Cloudflare’s unique network could make it the most essential security vendor of the zero-trust era

As Cloudflare seeks to win over enterprises with its array of zero-trust security services, CEO Matthew Prince told Protocol, “We just come at [cybersecurity] differently than all of the other vendors that are out there.” The company will need to take on some of the most-established vendors in the industry to achieve its vision.

Signage reading "Cloudflare" outside the company headquarters in San Francisco

The company has aggressively sought to expand beyond its roots in application security and into zero-trust services.

Photo: Michael Short/Bloomberg via Getty Images

Cloudflare is positioning itself to become nothing short of the most important and enduring platform for enterprise network security, declared Cloudflare co-founder and CEO Matthew Prince in a recent interview, emphasizing its drive to offer all of the services needed for securing a cloud-based corporate network.

For the last several years the company has aggressively sought to expand beyond its roots in application security and into zero-trust services, an increasingly pivotal focus for enterprise cybersecurity departments. And in that push, Cloudflare brings unique advantages — particularly its global network — that could be setting it up for serious growth in the enterprise security market, according to Prince, industry experts and equity research analysts who spoke with Protocol.

Looking ahead, Prince believes the biggest winners in cybersecurity will be those who can deliver security combined with an assortment of other cloud-based services that businesses need to operate in the modern world. Ten years from now, he predicted, "our customers will think of it less as cybersecurity and think of it more just as the network that they need to get their jobs done."

To be sure, deeply entrenched enterprise vendors can be harder to displace by upstarts than it might seem, and customers can have many reasons for their buying decisions. And for many enterprise buyers, Cloudflare is going to look very different from the vendors they’ve been traditionally familiar with, which Prince is quick to admit.

"We just come at [cybersecurity] differently than all of the other vendors that are out there," Prince told Protocol. In his view, Cloudflare will likely end up being more comparable to AWS than to any of the existing stand-alone security vendors given its recent investments in compute, storage and other application services.

As businesses look to shift their network security spend from hardware to cloud services, “I think they'll increasingly be choosing Cloudflare for their complete network security offering,” Prince said. Ultimately, “we want to solve all the network security issues that a company faces.”

"We just come at [cybersecurity] differently than all of the other vendors that are out there."

The road to achieving that vision will include having to take on some of the heavyweights of the cybersecurity industry — something that's already started happening more frequently, Prince said. Security vendors that specialize in zero trust such as Palo Alto Networks, Zscaler and Netskope "need to pay attention to the moves that Cloudflare is making," said Adam Borg, director in equity research at Stifel.

It will take time for this to play out, as Cloudflare builds up its enterprise salesforce and achieves enterprise-grade maturity for its products, Borg said. However, "there's no reason to think that they won't have success on the zero-trust side like they've had on the application security side," he said.

Network effects

Cloudflare is far from new to cybersecurity, of course. The company, founded in 2009, has long offered web security services such as distributed denial-of-service (DDoS) mitigation and web application firewalls. From early on, "we had to get good at stopping DDoS because it was the only way that we could help make sure our other services" functioned properly, Prince said.

Experts say that Cloudflare's worldwide network makes it one of the few vendors that can deliver a true zero-trust architecture for customers, particularly over the longer-term, as customers seek to consolidate vendors and tools.

Cloudflare's network covers 270 cities across more than 100 countries, allowing the company to reliably serve customers worldwide. The fact that Cloudflare doesn't rely on someone else's infrastructure is a key differentiator, enabling not only strong performance and security but also highly competitive pricing, analysts said.

Cloudflare's global network "is their critical advantage," said David Holmes, senior analyst at Forrester. "When everyone wants to consume something as a service, the bigger and faster your network is for delivering these services, the better the experience for the users."

It's no simple undertaking to build a network such as this, Holmes said. "A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

Ultimately, "having a network like this is so important for all of the next technologies that everyone's going to consume as a service," he said.

"A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

It also gives Cloudflare a view into major cyber events that few others have. Prince has become known for sharing some of the earliest details about such incidents on Twitter, such as the 2016 Mirai DDoS attacks that crippled servers across the Eastern U.S. and the worldwide exploitation of critical vulnerabilities in Apache Log4j in December 2021.

The advantages that Cloudflare's network provides could almost be called "unfair advantages" — due to how big of a leg-up they offer over some competitors — but they’ve been "fairly won” through the company’s continued efforts, said Jay Leek, the former CISO of The Blackstone Group and now managing partner at SYN Ventures.

All in on zero trust

Cloudflare is now seeking to leverage its network to simplify zero trust, a concept that many customers find overly complex. And simplicity has always been a strength for the company, said Andy Ellis, the former longtime chief security officer of Akamai, a perennial rival to Cloudflare in web content delivery services.

"One thing that Cloudflare has always been really good at is easy-to-consume security," said Ellis, who left Akamai in 2021 and is now an operating partner at YL Ventures. "Cloudflare really does try to shrink-wrap security when they deliver it."

The promise of zero trust is to ensure that only legitimate users are able to access corporate applications and data, a top priority for enterprises with distributed workforces, which are no longer protected effectively by traditional network security tools. Most organizations are expected to embrace zero trust as the starting point for their security strategies within the next few years, according to a recent Gartner survey.

Cloudflare has also invested heavily in recent years to assemble a portfolio of zero-trust services such as secure application access (also known as zero-trust network access, or ZTNA) as well as browser isolation and secure web gateway. As a result, "what we have really seen in the last six months is that we are getting pulled into more and more deals" with large customers, Prince told Protocol.

More than 15% of the company's paying customer base — or, more than 23,000 customers — have now adopted at least one of Cloudflare's zero-trust services, the company told Protocol. Overall revenue for the company's most recently reported quarter surged 54% year-over-year to $212.2 million.

"They're now in these discussions. And they weren't three years ago," said Neil MacDonald, vice president and distinguished analyst at Gartner. "They're quite credible on the security services side of things."

But today Cloudflare's wide range of services across web performance, security and infrastructure is both an advantage and also a bit tough to grasp for some. Prince acknowledged that, as the much-used analogy goes, people tend to focus on "different parts of the elephant" when it comes to their understanding of Cloudflare.

"They're now in these discussions. And they weren't three years ago."

What Prince hopes customers will start to see, however, is that Cloudflare is now a full platform for modern network security.

“We think that we have the network and the innovation machine that allows us to — regardless of what you need to do with network security — be able to solve it as a single vendor, in a way which will always be better than what point solutions can provide in other spaces,” he said.

What Cloudflare doesn't plan to pursue are products for endpoint or identity security, where there are already well-established players that the company partners with, he said.

But "between those two things, there's a role for network security. We want to play in every part of that space," Prince said.

Within that framework, Cloudflare recently expanded into email security with the $162 million acquisition of Area 1 Security. It also recently added cloud access security broker (CASB) capabilities with the acquisition of Vectrix. The company's overarching platform that unifies these capabilities, Cloudflare One, lines up with the very buzzy category of secure access service edge (SASE).

With Cloudflare One — which originally debuted in October 2020 and is now front and center in the company's product marketing — "I think we fit the model of what Gartner calls SASE better than any other company," Prince said. SASE is a cloud-driven architecture meant to secure all applications, data, users and devices using principles such as zero trust.

In SASE, "I fully expect them to be a player now," Gartner's MacDonald said. "They're investing, and they're taking advantage of their worldwide network of points of presence to do the new security functions."

Tool consolidation

Cloudflare's track record of taking a "mishmash of technologies, simplifying them and then creating a platform" is highly disruptive to traditional approaches, said Joel Fishbein, managing director at Truist Securities.

But even though Cloudflare's moves have been ambitious — even gutsy, he said — the company has "done everything and more that they've said they would do."

For customer Werner Enterprises, the opportunity to potentially consolidate cybersecurity tools with Cloudflare is highly appealing, according to CIO Daragh Mahon. Like many large businesses, the transportation and logistics company has a major problem with tool sprawl. "We're trying to just use a single vendor, as much as possible," Mahon said.

So far, Werner Enterprises has deployed Cloudflare's web application firewall and its Area 1 email security offering, and the company is now about to start a test of the Cloudflare One platform, to hopefully consolidate even further with Cloudflare. "So far, we've liked everything Cloudflare has sent our way," Mahon said.

The misperception that Cloudflare only serves small businesses is a hangover from how the company initially went to market, Prince said.

In cybersecurity, Cloudflare started out catering to businesses that were "completely underserved" by the existing security vendors at the time, he said. The company then moved upmarket over time; now, according to Prince, 13 of the world's 20 largest companies are customers of Cloudflare's security services.

Going forward, "you will see us in many more of those deals that come through system integrators and partners, which is a bit of a newer skill for us," he said. Still, practitioner-led deals have "always been the bread and butter of how we've gone to market. And I think that that's something that neither Palo [Alto Networks] or Zscaler are able to match," Prince said.

Cloudflare has been making plenty of big moves outside cybersecurity, too. The company offers a serverless compute service, Workers, and a cloud storage object service, R2, that went into open beta in May. R2 aims to stand out from Amazon S3 by not charging data-egress fees, and the company has said that, even apart from that, it will be 10% cheaper to operate than S3.

With Cloudflare's moves into infrastructure services, "this is your next AWS in the making," said Shaul Eyal, managing director at Cowen.

Prince previously told Protocol that Cloudflare is, in fact, "aiming to be the fourth major public cloud." In the most recent interview, he painted that potential outcome as a by-product of Cloudflare's strategy rather than the ultimate goal.

"It may be that the final step in this is that, yeah, we look like the fourth cloud, or whatever you want to call it," Prince said. "But we really think of ourselves as the network that connects together anything that's going to be online."

In other words, Cloudflare is looking to enable customers to reliably and securely use whatever cloud-based services they might want, including from other platforms, he said: "maybe storage from AWS, Office from Microsoft, machine learning from Google, post-quantum work from IBM, a database from Oracle." Cloudflare's larger goal, Prince said, is to provide the "programmable, secure network that hooks that all together."

Being able to provide that network combined with zero trust and other security services is something that'll have broad appeal among customers going forward, he said.

"The architects of the digital world have let [customers] down."

In the future, "I think the companies that are able to take cybersecurity and do it well — and build out a true cloud platform themselves — will dwarf anything that we're seeing in the cybersecurity space today," Prince said.

Prince is not alone in holding this view of the future.

Amid rampant ransomware attacks, the sentiment among many customers right now is that "the architects of the digital world have let them down," said Forrester's Holmes. What customers will demand more and more, he said, is to be able to work with "one trusted vendor, whom you trust with all of your network traffic and your cybersecurity."

From a customer point of view, "it's a single-vendor game in the distant future," Holmes said. "This might take 10 years or 15 years — we might be in year two or three."

That doesn't equate to having just one vendor to choose from, but the list of vendors able to provide all of that won't be lengthy — maybe five in the U.S. and 10 worldwide, akin to what's happened in public cloud, according to Holmes. And Cloudflare is a strong contender for becoming one of those five vendors in the U.S., he said.

"They've got the huge network. They have an understanding of zero trust. They're assembling the cybersecurity portfolio," Holmes said. "Things are looking good for them."


Climate startups' secret weapon to meet their missions

Climate tech startups are embracing the public benefit corporation, a formerly niche way of incorporating, as a way of holding themselves accountable.

An increasing number of mission-driven companies are incorporating as PBCs.

Illustration: Christopher T. Fong/Protocol

Nearly every company today claims to be mission-driven. But the quest for profits and shareholder demands can often get in the way of more altruistic goals.

A new wave of climate-focused startups is trying to mitigate those competing interests using a wonky and somewhat dry piece of business incorporation status that’s existed for more than a decade: the public benefit corporation. Ultimately, PBCs are just one attempt — albeit a still untested one — to better align the capitalist system with combatting the climate crisis.

Keep Reading Show less
Michelle Ma

Michelle Ma (@himichellema) is a reporter at Protocol covering climate. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at mma@protocol.com.

Sponsored Content

How cybercrime is going small time

Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime

Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm the Cyentia Institute. One in 10 of those victims suffer losses of more than $20 million, with some reaching $100 million or more.

That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.


Red tape is holding back the EV transition

Charging infrastructure is getting held up by local bureaucracy, creating a conundrum for would-be EV drivers.

Lengthy administrative processes are causing significant delays as EV charging companies and local businesses seek to provide access to charging.

Photo illustration: Kena Betancur/VIEW press/Getty Images; Protocol

Building out charging infrastructure as quickly as possible has never been more critical to getting people in electric vehicles.

Yet as states and the federal government embark on ambitious plans to transition from gas-powered to electric vehicles, local government bureaucracies often stand in the way. From acquiring multiple permits to zoning requirements, lengthy administrative processes are causing significant delays as EV charging companies and local businesses seek to provide access to charging. That could slow down EV adoption at a time when the climate crisis depends on getting more of them on the road.

Keep Reading Show less
Kwasi Gyamfi Asiedu

Kwasi (kway-see) is a fellow at Protocol with an interest in tech policy and climate. Previously, he covered global religion news at the Associated Press in New York. Before that, he was a freelance journalist based out of Accra, Ghana, covering social justice, health, and environment stories. His reporting has been published in The New York Times, Quartz, CNN, The Guardian, and Public Radio International. He can be reached at kasiedu@protocol.com.


Proximity bias is real. Here's how Prezi is fixing it.

Going back to the office isn’t the answer, but better virtual meetings could be.

"As simple as that sounds, creating that sense of place and purpose with a digital workspace and branding, those are the key things that we do internally and that we've productized for our customers."

Photo: Prezi

Jim Szafranski, CEO of presentation software company Prezi, started developing video meeting and presentation software Prezi Video as a “hobby project” toward the end of 2019. Then the pandemic hit.

“What was typically thought of as a presentation company suddenly was involved in the virtual work world,” Szafranski said.

Keep Reading Show less
Nat Rubio-Licht

Nat Rubio-Licht is a Los Angeles-based news writer at Protocol. They graduated from Syracuse University with a degree in newspaper and online journalism in May 2020. Prior to joining the team, they worked at the Los Angeles Business Journal as a technology and aerospace reporter.


Why Microsoft needs to drag Call of Duty into the future

Microsoft’s biggest challenge with Call of Duty has nothing to do with Sony. It’s about modernizing the franchise for a cross-platform and subscription future.

Call of Duty: Modern Warfare II premiered the biggest entertainment advertisement ever at the port of Los Angeles in May 2022.

Photo: Jerod Harris/Getty Images for Activision

Microsoft and Sony have been waging an increasingly bitter battle over Call of Duty. Over the past two weeks, the feud has spilled out into the public through regulatory filings in countries like Brazil and New Zealand, which, unlike the U.S., publish such documents for all to see.

Microsoft’s goal is to convince regulators worldwide that its landmark acquisition of Call of Duty parent Activision Blizzard for close to $70 billion should get the greenlight. Sony's goal, on the other hand, is to raise the alarm about its primary gaming rival owning one of its biggest cash cows, and whether the PlayStation playbook of platform exclusivity might be turned against Sony if Microsoft decides to make Call of Duty exclusive in some way to Xbox or its Game Pass subscription service.

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.

Latest Stories