The company I work for operates in the IPsec space and to be entirely fair to cloudflare here, serving captcha to anyone from a tor exit node is probably a fairly reasonable way to approach it. The amount of threats that rely on tor (and cheap untrustworthy vpn services) for anonymization more than justifies it. Any statistical model trying to block threats will naturally start flagging tor exit-nodes just by nature of the amount of attacks people try to abuse it for.