CF Guard DeskCF Guard DESK
See pricingIndie / Pro / Consultant
Navigation
See pricingannual pricing emphasizedRead docs
CF Guard Desk / Early access / Windows first, with macOS and Linux staged behind hosted artifact readiness

Desktop Cloudflare posture audits with findings, history, and local evidence control.

Audit WAF coverage, DNS exposure, bot pressure, cache risk, and TLS or edge posture across Cloudflare zones from a single local desktop console.

See pricingRead docsDownload trial builds

Every desktop build starts with 7 days of full product access. After the trial, a Lemon Squeezy license key activates continued scans, exports, and advanced workflows. Launch scope includes the desktop app, docs hub, staged downloads, and pricing visibility while commerce and CDN delivery remain config-driven. Taxes, VAT, and local fees are handled at checkout where applicable.

Scroll to explore the product
Product overview

A desktop-first Cloudflare audit workflow for real operator review.

CF Guard Desk is desktop-first Cloudflare security audit software for operators, consultants, and small teams that need reproducible posture evidence, local data control, and report-ready findings.

Connections and Workspaces

Validate Cloudflare tokens, inspect capabilities, and separate client or environment boundaries before a scan is trusted.

Zone Coverage

Run quick, full, or focused scans across discovered zones while keeping scope and visibility gaps explicit.

Findings and Triage

Review severity, confidence, lifecycle state, suppressions, and remediation guidance from one local desktop workflow.

History and Exports

Track drift, save markdown or JSON evidence, and keep diagnostics redacted and operator-triggered.

Read docsSee pricing
CF Guard Desk
Scroll or click tabs
Posture dashboard

Score, critical findings, bot pressure, visibility gaps, and next actions in one operator view.

local-firstcoverage-aware
Operator workflow view
72posture score
4critical findings
highbot pressure
SurfaceStatusSignalPriority
Managed WAFpartialentrypoint visiblereview
Origin exposurealertunproxied hosthigh
TLS edge postureoksafe probe passwatch
Visibility gaps2token scope limitedexplicit
Interactive preview: dashboard, zones, findings, and history workflowsdesktop-first Cloudflare audit console
Dashboard context

Operator priority view

Zones at risk5
High pressureauth + api
Coverage notevisibility gaps explicit
  • score is directional
  • critical findings first
  • coverage gaps stay visible
8finding families in the current audit model
3scan profiles for fast, full, or focused coverage
7 daysoffline grace before restricted mode
0desktop telemetry SDKs enabled by default
Product screenshots

Cloudflare audit screens from the actual CF Guard Desk product line.

These captures show the product story buyers actually need: vault gating, dashboard posture, zone coverage, findings triage, history, exports, and licensing-aware desktop state.

Why this matters

The screenshots give visual proof that the product is more than a landing page concept. Search engines and buyers both get concrete evidence of the real operator workflow.

Vault GateSecurity posture

Unlock the local vault before Cloudflare connections, scans, or findings become actionable.

The desktop boundary is visible immediately: vault-gated access, OS-backed secret storage, local persistence, and a clear separation between locked state and operational state.

Filenamevault-gate.png
Review the security section
DashboardFull product scope

See posture score, high-risk zones, findings, and pressure trends at a glance.

The dashboard compresses posture, attack pressure, WAF gaps, DNS exposure, and follow-up priority into one operator surface instead of scattering that context across Cloudflare tabs.

Filenamedashboard-overview.png
Read the current product docs
Zone CoverageConnections and scan scope

Move from workspace and token validation into real zone coverage and scan execution.

Connections, account capabilities, discovered zones, and scan profiles stay attached to the same desktop workflow so missing access or entitlement gaps stay explicit.

Filenamezone-scans.png
See the feature stack
Findings ExplorerAudit and remediation

Triage posture findings with severity, confidence, and operator lifecycle controls.

Each finding carries deterministic rule metadata, operator notes, and concrete remediation framing so the tool behaves like an audit workspace instead of a flat checklist.

Filenamefindings-explorer.png
Inspect the workflow
Analytics and HistoryEvidence and drift

Track threat pressure, scan history, and posture drift without leaving the desktop client.

The analytics and history surfaces keep scan timelines, drift, and exported evidence readable enough for consultants and in-house operators who need defensible reports.

Filenameanalytics-history.png
See history and exports
Licensing and SettingsOperator defaults

Control licensing state, operator defaults, and release-aware desktop settings.

Licensing, support diagnostics, vault behavior, and operator-facing settings live in one panel so the commercial model and local runtime policies stay explicit.

Filenamelicensing-settings.png
Read the product overview
Feature stack

The Cloudflare audit layer the native dashboard still does not give you.

The product is not positioned as a thin dashboard wrapper. It is the local operations layer for Cloudflare posture review: connection validation, scan execution, findings, history, exports, and explicit visibility handling.

Positioning

The product combines Cloudflare configuration, analytics, safe probes, findings, and exportable evidence rather than stopping at configuration linting.

Workspaces and Access

Separate Cloudflare estates without collapsing everything into one token bucket

CF Guard Desk keeps workspaces, Cloudflare connections, capability checks, and zone discovery attached to a local operator workflow that makes missing access explicit instead of quietly optimistic.

Connection modelWorkspace / token / capability / zone separation
Audience fitOperators, consultants, and smaller teams
  • Multiple workspaces let consultants and internal teams keep client or environment boundaries intact.
  • Token validation reports capabilities and missing visibility before a scan is trusted.
  • Zone discovery stays attached to the active workspace instead of becoming an unscoped account dump.
Workflow

Move from validated access to exported evidence without leaving the app.

The value is not just reading Cloudflare settings. The value is running a posture review, triaging findings, preserving history, and shipping a defensible output from one local workflow.

Operator fit

The workflow replaces browser-tab hopping and fragile notes with a local desktop audit loop that is explicit about coverage and evidence.

01
Connect

Validate Cloudflare access before you trust the scan output

Create a workspace, add a read-oriented Cloudflare token, inspect capabilities, and discover zones before you spend time on a scan that cannot actually answer the question you care about.

Operator resultWorkspace boundary plus explicit capability baseline
  • Validation happens before the connection is treated as scan-ready.
  • Capability gaps are visible in the workflow instead of surfacing later as surprises.
  • Multi-workspace structure keeps client and environment boundaries intact.
Security

The credential and evidence boundary is treated like the product risk it actually is.

CF Guard Desk is built around the real trust model: Cloudflare secrets, local evidence, and explicit operator intent. Vault gating, OS-backed secret storage, backend execution, and visible license state are baseline behavior, not polish.

Vault

Vault lock and local passphrase gating

The vault is the operational gate for the desktop app. When the vault is locked, connections, scans, and sensitive workflows stay non-operational until local unlock succeeds.

Primary guardrailLocked means non-operational
  • The app does not pretend a cosmetic lock screen is a security model.
  • Passphrase handling remains local to the device.
  • Workspace state stays visible while operational commands stay gated.
Runtime posture

Trust model stays legible at a glance.

local-first / desktop-native / coverage-aware
vault statusrequired before scans
credential storageos secret store
api executiontauri backend
probe scopedns / tls / safe http
license modetrial first / local enforcement
desktop analyticsoff by default
Pricing

Visible pricing now, staged commerce and downloads where the rollout is still catching up.

CF Guard Desk is priced for solo operators, in-house teams, and consultants. The public site keeps the plan structure visible even while checkout and platform artifacts are still being wired or promoted in stages.

Launch mechanics

Pricing stays public even while download and checkout URLs remain config-driven. Annual pricing is emphasized and staged launch states stay explicit.

Indie
Visible now
$15/mo
For solo operators and smaller estates that need clear Cloudflare posture visibility without enterprise process overhead. Annual option: $149/year.
3 workspaces25 zones$149/year optionAdvanced exports unavailable
  • Quick Scan, Full Audit, and Focused Rescan profiles
  • Dashboard, findings, analytics, history, and local exports
  • Built for solo consultants and smaller estates
  • Advanced exports, policy packs, suppressions, and premium rules stay outside this tier
See launch statusRead quickstart
Pro
Recommended
$39/mo
For serious in-house operators who need the full audit workflow. Annual pricing is emphasized at $390/year.

Checkout URLs are config-driven. The pricing surface is live even when commerce links are still being wired.

15 workspaces250 zones$390/year emphasisSuppression workflow included
  • Advanced exports, policy packs, suppressions, and premium rules included
  • Best fit for in-house infrastructure or security operators
  • History, drift, analytics, and export workflows stay fully unlocked
  • Commercial workflow remains desktop-first with local enforcement
See pricing detailsDownload trial
Consultant
Yearly only
$990/yr
For agencies, contractors, and fractional operators managing multiple client environments from one desktop console.
50 workspaces1000 zonesCommercial use positioningYearly only
  • Designed for multi-client estates and consulting workflows
  • Includes advanced exports, policy packs, suppressions, and premium rules
  • Supports commercial consulting positioning without inventing a team SaaS backend
  • Best when local evidence handling matters as much as the scan output
Contact for rolloutSupport standard
Documentation

Documentation for operating CF Guard Desk like a real audit product.

The docs are part of the shipped surface. Product overview, install flow, scan profiles, findings, security, and release discipline need to be explicit enough that setup drift does not masquerade as a product defect.

Operator baseline

The docs cover the broader feature surface, the trial and licensing model, platform rollout, and the audit workflow operators actually need.

Overview

Product overview

Start with the broader CF Guard Desk picture: posture scoring, findings, scan profiles, pricing, staged downloads, and the operator workflow the app is designed to support.

CoveragePositioning + capability matrix + buyer fit
Use casePrimary product path
  • Use this first when you need the commercial and technical frame together.
  • It sets the line between posture console and generic dashboard wrapper.
  • This is the shortest route from landing page to product understanding.
Open resource
Overview

Product overview

Start with the broader CF Guard Desk picture: posture scoring, findings, scan profiles, pricing, staged downloads, and the operator workflow the app is designed to support.

CoveragePositioning + capability matrix + buyer fit
Quickstart

Install, connect, and run a first audit

Go from installer to first Cloudflare scan with the shortest safe workflow: vault setup, token validation, zone discovery, scan execution, and findings review.

Time to first successInstall / connect / scan / review
Security and licensing

Local security model and plan behavior

Review vault gating, secret storage, safe probes, offline grace, and plan caps before you decide whether Indie, Pro, or Consultant is the right commercial fit.

Commercial pathSecurity baseline + plan enforcement
Troubleshooting

Troubleshoot tokens, scan coverage, and platform issues

Concrete guidance for token capability gaps, empty zone lists, GraphQL fallbacks, build warnings, and local runtime problems across supported desktop platforms.

Failure handlingConnections / scans / build / runtime
Support

Support standard

The public support page sets the reporting bar: version, OS, reproducible steps, redacted evidence, and the docs route already followed.

Evidence baselineVersion / OS / repro / evidence
Changelog

Public release notes

Track what shipped in the public release line, how the product moved from R2 lineage into CF Guard Desk, and which surfaces are part of the current early-access build.

Release historyPublic release notes + build status
Legal

Terms of use

Commercial terms, use restrictions, and refund boundaries for CF Guard Desk, written to align with a local-first desktop security product rather than a SaaS account model.

PolicyCommercial terms and use restrictions
Support baseline

Good support starts with evidence and reproducibility.

Reports without version, environment, repro steps, and the docs page already followed are incomplete. This is the line between product support and avoidable setup drift.

  • Version from the About panel
  • Operating system and install type
  • Exact repro steps and expected result
  • Actual result with redacted evidence
  • The docs page already followed
Product FAQ

Questions buyers ask before they trust a serious Cloudflare audit workflow.

These are the recurring questions behind evaluation and rollout decisions: scope, platform state, trial behavior, visibility gaps, and how the current desktop workflow actually works.

What is CF Guard Desk?

CF Guard Desk is desktop-first Cloudflare security audit software. It focuses on posture discovery, evidence-backed findings, drift tracking, and prioritized hardening guidance across Cloudflare zones.

Is CF Guard Desk a hosted SaaS control plane?

No. The product is local-first desktop software. It stores workspace and scan data locally, keeps Cloudflare secrets in OS-backed storage, and does not require a hosted operator account to be useful.

What can the current build audit?

The current build audits WAF coverage, rule quality, DNS exposure, DNS hygiene, bot pressure, cache risk, TLS or edge posture, and visibility gaps across Cloudflare zones.

How do scan profiles work?

Quick Scan is for fast posture snapshots, Full Audit is for evidence-backed review and exports, and Focused Rescan is for validating a narrower set of zones or re-checking after a change.

Does the product treat missing API visibility as safe posture?

No. Capability gaps and entitlement limits are surfaced as visibility gaps. Missing data is never silently scored as safe.

How are findings triaged?

Findings carry severity, confidence, impact, remediation complexity, lifecycle state, and operator notes. Suppression workflow and history help teams separate accepted exceptions from regressions.

Which plans are visible today?

The public pricing surface is aligned around Indie, Pro, and Consultant. Annual pricing is emphasized, and checkout links remain config-driven until commerce wiring is finalized.

Does CF Guard Desk have a free trial?

Yes. Every public build starts with 7 days of full access before plan enforcement begins.

What happens offline after activation?

The current licensing model includes a 7-day offline grace window. After grace expires, the app moves into restricted mode while keeping local data visible.

Does the desktop app contain analytics or tracking SDKs?

No desktop telemetry is enabled by default. The marketing site can run consent-based analytics and download click tracking separately from the desktop runtime.

Who is the product best for?

The product is positioned for consultants, agencies, fractional operators, and internal platform or security teams that need Cloudflare posture evidence without adopting a collaborative SaaS platform first.

Downloads

Staged public builds, explicit platform status, and a local-first trial workflow.

Windows is the first verified public path. macOS and Linux stay visible on the site with honest rollout state instead of broken links or implied availability.

Current release

0.9.0 owner build anchors the current public site. Hosted URLs become live only when the corresponding Cloudflare-backed artifact path is actually ready.

Release path/releases/0.9.0/
3 staged desktop artifacts
Release Browser

Choose the desktop build that matches the current rollout stage, then use the trial before committing to a paid plan.

The browser is modeled more like a release index than a feature grid: artifact state, availability, and install context stay visible so the public site never outruns the real distribution path.

Windows 10/11NSIS setup installer
cdn-url-not-configured
Best for

Windows is the first public target. Set NEXT_PUBLIC_DOWNLOAD_WINDOWS_URL or NEXT_PUBLIC_CF_DESK_CDN_URL to turn this card into a live download.

Build
0.9.0 owner build.exex64Owner build available
DownloadWindows release pending CDN publish
macOSApple Silicon DMG
cdn-url-not-configured
Best for

A macOS handoff exists, but public CDN hosting should wait for a proper macOS build host, signing flow, and notarization readiness.

Build
0.9.0 owner build.dmgarm64Staged
DownloadmacOS coming soon
LinuxDebian package
cdn-url-not-configured
Best for

Linux public artifacts are planned after the Cloudflare-backed download host and release packaging flow settle around the early Windows-first rollout.

Build
0.9.0 owner build.debamd64Staged
DownloadLinux coming soon
Windows

Ready to publish

Unsigned early-access installers may still trigger SmartScreen on some Windows systems.

Confirm the artifact URL and version first, then use the troubleshooting guidance if Windows blocks the installer. Read troubleshooting for the full flow.

macOS

Coming soon

macOS packaging currently depends on a macOS host and Apple signing or notarization flow.

xattr -cr "/Applications/CF Guard Desk.app"

If unsigned evaluation builds are distributed, Gatekeeper recovery steps remain part of the documented install path. Read troubleshooting for the full flow.

Commercial state

Staged launch behavior

Pricing is public immediately. Checkout and download URLs become live when the corresponding Cloudflare-backed host and release artifact are actually ready.

Trial and pricing

Install the right build, unlock the local vault, and use the product for 7 days before deciding which plan matches your workflow.

Need the exact platform path first? Read quickstart. Need rollout details and plan comparison? Visit pricing.

Read quickstartSee pricing
Support standard

Support starts after the docs, not instead of them.

If the issue is real, the docs let you prove it. Version, operating system, exact repro steps, redacted evidence, and the documentation page already followed are the minimum baseline for a useful report.

Expectation

Good support starts with reproducible evidence, redacted diagnostics, and the exact doc path already followed.

Before support

Bring reproducible detail.

  • Version from the About panel
  • Operating system and install type
  • Exact repro steps
  • Expected and actual result
  • Redacted screenshots, activity, queue, or diagnostics evidence
Full reporting standard
Reference the docs first

A useful support request cites the exact documentation page followed before the workflow diverged.

Read the support requirements
Version and environment are mandatory

Include the app version, operating system, and whether this is a release installer or a local source build.

Read the support requirements
Reproducibility is the minimum bar

If the issue cannot be reproduced from your steps, there is not enough detail to distinguish operator drift from a product defect.

Read the support requirements
Secrets stay redacted

Zone names, rule IDs, and route patterns are useful. Tokens, auth headers, and unredacted support bundles are not.

Read the support requirements