Cloudflare (NET) Deep Dive
How do enterprises ensure the resources and infrastructure they expose to the Internet are fast, reliable and safe from attack? Cloudflare.
Cloudflare is a recent IPO (Sept 13, 2019) that is a picks-and-shovels SaaS play, providing content & networking services to SaaS providers as well as enterprise web apps and sites. They are a leading cloud platform for managing the security and performance of resources on the Internet, and have become a top Content Delivery Network (CDN). They have built a vast global network to help deliver your content to your users as quickly, securely and reliably as possible. Their edge network spans 200 cities worldwide, putting 99% of the world’s internet users within immediate reach of their data centers (within 100ms). They also have built up security capabilities to stop large-scale DDoS attacks and, like CrowdStrike, have created their own threat intelligence system to monitor all the traffic in and out of their massive global network.
What is so exciting about Cloudflare is that they have now begun leveraging their global network platform into brand new directions, greatly increasing their TAM. The most exciting one was released last month as a beta – Cloudflare for Teams creates a dual-sided SWG + Zero Trust combination to secure both outgoing and incoming enterprise traffic. This assures an enterprise’s global user base can securely access external SaaS services as well as internal enterprise ones.
Sound familiar? It turns out Cloudflare is now a direct competitor to Zscaler. Given Zscaler’s rapid deceleration while Cloudflare accelerates, Cloudflare now has more revenue growth just from their existing cloud network platform (CDN and security), while their new product line – directly entering Zscaler’s turf! – is just getting started. This new product line, Cloudflare for Teams, is a carbon copy of Zscaler. Remember those 150+ data centers that gave Zscaler a moat? Well, Cloudflare has 200 access points into their global edge network. Within Teams, Cloudflare Gateway is equivalent to ZIA, and Cloudflare Access is their ZPA.
Bottom line excitement first: I now own an 8% position in NET. I foresee the existing revenue growth continuing just with their existing product line, but likely to increase further from here, as customers discover this new service. I think there is room for both NET and ZS to succeed in this space, but NET will be supplanting ZS in my portfolio. Primarily because they are way more multi-faceted of a company, not beholden JUST to the Zero Trust paradigm that traditionalists are slow to adopt. But also because their platform is easier to integrate, as they have 90% direct sales; Zscaler has a more difficult integration, requiring integration partners.
First let’s dig into Cloudflare’s product lines, then look at their S-1, product announcements and 2 earnings reports since they’ve IPO’d.
Global Anycast Network https://www.cloudflare.com/network/
Cloudflare’s network spans 200 cities in over 90 countries, with 8,000+ networks globally.
Global Cloud Platform https://www.cloudflare.com/enterprise/
“Cloudflare provides a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability for on-premises, hybrid, cloud, and SaaS applications.”
- Security: Cloud-based security platform to secure infrastructure, whether public or private cloud, on-premise, SaaS apps, or IoT. They learn from all free and paid users to improve security. They block 72B cyber-threats/day.
- Performance & Reliability: Improve app performance & reliability, to enhance visitor experience, raise conversions, and reduce churn.
Security: Web application firewall (WAF), DDoS protection, bot mgmt, IoT security, SSL, rate limiting, Zero Trust access, Web gateway (SWG)
Performance: Content Delivery (CDN), content optimization, mobile optimization, image optimization
Reliability: local edge routing (“Anycast”), virtual private backbone (private global network), smart routing (“Argo”, aka “Waze for the internet”), load balancing, managed DNS, caching
Developer tools: serverless workers, KV store, mobile SDK
Consumer tools: open DNS, VPN (“Warp”)
Platform ecosystem: Cloudflare has an integrated app store full of nearly 200 additional plugins you can enable in your Cloudflare account with a point-and-click. https://www.cloudflare.com/apps/
- Free = simple sites
- Pro $20/mo = pro sites needing basic security & performance
- Business $200/mo = adv security & performance, priority support
- Enterprise $?/mo = enterprise grade security & performance, emergency support
- 1.1.1.1: Open DNS https://1.1.1.1/ or https://one.one.one.one/ The internet’s fastest, privacy-first consumer DNS service https://blog.cloudflare.com/announcing-1111/
- WARP: VPN mobile app over 1.1.1.1 using Cloudflare’s network for better security and performance https://blog.cloudflare.com/1111-warp-better-vpn/
- Cloudflare for Campaigns: Helps political campaigns secure their websites https://www.cloudflare.com/campaigns/
- Workers: serverless edge computing https://workers.cloudflare.com/
Deploy serverless code across their entire edge network for ultimate performance and reliability.
- High performance global network
- Automatic scaling
- Affordable - first 100k daily requests free, then $5/10M after that
- Workers KV: Key/value store (akin to Redis) for data storage in edge computing
- Sites: Store static assets in edge network
- Mobile SDK: Network diag tools for mobile app monitoring
- Cloudflare Spectrum: Extends its security platform to work with non web-based networking protocols (email, FTP, SSH, or specialized TCP/UDP traffic like game protocols). Can add encryption to legacy protocols, at least from edge-to-edge on their platform. https://www.cloudflare.com/products/cloudflare-spectrum/
- Argo Tunnel: Creates a secure tunnel from any service to Cloudflare platform. https://www.cloudflare.com/products/argo-tunnel/
- Magic Transit: Extend enterprise Cloudflare features to on-premise networks. https://www.cloudflare.com/magic-transit/
S-1 Breakdown (Aug’19): https://medium.com/@alexfclayton/cloudflare-ipo-s-1-breakdow…
- 2M custs, 75k paying
- 20M internet properties
- 1069 empl
“Cloudflare is the leading cloud-first CDN and network services provider and has major trends moving in their favor — the move to cloud infrastructure and the increased need for secure and performant applications & websites. They also have a fairly efficient business and are ~40% bigger (and growing slightly faster) than their nearest competitor, Fastly, on an LTM-revenue basis.”
Revenue 1H19 129.2M +48%
Adj op margin -27%
- Paid Custs 75K +33%
– Custs >100K 408 +70%
- Revenue growth accelerating last 4Qs.
- Margins in high 70s.
- Investing more in sales team, showing up in 70% growth in >100K custs.
- 70% of enterprise custs use 4+ products
- Int’l is 52% of rev
- Free and monthly sub tiers are self-serve, user can implement in minutes
- Enterprise tier sold 91% direct and 9% through channel partners
* Heavily used free tier also gives a sales funnel that is easy to tap in to
- Sales cycle for Enterprise tier is <3mo, which turn into 1-3yr contract billed monthly
- 100 patents, 60 pending
- Does NOT sell user data, nor compete w/ custs (the biggest knock on AWS)
- Markets: CDN, WAN, VPN, firewalls, web security, DDoS protection, intrusion detection and prevention, adv threat detection, Zero Trust
- TAM 31.6B in 2018, rising to 47.1B in 2022
- Just entered Zero Trust & SWG market, competing with Zscaler
- Are developing new products for compute, storage, 5G and IoT markets (per S-1) - so more TAM expansion likely
Enterprise Customers: Marketo, DigitalOcean, Discord, IBM, Thomson Reuters, Zendesk
Serverless Customers: Discord, NPM, Timely, Optimizely
- CDN: Akamai, Fastly, AWS, Azure, GCP, Rackspace
- DDoS: Akamai, Fastly, Imperva, Oracle (Dyn), F5
- WAF: Imperva, Akamai, Fastly, Fortinet, F5, AWS, Azure, GCP
- Security: Cisco, FireEye, Palo Alto, Juniper
- Zero Trust: Zscaler, Okta, Cisco, Akamai, Palo Alto, Symantec (Luminate)
- SWG: Zscaler, Cisco, McAfee, Symantec, Barracuda
Gartner MQ 2019 for WAF - Cloudflare is top challenger: https://www.cloudflare.com/gartner-mq-waf-2019/
Gartner customer reviews:
- WAF: https://www.gartner.com/reviews/market/web-application-firew…
- CDN: https://www.gartner.com/reviews/market/cdn-services/vendor/c…
- DDoS: https://www.gartner.com/reviews/market/ddos-mitigation-servi…
- App Economy
- Cloud computing
- Edge computing
- Zero Trust
HEAD TO HEAD vs FASTLY
Fastly is a direct competitor in the edge cloud space (CDN + DDoS protection). They IPO’d 5mo earlier, in May 2019.
Fastly Q319 (Nov’19):
Revenue 50M +34%
Gross Margin 56.1% +130bps
Adj Op Loss -9M
… margin -18%
Adj EPS -0.09
Enterprise custs 274 +35%
Enterprise avg spend 575K
66 Points of Presence (global network)
- announced Compute@Edge edge computing environ, in beta
Fool recap: https://www.fool.com/investing/2019/08/09/why-fastly-stock-p…
CC transcript: https://www.fool.com/earnings/call-transcripts/2019/11/08/fa…
Cloudflare Q319 (Nov’19):
Revenue 73.9M +48%
Gross Margin 78.9% +92bps
Adj Op Loss -18.1M (vs -11.9M)
… margin -24.5% (vs -23.7%)
Adj EPS -0.16 (flat)
FCF -33.6M (vs -22.1)
… margin -45% (vs -44%)
Empl 1200 +50%
… 565M of that from IPO
Paid Custs 77K +26%
- Custs >100K 475 +71%
Fool recap: https://www.fool.com/premium/coverage/investing/2019/11/16/c…
Fool takeaways: https://www.fool.com/investing/2019/11/13/3-big-takeaways-fr…
CC transcript: https://www.fool.com/earnings/call-transcripts/2019/11/08/cl…
Fastly Q419 (Feb’20):
Revenue 59M +44% ^^
Adj Op Loss -9M (vs -6M)
… margin -15.3% (vs -14.6%)
Adj EPS -0.10
Adj Gross Margin 57.6% +80bps
Enterprise custs 288
Enterprise avg spend 607K
68 Points of Presence (global network)
- CEO founder is moving to Chief Architect and Executive Chairman
- President (for past 3yr) is moving to CEO and joining BoD
Fool recap: https://www.fool.com/investing/2020/02/21/why-fastly-stock-d…
CC transcript: https://www.fool.com/earnings/call-transcripts/2020/02/21/fa…
Cloudflare Q419 (Feb’20):
Revenue 83.9M +51% ^^
Gross Margins 78.7% +180bps
Adj Op Loss -18.3M (vs -15.9M)
… margin -21.8% (vs -28.7%) +690bps !!
Adj EPS -0.06 (vs -0.18)
Opex 84.3M +44%
… margin -28% (vs -52%) +2400bps !!
Custs 2.6M +34%, +12% seq !!
- Paid Custs 82K +22%, +8 seq
– Custs >100K 550 +76% !!
$NER 112.1% +160bps
- announced Cloudflare for Teams (CfT)
- acquired S2 Systems for remote browser isolation (to integrate into CfT)
- opening new offices in Europe & Asia
CC transcript: https://www.fool.com/earnings/call-transcripts/2020/02/14/cl…
[Side note - CEO tells a story on CC call of being a student and friend of Clay Christensen, author of Innovator’s Dilemma who just passed away.]
My stance: I like NET overall more than FSLY – larger revenue that is growing faster, way better gross margins, improving op & FCF margins. Add in that they are moving into new markets (increasing TAM hugely), and have a massive pool of untapped free customers. $NER is very muted however with NET, the only thing FSLY wins hands down. [They talked a bit about it in Q419 CC call Q&A if you want more detail. CFO stated he felt it was a lagging indicator.]
Q4 was a vast improvement for Fastly however, with growth jumping +1000bps in 1Q. I’m going to keep my eye on them. Fastly is having a switch-a-roo in the C-suite, which seemed to spook markets a bit, but the founder is staying around and refocusing on the customer’s needs.
It’s interesting how different the storyline is of these two direct competitors. Cloudflare has a massive pool of free users with a fraction that pay, but it gives them a huge sales funnel. Fastly seems to focus on having a customer base of fewer, larger enterprises, then keeps their annual spend rising (high $NER). I was ready to dismiss Fastly outright after reviewing Q3, but their just released earnings is starting to pique my interest. However, Cloudflare has a way richer product line, and is taking their platform to all new places.
Speaking of that, let’s walk through why I am most interested… and what I believe will be driving their accelerating growth.
[First two came out 1.5yr ago but vital to my story.]
- New product: Argo Tunnel (Jun’18) https://blog.cloudflare.com/argo-tunnels-spread-the-load/
Allows enterprises to hook their applications into Cloudflare edge network. Creates an encrypted tunnel between your web server and Cloudflare’s nearest data center, without opening any public inbound ports. Can create multiple tunnels for automated load balancing.
- New product: Cloudflare Access (Aug’18) https://blog.cloudflare.com/cloudflare-access-now-teams-of-a…
Zero-trust access to replace VPNs. Directly competes against Zscaler ZPA, Okta Access Gateway, and Google BeyondCorp. [This competition to Zscaler ZPA was unbeknownst to me until now.] Uses
- Extends Cloudflare’s existing security platform.
- Access a private network via Cloudflare’s edge network of 150+ (now 200+) data centers. Very akin to Zscaler’s network layout.
- Basic tier at $3/user/mo, integrated with social identity providers like Facebook, Google and Github.
- Premium tier at $5/user/mo for enterprise identity providers like Okta, OneLogin or GSuite.
- New product: Magic Transit (Aug’19) https://blog.cloudflare.com/magic-transit/
Get all the benefit of Cloudflare’s SaaS network platform but extend it to your on-premise or data center networks. Protect entire enterprise network via software defined networking (SDN), with load balancing, advanced packet filtering, DDoS protection, next-gen firewall, traffic acceleration. Traffic originates on Cloudflare’s edge network, is inspected & then routed into on-prem network.
From CEO on Q419 CC call: A disturbing new trend we’re seeing is hackers targeting office networks and thereby paralyzing the company. This is what happened to a Fortune 500 financial services firm last quarter. Like many similar firms, they use remote desktop software. Unfortunately, that meant when the hacker overwhelmed their office Internet connection, it shut down the ability for all their employees to get any work done. They turned to Cloudflare and our Magic Transit product to get back online. Magic Transit protected their infrastructure, without introducing latency.
- New product: WARP & WARP+ consumer VPNs (Sep’19) https://blog.cloudflare.com/announcing-warp-plus/
WARP was introduced in April 2019 as a free consumer VPN mobile app, built on top of their 1.1.1.1 (open DNS) app. WARP+ then extended it into a faster & more secure version, by leveraging Argo (virtual private backbone) to optimize routing and provide encryption edge-to-edge. It is a paid app w/ monthly subscription.
- Acquisition: S2 Systems (Jan’20) https://techcrunch.com/2020/01/07/cloudflare-acquires-stealt…
Remote browser isolation technology that went into Cloudflare Gateway (SWG side of Teams). [Zscaler acquired Appsulate for this in May '19.] 9 employees. CEO said in Q419 CC Q&A that they are normally averse to bolt-on acquisitions; they were going to partner with them but they became a great fit.
If you are curious on how remote browser isolation works, and why S2’s solution is best-of-breed, see this technical blog post on the acquisition: https://blog.cloudflare.com/cloudflare-and-remote-browser-is…
- New product: Cloudflare for Teams (Jan’20, now in beta) https://blog.cloudflare.com/introducing-cloudflare-for-teams…
This is the exciting stuff. Cloudflare platform has been about securing network traffic to your resources (apps, websites, content). Now they are pivoting their platform to be able to secure ALL OF YOUR ENTERPRISE’S TRAFFIC.
- runs on same global network as Enterprise products (CDN, Security)
- fast, reliable, scalable
- DDoS resistant
- informed by the platform’s threat intelligence, supplemented with add’l sources from “leading security vendors” (see partners below)
- built off 1.1.1.1 & WARP+ VPN, with added malware scanning
- both products have Good/Better/Best tiers
- easy deployment - Access can be deployed in < 1hr, Gateway can be provisioned in minutes
“We’ve partnered with some incredible organizations to create the ecosystem around Cloudflare for Teams. These include endpoint security solutions including VMWare Carbon Black, Malwarebytes, and Tanium. SIEM and analytics solutions including Datadog, Sumo Logic, and Splunk. Identity platforms including Okta, OneLogin, and Ping Identity.”
If you want more technical details: https://blog.cloudflare.com/cloudflare-for-teams-products/
Cloudflare Access is Zero Trust (protect incoming traffic) [akin to Zscaler ZPA or Okta Access] https://teams.cloudflare.com/access/
- Access (free), Access Pro and Access Enterprise tiers
- replaces VPNs with Cloudflare network
- uses Argo Tunnel to connect
- easily integrate on-prem, cloud, hybrid or multi-cloud resources
- added new Access App Launch dashboard to manage user apps available https://blog.cloudflare.com/announcing-the-cloudflare-access…
Cloudflare Gateway is an SWG next-gen firewall (to protect outgoing traffic), with SSL introspection and remote browser isolation [akin to Zscaler ZIA] https://teams.cloudflare.com/gateway/
- Gateway (free), Gateway Pro, Gateway Enterprise tiers
- all outbound traffic goes to Cloudflare edge network, placing Cloudflare between all requests
- actively blocks potential malware and phishing sites, while also applying content filtering based on policies from admins
- Pro ties into identity provider
- Enterprise tier adds remote browser isolation (from the S2 Systems acquisition), data loss prevention, and ties into SIEM
- provides deep packet inspection, SSL introspection, file type controls
- in centralized locations, can utilize Magic Transit as interconnect to edge network, for simpler deployment
To show you how Cloudflare thinks about how Teams fits into their overall platform, here is a great quote from CEO on Q419 CC call:
"We started Cloudflare to solve one-half of every IT organization’s fundamental challenge. How do you ensure the resources and infrastructure you expose to the Internet are fast, reliable and safe from attack? That’s what our performance, firewall, bot management, rate limiting, load balancing and many other infrastructure protection products are for. The world is moving away from hardware and software and instead need scalable cloud services that work everywhere in the world. That’s the trend behind all of what we do.
To that end, we built one of the world’s largest cloud networks. Today, the Cloudflare network spans 200 cities worldwide and is within less than 100 milliseconds of nearly everyone connected to the Internet. What’s powerful is that we built that network to be flexible, not just to power the original products received and not just to scale to meet the needs of any size organization but critically, to be easily extensible to new products over time. Last month, we announced Cloudflare for Teams to solve the other half of every IT organization’s challenge, ensuring that the people and teams within our organization can access the tools they need to do their job while staying safe from malware and other online threats."
CEO is thinking big here - extrapolating out that this could be half the company’s solution. Okay, maybe not 1/2 of revenue… he’s being a bit metaphorical. But Teams has to massively expand TAM (by a Zscaler amount), so I fully expect growth rates to rise as the “two halves” become whole.
Here is what I really like about Cloudflare, from a tech investor standpoint.
They built an enormous global network across 200 cities in 90 countries in order to have a giant edge network. This is to serve up web content closer to the users in those countries, so a user in Hong Kong is not traversing the Pacific back and forth to browse a US online store on a lonely web server hosted in a data center outside Las Vegas, NV - it’s instead served up by an edge server local to Hong Kong; the latency remains minimal and the web site stays highly responsive. Content Distribution Networks, like Akamai and Cloudflare, were set up across the globe in order to cache and distribute content to edge servers that are closer to every single potential user on the planet. Fast forward several years of honing their craft and becoming a very successful CDN, and they subsequently (because they run the edge, aka the servers that users hit first) became quite advanced at DDoS protection against hostile botnets. This core skill set became their core platform around security, performance and reliability.
However, after building that global edge network to distribute and secure content, they are finding many paths to exploit that core platform in new directions. The new products I expanded on above all build upon themselves. They keep building more and more features, and then THOSE additions start inter-combining into all new product lines and TAMs. WARP+ leverages the better routing in the enterprise platform to make it a subscription-based consumer app. Argo Tunnel got used to make Access (Zero Trust). They then pivoted directly into Zscaler’s wheelhouse by combining Access with a new product (Gateway) bolstered by a new acquisition (S2 Systems). Gateway can also utilize the new Magic Transit product to simplify interconnect.
And it ALL leverages that the traffic must go through the same core edge network. What else can this massive global network do? This company has serious optionality.
- 3 Recent IPOs to Watch in 2020
… this writer likes DDOG, NET and CRWD. Me too! Interesting to look at them all head-to-head. NET looks a bit paler against the massive growth of the other two, but with 1/2 the market cap, better margins and well contained opex.
- Wire article on Cloudflare Spectrum (security over non-web protocols)
… “Roughly five percent to 10 percent of web traffic now goes through CloudFlare” (as of May 2018). Wonder what that is now?
- OneZero blog post on Cloudflare for Teams
“If it’s anywhere near as successful as Cloudflare’s existing business, it could move a big chunk of corporate security from hardware boxes to the cloud and make Cloudflare even more integral to the internet… With the services provided by Teams, it will face new sets of rivals, including Cisco, McAfee, Palo Alto Networks, and San Jose-based Zscaler, whose approach is perhaps the most similar to Cloudflare’s.”
long NET ~8%