--- title: WAF attack score description: Machine learning scores that classify each request for attack likelihood. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/waf/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # WAF attack score The attack score [traffic detection](https://developers.cloudflare.com/waf/concepts/#detection-versus-mitigation) classifies each request using a machine learning algorithm, assigning a score from 1 to 99 based on the likelihood that the request is malicious. This detection complements [WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/). [Managed Rules](https://developers.cloudflare.com/waf/managed-rules/) match requests against known attack signatures — specific patterns of established attack vectors. They have a very low rate of false positives. However, attackers can modify known payloads, for example by using fuzzing techniques (a testing technique that sends modified inputs to find vulnerabilities), to evade exact signature matches. Attack score addresses this gap. You can use the score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. To maximize protection, Cloudflare recommends that you use both Managed Rules and attack score. Note The full feature is available to Enterprise customers. Business plans only have access to a single field (WAF Attack Score Class). ## Available scores The Cloudflare WAF provides the following attack score fields: | Field | Description | Required plan | | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | | WAF Attack Score [cf.waf.score](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score/) Number | A global score from 1–99 that combines the score of each WAF attack vector into a single score. | Enterprise | | WAF SQLi Attack Score [cf.waf.score.sqli](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.sqli/) Number | A score from 1–99 classifying the [SQL injection ↗](https://www.cloudflare.com/learning/security/threats/sql-injection/) (SQLi) attack vector. | Enterprise | | WAF XSS Attack Score [cf.waf.score.xss](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.xss/) Number | A score from 1–99 classifying the [cross-site scripting ↗](https://www.cloudflare.com/learning/security/threats/cross-site-scripting/) (XSS) attack vector. | Enterprise | | WAF RCE Attack Score [cf.waf.score.rce](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.rce/) Number | A score from 1–99 classifying the command injection or [remote code execution ↗](https://www.cloudflare.com/learning/security/what-is-remote-code-execution/) (RCE) attack vector. | Enterprise | | WAF Attack Score Class [cf.waf.score.class](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.waf.score.class/) String | The attack score class of the current request, based on the WAF attack score. Possible values: attack, likely\_attack, likely\_clean, and clean. | Business or above | You can use these fields in expressions of [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/). Numeric score fields range from `1` to `99`: * A score of `1` indicates that the request is almost certainly malicious. * A score of `99` indicates that the request is likely clean. A score of `100` means the request reached the WAF attack score system, but the system decided not to score it. In [Logpush](https://developers.cloudflare.com/logs/logpush/) data, a score of `0` means the request did not reach the attack score stage — for example, because a previous rule or protection system already mitigated it. The value `0` does not appear in the Cloudflare dashboard. The global WAF Attack Score is mathematically derived from individual attack scores (for example, from SQLi Attack Score and XSS Attack Score), reflecting their interdependence. However, the global score is not a sum of individual scores. A low global score usually indicates medium to low individual scores, while a high global score suggests higher individual scores. The WAF Attack Score Class field can have one of the following values, depending on the calculated request attack score: | Dashboard label | Field value | Description | | --------------- | -------------- | ------------------------------- | | _Attack_ | attack | Attack score between 1 and 20. | | _Likely attack_ | likely\_attack | Attack score between 21 and 50. | | _Likely clean_ | likely\_clean | Attack score between 51 and 80. | | _Clean_ | clean | Attack score between 81 and 99. | Requests with the special attack score `100` will show a WAF Attack Score Class of _Unscored_ in the Cloudflare dashboard, but you cannot use this class value in rule expressions. Attack score automatically detects and decodes Base64, JavaScript (Unicode escape sequences), and URL encoded content anywhere in the request: URL, headers, and body. ## Rule recommendations Blocking traffic solely based on attack score for all values below `50` is not recommended. The _Likely attack_ range (scores `21`–`50`) can include legitimate requests incorrectly flagged as malicious (false positives). If you want to block traffic based on attack score, do one of the following: * Use a more strict WAF Attack Score value in your expression. For example, block traffic with a WAF attack score below `20` or below `15` (you may need to adjust the exact threshold). * Combine a higher WAF Attack Score threshold with additional filters when blocking incoming traffic. For example, include a check for a specific URI path in your expression or use bot score as part of your criteria. --- ## Start using WAF attack score ### 1\. Create a custom rule Enterprise customers can [create a custom rule](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/) that blocks requests with a **WAF Attack Score** less than or equal to `20` (recommended initial threshold). For example: | Field | Operator | Value | | ---------------- | --------------------- | ----- | | WAF Attack Score | less than or equal to | 20 | * Equivalent rule expression: `cf.waf.score le 20` * Action: _Block_ Business customers must create a custom rule with the **WAF Attack Score Class** field instead. For example, use this field to block incoming requests with a score class of _Attack_: | Field | Operator | Value | | ---------------------- | -------- | ------ | | WAF Attack Score Class | equals | Attack | * Equivalent rule expression: `cf.waf.score.class eq "attack"` * Action: _Block_ ### 2\. Monitor domain traffic Monitor the rule you created, especially in the first few days, to make sure you entered an appropriate threshold (or class) for your traffic. Update the rule if required. ### 3\. Update the rule action If you are an Enterprise customer and you created a rule with _Log_ action, change the rule action to a more severe one, like _Managed Challenge_ or _Block_. --- ## Additional remarks WAF attack score and [bot score](https://developers.cloudflare.com/bots/concepts/bot-score/) serve different purposes. Attack score identifies variations of attacks that WAF Managed Rules do not catch. Bot score identifies whether a request comes from automated traffic. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/waf/","name":"WAF"}},{"@type":"ListItem","position":3,"item":{"@id":"/waf/detections/","name":"Traffic detections"}},{"@type":"ListItem","position":4,"item":{"@id":"/waf/detections/attack-score/","name":"WAF attack score"}}]} ```