Cloudflare opens Client-Side Security's GNN+LLM detection to everyone and cuts false positives by 200x
Contents
On March 30, Cloudflare refreshed the detection engine behind Client-Side Security, formerly Page Shield, with a two-stage cascade of a graph neural network and an LLM. It also opened the Advanced features, which used to require enterprise sales, to self-serve customers. Domain-based threat intelligence is now free for everyone, including the free plan.
What Client-Side Security protects
Third-party JavaScript embedded in a site can do damage without changing the look of the page. Magecart skimming, supply-chain attacks through npm packages, and browser-side keyloggers are all threats that a server-side WAF will miss.
Client-Side Security uses the browser’s Content Security Policy reporting mechanism to collect script execution data. No scanner or agent is needed on the application side, and latency impact is zero. Cloudflare evaluates about 3.5 billion scripts per day, or about 40,000 per second.
The limits of GNN alone
The previous system used only a GNN. It parses JavaScript ASTs with tree-sitter and learns graph structure, so it can detect unknown threats even when variable names are renamed or code is minified.
The model uses a message-passing graph convolution network that classifies scripts into benign, Magecart, cryptomining, or malware. Test data showed nearly 99% macro accuracy and malicious detection precision.
The problem was false positives. A 0.3% false-positive rate sounds low, but at Cloudflare scale it still means millions of alerts per day. Legitimate but heavily obfuscated scripts, such as bot-management challenges and ad-tech code, looked suspicious to the GNN, which led to alert fatigue.
How the two-stage cascade works
The new pipeline runs the GNN first and only sends suspicious cases to the LLM.
graph TD
A["Browser CSP reports<br/>40k scripts per second"] --> B["Stage 1: GNN<br/>AST structure analysis"]
B -->|benign| C["Pipeline ends<br/>LLM skipped"]
B -->|suspect| D["Stage 2: LLM<br/>semantic evaluation"]
D -->|benign| E["Removed as false positive"]
D -->|malicious| F["Alert fired<br/>block rule applied"]
E --> G["Logged for audit<br/>LLM overrode GNN"]The GNN evaluates every script. If a script looks benign, it exits early and skips the expensive LLM inference. Only suspicious scripts reach Stage 2.
The LLM runs on Cloudflare Workers AI using an open-source model. It is given a security-specific prompt context and evaluates the script semantically. That lets it understand normal JavaScript framework patterns and distinguish “suspicious but harmless” code from truly malicious code.
If the LLM overrides the GNN, the decision is stored in the audit log. That creates a feedback loop for continuous improvement.
The 200x false-positive reduction
In production traffic for the JavaScript Integrity threat category, the results were:
| Metric | Before | After | Reduction |
|---|---|---|---|
| Full-traffic FP rate | about 0.3% | about 0.1% | roughly 3x |
| Unique-script FP rate | about 1.39% | about 0.007% | about 200x |
The 200x number is per unique script, which is the number that matters for security teams looking at real alerts. The true-positive rate stayed the same, so the combination of high recall from the GNN and high precision from the LLM is doing the work.
Zero-day XSS detection
Cloudflare shared a real detection example in the blog post. A malicious core.js targeting Xiaomi OpenWrt routers was distributed in a heavily obfuscated form using an array-string obfuscator. The script checked the router’s WAN config, overwrote DNS settings, and changed the administrator password.
Before VirusTotal or other intelligence platforms had reported it, the GNN caught the malicious pattern from the AST structure and the LLM confirmed the intent.
The point is the same as in Cloudflare’s Turnstile analysis: Cloudflare has deep experience analyzing obfuscated JavaScript, and that knowledge is now baked into the detection engine.
Training data strategy
The model is strong because of how the training data is built. Only about 6% of the scripts are malicious, so the dataset is highly imbalanced.
Cloudflare handles that by prioritizing quantity for malicious samples and diversity for benign ones. To make annotation efficient, it uses LLM-based code embeddings to filter semantically similar scripts and only keeps samples with cosine similarity at least 0.10 apart. That compressed the annotation set from about 3,000 to 196 scripts and cut false positives by 50%.
Inference efficiency is also notable. Because more than 99.9% of scripts are cached by a tree-based hash, Cloudflare can process 40,000 scripts per second while running the GNN fewer than 10 times per minute. The cache key is AST-structure-derived rather than SHA-256, so minor minification or formatting changes do not invalidate it.
대응 to npm supply-chain attacks
Cloudflare also references the September 2025 malicious npm package campaign and Sansec’s January 2026 report about a browser-side keylogger in a merchant store used by bank employees. Both are the sort of threats Client-Side Security is built to catch.
Supply-chain attacks keep getting more sophisticated, as seen in Famous Chollima’s StegaBin campaign and TeamPCP’s PyPI poisoning. Client-Side Security works as the last line of defense for the scripts that actually run in browsers.
Plan changes
Until now, Client-Side Security Advanced, formerly Page Shield Advanced, could only be bought through enterprise sales. Cloudflare had already said during Birthday Week 2025 that security features should be accessible without sales involvement, and now it is following through.
| Feature | Free | Pro / Business | Advanced (self-serve) |
|---|---|---|---|
| Domain-based threat intelligence | yes | yes | yes |
| GNN+LLM malicious script detection | no | no | yes |
| Code change monitoring | no | no | yes |
| Proactive block rules | no | no | yes |
The article notes that non-enterprise commerce platforms, especially Magento-like storefronts, are common skimming targets. Getting advanced detection without an enterprise contract is a real security improvement for smaller operators.
Where Cloudflare AI Security for Apps protects the server side against prompt injection and PII leaks, Client-Side Security protects the browser side against malicious scripts. Together they cover both ends of the web app.