    Cloudy: Translating Complex Security Signals into Human Action

    11 March 2026 by
    Suraj Barman

    Cloudy is an LLM‑driven explanation engine embedded in Cloudflare One that converts detailed telemetry from email security and CASB detections into concise, human‑readable guidance. By surfacing the reasoning behind each alert, it enables end users and security teams to act swiftly with confidence, cutting false positives and improving overall security posture.

    Architecture of the Cloudy Explanation Layer

    The core of Cloudy consists of a large language model fine‑tuned on security telemetry, orchestrated by Cloudflare Workers AI. Raw detection outputs, such as sender reputation scores, authentication results, and link behavior, are aggregated into a structured payload. Prompt templates then steer the model to generate natural‑language explanations that prioritize clarity over technical depth. This design isolates the explanation process from classification, ensuring that the original detection verdict remains unchanged.
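
    The sketch below is an added example, not Cloudflare's code: it shows one way to keep the explanation step isolated from classification, so that the label always comes from the detection payload and never from model output. The field names, the prompt wording and the `runModel` callback are assumptions made for illustration.

```javascript
// Added example: field names, prompt wording and runModel are assumptions.
const KNOWN_VERDICTS = new Set(["Malicious", "Suspicious"]); // labels named in the article

// Aggregate allow-listed signals into the structured payload. Free text from
// the message (subject, body, display name) is never copied into it.
function buildPayload(detection) {
  if (!KNOWN_VERDICTS.has(detection.verdict)) throw new Error("unknown verdict");
  const reputation = Number(detection.senderReputation);
  if (!Number.isFinite(reputation) || reputation < 0 || reputation > 1) {
    throw new Error("sender reputation must be a number in [0, 1]");
  }
  const auth = {};
  for (const check of ["spf", "dkim"]) {
    auth[check] = detection.auth && detection.auth[check] === "pass" ? "pass" : "fail";
  }
  const redirects = Number.isInteger(detection.linkRedirects) ? detection.linkRedirects : 0;
  return { verdict: detection.verdict, senderReputation: reputation, auth, linkRedirects: redirects };
}

// Prompt template: the model is asked to explain the label, not to assign one.
function buildPrompt(payload) {
  return [
    "Explain to a non-technical recipient why this email was labelled " + payload.verdict + ".",
    "Use only the signals in the JSON below. Do not change or question the label.",
    JSON.stringify(payload),
  ].join("\n");
}

// The verdict is copied from the detection payload; model text only fills the
// explanation field, so nothing the model returns can alter the label.
function finalize(payload, modelText) {
  const text = String(modelText || "").trim().slice(0, 600);
  return Object.freeze({
    verdict: payload.verdict,
    explanation: text || "No explanation is available for this detection.",
  });
}

// runModel: hypothetical async callback (prompt -> text) wrapping the model call.
async function explain(detection, runModel) {
  const payload = buildPayload(detection);
  let modelText = "";
  try {
    modelText = await runModel(buildPrompt(payload));
  } catch (err) {
    modelText = ""; // a model failure must not block or change the verdict
  }
  return finalize(payload, modelText);
}
```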

    Integration with Cloudflare Email Security

    When an email passes through Cloudflare Email Security, multiple machine learning models evaluate aspects like DKIM/SPF alignment, content heuristics, and URL reputation. Cloudy receives the ensemble of model scores and produces a summary that tells the recipient why the message received a label such as Malicious or Suspicious. The summary appears directly in the user interface, allowing the user to make an informed decision without consulting the SOC.

    Phishnet Workflow Enhancement

    Phishnet's reporting button now triggers a Workers‑based workflow that calls Cloudy in real time. The request aggregates signals from the detection pipeline, feeds them to the LLM, and returns a user‑friendly explanation on the spot. This immediate feedback reduces unnecessary submissions to the SOC and educates users at the moment of interaction, turning potential noise into actionable insight.

    CASB Detection Contextualization

    For SaaS environments monitored by Cloudflare CASB, Cloudy translates configuration drift, risky permission grants, and data exposure alerts into plain‑language risk statements. Administrators see a concise remediation path (e.g., "Remove public read access on bucket X") without digging through low‑level logs. This accelerates response times and aligns security operations with business priorities.

    Real‑Time Summarization via Workers AI

    The summarization engine runs on Cloudflare's global edge network, ensuring sub‑second latency regardless of user location. By leveraging the distributed nature of Workers, Cloudy scales to millions of concurrent explanations while preserving data locality, which is critical for compliance with regional data‑handling regulations.

    Operational Impact and Future Roadmap

    Early deployments show a 30% drop in false‑positive escalations and a measurable increase in user confidence when handling suspicious emails. Upcoming enhancements include adaptive prompting based on user expertise levels and deeper integration with threat‑intel feeds. For a broader view of Cloudflare's AI initiatives, see the article "Accelerating SASE migrations with Cloudflare One", and for related security tooling, refer to "Active defense introducing Cloudflare's stateful API vulnerability scanner".



    Copyright © 2026 TechStora. All Rights Reserved.