A Transparent Gap Analysis

While Cloudflare provides comprehensive coverage for most NCSC service functions, transparency about limitations ensures you maintain a holistic security architecture.

Our Commitment to Transparency

Cloudflare is exceptionally powerful for traffic-path security and configuration monitoring, but it is not a 1:1 replacement for all vulnerability management functions. We believe in being upfront about these limitations so you can plan accordingly.

Coverage Summary

| Gap Category | Cloudflare Capability | Alternative Solutions | Impact for Public Sector |
| --- | --- | --- | --- |
| Deep Software Inventory | No native authenticated host scanning | Axonius, Defender, Qualys | Missing visibility into unpatched OS packages |
| Forensic DMARC (RUF) | Not supported (Beta focuses on RUA) | Red Sift, Sendmarc, Valimail | Harder to analyse specific phishing attempts |
| Supply Chain EASM | Limited third-party vendor tracking | Hexiosec, Bitsight | Reduced visibility into supplier risk posture |
| BIMI Management | Manual DNS record entry only | Red Sift OnDMARC | Logo verification in email clients requires extra effort |
| "Plain English" Guidance | Standard technical severity descriptions | N/A (documentation needed) | Requires higher technical baseline for remediation |

Detailed Gap Explanations

The Origin-Blindness Constraint

Cloudflare Security Insights primarily evaluates the configuration of the Cloudflare environment itself—DNS records, WAF settings, SSL levels. While it can detect unproxied A/AAAA records signifying an exposed origin, it does not natively perform deep, authenticated vulnerability scanning of the internal software stack of the origin server.

Recommended Complementary Solutions:

  • Axonius: Asset management and software inventory
  • Microsoft Defender for Endpoint: Integrated vulnerability management
  • Qualys: Authenticated vulnerability scanning

The DMARC Forensic Reporting Gap

Cloudflare DMARC Management focuses on aggregate (RUA) reporting. It does not provide forensic (RUF) reports, which include specific message headers and sometimes body content of failed emails. While NCSC also scaled back these features due to privacy concerns, some organisations with high-sensitivity mandates may still require RUF data for incident response.

Recommended Complementary Solutions:

  • Red Sift OnDMARC: Full RUF support with privacy controls
  • Sendmarc: Comprehensive DMARC with forensic reporting
  • Valimail: Enterprise DMARC with detailed analytics

Educational Content vs. Technical Insight

One of the primary values of NCSC services was their accessibility to non-technical staff. Web Check and Mail Check provided remediation guidance written for the "layperson," framing security issues in terms of business risk and local government priorities. Cloudflare Security Insights are technically precise but designed for security professionals.

How to Address This:

  • Develop internal playbooks translating Cloudflare findings to action items
  • Consider training for IT staff on interpreting security dashboards
  • Engage Cloudflare Solutions Engineering for onboarding support

Plugging the Gaps: Ready-to-Deploy Solutions

I'm building a Cloudflare Worker application that fills the Mail Check gaps not covered by native Cloudflare products. Deploy it to your account with one click—no coding required.

One-Click Deploy

Mail Check Gap Filler

A complete solution for MTA-STS policy hosting and TLS-RPT report collection with a visual dashboard—everything Mail Check provided for email confidentiality monitoring.

What's Included:

  • MTA-STS Policy Hosting — Serve policy files at the edge with automatic HTTPS
  • TLS-RPT Collection — Ingest and store encryption reports from senders
  • Visual Dashboard — See your email encryption rate over time
  • DNS Validation — Check your records are configured correctly
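
How the TLS-RPT collection and encryption-rate figure listed above can be computed, as an added example that is not the Worker's own code: it validates one RFC 8460 JSON report, which any sender can submit and is therefore untrusted, and reduces it to a success rate and failure breakdown. The function name `summariseTlsRpt`, the output shape and the sample report are assumptions constructed for illustration; the report is assumed to be already decompressed.

```javascript
// Added example: summarise one TLS-RPT report (RFC 8460 JSON) for a dashboard.
// Reports come from arbitrary senders, so every field is treated as untrusted.

// Constructed sample report; the organisation, domain and counts are made up.
const SAMPLE_REPORT = JSON.stringify({
  "organization-name": "Example Sender Ltd",
  "date-range": { "start-datetime": "2025-01-01T00:00:00Z", "end-datetime": "2025-01-01T23:59:59Z" },
  "report-id": "constructed-0001",
  "policies": [
    { "policy": { "policy-type": "sts", "policy-domain": "council.example" },
      "summary": { "total-successful-session-count": 970, "total-failure-session-count": 30 },
      "failure-details": [
        { "result-type": "certificate-expired", "failed-session-count": 20 },
        { "result-type": "starttls-not-supported", "failed-session-count": 10 } ] },
    // Second entry carries an impossible negative count and must be skipped.
    { "policy": { "policy-type": "no-policy-found", "policy-domain": "council.example" },
      "summary": { "total-successful-session-count": -5, "total-failure-session-count": 0 } }
  ]
});

// Accept only non-negative safe integers; anything else is rejected as null.
const count = (v) => (Number.isSafeInteger(v) && v >= 0 ? v : null);

function summariseTlsRpt(jsonText) {
  let report;
  try { report = JSON.parse(jsonText); } catch { return { ok: false, error: "invalid JSON" }; }
  if (!report || !Array.isArray(report.policies)) return { ok: false, error: "missing policies" };
  // Prototype-less map: a sender-chosen result-type such as "__proto__" stays a plain key.
  const out = { ok: true, success: 0, failure: 0, rate: null, skipped: 0, byResult: Object.create(null) };
  for (const p of report.policies) {
    const s = count(p?.summary?.["total-successful-session-count"]);
    const f = count(p?.summary?.["total-failure-session-count"]);
    if (s === null || f === null) { out.skipped++; continue; } // malformed entry: skip, never guess
    out.success += s;
    out.failure += f;
    for (const d of Array.isArray(p["failure-details"]) ? p["failure-details"] : []) {
      const n = count(d?.["failed-session-count"]);
      if (typeof d?.["result-type"] !== "string" || n === null) continue;
      out.byResult[d["result-type"]] = (out.byResult[d["result-type"]] || 0) + n;
    }
  }
  const total = out.success + out.failure;
  if (total > 0) out.rate = out.success / total; // share of sessions where TLS succeeded
  return out;
}

console.log(summariseTlsRpt(SAMPLE_REPORT));
```

A non-zero `skipped` count is worth surfacing alongside the rate, since malformed entries can indicate a broken or spoofed reporter.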

For Developers

Want to customise the solution or build your own? The Worker is open source and built on Cloudflare's developer platform using Workers, D1, and KV.


Need Help?

If you need assistance deploying or configuring the solution for your organisation, Trickey.Solutions can help with implementation support.


Ready to Plan Your Migration?

Now that you understand the coverage and gaps, explore our phased migration roadmap to ensure no loss of visibility before the NCSC deadline.
