diff --git a/src/content/docs/page-shield/how-it-works/malicious-script-detection.mdx b/src/content/docs/page-shield/how-it-works/malicious-script-detection.mdx index 2bdc53c33dc51e0..94709570cfd1122 100644 --- a/src/content/docs/page-shield/how-it-works/malicious-script-detection.mdx +++ b/src/content/docs/page-shield/how-it-works/malicious-script-detection.mdx @@ -3,9 +3,9 @@ pcx_content_type: concept title: Malicious script and connection detection sidebar: order: 2 -head: [] -description: Page Shield implements different mechanisms to determine if a - script or a connection is malicious. +description: Cloudflare analyzes the JavaScript code of the scripts loaded by + your website visitors, using threat intelligence and machine learning (including LLMs) + to detect malicious behavior. --- :::note 
@@ -22,9 +22,13 @@ Any updates to the threat feeds will trigger new checks for previously detected ## Malicious script detection -In this type of detection, Cloudflare will download the script file and run it through a classifier. The classifier is a machine learning (ML) model that has learned to detect patterns of malicious operations such as [Magecart-type attacks](https://sansec.io/what-is-magecart). +Cloudflare analyzes the JavaScript code of the scripts loaded by your website visitors. This analysis uses machine learning, including an LLM powered by Workers AI, to reduce the false positive rate and focus on highlighting true positives such as [Magecart-type attacks](https://sansec.io/what-is-magecart). -The script classifier will output a probability score for the script (also called the JS integrity score) between 1 and 99, where 1 means definitely malicious and 99 means definitely not malicious. This score, together with a threshold value, will determine if the malicious script detection system will classify the script as malicious or not. +:::note +Cloudflare uses open-source models for this analysis. Customer data is not used to train these models. +::: + +The analysis assigns a score (also called JS integrity score) between 1 and 99 to each script version, classifying how malicious it is. A score of 1 means definitely malicious, and 99 means definitely not malicious. This score, together with a threshold value, will determine if the malicious script detection system will classify the script as malicious or not. The score threshold for considering a script as malicious is currently set to 10. If the script classification score is below this value, the monitoring dashboards will display the script as being malicious. diff --git a/src/content/release-notes/page-shield.yaml b/src/content/release-notes/page-shield.yaml index ef2723f0a8e5337..033347e0869d3c3 100644 --- a/src/content/release-notes/page-shield.yaml 
+++ b/src/content/release-notes/page-shield.yaml @@ -3,6 +3,13 @@ link: /page-shield/release-notes/ productName: Page Shield productLink: "/page-shield/" entries: + - publish_date: "2026-03-03" + title: LLM-assisted false positive reduction for malicious script detection + description: |- + Page Shield now includes an additional machine learning step, utilizing an LLM powered by Workers AI, to assist in analyzing the JavaScript code of scripts loaded by your website visitors. This enhancement specifically helps reduce the false positive rate of our detection engines, focusing your attention on true positives. + + Cloudflare uses open-source models for this analysis, and customer data is not used to train these models. For more information, refer to [Malicious script and connection detection](/page-shield/how-it-works/malicious-script-detection/). + - publish_date: "2025-10-08" title: Updated machine learning (ML) model description: |-
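Review bot: in the front matter hunk of malicious-script-detection.mdx, the new `description` covers only script analysis, while the page `title` is still "Malicious script and connection detection". Suggest mentioning connections as well, or confirming that connection detection is deliberately left out of the summary. The second description line is also noticeably longer than the other wrapped lines; rewrapping it would keep the front matter consistent.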
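Review bot: in the "Malicious script detection" hunk of malicious-script-detection.mdx, the new text does not say how the LLM step relates to the JS integrity score. The first added paragraph says the LLM is used "to reduce the false positive rate", and the later one says "The analysis assigns a score", so a reader cannot tell whether the LLM changes the 1 to 99 score or only filters what is flagged against the threshold of 10. Suggest one sentence stating which it is. Two smaller points: "classifying how malicious it is" reads backwards against a scale where 99 means definitely not malicious, and "each script version" is introduced without saying what counts as a version.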
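Review bot: in the new page-shield.yaml entry, the description calls this "an additional machine learning step", but the concept page changed in the same patch describes the LLM as part of the analysis and never says it is an extra step. Align the two so the release note and the docs describe the change the same way. Style: "utilizing" can be "using", and "our detection engines" switches to first person where the rest of the patch says "Cloudflare".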