Not to shill but I just found the other day that cloudflare has a csam scanning and reporting engine built into their proxies. In theory it gives them a window into the data stream by them decrypting and re-encrypting that could snatch a password hash, but 2FA makes that useless after a minute. Basically it scans anything that gets put in the cache and reports it, notifies you to pull it down, and automatically puts up a 451 block on the link.
Not to shill but I just found the other day that cloudflare has a csam scanning and reporting engine built into their proxies. In theory it gives them a window into the data stream by them decrypting and re-encrypting that could snatch a password hash, but 2FA makes that useless after a minute. Basically it scans anything that gets put in the cache and reports it, notifies you to pull it down, and automatically puts up a 451 block on the link.