diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
index 5486149bb97f0b..6f8008624065ac 100644
--- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
+++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
@@ -1,22 +1,24 @@
---
-title: mTLS at Cloudflare
+title: Use mTLS with Cloudflare protected resources
pcx_content_type: overview
sidebar:
order: 3
+ label: mTLS with Cloudflare
---
In this implementation guide we will be focusing on the L7 / Application Layer security for HTTP/S requests targeting [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames, including the [first connection](/ssl/origin-configuration/ssl-modes/) between client and Cloudflare.
Some common mTLS use cases are:
+
- Protect and verify legitimate API traffic by verifying Client Certificates provided during TLS/SSL handshakes.
- Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.
There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
-| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
-| :---- | :---- | :---- |
-| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
-| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
-| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
+| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
+| :-------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
+| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
+| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
-| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.
For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
\ No newline at end of file
+| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.
For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
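Review bot: in the Client Certificates Revocation row, the first cell's text still breaks onto a second line before "For BYO CAs, it would be the same approach as with Cloudflare Access.", and a Markdown table row has to stay on a single line to render as one row. Join the two sentences with a space or `<br />`. While this row is being touched, the field name would be clearer as inline code (`cf.tls_client_auth.cert_revoked`) than as underscore emphasis, since the row tells readers to check for it in a WAF Custom Rule.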
diff --git a/src/content/docs/learning-paths/mtls/index.mdx b/src/content/docs/learning-paths/mtls/index.mdx
index 67cadcd502d8cd..004a01d7d39216 100644
--- a/src/content/docs/learning-paths/mtls/index.mdx
+++ b/src/content/docs/learning-paths/mtls/index.mdx
@@ -1,15 +1,14 @@
---
-title: mTLS at Cloudflare
+title: Use mTLS with Cloudflare protected resources
type: developers-site
new_learning_path: true
pcx_content_type: learning-path
head:
- tag: title
- content: mTLS at Cloudflare
+ content: Use mTLS with Cloudflare protected resources
description: Safeguarding APIs and devices on Cloudflare's network.
-
---
-import { LearningPath } from "~/components"
+import { LearningPath } from "~/components";
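Review bot: the new string in `title` and in the `head` title `content` reads "Cloudflare protected resources"; as a compound modifier it should be hyphenated, giving "Use mTLS with Cloudflare-protected resources". The same string is repeated in the other files of this change (the new navigation page and both link lists), so if it is changed here it needs changing there too.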
diff --git a/src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx b/src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx
new file mode 100644
index 00000000000000..ad1274cc58d71e
--- /dev/null
+++ b/src/content/docs/reference-architecture/implementation-guides/application-security/index.mdx
@@ -0,0 +1,12 @@
+---
+title: Application Security
+pcx_content_type: navigation
+---
+
+import { Description, DirectoryListing, Render } from "~/components";
+
+Application security implementation guides walk you through the steps to secure your public applications, devices and APIs with Cloudflare.
+
+## Application Security
+
+- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/)
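Review bot: the import line brings in `Description`, `DirectoryListing` and `Render`, but nothing in this new file uses any of them; the body is one paragraph and a hand-written link. Either drop the import or replace the manual list with `<DirectoryListing />`, which would also avoid maintaining this link by hand alongside the `mtls.mdx` navigation entry added in the same directory. The `## Application Security` heading also repeats the page `title` directly above its only list, so it can probably go.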
diff --git a/src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx b/src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx
new file mode 100644
index 00000000000000..27ee919bd1ead9
--- /dev/null
+++ b/src/content/docs/reference-architecture/implementation-guides/application-security/mtls.mdx
@@ -0,0 +1,7 @@
+---
+pcx_content_type: navigation
+title: Use mTLS with Cloudflare protected resources
+external_link: /learning-paths/mtls/
+sidebar:
+ order: 2
+---
diff --git a/src/content/docs/reference-architecture/implementation-guides/index.mdx b/src/content/docs/reference-architecture/implementation-guides/index.mdx
index 9f8dac0873f987..aa555181cc92b6 100644
--- a/src/content/docs/reference-architecture/implementation-guides/index.mdx
+++ b/src/content/docs/reference-architecture/implementation-guides/index.mdx
@@ -7,10 +7,14 @@ sidebar:
import { Description, DirectoryListing, Render } from "~/components";
-Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal.
+Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal.
## Zero Trust
- [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/)
- [Replace your VPN](/learning-paths/replace-vpn/)
- [Deploy Zero Trust Web Access](/learning-paths/zero-trust-web-access/)
+
+## Application Security
+
+- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/)
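Review bot: the new `## Application Security` list at the end of this hunk duplicates the link list in the new `application-security/index.mdx`, so every future application security guide has to be added in two places. Consider linking the heading or a single entry to the new section index page, or documenting that both lists must be kept in sync. The removed and added "Implementation guides provide ..." lines look identical here, so that edit appears to be whitespace only; confirm it is intended formatter output.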