Cloudflare is positioning itself to become nothing short of the most important and enduring platform for enterprise network security, declared Cloudflare co-founder and CEO Matthew Prince in a recent interview, emphasizing its drive to offer all of the services needed for securing a cloud-based corporate network.
For the last several years the company has aggressively sought to expand beyond its roots in application security and into zero-trust services, an increasingly pivotal focus for enterprise cybersecurity departments. And in that push, Cloudflare brings unique advantages — particularly its global network — that could be setting it up for serious growth in the enterprise security market, according to Prince, industry experts and equity research analysts who spoke with Protocol.
Looking ahead, Prince believes the biggest winners in cybersecurity will be those who can deliver security combined with an assortment of other cloud-based services that businesses need to operate in the modern world. Ten years from now, he predicted, "our customers will think of it less as cybersecurity and think of it more just as the network that they need to get their jobs done."
To be sure, deeply entrenched enterprise vendors can be harder for upstarts to displace than it might seem, and customers can have many reasons for their buying decisions. And for many enterprise buyers, Cloudflare is going to look very different from the vendors they've been traditionally familiar with, which Prince is quick to admit.
"We just come at [cybersecurity] differently than all of the other vendors that are out there," Prince told Protocol. In his view, Cloudflare will likely end up being more comparable to AWS than to any of the existing stand-alone security vendors given its recent investments in compute, storage and other application services.
As businesses look to shift their network security spend from hardware to cloud services, “I think they'll increasingly be choosing Cloudflare for their complete network security offering,” Prince said. Ultimately, “we want to solve all the network security issues that a company faces.”
The road to achieving that vision will include having to take on some of the heavyweights of the cybersecurity industry — something that's already started happening more frequently, Prince said. Security vendors that specialize in zero trust such as Palo Alto Networks, Zscaler and Netskope "need to pay attention to the moves that Cloudflare is making," said Adam Borg, director in equity research at Stifel.
It will take time for this to play out, as Cloudflare builds up its enterprise salesforce and achieves enterprise-grade maturity for its products, Borg said. However, "there's no reason to think that they won't have success on the zero-trust side like they've had on the application security side," he said.
Network effects
Cloudflare is far from new to cybersecurity, of course. The company, founded in 2009, has long offered web security services such as distributed denial-of-service (DDoS) mitigation and web application firewalls. From early on, "we had to get good at stopping DDoS because it was the only way that we could help make sure our other services" functioned properly, Prince said.
Experts say that Cloudflare's worldwide network makes it one of the few vendors that can deliver a true zero-trust architecture for customers, particularly over the longer-term, as customers seek to consolidate vendors and tools.
Cloudflare's network covers 270 cities across more than 100 countries, allowing the company to reliably serve customers worldwide. The fact that Cloudflare doesn't rely on someone else's infrastructure is a key differentiator, enabling not only strong performance and security but also highly competitive pricing, analysts said.
Cloudflare's global network "is their critical advantage," said David Holmes, senior analyst at Forrester. "When everyone wants to consume something as a service, the bigger and faster your network is for delivering these services, the better the experience for the users."
It's no simple undertaking to build a network such as this, Holmes said. "A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"
Ultimately, "having a network like this is so important for all of the next technologies that everyone's going to consume as a service," he said.
It also gives Cloudflare a view into major cyber events that few others have. Prince has become known for sharing some of the earliest details about such incidents on Twitter, such as the 2016 Mirai DDoS attacks that crippled servers across the Eastern U.S. and the worldwide exploitation of critical vulnerabilities in Apache Log4j in December 2021.
The advantages that Cloudflare's network provides could almost be called "unfair advantages" — due to how big of a leg-up they offer over some competitors — but they've been "fairly won" through the company's continued efforts, said Jay Leek, the former CISO of The Blackstone Group and now managing partner at SYN Ventures.
All in on zero trust
Cloudflare is now seeking to leverage its network to simplify zero trust, a concept that many customers find overly complex. And simplicity has always been a strength for the company, said Andy Ellis, the former longtime chief security officer of Akamai, a perennial rival to Cloudflare in web content delivery services.
"One thing that Cloudflare has always been really good at is easy-to-consume security," said Ellis, who left Akamai in 2021 and is now an operating partner at YL Ventures. "Cloudflare really does try to shrink-wrap security when they deliver it."
The promise of zero trust is to ensure that only legitimate users are able to access corporate applications and data, a top priority for enterprises with distributed workforces, which are no longer protected effectively by traditional network security tools. Most organizations are expected to embrace zero trust as the starting point for their security strategies within the next few years, according to a recent Gartner survey.
Cloudflare has also invested heavily in recent years to assemble a portfolio of zero-trust services such as secure application access (also known as zero-trust network access, or ZTNA) as well as browser isolation and secure web gateway. As a result, "what we have really seen in the last six months is that we are getting pulled into more and more deals" with large customers, Prince told Protocol.
More than 15% of the company's paying customer base — or, more than 23,000 customers — have now adopted at least one of Cloudflare's zero-trust services, the company told Protocol. Overall revenue for the company's most recently reported quarter surged 54% year-over-year to $212.2 million.
"They're now in these discussions. And they weren't three years ago," said Neil MacDonald, vice president and distinguished analyst at Gartner. "They're quite credible on the security services side of things."
But today Cloudflare's wide range of services across web performance, security and infrastructure is both an advantage and also a bit tough to grasp for some. Prince acknowledged that, as the much-used analogy goes, people tend to focus on "different parts of the elephant" when it comes to their understanding of Cloudflare.
What Prince hopes customers will start to see, however, is that Cloudflare is now a full platform for modern network security.
“We think that we have the network and the innovation machine that allows us to — regardless of what you need to do with network security — be able to solve it as a single vendor, in a way which will always be better than what point solutions can provide in other spaces,” he said.
What Cloudflare doesn't plan to pursue are products for endpoint or identity security, where there are already well-established players that the company partners with, he said.
But "between those two things, there's a role for network security. We want to play in every part of that space," Prince said.
Within that framework, Cloudflare recently expanded into email security with the $162 million acquisition of Area 1 Security. It also recently added cloud access security broker (CASB) capabilities with the acquisition of Vectrix. The company's overarching platform that unifies these capabilities, Cloudflare One, lines up with the very buzzy category of secure access service edge (SASE).
With Cloudflare One — which originally debuted in October 2020 and is now front and center in the company's product marketing — "I think we fit the model of what Gartner calls SASE better than any other company," Prince said. SASE is a cloud-driven architecture meant to secure all applications, data, users and devices using principles such as zero trust.
In SASE, "I fully expect them to be a player now," Gartner's MacDonald said. "They're investing, and they're taking advantage of their worldwide network of points of presence to do the new security functions."
Tool consolidation
Cloudflare's track record of taking a "mishmash of technologies, simplifying them and then creating a platform" is highly disruptive to traditional approaches, said Joel Fishbein, managing director at Truist Securities.
But even though Cloudflare's moves have been ambitious — even gutsy, he said — the company has "done everything and more that they've said they would do."
For customer Werner Enterprises, the opportunity to potentially consolidate cybersecurity tools with Cloudflare is highly appealing, according to CIO Daragh Mahon. Like many large businesses, the transportation and logistics company has a major problem with tool sprawl. "We're trying to just use a single vendor, as much as possible," Mahon said.
So far, Werner Enterprises has deployed Cloudflare's web application firewall and its Area 1 email security offering, and the company is now about to start a test of the Cloudflare One platform, to hopefully consolidate even further with Cloudflare. "So far, we've liked everything Cloudflare has sent our way," Mahon said.
The misperception that Cloudflare only serves small businesses is a hangover from how the company initially went to market, Prince said.
In cybersecurity, Cloudflare started out catering to businesses that were "completely underserved" by the existing security vendors at the time, he said. The company then moved upmarket over time; now, according to Prince, 13 of the world's 20 largest companies are customers of Cloudflare's security services.
Going forward, "you will see us in many more of those deals that come through system integrators and partners, which is a bit of a newer skill for us," he said. Still, practitioner-led deals have "always been the bread and butter of how we've gone to market. And I think that that's something that neither Palo [Alto Networks] or Zscaler are able to match," Prince said.
Cloudflare has been making plenty of big moves outside cybersecurity, too. The company offers a serverless compute service, Workers, and a cloud object storage service, R2, that went into open beta in May. R2 aims to stand out from Amazon S3 by not charging data-egress fees, and the company has said that, even apart from that, it will be 10% cheaper to operate than S3.
With Cloudflare's moves into infrastructure services, "this is your next AWS in the making," said Shaul Eyal, managing director at Cowen.
Prince previously told Protocol that Cloudflare is, in fact, "aiming to be the fourth major public cloud." In the most recent interview, he painted that potential outcome as a by-product of Cloudflare's strategy rather than the ultimate goal.
"It may be that the final step in this is that, yeah, we look like the fourth cloud, or whatever you want to call it," Prince said. "But we really think of ourselves as the network that connects together anything that's going to be online."
In other words, Cloudflare is looking to enable customers to reliably and securely use whatever cloud-based services they might want, including from other platforms, he said: "maybe storage from AWS, Office from Microsoft, machine learning from Google, post-quantum work from IBM, a database from Oracle." Cloudflare's larger goal, Prince said, is to provide the "programmable, secure network that hooks that all together."
Being able to provide that network combined with zero trust and other security services is something that'll have broad appeal among customers going forward, he said.
In the future, "I think the companies that are able to take cybersecurity and do it well — and build out a true cloud platform themselves — will dwarf anything that we're seeing in the cybersecurity space today," Prince said.
Prince is not alone in holding this view of the future.
Amid rampant ransomware attacks, the sentiment among many customers right now is that "the architects of the digital world have let them down," said Forrester's Holmes. What customers will demand more and more, he said, is to be able to work with "one trusted vendor, whom you trust with all of your network traffic and your cybersecurity."
From a customer point of view, "it's a single-vendor game in the distant future," Holmes said. "This might take 10 years or 15 years — we might be in year two or three."
That doesn't equate to having just one vendor to choose from, but the list of vendors able to provide all of that won't be lengthy — maybe five in the U.S. and 10 worldwide, akin to what's happened in public cloud, according to Holmes. And Cloudflare is a strong contender for becoming one of those five vendors in the U.S., he said.
"They've got the huge network. They have an understanding of zero trust. They're assembling the cybersecurity portfolio," Holmes said. "Things are looking good for them."