I've been on panels at Cloudflare twice as an interviewer, and I also went through their loop as a candidate for an EM role last year. So I have a bit of an unusual angle here.
Cloudflare's behavioral bar is genuinely specific. They're not just running generic leadership principle questions. The things they care about most, based on what I saw debrief after debrief:
Ownership under ambiguity. Not just 'tell me about a time you took initiative.' More like: 'when you had no clear owner and things were breaking, what did you actually do?' They want to see that you ran toward the mess, not away from it. Vague answers get flagged.
Security and privacy as default thinking. Even for non-security roles, they expect you to have considered security implications in your projects. If you're a product engineer who has never thought about what data you're exposing, that's a yellow flag. Their products are infrastructure, and they take this seriously.
Technical credibility at every level. Even for senior ICs and managers, the behavioral round isn't separate from technical thinking. They'll ask a behavioral question and probe on the technical decisions behind your story. 'You said you redesigned the auth layer. Walk me through why.'
For 2026, the questions I saw most: Tell me about a time you had to make a call with incomplete data. Describe a situation where you disagreed with a technical direction. How did it end? Tell me about a system you built that you'd design differently today.
CALIBRATION TIP: They use a structured debrief rubric. The people who get rejected on behavioral usually either (a) give stories that are too vague or (b) give stories where they weren't actually the driver. Make sure YOU are the protagonist, not your team.