As I continue to research Content Delivery Networks, I become less and less interested in Fastly as an investment. I am still looking into Cloudflare, an up and coming IPO.
This TechCrunch article talks a little about what is going on.
Bottom line is, Akamai is getting disrupted. What I am unsure of if Akamai’s misfortunes are all going to land in Fastly’s lap. The article says this:
Ernie Regalado, editor-in-chief of market research publication Bizety, says, “Edge security as a business model has taken off and it is the fastest growing segment in the industry. Companies like Cloudflare, Incapsula and Distil Networks are pushing to offer DDoS Mitigation, WAF and Bot Mitigation.” Window Snyder, chief security officer at Fastly, echoes the sentiment, “We see data / traffic patterns, understand vulnerabilities and can enhance edge security to further protect our customers in specific ways.”
In this classic innovator’s dilemma, the newcomers are able to start with a clean slate, while incumbents work from their position of strength. Fastly recently announced a $50 million funding round claiming a $100 million annual run rate. Yet Fastly could become slowly if another “edge CDN” StackPath continues down its war path. With 45 PoPs in 25 cities, StackPath has grown rapidly via five acquisitions, including MaxCDN and Highwinds, offering integrated acceleration and security.
James Leaverton, VP Ecosystem Development, StackPath, says, “Legacy CDNs are not ready for the shifts to online video and IoT. They have Frankenstein platforms — a user might have to log into a dozen different portals. They have aging infrastructures that were optimized for CDN, but not built to adapt or scale. That’s why companies like ours exist. The StackPath platform is an integrated response to a fragmented problem created by too many delivery and security solutions.”
So this is another sign of writing on the wall for Akamai, but in this article alone, another player is mentioned. StackPath.
StackPath had $157 million in revenue in 2017, ended the year at $200 million run rate. Fastly is not even doing that now. Some of that revenue was acquired. Organic growth rate was roughly 30% that year.
So while legacy CDN players are going to have to modernize, who benefits during the meantime is yet to be seen. Of all the players I have looked into, Cloudflare seems to be the most interesting.
Here is what I had to say about Cloudflare:
Cloudflare is the largest cloud-based Web Appliance Firewall vendor. Cloudflare protects websites from malware and hacking attacks such as DDOS. DDOS standing for Distributed Denial of Service. When a website is overloaded by hackers attacking it, they can shut a server down and make the website inoperable. The largest attack Cloudflare has seen is 600 Gbps,but can handle more. Cloudflare mitigates a DDoS attack every 3 minutes. Cloudflare’s network capacity is 15x bigger than the largest DDoS attack ever recorded. With 30 Tbps of capacity, it can handle any modern distributed attack, including those targeting DNS infrastructure. While Cloudflare may be the largest cloud-based Web Application Firewall vendor, it competes with other cloud based WAF vendors as well as legacy physical appliance vendors such as Barracuda Networks, Fortinet and F5 Networks. As we have seen with other security markets, there is a broad shift from appliance based to purely software, and more recently, cloud based.
Per the company’s S-1: "We believe our platform disrupts several large and well-established IT markets. The key markets that are addressed by our platform include VPN, internal and external firewalls, web security (including web application firewalls and content filtering), distributed denial of service (DDoS) prevention, intrusion detection and prevention, application delivery controls, content delivery networks, domain name systems, advanced threat prevention (ATP), and wide area network (WAN) technology. From our analysis based on IDC data, $31.6 billion was spent on those products in 2018, which is expected to grow to $47.1 billion in 2022, representing a compound annual growth rate of 10.5%. We also are actively developing new products to address adjacent markets including compute, storage, 5G, and Internet of Things (IoT) that are not included in the estimate of our addressable market. "
Much like Crowdstrike and Okta take advantage of their large userbase for cloud-based enterprise security, Cloudflare takes advantage of their leadership position in cloud based website security to recognize threats and protect other customers, thus giving them a networking effect. Today, approximately 10% of the Fortune 1,000 are paying Cloudflare customers. Additionally, across the broader Internet, approximately 10% of the top million, 17% of the top 100,000, and 18% of the top 10,000 websites use at least one product on their platform on a paid or free basis. Due to the nature of their business, they require excess capacity to prevent failures during DDOS attacks, which, in turn, allows them to offer their product free for limited feature customers with little overhead cost. Their financials have been impressive and showing strong, and most recently, accelerating revenue growth; Per the S-1: "We have experienced significant growth, with our revenue increasing from $84.8 million in 2016 to $134.9 million in 2017 and to $192.7 million in 2018, increases of 59% and 43%, respectively. As we continue to invest in our business, we have incurred net losses of $17.3 million, $10.7 million, and $87.2 million for 2016, 2017, and 2018, respectively. For the six months ended June 30, 2018 and 2019, our revenue increased from $87.1 million to $129.2 million, an increase of 48%, and we incurred net losses of $32.5 million and $36.8 million, respectively. "
The case for disruption is clear. Legacy security appliances are being phased out. As more websites move to the cloud, they need a cloud based security architecture, because, as Cloudflare says, there is literally no place for an appliance in the cloud. This is forcing a major architectural shift in how enterprises address security, performance, and reliability at the network layer. The functionality provided by companies such as Cisco Systems, Juniper Networks, F5 Networks, Check Point Software, Palo Alto Networks, FireEye, Riverbed Technology, and others is being elevated, abstracted, and unified into the cloud.
I highlighted some of what I felt was important in their S-1. I bill Cloudflare as a web security company, but, by extension, the nature of their business makes them direct competitors to Akamai, Fastly, and many other Contend Distribution Network providers, due to the fact they are controlling and directing traffic to your website via their global network of data centers. And they are doing so in a very cost efficient manner compared to other CDN providers. Akamai and AWS are therefore competitors, not just in the CDN arena, but they too offer security services. But not on the scale as Cloudflare. Cloudflare appears as a “contender” on the WAF Magic Quadrant. Imperva ranks in the top right, and while were bigger as of 2016, they were growing much slower and a legacy vendor now competing in the cloud arena. They have since been acquired by a private equity firm.
Another interesting feature of Cloudflare is their “Workers” network: https://developers.cloudflare.com/workers/ A way to develop code and use pre-built code to disburse onto their network. I’m not too knowledgeable about this yet but it seems to tie into making their CDN service differentiated and useful.
The Gartner Magic Quadrant for Web Applications Firewalls details pretty clearly that while Only roughly 10% of WAF is cloud based today, it’s expected to be roughly 30% by 2022. Incumbents are retrofitting their WAF to be cloud based and feature rich, but legacy code prevents them from fully taking advantage of the power the cloud has to offer.
I would say, despite all of this, Cloudflare does have alternatives. They aren’t in a league of their own like ZScaler. More like a Crowdstrike.