
How do I add Intruder's IPs to my allowlist in Cloudflare?

Allowlisting in Cloudflare isn't totally straightforward. Here's how to get around their restrictions on IP Access Rules.

Updated this week


Allowlisting in Cloudflare lets the scanner detect weaknesses that sit underneath the WAF. This supports a 'defence in depth' security strategy: you can put measures in place that prevent successful exploitation even where the WAF fails or is bypassed by an attacker.

Cloudflare's WAF provides two ways to allowlist security scanners:

  • 'IP Access Rules' (within the Tools tab) – which cannot be used to allowlist Intruder's scanning ranges.

  • 'Custom Rules' – which can be used and is explained below. 👇

👉 Old dashboard:

Security >> WAF

👉 New dashboard:

Security >> Security rules

Adding the WAF Custom Rule

To get started, browse to the WAF page and click on the Custom Rules tab.

  1. Click 'Create rule >>' and give it a recognisable name

  2. Using the 'Field' dropdown, select 'IP Source Address' and under the Operator field, select 'is in'

  3. In the 'Value' field, add the relevant Intruder scanning ranges and IPs.

  4. Under 'Choose an action', select 'Skip', tick all the WAF Components listed, then click the 'More components to skip' button and skip the remaining components

  5. When finished, click 'Deploy'.

Intruder's scanners will now be able to scan your Cloudflare-protected hosts, without scan interference.
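The same rule expressed as data, as an added example that is not Intruder's or Cloudflare's own code: it validates the ranges before building the 'IP Source Address is in' expression and a Skip rule object, using the names from Cloudflare's Rules language and Rulesets API, which you should check against the current Cloudflare documentation. The IP ranges are constructed placeholders, and the prefix-length guard is an assumption added here so that a typo cannot skip the WAF for every visitor.

```python
import ipaddress
import json

# Constructed placeholder ranges (RFC 5737 documentation space); replace with
# the scanning ranges and IPs published for your Intruder account.
SCANNER_RANGES = ["192.0.2.0/24", "198.51.100.7"]

# Guard value chosen for this example: refuse anything broader than this, so
# an entry such as 0.0.0.0/0 can never end up in a rule that skips the WAF.
MIN_PREFIX = {4: 16, 6: 32}


def build_expression(ranges):
    """Return the expression for 'IP Source Address' 'is in' <ranges>."""
    nets = []
    for raw in ranges:
        net = ipaddress.ip_network(raw.strip(), strict=True)  # rejects host bits
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"{raw}: range too broad for a WAF skip rule")
        nets.append(net)
    if not nets:
        raise ValueError("no ranges supplied")
    # Single addresses are written bare, networks in CIDR form.
    items = [str(n.network_address) if n.num_addresses == 1 else str(n)
             for n in sorted(set(nets), key=lambda n: (n.version, n))]
    return "(ip.src in {" + " ".join(items) + "})"


def build_skip_rule(ranges, description="Allow Intruder scanner"):
    """Rule object for the zone's http_request_firewall_custom phase."""
    return {
        "description": description,
        "expression": build_expression(ranges),
        "action": "skip",
        "action_parameters": {
            "ruleset": "current",  # all remaining custom rules
            "phases": ["http_ratelimit", "http_request_firewall_managed",
                       "http_request_sbfm"],
            "products": ["zoneLockdown", "uaBlock", "bic", "hot",
                         "securityLevel", "rateLimit", "waf"],
        },
        "logging": {"enabled": True},  # keep skipped requests in the event log
    }


if __name__ == "__main__":
    print(json.dumps(build_skip_rule(SCANNER_RANGES), indent=2))
```

Keeping logging enabled on the rule means skipped scanner requests still appear in the security events, which helps when separating them from requests stopped by the validation checks described below.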


Cloudflare Validation Checks

Cloudflare applies a set of mandatory validation checks before any Custom Rules, Firewall Rules, IP Allowlisting, or WAF configuration is evaluated. These checks cannot be disabled on most Cloudflare plans, and Cloudflare does not permit allowlisting specific IPs for them.

As a result, even if you correctly add Intruder’s IP ranges to your Cloudflare allowlist, Cloudflare may still block or challenge scanner traffic before it reaches your site. This behaviour is documented by Cloudflare and affects all automated scanning.

Cloudflare describes these checks here:
https://developers.cloudflare.com/waf/tools/validation-checks/

Why this matters

Because validation checks are evaluated before Cloudflare’s firewall, allowlists and rules:

  • Intruder's IPs cannot bypass these checks, and the checks cannot be disabled on Cloudflare Free, Pro, or Business plans.

  • Customers using Cloudflare WAF may see blocked scans even when allowlists are correctly configured.

Symptoms you might see

If Cloudflare validation checks interfere with scanning, you may observe:

  • Scans that stop early or fail.

  • Limited findings for Cloudflare-protected targets.

  • Cloudflare event logs showing Browser Integrity Check, bot challenges, JavaScript validation, or "Managed Challenge" activity, even when rules allow Intruder’s IPs.

Suggestions

Because the checks cannot be bypassed directly, Cloudflare users typically consider one of the following approaches:

  1. Create a scanning subdomain

    • Point the subdomain to the same backend.

    • Reduce the security level and disable Browser Integrity Check, JS challenges, and Bot Fight Mode (if present).

  2. Use a staging environment
    If an equivalent environment exists without the Cloudflare WAF or with relaxed validation behaviour, targeting that instance can avoid interference.

  3. Cloudflare Enterprise customers
    Enterprise support may offer additional control (for example, higher-level configuration options or classification of scanner IPs). This is not available on standard plans.

If you are using Cloudflare and continue to see interference after allowlisting Intruder’s IPs, the behaviour is most likely due to these mandatory validation checks.

