Cloudy is an LLM-powered explanation layer integrated into Cloudflare One that converts dense detection data from email security and CASB engines into clear, actionable guidance for both security operators and end users. By presenting the reasoning behind each alert in plain language, it enables faster, more informed decisions while reducing false‑positive noise.
Deep Technical Analysis
Cloudy aggregates outputs from multiple specialized detection models (such as sender reputation, authentication results, link behavior, and content analysis) into a unified data structure. This enriched payload is then fed to a purpose‑built prompt chain executed by Cloudflare Workers AI, which generates natural‑language explanations in real time. The system distinguishes between admin‑focused and end‑user‑focused summaries, tailoring terminology and detail level to the audience.
Model Aggregation and Signal Collection
Each incoming email triggers Phishnet to invoke a suite of large language model analyses alongside traditional heuristics. Signals include SPF/DKIM/DMARC status, domain age, URL reputation, and behavioral patterns extracted from the message body. These signals are normalized into a JSON schema that preserves provenance for downstream explanation generation.
Prompt Engineering for Explanation
Cloudy employs a multi‑stage prompt pipeline. The first stage summarizes raw signals into bullet points; the second stage reframes these points as a concise narrative that answers "what" and "why" for the user. Prompt templates embed safety guards to prevent exposure of sensitive internal logic while ensuring the output remains comprehensible.
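An added sketch of the signal normalization and audience split described above. It is not Cloudflare's code: the record schema, detector names, thresholds, and the choice to withhold model identifiers from prompt input are assumptions made for illustration.

```javascript
// Hypothetical schema and names throughout; sample data is constructed.
const rawSignals = [
  { detector: "auth-check", kind: "spf", value: "FAIL" },
  { detector: "auth-check", kind: "dkim", value: "pass" },
  { detector: "auth-check", kind: "dmarc", value: "Fail" },
  { detector: "domain-intel", kind: "domain_age_days", value: 3 },
  { detector: "url-reputation", kind: "url_reputation", value: 0.91, model: "internal-url-model-v7" },
];

// Plain-language finding per signal kind; null means the signal is benign.
// Thresholds are illustrative assumptions.
const FINDINGS = {
  spf: (v) => (v === "fail" ? "Sender failed SPF" : null),
  dkim: (v) => (v === "fail" ? "Message failed DKIM" : null),
  dmarc: (v) => (v === "fail" ? "Message failed DMARC" : null),
  domain_age_days: (v) => (v < 30 ? "Sender domain was registered very recently" : null),
  url_reputation: (v) => (v >= 0.8 ? "Message contains a link with poor reputation" : null),
};

// Normalize each raw signal into one record that keeps its provenance:
// which detector produced it, which model (if any), and the untouched raw value.
function normalizeSignals(raw) {
  return raw
    .filter((s) => Object.prototype.hasOwnProperty.call(FINDINGS, s.kind)) // drop unknown kinds
    .map((s) => {
      const value = typeof s.value === "string" ? s.value.toLowerCase() : s.value;
      return {
        kind: s.kind,
        value,
        finding: FINDINGS[s.kind](value),
        provenance: { detector: s.detector, model: s.model ?? null, raw: s.value },
      };
    });
}

// Build the payload handed to the explanation prompt for a given audience.
// End users get findings only; admins also get values and the source detector.
// Model identifiers are withheld from both, so the prompt cannot echo them.
function buildPromptInput(records, audience) {
  const flagged = records.filter((r) => r.finding !== null);
  if (audience === "admin") {
    return flagged.map((r) => ({ finding: r.finding, kind: r.kind, value: r.value, detector: r.provenance.detector }));
  }
  if (audience === "end_user") return flagged.map((r) => ({ finding: r.finding }));
  throw new Error(`unknown audience: ${audience}`);
}
```

Filtering before the prompt is built, rather than instructing the model not to reveal a field, means the withheld detail is never in the model's context to begin with.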
Real‑Time Delivery via Workers
When a user clicks the Phishnet reporting button, a Workers‑based workflow aggregates the stored signal payload, invokes the prompt pipeline, and returns the explanation within milliseconds. This edge‑deployed path guarantees low latency regardless of the user's geographic location.
Impact on Security Operations
By surfacing clear rationales, Cloudy reduces unnecessary report submissions by up to 30 % in pilot deployments, allowing SOC analysts to focus on truly malicious incidents. End users receive contextual education at the point of decision, improving overall phishing resilience without additional training sessions.