Acts of Cloudflare: Its Evolution Toward Becoming An Enterprise Platform
Exploring Cloudflare's ambitions across application services, enterprise networking, cybersecurity, and developer infrastructure
Folks,
We’re peeking into Cloudflare! This is a company with a fair share of fervent followers but also invokes Ire divide on Wall Street. Cloudflare has consistently ranked as the most-valued public software company (on a revenue multiple), along with Snowflake and Datadog. It has consistently ranked high, Top 5, using any SaaS framework like Clouded judgement or Meritech comps table, even during the macro meltdown in SaaS. Why has it commanded such a premium valuation for so long? This piece aims at exploring these reasons from a neutral view. The more I dug, the more I thought it was necessary to go deeper.
If you only have 5 minutes today, I’ll recommend reading the Actionable Insights and the Acts key takeaways within each major sub-heading. Thanks for reading.
🚨 Quick Announcement 🚨
Exciting News for Cybersecurity Operators or Investors:
Ex. Morgan Stanley Wall Street Analyst Thomas Robb and myself, are happy to announce our second inaugural Cybersecurity + SaaS Modelling bootcamp.
Cybersecurity Industry Breakdown: Are you a professional who wants to understand the complex cybersecurity industry in a simplistic framework? We’ve built a bootcamp that explains these technologies and explores the key security players like Crowdstrike, Palo Alto Networks and many startups.
Software Modeling Foundations: Are you a professional who wants to get better at SaaS financials and analyzing software companies like Snowflake, Datadog and more? The bootcamp also delves into building a SaaS financial model, differentiating between bookings vs. billings, SaaS FCF, and more.
Full details are here: Cybersecurity & SaaS Modelling Bootcamp.
To receive monthly write-ups on cybersecurity and data infra co’s, join the newsletter:
Acts of Cloudflare: Actionable Insights:
Horizontal enterprise platforms: Over the last decade, we’ve witnessed the rise of Gen 3 (Eric Vrishia), cloud-native enterprise platforms built around a core horizontal, such as Crowdstrike (security), Datadog (Observability), MongoDB (databases) or, Snowflake (data warehouses). However, many struggle to label Cloudflare as a platform in the right category. Is it a security player or the next cloud? or increasingly, are they yet a platform?
Why is Cloudflare expensive? Cloudflare is one of the most controversial names on Wall Street because of its valuation. Using SaaS benchmarks like Clouded Judgement; they trade at a premium relative to many software companies (it’s been in the top 10 of the most expensive SaaS companies 100% of the time over the past 2-yrs. Often ranking #2. Only Datadog and Snowflake come close). It often gets a higher valuation than companies growing faster and more profitable. What do investors see in the Cloudflare story?
20% of the internet runs on Cloudflare: In 2010, Matt Prince, Lee Holloway, and Michelle founded Cloudflare with the objective of building a better internet, which translated into improving website performance, reliability, and security. They made a critical decision to invest in building hardware servers around the world to create a network to power those websites. That decision has led to them owning almost a quarter of the internet and led to their current product velocity.
Acts of Cloudflare: The company has increasingly become complex as it now has 50+ products across over 10 technology sub-industries. Their evolution from 2010 to 2023 can be broken down into three acts:
Act 1, Application services (2010-Present). It covers all the services they offer to protect and optimize customers’ websites and apps.
Act 2, Networking and zero-trust security (2020-Present). This refers to all the services they use to connect and protect a company’s internet-facing network, employees, and cloud-hosted SaaS applications.
Act 3, Developer and AI services (2022-Present). This refers to all the software development infrastructure they provide for building, deploying, and scaling applications globally.
Challenges becoming enterprise scale: Historically, Cloudflare sold to developers. It developed a successful PLG freemium and bottoms-up GTM. However, over the past 3-yrs, they’ve built newer products with the potential to become an overarching enterprise networking, security, and software infrastructure platform for the largest enterprises. This flips the switch, requiring a top-down GTM strategy and re-architecting of their sales team.
GTM challenges ahead: They are currently facing several challenges around restructuring their Go-To-Market (GTM) org. Their remarkable product cadence (50+) has created a selling problem. They need to resolve the recent GTM team turnover, productivity, and alignment issues as of Q1 2023 call.
Previous Reports: In 2021, I actually wrote a smaller deep dive comparing Cloudflare's advantages against Fastly. Remarkable how things aged quickly.
Summary of this piece: To summarize everything in a few words. Cloudflare has developed a superior architecture that gives them huge platform potential for the largest enterprises, but they have a lot of work to restructure their GTM org to align their 50+ products (many in early stages) into a cohesive platform story. The speed at which they can solve these problems will determine their success over the next few years.
Outline for This Piece:
[Feel free to open in your browser to help you navigate through this piece easily]
Understanding Cloudflare’s Network
Acts of Cloudflare:
Act 1: Application Services
Act 2: Network Services Security Services
Act 3: Developer & AI Services
Platform Challenges
Financial & Customer Overview
Summary
Understanding Cloudflare's Network (The Secret Sauce):
In a podcast with Kleiner Perkins, Michelle Zatlyn, Co-founder & COO, talked about the fact that in 2010 at the onset of the cloud, they made the conscious decision to invest in building out a global network across the world, knowing that it would require significant capital expenditure into hardware resources. This ran counter to those days when companies were building on AWS, and we saw the rise of cloud/mobile companies. It also meant they didn’t grow as quickly in the early days, as it has served them well now.
The key to understanding Cloudflare’s story and product lines begins by understanding its network. I looked at their past 3 earnings call and investor conferences, and the word “network” was the most used word after the obvious “AI”. On their recent investor day, it was mentioned 127 times. Whenever the leaders are asked questions about the company’s competitive advantage, either on the top or bottom line, they constantly refer to the network. So, what is this network?
Let’s go back to where we started. Cloudflare started as a platform to secure and boost web apps. This translates into enhancing shopping websites like Shopify, so customers get a fast-shopping experience or the MLB, to enhance sports streaming. So, how do they make these experiences possible?
In their early days, Cloudflare built out a network of “supercomputers” - servers, mini-data centers, and Points of Presence (PoPs) located in 300+ cities around the world. This commodity hardware was built on Intel & AMD chips to run only proprietary Cloudflare software. The decision to build these servers beyond the US, but within distant places like Pakistan, Rwanda, China and across the globe was a smart choice.
Understanding the role of a PoP is central to understanding Cloudflare’s architecture and network.
💡 What is a PoP?
A "Point of Presence" - PoP location refers to a data center or smaller network access point device like routers where a network provider uses to provide connectivity to their network. These PoP are small and are placed at strategic geographic locations to optimize internet traffic, improve network performance and reduce latency. Internet service providers (ISPs), content delivery networks (CDNs), and telco network providers use these PoPs to interconnect with one another and provide faster connectivity for their customers.
As a result of the infrastructure built out globally, they are within 50ms of 95% of the world’s population which gives them a big advantage. They have over 12,000 networks across 100+ countries directly connected to them, including ISPs, and cloud providers. They have a single, intelligent network that routes traffic across their PoPs and to users' devices. This enables Cloudflare to roll out updates quickly and leverage the entire network surface to balance supply and demand while also dynamically prioritizing high-paying customers and serving free customers with excess capacity. Many of the benefits of this extensive network can be read here.
Cloudflare Was Built on Edge Networks:
The nature of Cloudflare was built around an edge network. Formally, an Edge network is a distributed network that leverages a PoP architecture to bring computing resources and services closer to end-users. Edge computing aims to reduce latency and improve performance by processing data and running applications closer to the source of data generation (the end-user). Historically (and in many cases today), data processing and computing were centralized in data centers or cloud hyperscaler servers located far away from end users. This led to higher latency, especially for apps that required real-time responses like video streaming.
When you and I visit a website or use an online app (powered by Cloudflare or edge networks like Akamai, Fastly, or Limelight), we send a request, and this request travels through the internet and hits these servers. The closer the servers you make your website request from, the faster and more performant your website or experience feels. Imagine someone from Rwanda having to watch a soccer game, but whenever they make a web request, it has to go to the US and back. Edge computing eliminates this roundtrip. Additionally, an Edge network complements an existing cloud infrastructure in its architecture and delivery. Cloudflare runs on this paradigm.
Competitive Advantage of this Network (And Architecture):
Cloudflare runs 20% of the internet - providing scale and data advantage: This means that almost 20% of the most popular websites on the Internet have Cloudflare’s reverse proxy in front of them. No other commercial competitor is close. The company provided many of their earlier services for free or extremely cheap to attract developers to use its product and network. This has led to a feedback loop whereby as more developers use its network, it becomes better (and they get to gather data on how customers utilize their network). The added feedback loop is that Cloudflare becomes a more attractive partner to the Internet service providers (ISPs) since many of these ISPs want to reduce their need to backhaul traffic over long distances; it leads to favourable terms on bandwidth and co-location costs for Cloudflare.
Network effects on Networking: Cloudflare benefits from a ‘network’ networking effect (no pun intended). It’s PoPs were built to route traffic efficiently to different physical locations and individual machines as a single network. Every time a new server or location is added to the Cloudflare network, the entire network performance improves because it serves as an extra hub for Cloudflare to route its traffic. Hence, being located in 300+ cities allow them to serve clients in any region quickly. Additionally, if one PoP or DC experiences issues or unavailability, traffic can be re-routed nearby, thereby minimizing outages.
Product cadence and experiments at a lower cost: Since the company is built around its own infrastructure and network, it allows them to experiment on products or services without as much cost to the hyperscalers (compared to the typical SaaS company whose gross margins are paid to the hyperscalers on compute/storage). They operate most of their co-location facilities and network and manage bandwidth costs. Additionally, they’ve built a culture for rapid product cadence and moving into new markets leveraging this network advantage.
Serverless modularity & optionality: The nature of their network allows them to leverage their existing distributed infrastructure in new ways, such as leveraging excess compute for Workers and excess storage for R2.
Faster online experiences: Cloudflare can serve content and process user requests from anywhere in the world. Since they have servers in almost 300+ cities, close to 95% of the world, this reduces the physical distance data must travel for any company using Cloudflare. Thereby resulting in lower latency, redundancy and lower fault tolerance. All of which lead to faster response and load times for web applications.
The network enables caching and faster global content delivery: Caching simply refers to the ability of a server or website to make “photocopies” of frequently accessed content from websites like images, videos and files. Cloudflare leverages its widespread network to cache and distribute content closer to end-users. It does this well because caching reduces the load on the origin servers, thereby making websites load faster.
Web traffic load balancing and optimization: Cloudflare can efficiently balance and optimize traffic across its global network, ensuring even distribution of requests and resource utilization. This dynamic traffic management improves overall network efficiency and prevents performance bottlenecks.
Data Localization: Cloudflare's global presence enables it to comply with local data protection laws and regulations in different countries. Data can be stored and processed in compliance with regional requirements, providing customers with a reliable and compliant service. The network rules and controls allow customers to set the network edge where data is stored and protected, making data localization management possible.
In summary, Cloudflare runs and operates its entire network primarily on its own infrastructure. All services and products run on hosts in all their data centers and PoPs globally. This architecture allows product optionality and builds a long-term competitive advantage. The nature of their network is what allows them to build a wide variety of services across multiple acts - from cybersecurity all the way to developer infrastructure or services for AI companies. Many of which I uncover below.
Act 1 - Application Services:
The goal of Act 1 was to create a platform for developers to create web apps that scaled across the globe and ensure they could protect those apps from attackers. Their early goals were focused on ensuring that the day-to-day developers or SMB got the best website performance, reliability, and security.
Cloudflare’s role on the internet:
After a developer creates an application either hosted on a company’s data center or on the cloud, Cloudflare has a wide variety of services within their global network (highlighted below) that act as intermediaries to enhance and secure websites so the user has a good web experience.
Application Performance & Reliability:
Cloudflare started as a content delivery network (CDN) to make websites faster and guarantee web reliability through all the services listed here. CDNs are geographically distributed networks of proxy servers and data centers that work together to ensure a customer gets the best web experience (e.g. streaming services or shopping apps). They provide the following core services:
Performance: Making websites faster through their Content delivery network (CDN) services, content & image optimization, and routing.
Reliability: Making websites reliable and improving uptime through load balancing/dynamically distributing web traffic, Domain name service (DNS) services and caching/website waiting room.
💡 Real world example: When you and I click on a website by entering a URL / domain name (e.g., www.substack.com) into their web browsers. Devices like laptops, phones, and servers communicate with each other via a series of numbers known as internet protocol (IP) addresses. DNS converts domain names into unique IP addresses, enabling users and computers to effectively communicate with each other to load webpages. Cloudflare handles this web traffic to make it smooth as well as protects you against attacks.
Web Application Security:
From its early days, Cloudflare provided basic but important security services for developers. They offer Distributed Denial of Service (DDoS) protection, bot management, and Web Application Firewall (WAF). These services are often offered to developers for free or much cheaper compared to the cost they would need to spend on a platform like Akamai or F5 Networks. Additionally, they provide a WAF that sits between a user and an app to protect against attackers.
DDoS protection: One of Cloudflare’s strengths in web security is its DDoS protection which aims to prevent attackers from flooding a system with harmful requests. Cloudflare's multiple PoPs allow them to distribute the load of DDoS attacks across their network when attackers hit a customer. Their ability to filter malicious traffic at the edge makes Cloudflare more effective at mitigating DDoS attacks and makes it harder for attackers to overwhelm a single data center.
Act 1 - Key takeaway:
Cloudflare has over 20+ products in this category. However, these are the top ones to monitor that could create monetizable opportunities. They recently expanded into Cloudflare email security (through the acquisition of Area 1 Security), Cloudflare threat intelligence security, API management, and data localization/compliance (Allows them to handle the pain for customers that want to keep data in their local area but serve products globally). They specifically highlighted data localization and API as becoming more priority. Primarily because 80% of global online traffic is through APIs, and over 50% of Cloudflare traffic is API driven.
Cloudflare made critical decisions early on in Act 1 that served them well. They offered many of these Act 1 services at a freemium cost and attracted millions of developers to use their product (4+ million as of 2021, Stifel). This has led to a huge data advantage and flywheel effect to see a significant amount of internet traffic on their network. This has further led to better products based on well-trained AI models. Their customer diversity across the globe (47% of revenue is international) allows them better network performance and to pass on cost efficiencies to customers. According to the IDC’s CDN Market share, they still have a 6% market share compared to 33% for Akamai. If can educate the market on the benefits of their architecture, they would hope to capture more green space over the next few years as the CDN space grows over 10% over the next 3-5 yrs.
Act 2 - Enterprise Networking and Security (SASE)
Cloudflare has two ambitions for Act 2. First, to become the core networking infrastructure for companies (similar to what Cisco does). Secondly, to provide security and protection layers for these large enterprises.
As previously discussed, Cloudflare developed its global network to improve web application experiences. Importantly, most of the infrastructure they built out allows enables them also to provide enterprise networking services and network security. Over recent years, they’ve had to build out more functionalities to make this enterprise mature and ready. Cloudflare has two advantages that might make them successful in Act 2. First, their proprietary global private network. Secondly, leveraging software-defined networking architecture, which they built upon early on.
Software-Defined Networking (SDN) and Wireless Area Network (WAN) Architecture: Cloudflare’s platform was built around an SDN and WAN architecture; this is an architecture that centralizes network traffic control. In the past, network administrators had to manually configure each device, which was time-consuming, error-prone and relied upon hardware cables. However, SDN introduced a way to separate the control and data planes (the brain), creating a central point for network flow control which decides the best path for network traffic. This makes enterprise internet performance much faster and cheaper.
Cloudflare’s Global Private Network vs. Internet: Cloudflare’s global network (discussed earlier) gives companies a private tunnel or backbone to manage traffic end-to-end on a secure network. Companies use Cloudflare's magic transit and network interconnect rather than relying on the public internet.
Cloudflare’s Enterprise Networking Services:
The core premise around Cloudfare’s networking services is to provide solutions that allow enterprises to purchase networking-as-a-service and reduce spend on existing network hardware. Branch locations (e.g. banks or international conglomerates with extension offices) that demand greater network capacity and bandwidth have historically depended on legacy players like Cisco or Juniper network boxes.
Enter Cloudflare’s networking services. They were built on Software-defined WAN (SD-WAN) networks, which virtualizes a network, removing the intelligence from past networking hardware (like private MPLS systems) into a more programmable software that runs entirely on Cloudflare and public broadband internet connections (like 5G, LTE) to enable employees to access the internet faster. This provides greater bandwidth at significantly reduced costs, as broadband internet is cheaper than MPLS. Importantly, Cloudflare’s WAN offerings route traffic and connect branches with data centers for on-premise apps (if needed), and it can bypass the corporate network when people need to access cloud-based apps. This prevents backhauling traffic to a company’s HQ data center, which slows down web performance, especially if you’re a remote employee. Most of these services through the following:
Cloudflare Magic Wireless Area Network (WAN): This is their core WAN-as-a-service that enables enterprises replace legacy hardware appliances/cables with cloud, software-defined networks. They offer a variety of services that enables data to travel efficiently between devices and locations no matter the distance for large corporations.
Cloudflare Magic Transit: This is an enterprise network that sits at the center of a company’s IT stack, inspecting web traffic and providing a number of security services. It helps manages secure connections between on-premises infrastructure and cloud services.
Cloudflare for Offices: This is a network service whereby Cloudflare installs network boxes and fibre optics within corporate office buildings, making it easier for businesses to connect to Cloudflare’s network and gain faster internet connections, as well as increased reliability and security. It can reduce the money organizations spend managing hardware.
Cloudflare Magic Firewall: This is the security product. A firewall that attaches security to these networking services. It filters unwanted traffic in the cloud, reducing network congestion and enabling companies to reduce their hardware footprint. Cloudflare’s vision is to displace legacy providers like Cisco, VMware or Juniper Networks and become a much more modern networking platform for large enterprises.
Network Security & Secure Access Services Edge (SASE):
Cloudflare offers SASE through Cloudflare One and its Zero-Trust security offerings. Before delving into Cloudflare SASE products, it’s important to define SASE and how it works for those not familiar. SASE is simply a concept where networking and security are merged into one single architecture to protect a company’s network. It’s an architecture to simplify how remote employees connect to a company’s office resources.
Additionally, SASE provides visibility and holistic security into users, data, and apps across a corporate network. SASE is mostly applicable to Large enterprises with multiple branch locations and employees that span continents. If we dissect SASE, it comes down to the following:
Secure Access: The tech that verifies user access + connects them to the internet or internal company apps instead of using a Virtual Private Network (VPN)
Service Edge: The networking infrastructure deployed over a cloud or edge network infrastructure closest to the user to allow quick access.
SASE has four key elements/product features, many of which include the following:
CASB (Cloud Access Security Brokers): Protects user access to a company’s SaaS applications.
SWG (Secure Web Gateway) & FWaaS (Firewall-As-A-Service): Protects users when browsing the internet.
SD-WAN & ZTNA (Zero-trust Network Access): Verifies and protects a company’s user when accessing internal company apps hosted on a data center or cloud environment.
What is Cloudflare’s SASE Advantage Over Competitors?
Fully Integrated Networking, SDWAN + Security Service In One Package: Many SASE providers like ZScaler or Netskope do not have native networking capabilities (earlier explanations in this section around WANs). Many of the SASE companies rely on partnerships with SDWAN networking companies like Velo Cloud or Silverpeak to deliver Full SASE service.
However, because Cloudflare started as a networking company around the globe, with high-edge networking density, they can deliver this service in one package and makes many of their SASE services much faster technologically than competitors (many of the features listed here).
Cloudflare’s Networking Partnerships Globally: The fact that Cloudflare is connected to over 12,000 networks around the world and runs over 21% of the Internet, gives them an advantage to their Zero Trust offering. It means that enterprise customers already using their services for Act 1 use-cases can easily transition to the Cloudflare Zero Trust network because they can reach a large portion of Internet services without leaving the Cloudflare network. No other Zero Trust vendor can refer to this benefit because none of them also provide application hosting and DDoS mitigation services (typical of the performance and speed of a CDN provider). For more on this, I encourage reading this specific blog on software stack investing
Since the key feature of SASE is processing security at the edge or as close to users as possible, Cloudflare has an advantage in SASE (due to earlier points discussed). Additionally, the nature of their architecture enables them to provide SASE to customers at a lower cost than peers in security, together with the networking performance. This makes them stand out from competitors with a smaller network footprint globally.
💡 SASE Breakdown: If you want to dive deep into understanding SASE? The biggest drivers of SASE & differences amongst key vendors?
This report covers the following:
SASE Breakdown: A Deep-dive And The Key Players To Watch In 2023
·Today’s piece is an exploration into the fastest-growing category within cybersecurity. We’re going deep on everything you need to know about Secure Access Service Edge (SASE).
Act 2 - Key Takeaway:
The company has ambitious plans for Act 2. Their goal is to become the core enterprise network for businesses and, secondly, layer security onto that network. In my opinion, Act 2 represents the biggest opportunity for Cloudflare, potentially than even AI services. However, they still have a long way to go to fully develop an enterprise-grade mature networking platform. For example, they recently highlighted the need to purchase servers and boxes to manage heavy firewall traffic for some of their larger customers.
The biggest obstacle in Act 2 would be the sales motion of displacing hardwired incumbents from large enterprises. They will be highly dependent and need to build out a strategy on winning system integrators and channel partners (in which companies like ZScaler have strong moats). Cloudflare only has around 15% of revenue from channel partners as opposed to over 92% for ZScaler, according to S1 Filings. Networking products are extremely sticky, and companies don't easily replace vendors. Hence, Cloudflare faces an uphill battle in creating a compelling argument to win these large accounts.
That being said, Cloudflare for Offices, Magic Transit and Cloudflare One compete in large markets that can capture spending from telco giants like AT&T, which provide hardware enterprise MPLS internet services. If they can capture only a slice of any of these markets, they have the potential of growing significantly over the next few years.
🤓 If you want to learn more about the cybersecurity industry or develop the skill of SaaS modelling or analyzing SaaS financials, consider joining our bootcamp: Cybersecurity & SaaS Modelling Bootcamp. If you’re finding this valuable, feel free to join the newsletter! 🚀
Act 3 - Developer (& AI) Services:
Cloudflare’s Act 3 ambitions are focused on building a software infrastructure platform for developers and companies. These infra products include the computing, storage, and networking required when building and scaling applications (aka. a form of new cloud platform). In hindsight, this should have been the real Act 1 before Act 3. There are several services in Act 3, but the key ones that can move the needle are Cloudflare workers and R2 object storage.
Cloudflare Workers:
Workers allow developers to build and deploy applications globally without worrying about infrastructure. It leverages Cloudflare’s programmable network and serverless infrastructure to allow developers to write and deploy code on Cloudflare’s network. The benefit of a programmable network is that it allows developers to build features or customize solutions based on their organization’s unique requirements/needs.
Returning to our original premise on Cloudflare's global edge network across 300+ cities, they have been able to utilize their extensive points of presence (PoP) to run code and process data closer to end-users. Cloudflare Workers leverages Javascript to run code functions at the edge, allowing serverless functions to operate in the closest possible proximity to the data. Developers can use Javascript and utilize Cloudflare to build lightweight, fast, and performant applications.
Cloudflare’s Advantages compared to the hyperscalers (AWS, GCP, Azure):
Serverless platforms: Cloudflare’s architecture has an advantage over serverless platforms that run on public cloud infrastructure because most of these serverless apps on hyperscalers’ networks rely on centralized data centers, which have relatively higher latency (No AWS no data center is close to your home or office). Therefore, Cloudflare Workers cuts down on latency using PoPs and does not require region selection because it leverages its globally distributed network across many cities. Since Workers utilizes JavaScript code that includes either all or a portion of an application, it doesn’t need to be hosted on proprietary servers and therefore removes having to backhaul data to a distant data center.
This serverless architecture gives Cloudflare an advantage for real-time apps. It reduces costs for companies with applications that see inconsistent usage, with peak periods alternating with times of little to no traffic (Think Streaming or Sports team). For such applications, purchasing a server or a block of servers that are constantly running and always available, even when unused, maybe a waste of resources. It’s important to note that Cloudflare’s workers cannot handle large applications like Salesforce with high/consistent workload demands. Those will always be run on IaaS or PaaS.
Faster setup for building and scaling apps: The second benefit is that each Cloudflare PoPs uses the V8 JavaScript engine (V8 translates JavaScript code into machine code, so computers can understand this code and execute the compiled code). Anybody using Cloudflare doesn’t need to create new containers or virtual machines for each function. This enhances time to value as it accelerates compute time and reduces compute overhead for builders. As seen below, developers can develop and spin up new apps using workers because they don’t have to spend as much time configuring new environments like VMs. Cloudflare handles many of these app deployment and scaling requirements, as outlined below.
Cloudflare Pages: Pages is another developer tool offered by Cloudflare that allows front-end developers to develop, build, and deploy websites fast. Pages: This product is built around a JAMstack framework, which frontend developers use to collaborate and deploy websites - improving its speed, security and scalability. it allows front-end developers to build and deploy websites quickly. Pages enhances collaboration among product designers and engineers.
Cloudflare R2 & Object Storage:
Cloudflare’s R2 storage is their cloud object storage service. A direct competitor to Amazon’s S3, but with the advantage that they don’t charge data-egress fees (hyperscaler taxes for transferring data out of their cloud). Cloudflare claims it’s overall cheaper to operate than S3. *Latest figures put AWS at $909.93/month.
Again, the best use cases for Cloudflare’s R2 include unstructured data such as media files, videos, security logs, and static events. They’ve made R2 fully compatible with AWS S3’s APIs which enables the automatic transfer of data from AWS S3 to R2. It also easily integrates with Cloudflare workers. With R2, Cloudflare hopes they can put pressure on cloud providers to reduce or eliminate their egress fees around storage. This will take time, but if they pull it off, it could be huge (amongst AI companies, more later below).
Cloudflare’s durable objects is another service that helps store data within a given data center and move those data sets as required. The only compelling case when durable object would make them money is when it becomes a collaboration tool for technical teams.
Cloudflare AI Services:
Cloudflare does not provide any direct AI service for LLM building or model capabilities. However, they provide networking, particularly modern networks like edge computing, which are better suited to AI-native companies.
AI Inferencing: They particularly have cited AI inferencing as increasingly becoming the main use case for companies.
As a side note, OpenAI primarily uses them for basic CDN, DDoS, Bot management, and Gateway DNS services when users make requests.
AI inferencing refers to the process of using an ML model to make predictions or decisions based on new data after it has been heavily trained on seen/old data. It involves taking an existing trained model and applying it to data in real-time to generate insights or make decisions. Most of inference happens in the "real world," such as an autonomous vehicle and the model learns “on-the-go.“
Cloudflare believes that its edge network provides an advantage for inferencing as it can utilize its network to process data on the edge or as close to the device as possible, reducing latency and improving performance. AI inferencing is usually much faster and less computationally intensive than the deep learning/training phase because it doesn't involve updating the model's parameters (which require large Nvidia GPUs).
R2 Usage: The second primary AI company use-case on Cloudflare is the storage of training data for LLMs on R2. This appears to be an increasingly bigger use case for companies as they try to locate the most cost-efficient compute for generating their training models. R2 provides a way for companies to access data across cloud environments. For AI companies, this means that R2 gives them flexibility in finding GPU availability across regions and cloud providers. The benefit of R2 is that it's a cloud-neutral storage engine that allows developers to switch between cloud providers easily.
At the moment, it’s important to note there is no significant revenue being generated from many of these services. It's likely less than 3-5% of total revenue. Management in Q1 & Q2 has said they are focused on a freemium model to attract as many free users to utilize the platform (10+ million workers’ apps have been built so far, 490% YoY and R2, sequential growth of 25% with 13 petabytes of data stored). They are experiencing good traction with these products. It’ll be important to see how they monetize these products once they understand customer demand patterns, but it’ll be interesting to see what changes in the competitive landscape (alternatives) are in response and how their customers respond.
Act 3 - Key takeaway (4th Cloud + AI??):
Don’t accuse me of trying to call them the next 4th cloud or the next company powering OpenAI. I have no clue if they will ever become the 4th or 10th largest cloud, but they’ve made important strides in this direction. They are building a supercloud platform that is arbitraging and interconnecting across all the major clouds to provide all the infrastructure for developers to build applications or do anything. No doubt, there is potential here, but it’s gonna be a major hurdle to even reduce a significant chunk of spend from the hyperscalers.
It’s important to note that many of these storage and compute platforms are still in very, very early and haven’t developed at scale. However, something to watch is how much R2 acts as a funnel for customers to adopt the worker’s platform. If you store lots of data on Cloudflare, it’s easier to build apps in the same environment. If they are successful in creating a network effect and successfully capturing the monetization funnel, this could be a major revenue driver for the business. The biggest challenge they will face is competing against the major hyperscalers that provide similar services across the stack.
Financial & Customer Overview:
The purpose of this report was primarily to look at Cloudflare’s technology evolution. However, I’ll give a brief commentary on the business and customer metrics since it’s closely tied to their story.
Back in Q3 2022, Cloudflare set a goal of $5B in revenue by 2027. Based on their recent guidance of 31% on $1.6B this year, this would require compounding close to 40% CAGR for the next four years to achieve this goal. This is going to be a steep hill based on the current macro slowdown within enterprises and the resulting long sales cycle. During their investor conference, they revealed 25% of their revenue comes from Act 2 & Act 3 products.
Customers:
Cloudflare had 4.1M+ total customers (free and paid customers) as of January 2022 (Stifel, Initiation report). They no longer disclose total customer growth. As of Q2 2023, they have 174K paying customers, albeit growing at a slower pace.
Large customer growth spending over 100K will be one of the most important metrics to watch to gauge their success in Act 2. They have 2,352 spending 100K+. This growth has decelerated, which indicates the company has a lot of work to do here. However, in Q2 2023, compared to Q1 2023, they incrementally added 196+ customers. It’ll be important to see this number increase for their Act 2 and Act 3 products.
During the Q2 2023 call, when asked if those customers are net new or existing customers increasing spending. Management mentioned that historically it had always been 50-50, but in the recent quarter,
“It was pretty even, 50-50 between new customer sign-ons the defender expansions. I would say in the last quarter, specifically, we have probably a larger share of new customers signing up right beyond the $1 million range. So it shifted slightly away from expansion into a new logo sign-on.”
A key part of their growth will be dependent on how much these customers and standardize most of their infrastructure on Cloudflare
It’s important to highlight the product attach rates per contracted customer. They define contracted customers as those who agree to term contracts, ranging between one and three years and are billed monthly. It should be no surprise that 90% of their contracted customers use Act 1 products which shows they still rely heavily on their earlier products to drive revenue today.
Peter, at Software stack investing, has some great analysis taking a closer peek under-the-cover to see the actual numbers. If we use their metrics as of the end of 2022, they are experiencing growth amongst their zero trust and networking customers.
Morgan Stanley had a report earlier this year showing that as at March 2023, Cloudflare had been gaining some share amongst SASE customers.
Margin & Cost Structure:
The company has started turning the corner on profitability. As they try to grow over 40% over the next 4-yrs while expanding their sales team for all their products, it’ll be important to see how they manage their cost structure. It’s going to be really tricky, in my opinion.
One of the reasons Cloudflare has a higher premium compared to peers like Akamai and Fastly is its higher gross margin profile:
Cloudflare has a gross margin of 78%
Akamai has a gross margin of 64%
Fastly has a gross margin of 57%
Most of it goes back to the earlier product and architecture decisions by the company. Additionally, their software stack is built around proprietary software/chips that preclude anyone else from running software on their equipment. Cloudflare’s integrated stack across the globe has made scaling, debugging, optimizing, and operating its platform easier and less costly than other competitors without that infrastructure. Their serverless architecture has allowed the company to manage their network efficiently and costs today.
ETR Enterprise Spending Surveys:
Enterprise Technology Research (ETR) has a platform that provides in-depth insights into CTOs and CISOs’ spending intentions quarterly. Using ETR data’ from 400+ enterprise respondents, their data shows pervasion (the number of times a vendor is mentioned amongst executives for planned spending) is high for Cloudflare. This is happening across different enterprise sizes and is now more than ~20% higher than 8% last year, more than double the levels seen two years ago.
Some of the key highlights of their report include that 40% of customers indicated the desire to spend more on the company’s cloud product, compared to around 25% in January 2022. The company is also rapidly gaining share within the networking category of enterprises especially amongst legacy networking companies like Juniper, Imperva etc.
The key takeaway from this report is that enterprises are increasingly talking about Cloudflare products/have intentions to start spending (freemium or smaller products to start). The enterprise networking products in Act 2 are getting the most traction. However, ZScaler remains its fiercest competition across many sectors, still eating most of their spending. This likely explains why Cloudflare has single-handedly targeted ZScaler in its campaigns.
For more details on what 400+ Fortune 500 said about Cloudflare, visit ETR.AI to see the full report or contact mark.
Platform Challenges Ahead:
Consolidation of multiple products into a cohesive platform: One of the biggest challenges ahead is bundling and consolidating all 50+ products into one platform story. It’s great to have high product velocity, but if those products are not synergic to a broader platform strategy, it makes it difficult for sales teams and potential buyers. Now, to their credit, at the recent investor conference, they’ve laid out the story into multiple acts. However, if you dig deeper, the integration of those products are still complex due to overlaps or distinct technologies, so this is going to be a key priority over the next year.
Go-To-Market Challenges: Cloudflare has increasingly become complex. They have a wide range of products and customers spending as little as just $5/month all to the way to enterprise customers spending as much as $6M, to their largest customer spending over $20M (2021 Investor conference). The fast pace at which they’ve moved has presented multiple GTM issues that have become apparent in recent quarters. Issues around productivity, building a top-down sales organization and lengthening the sales cycle.
Building a top-down sales org to match enterprise products: Many of their Act 2 products need to be sold to the largest corporations. These are high 7-8 digit ACV deals that have longer sales cycles and implementation timelines than their typical one-month cycle. Cloudflare’s Act 1 products which generate over 75% of revenue, were mostly built around on bottom-up sales team. It’s going to require them to build out extensive channel partnerships with system integrators and resellers to drive those Act 2 deals. As mentioned earlier in Q2 2023, Cloudflare generated around 15% of revenue from channel partners as opposed to the likes of ZScaler, with over 92% partner generated, according to S1 Filings. Most of the Act 2 products need to be partner driven to be implemented unless it drives a hole into their S&M expense. With the new CRO, it will take time to build these partnerships and a challenge to develop a true enterprise-grade sales team.
Lengthening Sales Cycle: The macro situation has compounded challenges as they currently face lengthening cycles. Sales cycles for Cloudflare have historically been less than a quarter (due to the small nature of their Act 1 product). However, in Q1 2023, the average number of days required to close a deal increased by 27% overall and by 49% for expansion deals with existing customers. If we remove the macro environment, longer sales cycle should be something they would need to get used too, as it’s similar for many enterprise-scale companies. They risk losing to existing legacy providers with better product consolidation and large install bases as it’s an easier appeal to CISOs, so this is something they’ll need to work through.
Productivity/Turnover in Sales: As if 1 & 2 were not significant issues enough. They’re dealing with productivity issues on their sales team with many inefficient internal processes, turnover and low productivity amongst their low-performing AEs. There is also this Repvue data point showing declining quota achievement for Cloudflare. During a period of vast product rollouts and changing GTM dynamics, the worst thing that can happen is having talent issues on your sales team. How fast the new CRO, can fix these issues will determine their success. I’m afraid sales turnarounds, especially as a company moves up-market, will be a minimum of 3-4 qtrs, which creates risks associated with our next point.
Intense Competition across Key Categories: The GTM alignment and sales issues discussed earlier are problematic because of the intense competition they face across their products.
Act 1 (Application and Edge services): Notable competitors include Fastly and Akamai. However, it’s fair to say Cloudflare has significantly better technologies than its peers on almost all public metrics. They’ll have an easier time here.
Act 2 (Networking and Zero-Trust/SASE Security): Notable competitors include ZScaler, Palo Alto Networks and Netskope. Within Networking, Cisco, Versa Networks, VMware and HPE. They have a harder time competing in SASE, as discussed earlier and in my SASE report. The challenge they face in Networking is displacing hardwired and sticky legacy players and educating customers about their benefits in SSE security.
Act 3 (Developer & Infrastructure Services): Notable competitors include Hyperscalers (AWS, Azure and GCP). These providers provide most computing, storage and other application services. On the startup scene, companies like Vercel and Netlify are very popular and should be watched closely.
Declining Dollar-based Net Retention & Large Customer: I’d argue that the most important metric for Cloudflare’s next acts is the number of large customers they are adding, signing contracts and how many are expanding/consolidating spend on their platform. Cloudflare is currently at its lowest Dollar-based Net Retention (DBNRR) going back to June 2020. It went from a high of 127% in Q1 2022 to 115% in Q1 2023. To their credit, the new CRO laid out concrete steps at their investor day to fix all these issues. However, my opinion is that it’ll take more time.
Summary:
I didn’t expect to go this deep. Cloudflare’s evolution toward becoming a fully mature enterprise platform will be fascinating to watch over the years. Cloudflare has built a superior architecture that is going to increase its moat over time. Their technology stack is a vertically integrated global network that provides pricing and cost advantages. It doesn't rely on someone else's infrastructure, especially the hyperscalers, as much as your typical SaaS company.
The fact they manage 20% of the internet on their network makes them a mission-critical platform since If Cloudflare goes down, most of the web goes down like this situation in 2020 and recently in 2022. This ability to see 20% of the web provides them a massive data advantage to improve their products as well as good intelligence to launch future products. Most of their services are in categories with high barriers to entry, as it would be difficult for a new competitor to replicate what they’ve built over the years.
They face critical execution risks around GTM and truly building a cohesive platform consolidation story. Ultimately, this will involve having to choose their battles on a few product lines that truly move the needle and cutting down on product features that are a drag on its expenses. The cloud providers have limitless resources to invest in multiple cost areas because they have major cash cow businesses, but unlike them, Cloudflare’s Act 1 haven’t become major cash cows to drive Act 2 & 3, so they’ll need to thread the needle carefully. Many of these issues need to be solved within the next 6-8 months if they are going to capitalize on their superior technology. If they do, this has the potential to be one of the largest software companies over the next decade.
If you made it to the end, thank you for reading! If you found the report valuable, I’ll appreciate it - if you gave it a like or wanted to share the report 🙏
🚨 Cybersecurity & SaaS Modelling Bootcamp 🚨
🤓 If you want to learn more about the cybersecurity industry or become better at analyzing SaaS financials or building a financial model, consider joining our bootcamp: Cybersecurity & SaaS Modelling Bootcamp.
If you found this valuable, feel free to join the newsletter for more on cybersecurity, AI & ML Companies and Dev Infrastructure companies!
Credits & Further Reading Resources:
Cloudflare CIO Week - A Maturing SASE by Muji @ Hhhypergrowth
Cloudflare’s Security Week & Cloudflare Q2,2023 by Muji @ Hhhypergrowth
Compiled list of all Cloudflare deep dive & quarterly earning updates by Peter @ Software Stack
Cloudflare business economics deep dive by Mostly borrowed Ideas.
Loved the detailed analysis and how you summarized the three acts, Francis.
Great write up. Simply fantastic!