CLOUDFLARE

CONFIDENTIAL — FOR BHP USE ONLY

BHP Security Findings

Cloudflare Application & Network Security Review

February 2025 — February 2026

Prepared by

Jason Clarke

Solutions Engineer, Cloudflare ANZ

Security at a Glance

Over the past 12 months, Cloudflare has protected BHP's global web presence — blocking attacks, managing automated traffic, and securing 300M+ DNS queries every month across 6 domains.

22.7M · Peak monthly threats blocked · Aug 2025

~65% · Traffic to bhp.com is automated/bot · Monthly avg

300M+ · DNS queries protected / month · 6 domains

89% · Support tickets resolved / closed · 19 total tickets

WAF & Firewall

10× growth in events since May 2025

Bot Activity

Two major attack waves identified

Multi-Layer Defence

CDN, DNS, Spectrum, API Shield active

Application Security

WAF  ·  Bot Management  ·  API Shield

WAF & Firewall — CF Managed Rules

22.68M · Peak blocks · Aug 2025

22.18M · Second wave · Jan 2026

10× · Growth since May 2025

bhp.com zone · May 2025 – February 2026 · CF Managed Rules

Automated Traffic Analysis — bhp.com

~65% · Non-human traffic per month

500M+ · Requests/month analysed

Finding

Aug 2025 saw 22.4% likely-automated traffic — highest in 12 months. Correlates with WAF attack spike.

bhp.com zone · March 2025 – February 2026 · Bot Management classification

API Shield & Application Security

550M · API requests/month detected by Cloudflare

150M · API Shield contracted request allowance

Capacity Alert

BHP's actual API traffic (550M requests/month) exceeds the contracted API Shield allowance of 150M. Coverage gap warrants a contract review to ensure all endpoints are protected.

API Schema Validation Active

Positive-security model blocking non-schema-conformant requests before they reach origin.

Rate Limiting Configured

Protects API endpoints against brute-force and credential stuffing attacks.

Shadow API Discovery Recommended

33% more API endpoints found via ML than self-reported. Running discovery on all BHP zones would identify uncovered endpoints.

Strong Internal Endorsement

BHP's cyber security team has expressed strong positive feedback on API Shield capability and value.

Network & DNS Protection

CDN  ·  DNS  ·  Spectrum

CDN Usage — Multi-Zone Coverage

bhp.com: Primary zone · Highest traffic

bhpbilliton.com: Legacy brand zone

ozminerals.com: Acquired entity

bhpconnect.cn: China region

thinkactdiff...: Campaign zone

All BHP zones · Feb 2025 – Feb 2026 · bhp.com dominates all months · Peak 37.33 TB (Sep 2025) · Avg ~22 TB/month

DNS Query Protection

360M · Peak queries · Jul 2025

~305M · Avg monthly queries

6 Active Zones

bhp.com leads with ~70% of all queries. Multi-region presence including .cn TLD.

All BHP DNS zones · Mar 2025 – Feb 2026 · Gateway DNS queries: 180M/month contracted

Spectrum — TCP/UDP Protocol Protection

21.29 TB · Peak usage · Aug 2025

Spike Event

Aug 2025 usage exceeded the prior 10 TB limit. Limit was upgraded to 15 TB from Sep 2025.

Status: Healthy

Current usage (8.32 TB) is well within contracted 15 TB limit. Good headroom available.

Spectrum TCP/UDP · Mar 2025 – Feb 2026 · IOT & non-HTTP workloads protected · Contracted limit shown as dashed line

Traffic Intelligence

Real-Time Analysis  ·  Geographic Origins  ·  Cache Performance

DATA: April 9–10, 2026 · 24-hour snapshot

Live Request Volume — 24 Hour Window

26M+ · Total requests in 24 hours

835K · Peak requests in 15 min (06:30 UTC)

CF Blocked at Edge

During 06:15–06:30 UTC spike, Cloudflare served 57–60% of traffic from edge — intercepting a live attack wave without origin impact.

bhp.com · April 9–10, 2026 UTC · 30-min intervals · Spike at 03:30–04:00 UTC = business hours AWST (Perth) boot-up · 06:00–06:30 UTC = likely automated scanning wave

Traffic Origins — Geographic Distribution

Anomalous Traffic

IL (Israel): 963 req/visit (normal: 30–40) · 32,764 requests · only 34 visits

HR (Croatia): 964 req/visit · 964 requests · only 1 visit

T1 (Tor Network): 36 requests · 0 visits detected · Anonymous proxy access active

Mining Footprint

CL, ZM, PG, ZA, PH & PE traffic confirms BHP's global operational reach. 80+ countries total.

bhp.com · April 9–10, 2026 · Top 10 countries shown · AU = 67.6% · US = 21.0% · CL = 8.7%

Cache Performance — Critical Optimisation Gap

0.09% · Current cache HIT rate

40–60% · Possible with Cache Rules

Top Static Assets Bypassing Cache

| Type             | Requests | Data to Origin |
|------------------|----------|----------------|
| JPEG images      | 342K     | 302 GB         |
| ZIP files        | 345K     | 71 GB          |
| JavaScript (JS)  | 688K     | 24 GB          |
| PNG images       | 125K     | 18.6 GB        |
| CSS stylesheets  | 198K     | 4.0 GB         |
| Fonts (woff/ttf) | 38K      | 1.6 GB         |

Optimisation Opportunity

Cache Rules for images, JS, CSS & fonts could serve 40–60% of traffic from edge, eliminating ~420 GB of avoidable origin data transfer per snapshot period.

Cache status · April 10, 2026 · 26.3M total requests · "Dynamic" = cache bypassed by current application config

Service Health

Support  ·  Incident Response  ·  Reliability

Support & Incident Overview

19 · Total tickets · 12 months

89% · Closed / resolved successfully

~1.6 · Avg tickets per month

Ticket Volume Trend

Spikes in May–Jul 2025 and Sep–Nov 2025 correlate directly with Cloudflare platform incidents — reactive support activity rather than BHP configuration issues.

From Jan 2026 onwards, ticket volume dropped to near zero — indicating platform stability has improved significantly.

Ticket Composition

Low Volume — 19 tickets over 12 months

Well below industry average for enterprise network security platforms at this scale. Demonstrates platform reliability.

Spikes tied to Cloudflare incidents — not BHP config

Ticket spikes in 2025 were reactive, triggered by Cloudflare platform events. BHP was not at fault in any case.

2026 tracking toward zero support tickets

Consistent stability through Jan–Feb 2026 with no new tickets raised.

Key Findings & Recommendations

Key Security Findings

Two Major Attack Waves Blocked

Aug 2025 (22.68M) & Jan 2026 (22.18M) blocked at edge. Zero impact to BHP operations.

Cache HIT Rate: 0.09% (Effectively Zero)

302 GB JPEG, 71 GB ZIP, 24 GB JS — all hitting origin. Cache Rules could offload 40–60% to Cloudflare edge.

~65% Traffic is Automated — No Bot Management

Only ~33% verified human. Aug 2025 peak: 22.4% "Likely Automated" — correlated directly with the WAF spike.

Anomalous Geographic Traffic Detected

Israel: 963 req/visit (32K requests, 34 visits). Croatia: 964:1 ratio. Tor network access confirmed (T1).

API Exposure: 550M/mo vs 150M Contracted

Actual API traffic is 3.7× the contracted allowance. Uncovered endpoints are BHP's largest unmitigated attack surface.

Spectrum Capacity Event — IOT at Risk

Aug 2025: 21.29 TB spiked above 10 TB limit. BHP's IOT operations depend on Spectrum — capacity planning needed.

WAF Activity Grew 10× Since Deployment — Legacy Rule Debt Accumulating

1.31M events in May 2025 → 22M+ peaks. 6+ years of accumulated rules across teams create conflicting logic that amplifies false positives. A joint WAF audit is overdue.

Recommendations & Next Steps

1. Deploy Bot Management

Challenge suspicious bots, protect logins, and reduce WAF noise. ~65% of bhp.com traffic is non-human — Bot Management provides granular control beyond classification.

2. WAF Rules Audit & Consolidation

6+ years of legacy rules need rationalisation. Joint SE review + App Security Reports (now GA) to retire duplicates, reduce false positives, and modernise to WAF 2.0.

3. Expand API Shield Coverage

Actual API traffic (550M/month) is 3.7× the contracted allowance. Run API Discovery to surface shadow endpoints — BHP's cyber team is already a strong internal champion.

4. AI Gateway & AI Security

Govern 400 AI developers with visibility into LLM API usage. Firewall for AI protects AI-enabled apps. Addresses BHP's data leakage concerns without blocking innovation.

5. Zero Trust Access — Developer SSO

Complete Entra ID + group RBAC integration. This is the blocker for the developer platform and expanding Zero Trust coverage beyond the current 50-seat pilot.

6. Cache Rules — Reduce Origin Load 40–60%

BHP's current cache hit rate is 0.09%. Adding Cache Rules for images, JS, CSS & fonts could serve the majority of static traffic from Cloudflare's edge — cutting origin costs and improving global load time.

Thank You

Questions & Discussion

Jason Clarke

jclarke@cloudflare.com

Solutions Engineer, ANZ

This report is based on Cloudflare telemetry for BHP zones · February 2025 – February 2026