Austin, Texas.  

An average DDoS attack now lasts 45 minutes. For an independent e-commerce operator with a small storefront, 45 minutes of downtime during peak hours is far more than an inconvenience. It can cause major billing issues, damage buyer trust, and sometimes even start a wave of chargebacks. Most small business owners have cybersecurity insurance they have never used. Meanwhile, attackers are finding cheaper and faster ways to launch these attacks.  

Cloudflare Zero Trust tools for online smart apps come at a time when AI-powered applications are making businesses more vulnerable to attacks.  

The Threat That Cloudflare Zero Trust Was Built To Stop 

To see why this suite is important, it helps to know how the threat works. Traffic flooding using HTTP/2 rapid reset is not a complex nation-state attack. Instead, it is an automated script that even low-skill attackers can use to cause serious damage.  

The HTTP/2 rapid reset attack exploits a weakness in the HTTP/2 protocol, which is the main standard for how most websites communicate. Attackers use the stream cancellation feature to send a request, then cancel it immediately, repeating this process very quickly. By automating this simple request, cancel, request, cancel pattern, attackers can overwhelm and take down any server or application using standard HTTP/2.  

Think of it this way: HTTP/2 gives websites the ability to handle many simultaneous conversations. The rapid reset problem is that the protocol also allows these conversations to be started and then dropped right away. A botnet using this exploit does not need to send full requests. It just opens and closes connections millions of times per second until the server can no longer respond to anyone, even real customers.  
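To make the request, cancel pattern concrete from the defender's side, the following added example (not Cloudflare's code and not from the original article) parses HTTP/2 frame headers from one client connection and flags connections that reset most of the streams they open. The function names, the thresholds `max_resets` and `max_ratio`, and the sample traffic are illustrative assumptions; the input is the client's frames after the connection preface.

```python
"""Flag HTTP/2 connections that cancel most of the streams they open."""

HEADERS, RST_STREAM = 0x1, 0x3      # frame types, RFC 9113 section 6
CANCEL = 0x8                        # RST_STREAM error code for a cancelled request
FRAME_HEADER_LEN = 9

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Yield (type, stream_id, payload) for every complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        end = off + FRAME_HEADER_LEN + length
        if end > len(buf):
            break                   # truncated frame: wait for more bytes
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield buf[off + 3], stream_id, buf[off + 9:end]
        off = end

def assess_connection(client_bytes, max_resets=100, max_ratio=0.5):
    """Return (opened, reset, suspicious) for one client's frames.

    Thresholds are illustrative assumptions, not vendor defaults.
    """
    opened, reset = set(), set()
    for ftype, sid, _payload in parse_frames(client_bytes):
        if ftype == HEADERS and sid % 2 == 1:
            opened.add(sid)         # client-initiated streams use odd ids
        elif ftype == RST_STREAM and sid in opened:
            reset.add(sid)          # client abandoned a stream it opened
    ratio = len(reset) / len(opened) if opened else 0.0
    return len(opened), len(reset), len(reset) > max_resets and ratio > max_ratio

def sample_connection(streams, cancel_every):
    """Constructed client traffic: every Nth request is cancelled right away."""
    out = b""
    for n in range(streams):
        sid = 2 * n + 1
        out += build_frame(HEADERS, 0x5, sid, b"\x82")   # placeholder header block
        if n % cancel_every == 0:
            out += build_frame(RST_STREAM, 0, sid, CANCEL.to_bytes(4, "big"))
    return out

if __name__ == "__main__":
    print("shopper:", assess_connection(sample_connection(40, 20)))
    print("flood:  ", assess_connection(sample_connection(500, 1)))
```

A real shopper abandons the occasional request, so the check combines an absolute reset budget with a reset-to-open ratio rather than alerting on any single cancellation.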

In August 2023, Cloudflare mitigated thousands of hyper-volumetric HTTP DDoS attacks, 89 of which exceeded 100 million requests per second. The largest peaked at 201 million RPS, three times the previous record. That record has since been shattered further. In Q2 2025, Cloudflare detailed the largest reported DDoS attack peak to date at 7.3 Tbps, delivering roughly 37.4 TB of malicious traffic in approximately 45 seconds.  

The Agent Defense Gateway and How the Protocol Wall Functions 

Cloudflare’s rapid reset mitigation works at the TLS proxy level right at the start of the HTTPS process. This approach saves significant resources compared to standard layer-7 mitigation systems. It lets the network absorb attacks without causing the chain of 502 errors that used to mean a site was down.  

This design decision sets Cloudflare’s approach apart from older perimeter defenses. Traditional firewalls check traffic only after it has already used up server resources. In contrast, Cloudflare’s protocol wall stops the bad connection pattern before it reaches the application layer. The server never has to process the attack because it never even sees it.  

The agent defense gateway extends this logic specifically to AI-powered applications, the online smart apps that now sit at the center of most modern business workflows. Cloudflare offers a single policy layer to protect any public-facing AI app from a wide range of new threats, including the OWASP top 10 for large language models. Its AI firewall can block prompt injection, model poisoning, and excessive usage attempts that might get past conventional security measures.  

For a small business using an AI-powered customer service chatbot or product recommendation engine, excessive usage is a real concern. A competitor or attacker can use automated scripts to overload an AI endpoint, driving up costs, lowering response quality for real users, and sometimes exposing the model’s workings.  

Cloudflare Zero Trust Automated Web Traffic Guard Manual: Governing AI Usage Inside Organizations 

The Cloudflare Zero Trust automated web traffic guard manual, which serves as the policy and enforcement mechanism for managing how AI apps connect to internal networks, also addresses another threat that gets less attention: shadow AI.  

Cloudflare Gateway lets you automatically enforce AI policies at the network’s edge, so every employee is protected no matter where they are. Security teams can block unapproved AI apps, limit the data uploaded to AI tools, and review AI tools to ensure they continue to meet security and privacy standards.  

Imagine a 12-person accounting team where staff copy client financial summaries into a free AI writing tool to speed up reports. This might save two hours a week, but it also sends confidential client data through a third-party model the firm has not checked, creating unknown regulatory risks. AI prompt protection helps security teams spot risky employee interactions with AI models and enforce policies at the prompt level. It can warn employees or prevent them from submitting sensitive data such as source code or financial records to an untrusted AI provider.  

Why This Resets the Standard for Business Web Infrastructure 

A 2026 Forrester Total Economic Impact study looked at Cloudflare One’s combined platform, which brings together zero trust network access, secure web gateway, cloud access security broker, and firewall as a service under one policy system. This combination is important because using different vendors for DDoS, identity, and AI governance can create policy gaps that attackers can exploit. A unified protocol wall that uses the same logic for traffic flooding, shadow AI, and agent behavior across the entire network removes those gaps by design. It covers all AI models and APIs across an organization’s web properties, providing visibility into the full scope of AI usage before policies are applied. You cannot govern what you cannot see, and most organizations running online smart apps today have incomplete inventories of the AI endpoints their applications actually touch.  

For business owners and startup CTOs, the main takeaway is that being offline for 45 minutes is more expensive than ever, while the cost of protection is lower than before, compared to the risk. Cloudflare Zero Trust makes automated defense a basic requirement, not only a luxury for big companies. Businesses that set up this protection now can focus on improving their products instead of dealing with security incidents.

Source: Cloudflare Press releases 
