|
6 | 6 |
|
7 | 7 | ---
|
8 | 8 |
|
| 9 | +import { Details } from "~/components" |
| 10 | + |
9 | 11 | :::note
|
10 | 12 | You must have a Cloudforce One subscription to access Cloudforce One on the dashboard.
|
11 | 13 | :::
|
@@ -35,6 +37,36 @@ To submit RFIs (Request for Information):
|
35 | 37 | 3. Select **New Request**.
|
36 | 38 | 4. Fill in the required fields, then select **Save**.
|
37 | 39 |
|
| 40 | +<Details header="List of RFI types"> |
| 41 | + |
| 42 | +The Cloudflare dashboard presents the following request types when you want to configure a Cloudforce One Requests for Information: |
| 43 | + |
| 44 | +- **Binary Analysis - IOCs**: Conduct high level malware analysis to produce [indicators](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/) such as a call-back domain or IP address. |
| 45 | + |
| 46 | +- **Binary Analysis - Report**: A thorough analysis of a malware sample to produce an attribution assessment and extract the configuration of the sample for further analysis. Useful for customers that are investigating a problem or trying to develop detection logic in an [EDR](https://en.wikipedia.org/wiki/Endpoint_detection_and_response) or network sensor. |
| 47 | + |
| 48 | +- **DDoS Attack**: Confirm if an attack is happening against a specific website to share any available indicators and potential attribution. |
| 49 | + |
| 50 | +- **Indicator Analysis - IOCs**: Conduct DNS lookups, origin pivots, and account pivots to provide indicators such as DNS resolutions, origin IPs, and subdomains. Analysis can include account registration patterns and victimology. |
| 51 | + |
| 52 | +- **Indicator Analysis - Report**: A thorough analysis of indicators written in a formal, structured format. In addition to listing [Indicator of compromise (IOCs)](https://www.cloudflare.com/en-gb/learning/security/what-are-indicators-of-compromise/), the report explains how IOCs function within the attack chain, and adds context by linking IOCs to specific campaigns and/or threat actors and their TTPs. |
| 53 | + |
| 54 | +- **Passive DNS Resolution**: Research the pair of an IP address to the domain it resolved to during a specified period of time. |
| 55 | + |
| 56 | +- **Strategic Threat Research**: Strategic Threat Research goes beyond simple indicators to analyze broader, long-term trends, threat actors, and industries — often supplemented by open-source intelligence to inform high-level management and planning rather than providing immediately actionable intelligence. |
| 57 | + |
| 58 | +- **Threat Detection Signature - IOCs**: Develop a rule such as Yara that will detect a sample, behavior, or network observable such as an IP address, domain, file hash, or attribute of a file or HTTP request. |
| 59 | + |
| 60 | +- **Threat Detection Signature - Report**: A thorough analysis report that investigates the details of a threat detection alert or report for the benefit of customers that are trying to prioritize their response effort or to attribute activity to a threat actor. |
| 61 | + |
| 62 | +- **Traffic Analysis - IOCs**: Review HTTP telemetry of IOCs in question and provide relevant, sanitized traffic which can include victim country and in some cases victim ASNs. Identify malicious files/payloads, and unusual file paths or request patterns. |
| 63 | + |
| 64 | +- **Traffic Analysis - Report**: Report that analyzes HTTP telemetry to identify patterns, anomalies, and data pointing to malicious behavior. Provides context for observed network behaviors and maps them to known TTPs of specific threat groups. |
| 65 | + |
| 66 | +- **Vulnerability**: Investigation to attribute vulnerability exploitation to a threat actor or investigation of IPs, domains, or threat actor groups exploiting the vulnerability. Response can include relevant, sanitized traffic demonstrating exploitation and identification of victim countries and industries. |
| 67 | + |
| 68 | +</Details> |
| 69 | + |
38 | 70 | Once you select **Save**, the dashboard will display an overview of the shared information consisting of:
|
39 | 71 |
|
40 | 72 | - **Status**: When you submit the RFI, the status is `Open`. Once the team accepts the RFI, the status changes to `Accept`. When the team commits to answer your RFI, the status changes to `Complete`.
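Review bot: The intro sentence of the new `<Details>` block (new line 42) mixes singular and plural, "a Cloudforce One Requests for Information"; suggest "when you submit a Cloudforce One Request for Information (RFI)", which also matches the "To submit RFIs" wording in the hunk header. The IOC abbreviation is only expanded in the fifth item (new line 52), and as "Indicator of compromise (IOCs)"; expand it as "indicators of compromise (IOCs)" at first use in the **Binary Analysis - IOCs** item (new line 44) and use the short form afterwards. Both learning-centre links are pinned to the `/en-gb/` locale path, so check whether a locale-neutral URL is preferred. Smaller points: "Yara" on new line 58 is normally written "YARA", the **Strategic Threat Research** item repeats its own name at the start of its description, and "Research the pair of an IP address to the domain it resolved to" on new line 54 would read more clearly as "Research which domain an IP address resolved to".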
|
|