How to Automate Zero Trust via Cloudflare One Stack Agents

On June 17, 2026, Cloudflare launched the Cloudflare One stack, a comprehensive library of AI agent skills designed to automate the planning, deployment, and management of Zero Trust environments. This toolkit serves as the operational knowledge layer for autonomous agents, allowing them to handle the complex auditing and provisioning required when transitioning from legacy Secure Access Service Edge (SASE) architectures. By integrating these skills into your deployment pipelines, you can eliminate manual migration calls and rely on agents to translate vendor-specific policies into Cloudflare equivalents.

The framework builds upon the infrastructure released during Agents Week, specifically Cloudflare Mesh for secure networking and Cloudflare Sandboxes for isolated execution. Here is how to utilize the primary components of the Cloudflare One stack to manage your network infrastructure.

Vendor Concept Translation

Migrating security and routing policies across different vendors requires deep domain knowledge of competing SASE architectures. The Cloudflare One stack provides agent skills that automate this translation process.

When you ingest an existing configuration file from a legacy provider, the agent references its structured knowledge base to map those specific routing rules and access policies to Cloudflare One equivalents. This reduces the barrier to switching providers by automating the translation of complex rule sets.

Because the skills are designed for agnostic integration, you can use these translation capabilities with any existing AI toolkit your organization deploys. You feed the legacy ruleset into your agent, and it outputs the validated Cloudflare configuration.

Network Diagram Interpretation

The Cloudflare One stack equips agents with the ability to both ingest and generate network diagrams. This capability bridges the gap between visual architecture planning and automated provisioning.

When planning a Zero Trust rollout, you can provide an agent with a current-state network diagram. The agent processes the visual and structural data to generate proposed architectural changes. Once the new architecture is approved, the agent can output updated diagrams reflecting the proposed Cloudflare One implementation.

Executing Blueprint Configurations

At the core of the stack is a central repository of pre-configured blueprints for Zero Trust deployments. These blueprints define the desired state for various organizational structures and security postures.

Instead of manually configuring access policies, secure web gateways, and data loss prevention rules, you instruct the agent to apply a specific blueprint. The agent then executes the automated workflows necessary for provisioning the entire environment. This approach allows security teams to shift from manual configuration to overseeing autonomous workflows, scaling deployments across multiple regions or organizational units rapidly.

Deployment Phase	Manual SASE Approach	Agent-Powered Approach
Planning	Manual network auditing and mapping	Diagram ingestion and automated mapping
Policy Translation	Line-by-line rule rewriting	Automated vendor concept translation
Provisioning	Manual console configuration	Blueprint execution via automated workflows
Troubleshooting	Manual log parsing	Automated root cause analysis via DEX

Integrated Troubleshooting with DEX

Post-deployment, network management requires continuous monitoring and issue resolution. The Cloudflare One stack integrates directly with the Digital Experience Monitoring (DEX) toolkit.

This integration provides agents with automated rule recommendations and diagnostic capabilities. When a user experiences connectivity issues or a security policy blocks legitimate traffic, the agent leverages the DEX telemetry to troubleshoot the event. The agent can then recommend or autonomously apply configuration changes to resolve the issue, minimizing downtime and reducing the load on human network administrators. If you need to evaluate and test AI agents before allowing autonomous remediation, you can run the DEX recommendations in a purely advisory mode.

Cloudflare One Design Partner Designation

For enterprise channel partners, Cloudflare released the Cloudflare One Design Partner Designation alongside the stack. This program targets elite partners handling high-volume architecture and migration support. The inaugural group includes Arctiq, Consortium, CMT, Presidio, and The Missing Link.

These partners receive specialized technical access and financial support to scale the platform. By utilizing the Cloudflare One stack, these organizations convert complex, labor-intensive migrations into scalable consulting services focused on secure AI innovation.

To begin leveraging these capabilities in your own environment, access the blueprint repository through your Cloudflare dashboard and integrate the specific SASE translation tools into your agent platform.