
The WAF got smarter. The AI infrastructure bill keeps getting bigger. And someone finally rewrote Git in Rust.
What You Need to Know: Cloudflare shipped the inaugural 2026 Cloudflare Threat Report on March 3, 2026, alongside a new cf.intel WAF integration that lets teams use Cloudforce One threat intelligence directly inside custom firewall rules; the AI infrastructure buildout is now meaningfully outpacing revenue growth at the hyperscalers; and GitButler published "Grit", a memory-safe, library-first Rust rewrite of Git that passes the entire C Git test suite, with significant portions built using AI coding agents.
On March 3, 2026, Cloudflare released the inaugural 2026 Cloudflare Threat Report, the company's first annual threat-intelligence report under the unified Cloudforce One brand. The report covers the industrialized attack patterns Cloudflare observed across its network over the previous year, with a focus on AI-generated attacks, laptop farms (physical infrastructure used to bypass geolocation and behavioral checks), and the continued rise of automated credential stuffing at scale.
The same release shipped the new cf.intel WAF integration, which lets Cloudflare customers use Cloudforce One threat intelligence feeds directly inside custom WAF rules. The integration exposes a new cf.intel.* field set in the WAF rules engine, which means you can write rules like "block any request from an IP that Cloudforce One has flagged as a known-bad actor in the last 24 hours" without having to export/import IP lists manually.
The Cloudflare blog post on the threat-intelligence platform evolution walks through the architecture: Cloudforce One maintains a real-time feed of high-confidence malicious IPs, ASNs, and user-agent patterns; the cf.intel.* fields expose that feed in the WAF rules engine; and customers can use the fields in any custom rule (the same rules engine that handles the rest of the WAF configuration). The integration is available to all WAF customers, not just the enterprise tier, which is a meaningful change from the historical Cloudflare pattern of gating the best security features behind the highest tier.
For security teams running Cloudflare WAF in production, the practical implication is: you can now build "block-on-known-bad" rules that are continuously updated by Cloudflare's threat intelligence, without any manual feed management. The rule you write in 2026 is the rule that works in 2027, because the cf.intel.* fields stay current automatically. This is the kind of feature that used to require a SIEM integration and a custom IP-list maintenance workflow, and Cloudflare is now shipping it as a default capability.
The WAF intelligence story is also a useful reminder that the threat intelligence market is consolidating. The standalone threat intel vendors (Recorded Future, Mandiant, CrowdStrike's Falcon Intelligence) are all still around, but the hyperscalers and infrastructure providers (Cloudflare, AWS, Microsoft, Google) are increasingly building their own first-party threat intel and exposing it to customers as a feature of the platform. The third-party vendors are going to have to compete on the things the platforms can't do (cross-platform correlation, deep forensic analysis, attribution) rather than on raw IP reputation data.
The second story in this digest is the AI infrastructure buildout and the widening gap between capex and revenue. The hyperscalers (Microsoft, Google, Amazon, Meta) collectively spent over $300B on AI infrastructure in 2025, and the 2026 capex run-rate is tracking higher — somewhere in the $400-500B range when you include the neocloud operators (CoreWeave, Lambda, Crusoe, etc.) and the sovereign AI builds.
The revenue side is harder to read. The hyperscalers report "AI services" revenue as a line item, but the line item is defined differently at each company and the accounting is inconsistent. Microsoft's "Azure AI" line is growing 80-100% year-over-year, Google's "Gemini API + Vertex AI" is growing at a similar rate, and Amazon's AWS Bedrock + custom silicon story is harder to read because of how the revenue is attributed. The honest read is that AI revenue is growing fast in absolute terms but is still a small percentage of total cloud revenue at any of the hyperscalers, and the capex is large enough that the AI businesses are not yet cash-flow positive on a standalone basis.
The market reaction has been mixed. The "AI is a bubble" framing has gotten more airtime in 2026 than it did in 2024-2025, with the bears pointing to the capex-revenue gap and the historical pattern of infrastructure buildouts that didn't pay back (the original dotcom telecom buildout, the 2010s solar buildout). The bulls point to the fact that AI is being used in production at every Fortune 500, the inference revenue is growing, and the unit economics are improving (model cost per token is falling faster than revenue per token, which is good for users but bad for the labs that are racing to the bottom on price).
The honest answer is that nobody knows. The infrastructure buildout is real, the demand is real, the unit economics are uncertain, and the timeline for payback depends on use cases that don't exist yet. The companies that survive the next two years are the ones that can fund the buildout without depending on capital-market access — which is why the hyperscalers and the well-capitalized neoclouds are the ones to watch, and the small neoclouds with thin balance sheets are the ones at risk if the capital markets tighten.
For developers, the practical implication is that the cost of inference is going to keep falling. The price-per-token curve is steep, the model labs are competing aggressively on price, and the open-weight model ecosystem (Qwen, GLM, Llama, Mistral) is providing a price floor that the closed labs have to match. The buildout is happening on the assumption that inference demand will grow fast enough to absorb the capacity, and if the demand materializes, the cost-per-token for users will keep falling.
The third story is the most surprising: GitButler published "Grit" — a memory-safe, library-first Rust rewrite of Git that passes the entire C Git test suite. The project was announced on the GitButler blog in early June 2026, and the headline finding is that significant portions of the rewrite were built using AI coding agents, which is itself a meaningful data point for the "AI can write substantial code" thesis.
The architecture decision that matters most is "library-first." The C Git implementation is famously hard to embed in other tools — the plumbing/porcelain split is more of an accident of history than a designed interface, and most non-Git tools that need Git functionality end up shelling out to the git binary or using one of the incomplete C bindings. Grit exposes a clean Rust API for the Git operations (commit, branch, merge, fetch, push, log, etc.) that can be consumed by any Rust application, which means a new generation of Git-aware tools can be built without depending on the git binary.
The test-suite coverage is the credibility check. The C Git test suite is the de facto specification of what Git does — if your implementation passes all the tests, your implementation is Git. Grit passes the entire suite, which means the rewrite is functionally equivalent to C Git for the supported operations. The performance numbers (per the GitButler blog) are competitive with C Git for most operations, with the Rust implementation winning on memory safety and the C implementation winning on raw speed for some operations.
The "built with AI agents" framing is the second-order story. The GitButler team is one of the more thoughtful groups in the Git tooling space, and their public commentary on the AI-agent-driven build is that the agents were useful for the "boilerplate-heavy, well-specified" portions of the rewrite (function signatures, error handling, struct definitions) and less useful for the "specification is the code" portions (the actual Git semantics, which require deep domain knowledge to get right). The honest read is that the AI agents made the rewrite faster but didn't replace the human work — the GitButler team still had to make all the architectural and design decisions, and the agents accelerated the parts that didn't require those decisions.
For the Rust ecosystem, Grit is the missing piece. The existing Rust Git libraries (git2-rs, Gitoxide, gix) all have trade-offs — git2-rs is bindings to libgit2, which means you carry the C dependency; Gitoxide is a clean Rust rewrite but is incomplete relative to C Git. Grit is the first Rust Git implementation that is both clean and complete, and the library-first API design means a new generation of Git-aware Rust applications can be built without compromise.
The long-term implication is that the Git ecosystem is going to fragment. The C Git implementation will remain the reference (and will remain what most production systems use), but the Rust rewrite will start to power a new generation of tools that need Git as a library rather than as a command-line tool. Over a 3-5 year horizon, the "Git is C" assumption that has held for 20 years is going to start to break.
The Cloudflare cf.intel integration is the WAF capability to deploy this week. If you're running Cloudflare WAF in production, the cf.intel.* fields should be in your custom rules today. The integration is available to all WAF customers (not gated to enterprise tier), the threat feed stays current automatically, and the rules you write are the rules that work in 2027. There is no reason to wait.
The AI infrastructure capex-revenue gap is the question of the year. The honest answer is that nobody knows whether the buildout will pay back, and the people making the buildout decisions are also uncertain. The right posture for a developer or operator is to plan for the "inference is cheap, models keep getting better" scenario (which is the most likely outcome) and to be ready for the "bubble pops, infra costs spike, neoclouds consolidate" scenario (which is the tail risk). Don't build a business that depends on a specific neocloud staying solvent.
Grit is the most important infrastructure news for the Rust ecosystem in 2026. The library-first design and the full C Git test-suite coverage mean that the next generation of Git-aware tools will be Rust-native, and the C Git implementation will start to look like a legacy system. The "built with AI agents" framing is the second-order story, but the first-order story is that the Rust ecosystem now has a credible Git library that doesn't carry a C dependency. If you're building a Rust tool that needs Git, Grit is the dependency to use.
Cloudflare shipped the 2026 Threat Report alongside a new cf.intel WAF integration that exposes Cloudforce One threat intel directly in custom WAF rules; AI infrastructure capex continues to outpace AI revenue growth at the hyperscalers; and GitButler published Grit, a library-first, memory-safe Rust rewrite of Git that passes the entire C Git test suite.