑Services |
| stratus-global.com | No | store.stratus-global.com (10.XXX.XXX.124) | HIGH | Munich, Germany | SwiftStream‑Tech |
| core-logic.cl | No | extranet.core-logic.cl (10.XXX.XXX.178) | HIGH | Santiago, Chile | SecureCanopy Ltd. |
| vanguard-labs.com | No | extranet.vanguard-labs.com (10.XXX.XX.197) | HIGH | Metropolis, United States | GlobalSoft Systems |
| fusion-id.com | No | fusion-id.com (10.XXX.XXX.146) | HIGH | Prague, Czechia | EuroData‑Hub |
| norden-biotech.no | No | store.norden-biotech.no (10.XXX.XX.124) | MEDIUM | Chicago, United States | SwiftStream‑Tech |
| norden-biotech.se | No | store.norden-biotech.se (10.XXX.XX.124) | MEDIUM | Chicago, United States | SwiftStream‑Tech |

Example of shadow domains and unprotected hosts associated with an organization.

Mastercard also provides continuous visibility into the security posture of Internet‑facing systems—including software patching, exposed network services (e.g., databases, remote access), and application security (e.g., unauthenticated CMSes)—complementing Cloudflare Security Insights, as shown below.

Figure: Security Insights dashboard with shadow domains, unproxied hosts, and posture findings.

These insights are only useful if they lead to action. Instead of merely flagging a domain or host as at risk, Cloudflare Security Insights guides you to remediation: enable Cloudflare proxy (gaining DDoS and bot protection), turn on the Web Application Firewall (WAF), enforce stricter TLS encryption, and address the specific risks identified by the scan.


What’s next: updated Security Insights dashboard

We are integrating Mastercard’s RiskRecon attack‑surface intelligence into the Cloudflare Security Insights dashboard to provide immediate visibility into shadow domains, unprotected hosts, and associated posture gaps.

With an increasing volume of insights, our roadmap also includes:

  • Risk scoring
  • AI‑assisted diagnosis paths that not only surface an insight but also propose relevant correlations (e.g., traffic to an unpatched host) and suggest the exact WAF rule or API Shield configuration needed to neutralize it.

We’d love for you to join the waitlist here.

