Cloudflare evolved its Threat Intelligence Platform to eliminate ETL pipelines using a sharded, SQLite-backed Durable Objects architecture with GraphQL running at the edge.
- Threat Events distributed across thousands of SQLite-backed Durable Object shards enable sub-second query latency over billions of events
- GraphQL endpoint runs in Cloudflare Workers at the edge with no delay between data ingestion and query availability
- Complements SIEMs by enriching raw logs with historical actor patterns and long-term structured intelligence storage
- Fan-out queries execute in parallel across global Durable Objects, eliminating monolithic database bottlenecks
- Supports high-cardinality searches across IPs, file hashes, domains, and JA3 fingerprints with results in seconds