Cloudflare managed services checklist
Use this checklist to prepare or review Cloudflare managed services coverage across change intake, DNS operations, WAF and bot tuning, DDoS readiness, cache optimization, certificate ownership, Workers support, Logpush visibility, alerting, incident response, reporting, and continuous improvement.
Step-by-step checklist
1. Define the change-intake process: how requests are raised, what counts as standard versus emergency change, who approves, and how changes are scheduled and recorded.
2. Agree the scope of managed coverage across DNS, CDN/cache, WAF and bot tuning, DDoS readiness, certificates, Workers, and Logpush, and mark what is in scope versus the customer's responsibility.
3. Set service levels and ownership: response and update targets per severity, escalation path, named owners on both sides, and the boundary between platform support and Cloudflare's support.
4. Establish monitoring and alerting: which signals are watched (origin health, WAF events, certificate expiry, error rates, attack alerts), thresholds, and where alerts route.
5. Define DNS and certificate operational ownership: who makes record changes, how they are reviewed, and how certificate renewals and expirations are tracked and actioned.
6. Set the WAF, bot, and rules tuning cadence: how false positives are reviewed, how managed rule changes are staged, and how the exception register is maintained over time.
7. Wire visibility and reporting: Logpush to the SIEM, dashboards, and a regular operational report covering changes, incidents, security events, and recommendations.
8. Run a handover and continuous-improvement loop: runbooks accepted by application, security, and infrastructure owners, and a backlog of tuning and hardening actions reviewed on a schedule.
Risk register
Risks to control
- Risk: Scope is undefined, so changes fall between the customer and the managed provider.
  Control: Write a responsibility matrix marking each area — DNS, WAF, certificates, Workers, Logpush — as in-scope, shared, or customer-owned, and review it with all owners.
- Risk: No change-intake discipline leads to untracked, unscheduled, or risky changes.
  Control: Define standard versus emergency change paths, approvals, scheduling, and a record of every change with owner and rollback note.
- Risk: Alerts fire to nobody, or alert fatigue hides real incidents.
  Control: Tune thresholds, route alerts to a defined on-call owner, and separate informational signals from actionable ones with an agreed escalation path.
- Risk: Certificate expiry is missed because ownership was never assigned.
  Control: Assign certificate and renewal ownership explicitly and track expiry with alerting so renewals happen before they lapse.
- Risk: WAF and bot rules drift as exceptions accumulate without review.
  Control: Maintain an exception register with owner and review date and run a regular false-positive and rule-tuning cadence rather than one-off changes.
- Risk: Reporting is ad hoc, so the customer cannot see what was changed or why.
  Control: Deliver a regular operational report covering changes, incidents, security events, and recommendations, backed by Logpush, dashboards, and a shared backlog.
Output
Useful deliverables
- Responsibility matrix marking each Cloudflare area as in-scope, shared, or customer-owned.
- Change-intake process with standard and emergency paths, approvals, and a change record.
- Service-level and escalation definition with severity targets and named owners on both sides.
- Monitoring and alerting plan: watched signals, thresholds, and alert routing.
- DNS and certificate ownership and renewal-tracking procedure.
- WAF, bot, and rules tuning cadence with an exception register and false-positive review.
- Operational reporting pack: Logpush, dashboards, regular report, and continuous-improvement backlog.
Frequently asked questions
Common questions teams ask when putting this resource into practice.
What does Cloudflare managed services actually cover?
It is defined by scope, not assumption. A responsibility matrix sets which areas — DNS, CDN/cache, WAF and bot tuning, DDoS readiness, certificates, Workers, Logpush, reporting — are managed, shared, or customer-owned, with named owners and escalation on both sides.
How are changes handled under managed services?
Through a defined intake process: requests are raised and classified as standard or emergency, approved by named owners, scheduled, and recorded with a rollback note. This keeps changes tracked rather than ad hoc, and is the foundation for reliable operations.
What is the difference between managed services and Cloudflare's own support?
Cloudflare's support handles platform-level issues; managed services handle day-to-day operation — change intake, monitoring, WAF and bot tuning, certificate ownership, alerting, and reporting — and own the escalation boundary between the customer, the provider, and Cloudflare.
How is ongoing WAF and bot tuning kept under control?
Through a regular cadence rather than one-off edits: false positives are reviewed on schedule, managed rule changes are staged, and every exception lives in a register with an owner and a review date so the policy does not silently drift.
How is managed-services performance reported?
Through a regular operational report covering changes made, incidents, security events, and recommendations, backed by Logpush to the SIEM, dashboards, and a shared continuous-improvement backlog so the customer can see what was done and what is next.
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.