Cloudflare WAF is a cloud proxy that filters HTTP traffic before it reaches your server. It is excellent at what it does — but it only protects web traffic. It cannot see SSH attacks, scan for malware, detect CVE vulnerabilities, or protect services that do not go through DNS. Defensia protects the server itself: SSH, web, filesystem, packages, and containers. They are different layers and can work together.
1. Change DNS nameservers to Cloudflare
2. Enable proxy mode (orange cloud)
3. Configure WAF managed rulesets
# Only HTTP/HTTPS traffic protected...
# SSH, database, email — unprotected...
# Origin IP still attackable directly...
# Per-domain pricing on paid plans...
Free basic WAF. Pro $20/domain/mo. Business $200/mo.
```text
$ curl -fsSL https://defensia.cloud/install.sh | sudo bash
✓ SSH protection active (15 patterns)
✓ Web firewall active (nginx + Apache)
✓ Malware scanner ready (64K+ hashes)
✓ CVE scanner running
✓ Geoblocking + bot management
✓ All services protected — not just HTTP
```
30 seconds. Per-server pricing. All domains included.
Cloudflare WAF is a solid product for HTTP protection. But it leaves significant gaps at the server level. See also how Defensia compares to Sucuri and ModSecurity.
Cloudflare WAF is a DNS proxy — it only sees traffic that passes through Cloudflare's network. SSH (port 22), databases (MySQL 3306, PostgreSQL 5432), email servers (SMTP 25/587), and any service not behind the proxy are completely unprotected. Defensia runs on the server itself and protects all services regardless of port or protocol.
Cloudflare cannot see what is happening on your server. It cannot detect malware in your filesystem, vulnerable packages, rootkits, suspicious processes, or compromised WordPress databases. Defensia scans the server itself — 64K+ malware hashes, CVE detection with NVD/EPSS/KEV, rootkit checks, and credential exposure scanning.
Cloudflare's free plan includes basic WAF rules. But advanced WAF features require Pro ($20/month per domain) or Business ($200/month). If you host 10 domains on one server, that is $200-2,000/month for Cloudflare. Defensia is per-server: one price covers all domains on that server. At EUR 9/month, you protect the entire server regardless of how many domains it hosts.
Cloudflare's protection is bypassed if an attacker discovers your server's real IP address. Origin IPs can be leaked through email headers (SPF/DKIM), DNS history tools (SecurityTrails), certificate transparency logs, or direct scanning with Censys/Shodan. Defensia runs on the server itself — it protects regardless of how the attacker connects.
Cloudflare terminates TLS at its edge. Your visitors' HTTPS traffic is decrypted by Cloudflare, inspected, and re-encrypted to your origin server. This means Cloudflare can read all traffic in plaintext — a concern for privacy-sensitive applications. Defensia operates at the server level and never intercepts or decrypts any traffic.
Cloudflare's dashboard shows WAF analytics per domain, but it does not provide a unified view of server security across your infrastructure. Defensia's dashboard shows SSH attacks, web attacks, malware findings, CVE vulnerabilities, ban timelines, and security posture scores across all your servers in one place.
An edge proxy versus a server-level agent. Different layers, different protection. For web server hardening that complements either approach, see our nginx security guide.
| Feature | Defensia | Cloudflare WAF |
|---|---|---|
| Protection layer | Server-level (OS) | Edge (DNS proxy) |
| SSH brute force protection | 15 patterns | ✗ |
| Web Application Firewall | 15+ OWASP types | OWASP CRS + managed rules |
| Malware scanning | 64K+ hashes + 684 patterns | ✗ |
| CVE & vulnerability scanning | OS-level (NVD + EPSS + KEV) | ✗ |
| File integrity monitoring | ✓ | ✗ |
| Rootkit detection | ✓ | ✗ |
| WordPress database scanning | ✓ | ✗ |
| Security posture score | 0-100, A-F grade | ✗ |
| Geoblocking | 200+ countries | IP Access Rules |
| Bot management | 70+ fingerprints | Bot Management (Enterprise) |
| DDoS protection | ✗ | ✓ |
| CDN / content caching | ✗ | ✓ |
| Works without DNS change | ✓ | ✗ |
| Protects SSH, databases, email | ✓ | ✗ |
| Cannot be bypassed via origin IP | ✓ | ✗ |
| End-to-end encryption preserved | ✓ | ✗ |
| Docker native support | ✓ | ✗ |
| Kubernetes / Helm | ✓ | ✗ |
| Multi-server security dashboard | ✓ | Per-domain analytics |
| Alerts (Slack/email/Discord) | ✓ | Email + webhooks |
| Open source | MIT licensed agent | ✗ |
| Pricing model | Per-server (all domains) | Per-domain (or site) |
| Free tier | 1 server, SSH + dashboard | Basic WAF rules |
| Price | Free + €9/mo Pro | Free / $20 / $200 per domain |
Cloudflare WAF sits between the internet and your server. Everything that does not pass through that proxy is invisible to it:
SSH brute force attacks. Your server's SSH port (22) is not proxied through Cloudflare. Every Linux server receives thousands of SSH brute force attempts daily. Cloudflare cannot see or block any of them. Defensia detects 15 SSH attack patterns and automatically bans attackers via ipset within seconds.
Malware already on the server. If malware is uploaded through a vulnerability, a compromised plugin, or a stolen credential — Cloudflare cannot detect it. The WAF only sees HTTP requests, not file contents. Defensia scans the server filesystem with 64,000+ malware hashes and 684 dynamic patterns, detecting web shells, cryptominers, backdoors, and compromised WordPress databases.
Vulnerable packages and CVEs. Cloudflare has no visibility into which software packages are installed on your server or whether they have known vulnerabilities. Defensia scans installed packages against the NVD database with EPSS probability scores and CISA KEV urgency flags, alerting you to critical vulnerabilities before they are exploited.
Origin IP bypass. Cloudflare's protection depends on attackers not knowing your server's real IP address. But origin IPs can be leaked through email headers, DNS history, subdomains, or scanning tools like Censys and Shodan. If an attacker connects directly to your origin IP, Cloudflare's WAF is bypassed entirely. Defensia runs on the server itself — it cannot be bypassed regardless of how the attacker connects.
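The two points above (traffic on non-HTTP ports never passes through the proxy, and HTTP that reaches the origin IP directly is never filtered by the edge) can be checked from the origin's own perspective. The following is an added example, not Defensia's or Cloudflare's code: it classifies connections arriving at the origin by destination port and by whether the client address falls inside the proxy's published ranges, and it emits the nginx `allow`/`deny` lines that refuse direct HTTP(S) hits. The prefix list is a partial snapshot of the list published at https://www.cloudflare.com/ips-v4 and must be refreshed from that URL in real use; the connection records are constructed for the example.

```python
"""Added example (not Defensia's or Cloudflare's code): which origin connections
did the edge proxy actually see, and how to refuse the ones it could not."""
import ipaddress

# Partial snapshot of Cloudflare's published IPv4 prefixes (https://www.cloudflare.com/ips-v4).
# Refresh from that URL in production; this subset only serves the example.
CLOUDFLARE_V4_SNAPSHOT = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "141.101.64.0/18",
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
]

# Ports the edge proxy can front. Anything else reaches the origin directly by design.
PROXIED_PORTS = {80, 443}

# Constructed sample connection records as seen at the origin: (client_ip, destination_port)
SAMPLE_CONNECTIONS = [
    ("104.16.1.1", 443),      # arrived through the edge
    ("203.0.113.7", 443),     # HTTPS straight to the origin IP: the WAF never saw it
    ("203.0.113.7", 22),      # SSH: outside the proxy by design
    ("198.51.100.20", 3306),  # database port: outside the proxy by design
]


def build_networks(cidrs):
    """Parse CIDR strings once; strict=True rejects prefixes with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_proxy(client_ip, networks):
    """True when the connecting address belongs to one of the proxy's ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def classify(client_ip, port, networks):
    """Three outcomes: proxied, a direct hit on a proxied port, or a port the proxy never covers."""
    if port not in PROXIED_PORTS:
        return "unproxied-service"
    return "proxied" if is_from_proxy(client_ip, networks) else "direct-origin-hit"


def classify_connections(records, networks):
    return [(ip, port, classify(ip, port, networks)) for ip, port in records]


def nginx_allowlist(cidrs):
    """Origin-side allowlist for the HTTP(S) server block so direct hits are refused.
    Only HTTP(S) is covered: SSH, database and mail ports still need host-level protection."""
    return [f"allow {c};" for c in cidrs] + ["deny all;"]


if __name__ == "__main__":
    nets = build_networks(CLOUDFLARE_V4_SNAPSHOT)
    for ip, port, verdict in classify_connections(SAMPLE_CONNECTIONS, nets):
        print(f"{ip:>15} :{port:<5} {verdict}")
    print("\n".join(nginx_allowlist(CLOUDFLARE_V4_SNAPSHOT)))
```

The allowlist closes the direct-to-origin HTTP path but, as the classification shows, it says nothing about port 22 or 3306: those connections are "unproxied-service" whatever the source address, which is the gap the server-level agent is meant to cover. The IPv6 list (ips-v6) has to be added alongside for dual-stack origins.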
Cloudflare protects HTTP at the edge. Defensia protects everything at the server.
Cloudflare cannot see SSH traffic, databases, or email servers. Defensia detects 15 SSH attack patterns and automatically bans attackers via ipset. It monitors the entire server — not just HTTP. Every Linux server receives thousands of SSH attacks daily that Cloudflare is completely blind to.
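The SSH detection described here and in the "SSH brute force attacks" paragraph above (match sshd log lines against known attack patterns, count failures per source within a time window, ban the source in an ipset) is shown below as an added example. It is not Defensia's code and uses a constructed subset of four sshd patterns rather than the agent's fifteen; the log lines are constructed, and the threshold, window and set name are assumptions chosen for the example. The ban commands are returned as strings rather than executed.

```python
"""Added example (not Defensia's code): sshd brute-force detection from log
lines, with ipset ban commands generated for the offenders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real telemetry). One source hammers
# the server, one legitimate user mistypes once, one source fails twice
# fifteen minutes apart.
SAMPLE_LOG = """\
Apr 12 10:00:01 web1 sshd[2100]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 12 10:00:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 12 10:00:04 web1 sshd[2102]: Invalid user oracle from 203.0.113.7 port 51244
Apr 12 10:00:06 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Apr 12 10:00:09 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51261 ssh2
Apr 12 10:00:12 web1 sshd[2105]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2: ED25519 SHA256:abc
Apr 12 10:01:00 web1 sshd[2106]: Failed password for root from 198.51.100.20 port 40020 ssh2
Apr 12 10:05:00 web1 sshd[2107]: Failed password for root from 192.0.2.9 port 60000 ssh2
Apr 12 10:20:00 web1 sshd[2108]: Failed password for root from 192.0.2.9 port 60001 ssh2
"""

# A constructed subset of sshd failure signatures (the agent ships more).
PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+)"),
    re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
    re.compile(r"maximum authentication attempts exceeded for .* from (?P<ip>[\d.]+)"),
]
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")


def parse_events(log_text, year=2026):
    """Return (timestamp, source_ip) for every line matching an attack pattern.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(f"{year} {ts_match.group(1)}", "%Y %b %d %H:%M:%S")
        for pat in PATTERNS:
            hit = pat.search(line)
            if hit:
                events.append((ts, hit.group("ip")))
                break  # one event per line even if several patterns match
    return events


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per source: an IP is an offender once it produces
    `threshold` or more failures inside any `window`-long span."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = end - start + 1
                break
    return offenders


def ipset_commands(offenders, setname="ssh_ban", timeout=3600):
    """Commands to create the set, hook it into INPUT for port 22, and add each
    offender with an expiring entry. Returned, not executed."""
    cmds = [
        f"ipset create {setname} hash:ip timeout {timeout} -exist",
        f"iptables -I INPUT -p tcp --dport 22 -m set --match-set {setname} src -j DROP",
    ]
    for ip in sorted(offenders):
        cmds.append(f"ipset add {setname} {ip} timeout {timeout} -exist")
    return cmds


if __name__ == "__main__":
    found = find_offenders(parse_events(SAMPLE_LOG))
    print("\n".join(ipset_commands(found)))
```

The window matters as much as the threshold: the source that fails twice fifteen minutes apart is never banned, while a single mistyped password from the legitimate user stays far below the limit. Entries added with a timeout expire on their own, so a ban does not need a separate unban path.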
Cloudflare filters HTTP requests but cannot detect malware already on your server or vulnerable packages. Defensia scans the filesystem with 64,000+ malware hashes and 684 dynamic patterns. CVE scanning checks installed packages against NVD with EPSS probability scores and CISA KEV urgency flags.
Cloudflare pricing is per-domain: $20/month for Pro, $200/month for Business. If your server hosts 20 domains, that is $400-4,000/month at Cloudflare. Defensia charges per-server at EUR 9/month — every domain on that server is protected by the same agent. For multi-domain servers, the cost difference is dramatic.
Cloudflare is a strong product. Here are cases where it is the better fit — or where both tools complement each other:
They protect different layers and are not direct replacements. Cloudflare protects HTTP traffic at the edge and provides CDN/DDoS protection. Defensia protects the server itself: SSH, filesystem, packages, containers. If you only need HTTP WAF with CDN, Cloudflare is sufficient. If you need server-level security (or both), use Defensia. Many teams run both for defense in depth.
Yes, and many users do. Cloudflare filters malicious HTTP traffic at the edge (reducing attack volume) while Defensia protects everything on the server: SSH attacks, malware, CVEs, rootkits, and attacks that bypass Cloudflare. They complement each other without conflict.
Different architecture. Cloudflare proxies DNS per domain — each domain is a separate configuration. Defensia runs as one agent on the server — it protects all domains, services, and ports on that server with a single installation. For servers hosting many domains (shared hosting, WordPress multisite, microservices), the per-server model is dramatically more cost-effective.
No. Cloudflare only proxies HTTP/HTTPS traffic through its network. SSH (port 22) connects directly to your server, completely bypassing Cloudflare. Defensia detects 15 SSH attack patterns and automatically bans attackers via ipset within seconds.
Yes. The agent is MIT licensed and available on GitHub. Written in Go, it compiles to a single ~40MB binary and uses under 30MB of memory. Cloudflare WAF is a proprietary cloud service with no open-source component.
Sources
Cloudflare WAF documentation (developers.cloudflare.com/waf), Cloudflare pricing (cloudflare.com/plans), Cloudflare blog — WAF managed rulesets, W3Techs Cloudflare usage statistics. Defensia agent telemetry data. All features verified April 2026.
Install Defensia in 30 seconds. Free plan includes 1 server, SSH protection, and the real-time dashboard. Works alongside Cloudflare or standalone — all domains on the server included.