Cloudflare describes how integrating LLMs into their email security pipeline shifts phishing detection from reactive to proactive by mapping the threat landscape at scale.
- •Traditional email security improves primarily through user-reported misses, creating a reactive loop where detection lags behind attacker innovation.
- •LLMs categorize millions of daily emails by intent, urgency, and deception, surfacing nuanced threat vectors like "Sales Outreach" phishing that mimic legitimate B2B communication.
- •LLM-generated tags enable analysts to identify systemic gaps faster, driving targeted ML model training without waiting for large volumes of customer reports.
- •A dedicated sentiment analysis model was built for Sales Outreach phishing, trained on LLM-curated corpora focusing on persuasive framing, urgency, and transactional language.
- •Average daily Sales Outreach phishing misses dropped 20.4% from Q3 to Q4 2025 (965 to 769), with a further two-thirds reduction continuing into Q1 2026.
The Cloudflare Blog 