This article was originally published on the Cloudflare Blog on 9 October 2025. Co-authored with Chris O’Rourke, Blake Darche, Jacob Crisp, and Trevor Lyness.
In Q2 2025, Cloudflare stopped an average of 190 billion cyber threats every day. But real-world customer experiences showed us that stopping attacks at the edge is not always enough. Ransomware disrupted financial operations. Data breaches crippled real estate firms. Misconfigurations caused major data losses. In each case, the real damage happened inside networks.
These incidents also exposed a structural problem: customers had to hand off to separate internal teams for investigation and remediation. Those handoffs created delays, fractured the response, and meant critical context collected at the edge never reached the teams managing cleanup.
We built REACT (Respond, Evaluate, Assess, Consult Team) to close that gap.
REACT is a new suite of incident response and security advisory services under Cloudforce One. The team handles ransomware, APT and nation-state activity, insider threats, and business email compromise. What makes it different from traditional IR firms:
- Network-native mitigation. Responders can deploy mitigations directly at the Cloudflare edge (WAF rules, Gateway policies) during an active incident, cutting the time between identification and containment.
- Threat intelligence built in. With roughly 20% of the web behind Cloudflare, REACT investigators correlate incident details against emerging attack patterns visible across the global network in real time.
- Vendor-agnostic scope. The team investigates and remediates across any environment: on-prem, cloud, hybrid, regardless of whether the customer uses Cloudflare for everything or just part of their stack.
The service includes both proactive advisory (threat hunting, tabletop exercises, maturity assessments) and emergency incident response with retainer options for guaranteed availability.
Three threat patterns dominated our early engagements: insider threats (including state-sponsored operatives gaining access through fraudulent remote roles), ransomware across every vertical, and application-layer breaches through both “vibe-coded” AI-generated vulnerabilities and SaaS supply chain compromises.
REACT is now available to Enterprise customers directly from the Cloudflare dashboard, with a dedicated Under Attack page for emergency engagement.