A fixed-price audit of your existing Cloudflare deployment. We review the edge, the origin, and the access layer, then close the gaps. From $390, most finished in 5 business days.
Cloudflare is a security product, but only if it’s configured like one. The defaults won’t stop a determined attacker. A misconfigured WAF can either let exploits through or lock your own admins out of their dashboard. Half the breaches we see on Cloudflare-fronted sites start with origin IP exposure: the attacker finds the real server address, bypasses Cloudflare entirely, and hits the origin directly.
A Cloudflare security audit looks at the parts that decide whether the layer is doing its job, then we fix what’s broken.
Edge layer: WAF rules, rate limits, bot scoring, and page rules. The defaults are a starting point; production traffic needs them tuned.
Origin layer: whether your real server IP is exposed (DNS history, certificate transparency logs, subdomain enumeration), and whether your origin still accepts connections that don't come from Cloudflare's edge.
Access layer: Zero Trust policies, identity provider integration, API token scopes, and admin areas that should sit behind a login but don't.
A misconfigured Cloudflare site typically has problems on all three layers, but the most damaging one is origin exposure. If an attacker can find your real IP and your origin still accepts direct connections, Cloudflare is theatre. We start there.
We run the full scope on every audit. Each item below is a separate pass, because Cloudflare gives you enough configuration surface that scanning one layer misses most real issues.
A plain-English findings report ranked by how likely each issue is to get you breached. With it comes a fix list your team or ours can apply. On the hardening tier we apply the fixes ourselves and verify with a re-scan.
Edge, origin, and access issues ranked by likelihood and impact.
Hand it to your team or back to us. Every item has the Cloudflare dashboard path and the change to make.
Which managed rules to enable, which custom rules to add, and where to relax for known false positives.
Host-level firewall rules that block direct connections, a Cloudflare IP allow-list on the origin web server, and origin TLS locked down.
Existing policies tightened, new ones added for admin areas that should have them.
A short call to go through findings. No jargon, no upsell.
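The origin check and the origin lockdown above are the two halves of one test, shown here as an added example in Python (not the audit provider's own tooling). It classifies the peer addresses in an origin access log against Cloudflare's published IPv4 edge ranges to find requests that never passed through Cloudflare, then renders the nginx allow-list that closes the gap. The ranges are a snapshot embedded so the script runs offline; the log lines are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Embedded so this example runs offline. In practice, fetch the current list (and ips-v6)
# at audit time and on a schedule: a stale allow-list blocks legitimate edge traffic.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

# Constructed sample of nginx "combined" access-log lines from an origin host.
# The first field must be the raw TCP peer address ($remote_addr before any
# real_ip rewriting, or $realip_remote_addr); if your log already shows the
# CF-Connecting-IP client address, this check would misclassify every line.
SAMPLE_LOG = """\
172.68.10.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.31"
104.20.3.9 - - [01/Jan/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [01/Jan/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.77 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.31"
"""


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the embedded Cloudflare edge ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Version mismatch (IPv6 address vs IPv4 network) simply yields False.
    return any(addr in net for net in CF_NETS)


def peer_ips(log_text: str) -> list[str]:
    """First whitespace-separated field of each non-empty log line is the peer address."""
    return [line.split()[0] for line in log_text.splitlines() if line.strip()]


def direct_hits(log_text: str) -> list[str]:
    """Unique peer addresses (in first-seen order) that reached the origin without
    passing through Cloudflare. Any entry here means the origin still answers direct
    connections, which is the finding the audit's origin pass is looking for."""
    seen = dict.fromkeys(ip for ip in peer_ips(log_text) if not is_cloudflare(ip))
    return list(seen)


def nginx_allowlist(nets: list[str] = CLOUDFLARE_IPV4) -> str:
    """Render an nginx allow/deny block that admits only Cloudflare's edge.
    Drop it into the server{} block (or a shared include) and reload nginx."""
    lines = [
        "# Accept HTTP(S) only from Cloudflare's edge; everything else gets 403.",
        "# Regenerate from https://www.cloudflare.com/ips-v4 and ips-v6 on a schedule.",
    ]
    lines += [f"allow {n};" for n in nets]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = direct_hits(SAMPLE_LOG)
    if hits:
        print("Origin accepted direct (non-Cloudflare) connections from:", ", ".join(hits))
    else:
        print("No direct hits in this log window.")
    print()
    print(nginx_allowlist())
```

The nginx block only protects the web ports and only after the TCP handshake has completed; the host firewall or cloud security group should carry the same allow-list so that port scans do not reveal the origin at all. Either way, a real IP that is already in DNS history or certificate transparency logs stays findable, so the allow-list is what makes that knowledge useless to the attacker, not what hides it.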
Most audits run end-to-end in five business days, with the report handed over before any hardening starts.
Same day: You give us read-only Cloudflare access (or admin if hardening is included), plus SFTP to the origin host. We snapshot the current config before touching anything.
2-3 business days: Edge rules, origin probe (we try to find your real IP from the outside), and access policy review. Done by hand, not just read off the dashboard.
Day four: Ranked findings delivered as a document, plus a walkthrough call.
Day five: On the hardening tier we apply the fixes and re-scan to confirm.
The audit-only tier is $390. That covers the three-layer review, the ranked findings report, and the walkthrough call. Your team applies the fixes from there, or you come back to us later.
Audit plus hardening is $690. That’s the one most teams pick, because applying the fixes is the part they don’t want to schedule themselves.
If your real IP is publicly findable and your origin still accepts direct connections, the audit will spot it but you’ll want hardening done the same week. That’s exactly the gap we close on the higher tier.
If you’re already breached, start with restoration. There’s no point hardening Cloudflare in front of an infected origin.
This audit fits inside our website security services, and we usually pair it with a check of the origin itself. If your origin is WordPress, the WordPress security audit covers the application layer that Cloudflare doesn’t see. The two together close most of the gap.
If your Cloudflare account is fresh and you want it set up from scratch rather than audited, start with the Cloudflare setup and hardening page. And if you want Zero Trust deployed across your admin areas as a fixed-scope bundle, look at the Cloudflare Zero Trust bundle. It packages the access-layer work at a fixed $690.
We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.