
We Built a Scanner to Evade Cloudflare and Suricata. It Worked.

Simon · 4 min read

We built a scanner specifically designed to bypass modern detection systems. Timing-geometry intelligence to stay under threshold-based alerts. AI-directed probe sequencing that learns what detection systems miss. Evolutionary adversarial testing using LLMs that treats your security stack as a puzzle to be solved. What was wrong with nmap or bbot, I hear you saying?! Everything, as it turns out.

Today we pointed it at our own Cloudflare-protected target. Four open ports found, services fingerprinted, full take. OK sure, just web ports, but that's not the point.

The point: checking Cloudflare's Security Analytics for our source IP. Zero requests mitigated. Zero events. Zero sampled logs. The dashboard was empty. According to Cloudflare, we were never there. That's the point.

Point nmap at Cloudflare and you'll see the traffic, for sure.

We ran it past Suricata on the node too. We did not win completely this time -- it caught a few SSH probes. Everything else -- clean pass.

We built this hoping the theory would hold up in practice. And then it just... worked. Completely. Against two of the most widely deployed detection systems in the industry.

That should worry you. It worries us.

Because if we can do this -- small team, months of development -- then anyone with the same motivation and access to the same published research can do it too. The difference is they won't be writing about it afterwards.

This is the problem with detection-first security. Cloudflare is a great product. Suricata has solid community rules. But both are fundamentally configuration-driven, signature-matching systems. They catch what they've been told to catch. Our scanner was designed from the ground up to not be in the playbook, and it wasn't.

Zero alerts on a dashboard doesn't mean zero threats. It can just as easily mean someone built something your stack has never seen before.

The industry's reflex is always more detection. More rules, more ML, more signatures, tune the thresholds. But that's an arms race where the defender has to be right every time and the attacker only needs to be right once. We've just demonstrated what "once" looks like.

The question we think matters more: how do you know your defences are ready to enforce right now, against techniques that exist right now?

That's why we built the earned autonomy framework alongside the scanner. Not as separate projects -- as two halves of the same system. The scanner that ghosted Cloudflare today is the same adversarial engine we turn inward against our own autonomous defences. If our enforcement layer can't catch our own scanner, it doesn't get to enforce. It hasn't earned it.

Continuous adversarial certification. The defence must prove, against live evasion, that it's ready to act -- and keep proving it. Not annually. Not quarterly. Continuously. Authority earned through demonstrated competence, not assumed from a vendor datasheet.

We're calling it an immune training system for autonomous enforcement. The scanner is the pathogen. The defence has to evolve to match it. If it can't, it doesn't get autonomy. Simple as that.

Today proved the concept works in one direction -- our offensive tooling walked through production detection systems undetected. Now we get to find out if the defensive half can keep up.
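The "earned autonomy" gate described above, as an added illustration (not NullRabbit's code; the class and field names are assumptions): a defence layer is granted enforcement authority only while its recent adversarial certification runs show it catching enough of the scanner's probes, and the grant lapses when the latest run is too old. The constructed runs mirror the post: an edge layer that saw none of the four probes, an IDS that caught a few, and a retrained layer that keeps passing.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertRun:
    """One adversarial certification run: the scanner turned on a defence layer."""
    defence: str          # which enforcement layer was tested
    finished_at: float    # epoch seconds when the run ended
    probes_sent: int      # scanner probes launched at the defence
    probes_detected: int  # probes the defence raised an alert on


@dataclass
class AutonomyGate:
    """Grants enforcement authority only while recent runs keep proving detection."""
    min_detection: float = 0.9   # required share of probes caught over the window
    window: int = 5              # number of most recent runs that count
    max_age: float = 3600.0      # seconds before the latest certification goes stale
    runs: Dict[str, List[CertRun]] = field(default_factory=dict)

    def record(self, run: CertRun) -> None:
        self.runs.setdefault(run.defence, []).append(run)

    def detection_rate(self, defence: str) -> float:
        hist = self.runs.get(defence, [])[-self.window:]
        sent = sum(r.probes_sent for r in hist)
        return sum(r.probes_detected for r in hist) / sent if sent else 0.0

    def may_enforce(self, defence: str, now: float) -> bool:
        hist = self.runs.get(defence, [])[-self.window:]
        if not hist:                                   # never certified at all
            return False
        if now - hist[-1].finished_at > self.max_age:  # certification has lapsed
            return False
        return self.detection_rate(defence) >= self.min_detection


def demo(now: float = 10_000.0) -> Dict[str, bool]:
    """Constructed runs (hypothetical layer names) evaluated at time `now`."""
    gate = AutonomyGate()
    gate.record(CertRun("edge-waf", now - 60, probes_sent=4, probes_detected=0))
    gate.record(CertRun("host-ids", now - 60, probes_sent=20, probes_detected=3))
    for i in range(5):  # a retrained layer that keeps catching nearly everything
        gate.record(CertRun("retrained-ids", now - 300 + i * 60, 20, 19))
    gate.record(CertRun("stale-ids", now - 2 * 3600, 20, 20))  # perfect, but too old
    return {d: gate.may_enforce(d, now)
            for d in ("edge-waf", "host-ids", "retrained-ids", "stale-ids")}
```

Only the layer whose recent, fresh runs clear the threshold is allowed to enforce; a perfect score from two hours ago earns nothing until it is re-proven.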

One more thing. We're building offensive scanning infrastructure, and we think that comes with obligations. Today we're also launching our scanning directory -- a public register of our scanner IPs, what we're doing, and why. If you see our traffic, you can trace it back to us, read what we're about, and get in touch. If you're going to build tools that ghost through detection systems, the least you can do is tell people where to find you.

-- Simon
