Cloudflare’s unique network could make it the most essential security vendor of the zero-trust era

As Cloudflare seeks to win over enterprises with its array of zero-trust security services, CEO Matthew Prince told Protocol, “We just come at [cybersecurity] differently than all of the other vendors that are out there.” The company will need to take on some of the most-established vendors in the industry to achieve its vision.

Signage reading "Cloudflare" outside the company headquarters in San Francisco

The company has aggressively sought to expand beyond its roots in application security and into zero-trust services.

Photo: Michael Short/Bloomberg via Getty Images

Cloudflare is positioning itself to become nothing short of the most important and enduring platform for enterprise network security, declared Cloudflare co-founder and CEO Matthew Prince in a recent interview, emphasizing its drive to offer all of the services needed for securing a cloud-based corporate network.

For the last several years the company has aggressively sought to expand beyond its roots in application security and into zero-trust services, an increasingly pivotal focus for enterprise cybersecurity departments. And in that push, Cloudflare brings unique advantages — particularly its global network — that could be setting it up for serious growth in the enterprise security market, according to Prince, industry experts and equity research analysts who spoke with Protocol.

Looking ahead, Prince believes the biggest winners in cybersecurity will be those who can deliver security combined with an assortment of other cloud-based services that businesses need to operate in the modern world. Ten years from now, he predicted, "our customers will think of it less as cybersecurity and think of it more just as the network that they need to get their jobs done."

To be sure, deeply entrenched enterprise vendors can be harder to displace by upstarts than it might seem, and customers can have many reasons for their buying decisions. And for many enterprise buyers, Cloudflare is going to look very different from the vendors they’ve been traditionally familiar with, which Prince is quick to admit.

"We just come at [cybersecurity] differently than all of the other vendors that are out there," Prince told Protocol. In his view, Cloudflare will likely end up being more comparable to AWS than to any of the existing stand-alone security vendors given its recent investments in compute, storage and other application services.

As businesses look to shift their network security spend from hardware to cloud services, “I think they'll increasingly be choosing Cloudflare for their complete network security offering,” Prince said. Ultimately, “we want to solve all the network security issues that a company faces.”

"We just come at [cybersecurity] differently than all of the other vendors that are out there."

The road to achieving that vision will include having to take on some of the heavyweights of the cybersecurity industry — something that's already started happening more frequently, Prince said. Security vendors that specialize in zero trust such as Palo Alto Networks, Zscaler and Netskope "need to pay attention to the moves that Cloudflare is making," said Adam Borg, director in equity research at Stifel.

It will take time for this to play out, as Cloudflare builds up its enterprise salesforce and achieves enterprise-grade maturity for its products, Borg said. However, "there's no reason to think that they won't have success on the zero-trust side like they've had on the application security side," he said.

Network effects

Cloudflare is far from new to cybersecurity, of course. The company, founded in 2009, has long offered web security services such as distributed denial-of-service (DDoS) mitigation and web application firewalls. From early on, "we had to get good at stopping DDoS because it was the only way that we could help make sure our other services" functioned properly, Prince said.

Experts say that Cloudflare's worldwide network makes it one of the few vendors that can deliver a true zero-trust architecture for customers, particularly over the longer-term, as customers seek to consolidate vendors and tools.

Cloudflare's network covers 270 cities across more than 100 countries, allowing the company to reliably serve customers worldwide. The fact that Cloudflare doesn't rely on someone else's infrastructure is a key differentiator, enabling not only strong performance and security but also highly competitive pricing, analysts said.

Cloudflare's global network "is their critical advantage," said David Holmes, senior analyst at Forrester. "When everyone wants to consume something as a service, the bigger and faster your network is for delivering these services, the better the experience for the users."

It's no simple undertaking to build a network such as this, Holmes said. "A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

Ultimately, "having a network like this is so important for all of the next technologies that everyone's going to consume as a service," he said.

"A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

It also gives Cloudflare a view into major cyber events that few others have. Prince has become known for sharing some of the earliest details about such incidents on Twitter, such as the 2016 Mirai DDoS attacks that crippled servers across the Eastern U.S. and the worldwide exploitation of critical vulnerabilities in Apache Log4j in December 2021.

The advantages that Cloudflare's network provides could almost be called "unfair advantages" — due to how big of a leg-up they offer over some competitors — but they’ve been "fairly won” through the company’s continued efforts, said Jay Leek, the former CISO of The Blackstone Group and now managing partner at SYN Ventures.

All in on zero trust

Cloudflare is now seeking to leverage its network to simplify zero trust, a concept that many customers find overly complex. And simplicity has always been a strength for the company, said Andy Ellis, the former longtime chief security officer of Akamai, a perennial rival to Cloudflare in web content delivery services.

"One thing that Cloudflare has always been really good at is easy-to-consume security," said Ellis, who left Akamai in 2021 and is now an operating partner at YL Ventures. "Cloudflare really does try to shrink-wrap security when they deliver it."

The promise of zero trust is to ensure that only legitimate users are able to access corporate applications and data, a top priority for enterprises with distributed workforces, which are no longer protected effectively by traditional network security tools. Most organizations are expected to embrace zero trust as the starting point for their security strategies within the next few years, according to a recent Gartner survey.

Cloudflare has also invested heavily in recent years to assemble a portfolio of zero-trust services such as secure application access (also known as zero-trust network access, or ZTNA) as well as browser isolation and secure web gateway. As a result, "what we have really seen in the last six months is that we are getting pulled into more and more deals" with large customers, Prince told Protocol.

More than 15% of the company's paying customer base — or, more than 23,000 customers — have now adopted at least one of Cloudflare's zero-trust services, the company told Protocol. Overall revenue for the company's most recently reported quarter surged 54% year-over-year to $212.2 million.

"They're now in these discussions. And they weren't three years ago," said Neil MacDonald, vice president and distinguished analyst at Gartner. "They're quite credible on the security services side of things."

But today Cloudflare's wide range of services across web performance, security and infrastructure is both an advantage and also a bit tough to grasp for some. Prince acknowledged that, as the much-used analogy goes, people tend to focus on "different parts of the elephant" when it comes to their understanding of Cloudflare.

"They're now in these discussions. And they weren't three years ago."

What Prince hopes customers will start to see, however, is that Cloudflare is now a full platform for modern network security.

“We think that we have the network and the innovation machine that allows us to — regardless of what you need to do with network security — be able to solve it as a single vendor, in a way which will always be better than what point solutions can provide in other spaces,” he said.

What Cloudflare doesn't plan to pursue are products for endpoint or identity security, where there are already well-established players that the company partners with, he said.

But "between those two things, there's a role for network security. We want to play in every part of that space," Prince said.

Within that framework, Cloudflare recently expanded into email security with the $162 million acquisition of Area 1 Security. It also recently added cloud access security broker (CASB) capabilities with the acquisition of Vectrix. The company's overarching platform that unifies these capabilities, Cloudflare One, lines up with the very buzzy category of secure access service edge (SASE).

With Cloudflare One — which originally debuted in October 2020 and is now front and center in the company's product marketing — "I think we fit the model of what Gartner calls SASE better than any other company," Prince said. SASE is a cloud-driven architecture meant to secure all applications, data, users and devices using principles such as zero trust.

In SASE, "I fully expect them to be a player now," Gartner's MacDonald said. "They're investing, and they're taking advantage of their worldwide network of points of presence to do the new security functions."

Tool consolidation

Cloudflare's track record of taking a "mishmash of technologies, simplifying them and then creating a platform" is highly disruptive to traditional approaches, said Joel Fishbein, managing director at Truist Securities.

But even though Cloudflare's moves have been ambitious — even gutsy, he said — the company has "done everything and more that they've said they would do."

For customer Werner Enterprises, the opportunity to potentially consolidate cybersecurity tools with Cloudflare is highly appealing, according to CIO Daragh Mahon. Like many large businesses, the transportation and logistics company has a major problem with tool sprawl. "We're trying to just use a single vendor, as much as possible," Mahon said.

So far, Werner Enterprises has deployed Cloudflare's web application firewall and its Area 1 email security offering, and the company is now about to start a test of the Cloudflare One platform, to hopefully consolidate even further with Cloudflare. "So far, we've liked everything Cloudflare has sent our way," Mahon said.

The misperception that Cloudflare only serves small businesses is a hangover from how the company initially went to market, Prince said.

In cybersecurity, Cloudflare started out catering to businesses that were "completely underserved" by the existing security vendors at the time, he said. The company then moved upmarket over time; now, according to Prince, 13 of the world's 20 largest companies are customers of Cloudflare's security services.

Going forward, "you will see us in many more of those deals that come through system integrators and partners, which is a bit of a newer skill for us," he said. Still, practitioner-led deals have "always been the bread and butter of how we've gone to market. And I think that that's something that neither Palo [Alto Networks] or Zscaler are able to match," Prince said.

Cloudflare has been making plenty of big moves outside cybersecurity, too. The company offers a serverless compute service, Workers, and a cloud storage object service, R2, that went into open beta in May. R2 aims to stand out from Amazon S3 by not charging data-egress fees, and the company has said that, even apart from that, it will be 10% cheaper to operate than S3.

With Cloudflare's moves into infrastructure services, "this is your next AWS in the making," said Shaul Eyal, managing director at Cowen.

Prince previously told Protocol that Cloudflare is, in fact, "aiming to be the fourth major public cloud." In the most recent interview, he painted that potential outcome as a by-product of Cloudflare's strategy rather than the ultimate goal.

"It may be that the final step in this is that, yeah, we look like the fourth cloud, or whatever you want to call it," Prince said. "But we really think of ourselves as the network that connects together anything that's going to be online."

In other words, Cloudflare is looking to enable customers to reliably and securely use whatever cloud-based services they might want, including from other platforms, he said: "maybe storage from AWS, Office from Microsoft, machine learning from Google, post-quantum work from IBM, a database from Oracle." Cloudflare's larger goal, Prince said, is to provide the "programmable, secure network that hooks that all together."

Being able to provide that network combined with zero trust and other security services is something that'll have broad appeal among customers going forward, he said.

"The architects of the digital world have let [customers] down."

In the future, "I think the companies that are able to take cybersecurity and do it well — and build out a true cloud platform themselves — will dwarf anything that we're seeing in the cybersecurity space today," Prince said.

Prince is not alone in holding this view of the future.

Amid rampant ransomware attacks, the sentiment among many customers right now is that "the architects of the digital world have let them down," said Forrester's Holmes. What customers will demand more and more, he said, is to be able to work with "one trusted vendor, whom you trust with all of your network traffic and your cybersecurity."

From a customer point of view, "it's a single-vendor game in the distant future," Holmes said. "This might take 10 years or 15 years — we might be in year two or three."

That doesn't equate to having just one vendor to choose from, but the list of vendors able to provide all of that won't be lengthy — maybe five in the U.S. and 10 worldwide, akin to what's happened in public cloud, according to Holmes. And Cloudflare is a strong contender for becoming one of those five vendors in the U.S., he said.

"They've got the huge network. They have an understanding of zero trust. They're assembling the cybersecurity portfolio," Holmes said. "Things are looking good for them."

A 'Soho house for techies': VCs place a bet on community

Contrary is the latest venture firm to experiment with building community spaces instead of offices.

Contrary NYC is meant to re-create being part of a members-only club where engineers and entrepreneurs can hang out together, have a space to work, and host events for people in tech.

Photo: Courtesy of Contrary

In the pre-pandemic times, Contrary’s network of venture scouts, founders, and top technologists reflected the magnetic pull Silicon Valley had on the tech industry. About 80% were based in the Bay Area, with a smattering living elsewhere. Today, when Contrary asked where people in its network were living, the split had changed with 40% in the Bay Area and another 40% living in or planning to move to New York.

It’s totally bifurcated now, said Contrary’s founder Eric Tarczynski.

Keep Reading Show less
Biz Carson

Biz Carson ( @bizcarson) is a San Francisco-based reporter at Protocol, covering Silicon Valley with a focus on startups and venture capital. Previously, she reported for Forbes and was co-editor of Forbes Next Billion-Dollar Startups list. Before that, she worked for Business Insider, Gigaom, and Wired and started her career as a newspaper designer for Gannett.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

Binance CEO wrestles with the 'Chinese company' label

Changpeng "CZ" Zhao, who leads crypto’s largest marketplace, is pushing back on attempts to link Binance to Beijing.

Despite Binance having to abandon its country of origin shortly after its founding, critics have portrayed the exchange as a tool of the Chinese government.

Photo: Akio Kon/Bloomberg via Getty Images

In crypto, he is known simply as CZ, head of one of the industry’s most dominant players.

It took only five years for Binance CEO and co-founder Changpeng Zhao to build his company, which launched in 2017, into the world’s biggest crypto exchange, with 90 million customers and roughly $76 billion in daily trading volume, outpacing the U.S. crypto powerhouse Coinbase.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.


How I decided to leave the US and pursue a tech career in Europe

Melissa Di Donato moved to Europe to broaden her technology experience with a different market perspective. She planned to stay two years. Seventeen years later, she remains in London as CEO of Suse.

“It was a hard go for me in the beginning. I was entering inside of a company that had been very traditional in a sense.”

Photo: Suse

Click banner image for more How I decided seriesA native New Yorker, Melissa Di Donato made a life-changing decision back in 2005 when she packed up for Europe to further her career in technology. Then with IBM, she made London her new home base.

Today, Di Donato is CEO of Germany’s Suse, now a 30-year-old, open-source enterprise software company that specializes in Linux operating systems, container management, storage, and edge computing. As the company’s first female leader, she has led Suse through the coronavirus pandemic, a 2021 IPO on the Frankfurt Stock Exchange, and the acquisitions of Kubernetes management startup Rancher Labs and container security company NeuVector.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.


UiPath had a rocky few years. Rob Enslin wants to turn it around.

Protocol caught up with Enslin, named earlier this year as UiPath’s co-CEO, to discuss why he left Google Cloud, the untapped potential of robotic-process automation, and how he plans to lead alongside founder Daniel Dines.

Rob Enslin, UiPath's co-CEO, chats with Protocol about the company's future.

Photo: UiPath

UiPath has had a shaky history.

The company, which helps companies automate business processes, went public in 2021 at a valuation of more than $30 billion, but now the company’s market capitalization is only around $7 billion. To add insult to injury, UiPath laid off 5% of its staff in June and then lowered its full-year guidance for fiscal year 2023 just months later, tanking its stock by 15%.

Keep Reading Show less
Aisha Counts

Aisha Counts (@aishacounts) is a reporter at Protocol covering enterprise software. Formerly, she was a management consultant for EY. She's based in Los Angeles and can be reached at acounts@protocol.com.

Latest Stories