Risk Score - User risk scoring for high risk browsing activity

Cloudflare One's User Risk Scoring now incorporates direct signals from Gateway DNS traffic patterns. This update allows security teams to automatically elevate a user's risk score when they visit high-risk or malicious domains, providing a more holistic view of internal threats.

Why this matters

Browsing activity is a primary indicator of potential compromise. By tying Gateway DNS logs to specific users, administrators can now flag individuals interacting with:

- Security threats: Domains associated with malware, phishing, or command-and-control (C2) centers.
- High-risk content: Categories such as questionable content or violence that may violate corporate compliance.

Even if a Gateway policy is set to Block the traffic, the interaction is still captured as a "hit" to ensure the user's risk profile reflects the attempted activity.

New risk behaviors

Two new behaviors are now available in the dashboard:

- Suspicious Security Domain Visited: Triggers when a user visits a domain in the security threats or security risk categories.
- High risk domain visited: Triggers when a user visits domains categorized as questionable content, violence, or CIPA.

To learn more and get started, refer to the User Risk Scoring documentation.

Fetched April 8, 2026