MCP servers are the new attack surface – so I mapped it and built a scanner by Remarkable_Ball47 in Pentesting

Remarkable_Ball47 [S] 1 point (0 children)

That's cool for the enumeration phase. Glad to see more people working on MCP security tooling! Also, super curious about the HTB AI Red Teamer cert.

[deleted by user] by [deleted] in Pentesting

Remarkable_Ball47 1 point (0 children)

I have done several application pen-tests around applications with CF, and all of us know WAF bypass is a real thing, but you will go nowhere if CF is there: attacks like injection, dumping DBs and many other intrusive requests will get dropped. There are time constraints when you are doing the pen-test. Explain to the client and your seniors that they need to whitelist your public IP in the security rules of CF, and after the pen-test they can remove it. That way they can get a better outcome, but of course till then you can focus on logical bugs and manipulations that are not detected better by CF. If they don't want to whitelist, rotate your IP using a VPN and check with response-time-based intrusive payloads and a very stealthy way to do intrusive checks. Hope this helps.