Cloudflare (NET) Deep Dive

Cloudflare (NET) Deep Dive

How do enterprises ensure the resources and infrastructure they expose to the Internet are fast, reliable and safe from attack? Cloudflare.

Cloudflare is a recent IPO (Sept 13, 2019) that is a pick and shovels SaaS play, providing content & networking services to SaaS providers as well as enterprise web apps and sites. They are a leading cloud platform for managing the security and performance of resources on the Internet, and have become a top Content Delivery Network (CDN). They have built a vast global network to help deliver your content to your users as quickly, securely and reliably as possible. Their edge network spans 200 cities worldwide, making 99% of the world’s internet users within immediate reach of their data centers (within 100ms). They also have built up security capabilities to stop large-scale DDoS attacks and, like Crowdstrike, have created their own threat intelligence system to monitor all the traffic in and out of their massive global network.

What is so exciting about Cloudflare is that they have now begun leveraging their global network platform into brand new directions, greatly increasing their TAM. The most exciting one was released last month as a beta – Cloudflare for Teams creates a dual-sided SWG + Zero Trust combination to secure both outgoing and incoming enterprise traffic. This assures an enterprise’s global user base can securely access external SaaS services as well as internal enterprise ones.

Sound familiar? It turns out Cloudflare is now a direct competitor to Zscaler. Given Zscaler’s rapid deceleration while Cloudflare accelerates, Cloudflare now more revenue growth just from their existing cloud network platform (CDN and security), while their new product line – directly entering Zscaler’s turf! – is just getting started. This new product line, Cloudflare for Teams, is a carbon copy of Zscaler. Remember those 150+ data centers that gave Zscaler a moat? Well, Cloudflare has 200 access points into their global edge network. Within Teams, Cloudflare Gateway is equivalent to ZIA, and Cloudflare Access is their ZPA.

Bottom line excitement first: I now own a 8% position in NET. I foresee the existing revenue growth continuing just with their existing product line, but likely to increase further from here, as customers discover this new service. I think there is room for both NET and ZS to succeed in this space, but NET will be supplanting ZS in my portfolio. Primarily because they are way more multi-faceted of a company, not beholden JUST to the Zero Trust paradigm that traditionalists are slow to adopt. But also because their platform is easier to integrate, as they have 90% direct sales; Zscaler has a more difficult integration, requiring integration partners.

First let’s dig into what Cloudflare’s product lines, then look at their S-1, product announcements and 2 earnings reports since they’ve IPO’d.


Global Anycast Network
Cloudflare’s network spans 200 in over 90 countries, with 8,000+ networks globally.

Global Cloud Platform
“Cloudflare provides a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability for on-premises, hybrid, cloud, and SaaS applications.”

  • Security: Cloud-based security platform to secure infrastructure, whether public or private cloud, on-premise, SaaS apps, or IoT. They learn from all free and paid users to improve security. They block 72B cyber-threats/day.
  • Performance & Reliability: Improve app performance & reliability, to enhance visitor experience, raise conversions, and reduce churn.

Platform capabilities:

Security: Web application firewall (WAF), DDoS protection, bot mgmt, IoT security, SSL, rate limiting, Zero Trust access, Web gateway (SWG)
Performance: Content Delivery (CDN), content optimization, mobile optimization, image optimization
Reliability: local edge routing (“Anycast”), virtual private backbone (private global network), smart routing (“Argo”, aka “Waze for the internet”), load balancing, managed DNS, caching
Developer tools: serverless workers, KV store, mobile SDK
Consumer tools: open DNS, VPN (“Warp”)

Platform ecosystem: Cloudflare has an integrated app store full of nearly 200 additional plugins you can enable in your Cloudflare account with a point-and-click.

Pricing tiers:

  • Free = simple sites
  • Pro $20/mo = pro sites needing basic security & performance
  • Business $200/mo = adv security & performance, priority support
  • Enterprise $?/mo = enterprise grade security & performance, emergency support

Free services:

Developer services:

  • Workers: serverless edge computing
    Deploy serverless code across their entire edge network for ultimate performance and reliability.
  • High performance global network
  • Automatic scaling
  • Affordable - first 100k daily requests free, then $5/10M after that
  • Workers KV: Key/value store (akin to Redis) for data storage in edge computing
  • Sites: Store static assets in edge network
  • Mobile SDK: Network diag tools for mobile app monitoring

Specialty products:


S-1 Breakdown (Aug’19):…

  • 2M custs, 75k paying
  • 20M internet properties
  • 1069 empl

“Cloudflare is the leading cloud-first CDN and network services provider and has major trends moving in their favor — the move to cloud infrastructure and the increased need for secure and performant applications & websites. They also have a fairly efficient business and are ~40% bigger (and growing slightly faster) than their nearest competitor, Fastly, on an LTM-revenue basis.”

Revenue 1H19 129.2M +48%
ARR 269.7M
Adj op margin -27%
Custs 2M

  • Paid Custs 75K +33%
    – Custs >100K 408 +70%
    ACV 3.6K
    $NER 111%
  • Revenue growth accelerating last 4Qs.
  • Margins in high 70s.
  • Investing more in sales team, showing up in 70% growth in >100K custs.
  • 70% of enterprise custs use 4+ products
  • Int’l is 52% of rev
  • Free and monthly sub tiers are self-serve, user can implement in minutes
  • Enterprise tier sold 91% direct and 9% through channel partners
    * Heavily used free tier also gives a sales funnel that is easy to tap in to
  • Sales cycle for Enterprise tier is <3mo, which turn into 1-3yr contract billed monthly
  • 100 patents, 60 pending
  • Does NOT sell user data, nor compete w/ custs (the biggest knock on AWS)
  • Markets: CDN, WAN, VPN, firewalls, web security, DDoS protection, intrusion detection and prevention, adv threat detection, Zero Trust
  • TAM 31.6B in 2018, rising to 47.1B in 2022
  • Just entered Zero Trust & SWG market, competing with Zscaler
  • Are developing new products for compute, storage, 5G and IoT markets (per S-1) - so more TAM expansion likely

Enterprise Customers: Marketo, DigitalOcean, Discard, IBM, Thomson Reuters, Discord, IBM, Zendesk

Serverless Customers: Discord, NPM, Timely, Optimizely


  • CDN: Akamai, Fastly, AWS, Azure, GCP, Rackspace
  • DDoS: Akamai, Fastly, Imperva, Oracle (Dyn), F5
  • WAF: Imperva, Akamai, Fastly, Forinet, F5, AWS, Azure, GCP
  • Security: Cisco, FireEye, Palo Alto, Juniper
  • Zero Trust: Zscaler, Okta, Cisco, Akamai, Palo Alto, Symantec (Luminate)
  • SWG: Zscaler, Cisco, McAfee, Symantec, Barracuda

Gartner MQ 2019 for WAF - Cloudflare is top challenger:
Gartner customer reviews:

Driving Trends:

  • App Economy
  • Cloud computing
  • Edge computing
  • Serverless
  • Zero Trust
  • IoT
  • 5G


Fastly is a direct competitor in the edge cloud space (CDN + DDoS protection). They IPO’d 5mo earlier, in May 2019.

Fastly Q319 (Nov’19):
Revenue 50M +34%
Gross Margin 56.1% +130bps
Adj Op Loss -9M
… margin -18%
Adj EPS -0.09
Enterprise custs 274 +35%
Enterprise avg spend 575K
$NER 135%
66 Points of Presence (global network)

  • announced Compute@Edge edge computing environ, in beta

Fool recap:…
CC transcript:…

Cloudflare Q319 (Nov’19):
Revenue 73.9M +48%
Gross Margin 78.9% +92bps
Adj Op Loss -18.1M (vs -11.9M)
… margin -24.5% (vs -23.7%)
Adj EPS -0.16 (flat)
FCF -33.6M (vs -22.1)
… margin -45% (vs -44%)
Empl 1200 +50%
Cash 645M
… 565M of that from IPO
Paid Custs 77K +26%

  • Custs >100K 475 +71%
    $NER 111%

Fool recap:…
Fool takeaways:…
CC transcript:…

Fastly Q419 (Feb’20):
Revenue 59M +44% ^^
Adj Op Loss -9M (vs -6M)
… margin -15.3% (vs -14.6%)
Adj EPS -0.10
Adj Gross Margin 57.6% +80bps
Enterprise custs 288
Enterprise avg spend 607K
$NER 136%
68 Points of Presence (global network)

  • CEO founder is moving to Chief Architect and Executive Chairman
  • President (for past 3yr) is moving to CEO and joining BoD

Fool recap:…
CC transcript:…

Cloudflare Q419 (Feb’20):
Revenue 83.9M +51% ^^
Gross Margins 78.7% +180bps
Adj Op Loss -18.3M (vs -15.9M)
… margin -21.8% (vs -28.7%) +690bps !!
Adj EPS -0.06 (vs -0.18)
Opex 84.3M +44%
FCF -23.5M
… margin -28% (vs -52%) +2400bps !!
Cash 636.9M
Empl 1270
Custs 2.6M +34%, +12% seq !!

  • Paid Custs 82K +22%, +8 seq
    – Custs >100K 550 +76% !!
    $NER 112.1% +160bps
  • announced Cloudflare for Teams (CfT)
  • acquired S2 Systems for remote browser isolation (to integrate into CfT)
  • opening new offices in Europe & Asia

CC transcript:…

[Side note - CEO tells a story on CC call of being a student and friend of Clay Christensen, author of Innovator’s Dilemma who just passed away.]

My stance: I like NET overall more than FSLY – larger revenue that is growing faster, way better gross margins, improving op & FCF margins. Add in that they are moving into new markets (increasing TAM hugely), and have a massive pool of untapped free customers. $NER is very muted however with NET, the only thing FSLY wins hands down. [They talked a bit about it in Q419 CC call Q&A if you want more detail. CFO stated he felt it was a lagging indicator.]

Q4 was a vast improvement for Fastly however, with growth jumping +1000bps in 1Q. I’m going to keep my eye on them. Fastly is having a switch-a-roo in the C-suite, which seemed to spook markets a bit, but the founder is staying around and refocusing on the customer’s needs.

It’s interesting how different the storyline is of these two direct competitors. Cloudflare has a massive pool of free users with a fraction that pay, but it gives them a huge sales funnel. Fastly seems to focus on having a customer base of fewer, larger enterprises, then keeps their annual spend rising (high $NER). I was ready to dismiss Fastly outright after reviewing Q3, but their just released earnings is starting to pique my interest. However, Cloudflare has a way richer product line, and is taking their platform to all new places.

Speaking of that, let’s walk-through why I am most interested… and what I believe is will be driving their accelerating growth.


[First two came out 1.5yr ago but vital to my story.]

Allows enterprises to hook their applications into Cloudflare edge network. Creates an encrypted tunnel between your web server and Cloudflare’s nearest data center, without opening any public inbound ports. Can create multiple tunnels for automated load balancing.

Zero-trust access to replace VPNs. Directly competes against Zscaler ZPA, Okta Access Gateway, and Google BeyondCorp. [This competition to Zscaler ZPA was unbeknownst to me until now.] Uses

  • Extends Cloudflare’s existing security platform.
  • Access a private network via Cloudflare’s edge network of 150+ (now 200+) data centers. Very akin to Zscaler’s network layout.
  • Basic tier at $3/user/mo, integrated with social identity providers like Facebook, Google and Github.
  • Premium tier at $5/user/mo for enterprise identity providers like Okta, OneLogin or GSuite.

Get all the benefit of Cloudflare’s SaaS network platform but extend it to your on-premise or data center networks. Protect entire enterprise network via software defined networking (SDN), with load balancing, advanced packet filtering, DDoS protection, next-gen firewall, traffic acceleration. Traffic originates on Cloudflare’s edge network, is inspected & then routed into on-prem network.

From CEO on Q419 CC call: A disturbing new trend we’re seeing is hackers targeting office networks and thereby paralyzing company. This is what happened to a Fortune 500 financial services firm last quarter. Like many similar firms, they use remote desktop software. Unfortunately, that meant when the hacker overwhelmed their office Internet connection, it shut down the ability for all their employees to get any work done. They turn to Cloudflare and our Magic Transit product to get back online. Magic Transit protected their infrastructure, without introducing latency.

WARP was introduced in April 2019 as a free consumer VPN mobile app, built on top of their (open DNS) app. WARP+ then extended it into a faster & more secure version, by leveraging Argo (virtual private backbone) to optimize routing and provide encryption edge-to-edge. It is a paid app w/ monthly subscription.

  • Acquisition: S2 System (Jan’20)…
    Remote browser isolation technology that went into Cloudflare Gateway (SWG side of Teams). [Zscaler acquired Appsulate for this in May '19.] 9 employees. CEO said in Q419 CC Q&A that they are normally averse to bolt-on acquisitions; they were going to partner with them but became great fit.

If you are curious on how remote browser isolation works, and why S2’s solution is best-of-breed, see this technical blog post on the acquisition:…

This is the exciting stuff. Cloudflare platform has been about securing network traffic to your resources (apps, websites, content). Now they are pivoting their platform to be able to secure ALL OF YOUR ENTERPRISE’S TRAFFIC.

  • runs on same global network as Enterprise products (CDN, Security)
  • fast, reliable, scalable
  • DDoS resistant
  • informed by the platform’s threat intelligence, supplemented with add’l sources from “leading security vendors” (see partners below)
  • built off & WARP+ VPN, with added malware scanning
  • both products have Good/Better/Best tiers
  • easy deployment - Access can be deployed in < 1hr, Gateway can be provisioned in minutes

“We’ve partnered with some incredible organizations to create the ecosystem around Cloudflare for Teams. These include endpoint security solutions including VMWare Carbon Black, Malwarebytes, and Tanium. SEIM and analytics solutions including Datadog, Sumo Logic, and Splunk. Identity platforms including Okta, OneLogin, and Ping Identity.”

If you want more technical details:

Cloudflare Access is Zero Trust (protect incoming traffic) [akin to Zscaler ZPA or Okta Access]

  • Access (free), Access Pro and Access Enterprise tiers
  • replaces VPNs with Cloudflare network
  • uses Argo Tunnel to connect
  • easily integrate on-prem, cloud, hybrid or multi-cloud resources
  • added new Access App Launch dashboard to manage user apps available…

Cloudflare Gateway is an SWG next-gen firewall (to protect outgoing traffic), with SSL introspection and remote browser isolation [akin to Zscaler ZIA]

  • Gateway (free), Gateway Pro, Gateway Enterprise tiers
  • all outbound traffic goes to Cloudflare edge network, placing Cloudflare between all requests
  • actively blocks potential malware and phishing sites, while also applying content filtering based on policies from admins
  • Pro ties into identity provider
  • Enterprise tier adds remote browser isolation (from the S2 Systems acquisition), data loss prevention, and ties into SIEM
  • provides deep packet inspection, SSL introspection, file type controls
  • in centralized locations, can utilize Magic Transit as interconnect to edge network, for simpler deployment

To show you how Cloudflare thinks about how Teams fits in to their overall platfrom, here is a great quote from CEO on Q419 CC call:

"We started Cloudflare to solve one-half of every IT organization’s fundamental challenge. How do you ensure the resources and infrastructure you expose to the Internet are fast, reliable and safe from attack? That’s what our performance, firewall, bot management, rate limiting, load balancing and many other infrastructure protection products are for. The world is moving away from hardware and software and instead need scalable cloud services that work everywhere in the world. That’s the trend behind all of what we do.

To that end, we built one of the world’s largest cloud networks. Today, the Cloudflare network spans 200 cities worldwide and is within less than 100 milliseconds of nearly everyone connected to the Internet. What’s powerful is that we built that network to be flexible, not just to power the original products received and not just to scale to meet the needs of any size organization but critically, to be easily extensible to new products over time. Last month, we announced Cloudflare for Teams to solve the other half of every IT organization’s challenge, ensuring that the people and teams within our organization can access the tools they need to do their job while staying safe from malware and other online threats."

CEO is thinking big here - extrapolating out that this could be half the company’s solution. Okay, maybe not 1/2 of revenue… he’s being a bit metaphorical. But Teams has to massively expand TAM (by a Zscaler amount), so I fully expect growth rates to rise as the “two halves” become whole.


Here is what I really like about Cloudflare, from a tech investor standpoint.

They built an enormous global network across 200 cities in 90 countries in order to have a giant edge network. This is to serve up web content closer to the users in those countries, so a user in Hong Kong is not traversing the Pacific back and forth to browse an US online store on a lonely web server hosted in a data center outside Las Vegas, NV - it’s instead served up by an edge server local to Hong Kong; the latency remains minimal and the web site stays highly responsive. Content Distribution Networks, like Akamai and Cloudflare, were set up across the globe in order to cache and distribute content to edge servers that are closer to every single potential user on the planet. Fast forward several years of honing their craft and becoming a very successful CDN and, subsequently (because the edge, aka the servers that users are first hitting), became quite advanced at DDoS protection against hostile bot nets. This core skill set became their core platform around security, performance and reliability.

However, after building that global edge network to distribute and secure content, they are finding many paths to exploit that core platform in new directions. The new products I expanded on above all build upon themselves. They keep building more and more features, and then THOSE additions start inter-combining into all new product lines and TAMs. WARP+ leverages the better routing in the enterprise platform to make it a subscription-based consumer app. Argo Tunnel got used to make Access (Zero Trust). They then pivoted directly into Zscaler’s wheelhouse by combining Access with a new product (Gateway) bolstered by a new acquisition (S2 Systems). Gateway can also utilize the new Magic Transit product to simplify interconnect.

And it ALL leverages that the traffic must go through the same core edge network. What else can this massive global network do? This company has serious optionality.


… this writer likes DDOG, NET and CRWD. Me too! Interesting to look at them all head-to-head. NET looks a bit paler against that the massive growth of the other two, but with 1/2 the market cap, better margins and well contained opex.

… “Roughly five percent to 10 percent of web traffic now goes through CloudFlare” (as of May 2018. Wonder what that is now?

If it’s anywhere near as successful as Cloudflare’s existing business, it could move a big chunk of corporate security from hardware boxes to the cloud and make Cloudflare even more integral to the internet… With the services provided by Teams, it will face new sets of rivals, including Cisco, McAfee, Palo Alto Networks, and San Jose-based Zscaler, whose approach is perhaps the most similar to Cloudflare’s."

long NET ~8%



Nice post as usual. Just a couple questions for you:

  1. If ZScaler’s sales cycle is long, why wouldn’t Net’s have the same issue?
  2. Since you are part of the FOOL, why did the FOOL choose FSLY for its CDN over Net?
  3. You seem to imply that from a functionality perspective and zero trust, ZS vs NET is mox nix? There are no performance differences between them??

This is an interesting background piece which also mentions ZS in passing…


A few more links worth exploring…

Comments on competitive positioning here

Cloudflare, Inc. 2019 Q4 - Results - Earnings Call Presentation $NET

Thanks muji.


Thanks for the great write up Muji.

CloudFlare has been on my watch list since IPO, but I haven’t pulled the trigger yet - I don’t yet understand the competitive landscape with companies like Fastly

I’ve been a very satisfied customer for quite a few years, however. They are very easy to start with with a Fremium offering, have a fantastic interface, and in a very natural way, without pushing, entice you into paid subscription. They have saved my bacon in my side business a number of times, when it became part of a DOD attack because I was just in the wrong place at the wrong time.

The question of course is how much all the the free customers cost them, and if they can convert to enough revenue. Also, I’d love to know why Fastly is growing so fast as well, what the competitive positioning is.


I noticed the difference between Cloudflare and Fastly’s gross margins as Muji pointed out.

There may be a reason for that as was pointed out to me in another forum.

From Cloudflare’s S1:

Sales and marketing expenses consist primarily of employee-related costs, including salaries, benefits, and stock-based compensation expense, sales commissions that are recognized as expenses over the period of benefit, marketing programs, certificate authority services costs for free customers, travel-related expenses, bandwidth and co-location costs for free customers, and allocated overhead costs

Instead of including the bolded costs as COGS that would hit gross margins, they include it as S&M expenses which would impact Operating Margins. In my opinion it is six of one and half of the other.

Operating margins would be the ultimate factor to consider.
Finally, I have no idea to what degree the costs above impact gross margins.

Just wanted to point this distinction out, and I’m appreciative of the person who informed me of it.



Steppenwulf, cloudflare says they have to have a lot of excess capacity in order to thwart DDOS attacks. Their free customers use this excess capacity so the free customers do not cost that much. The only reason this company is even in the CDN business is because their web application security business basically puts them in the CDN industry because they are putting their customers website on a proxy server. So in this regard they are very similar to ZS as they have their customers traffic flow on their servers. And most CDNs charge per data usage whereas Cloudflare charges a fixed cost. This is because they consider themselves first and foremost a security company and legacy security companies that Cloudflare competes with such as Barracuda, F5, and anyone else out there offering a WAF appliance sells them at fixed costs. So they felt their service and therefore CDN should be fixed prices regardless of data volume. This is disruptive to the CDN industry and it is also disruptive to the WAF appliance industry because cloudflare becomes 100% software SaaS based.

I wrote about cloudflare on here months ago but it got no interest. So glad to see muji writing about them now. I stopped following them in much detail after seeing so many complaints about their WARP service released in September. It was an impressive quarterly though.

Cloudflare should be seeing increased revenue growth though. Last year they began spending more heavily on S&M expense and their rev growth had been falling.


Its interesting that CloudFlare competes with both ZS and FSLY and they go through freemium model and upgrade customers… whereas both ZS and FSLY focus on large customers at the top of the market.

I guess all three of them have room to grow as market is quite large and they are disrupting existing players. NET has a more linear model for go to market, however, ZS may have better ability to generate cash…

Muji - one point I worry about NET is just too broad a product portfolio too early in the companys’ life cycle? just reminds me NTNX - getting de-focus while trying to do too much! Agree that they have may be cohesive product line and large freemium funnel, but still its hard to see a CDN sell relate to security sell… very different need and decision making process in large companies. CDN being fixed price and almost comes for free with security may be a good selling point in some cases but it may not be enough for large CDN customers on board, right?
Bottomline, NET profitability picture will look very different from FSLY or ZS.

Anyway, I for sure admire the way company is able to expand and sustain revenue growth at rapid pace.