> Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious.

I'm skeptical about their metrics. If I try to access a cloudfare protected site and never manage to finish the infinite captcha look or just change my mind after seeing the captcha, do they consider it a successful block? Even if we think they have some magic way of actually knowing whether all requests are malicious or not:

> That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network.

Personally I don't think content scraping and vulnerability scanning are "malicious per se", by that metric even Google (and every other search engine) would be malicious.

For comparison, I'm curious what the percentage is excluding Tor.