After a break of just a few months, Cloudflare scheduled two of their Innovation Weeks back to back. The first was dubbed GA Week and brought a number of beta products to general availability. This served to clear the decks for Birthday Week, which is when Cloudflare traditionally introduces their next wave of future products. While expectations are always high, Cloudflare really delivered A LOT.
They announced so much, that I have to break my coverage into two posts and limit the depth to the major announcements. I consolidated all the GA Week news into this blog post summarizing the major changes, including perspective on what this means for Cloudflare’s evolving product offering. As I write this, Birthday Week is ongoing, delivering even more exciting announcements. I plan to cover that as well and will publish a summary sometime next week.
Audio Version
View all Podcast Episodes and Subscribe
Overview
GA Week kicked off with the standard blog post introducing the themes for the week. This innovation week provided an opportunity for Cloudflare to close out on a number of product launches that have occurred over the last year, with some going back to the prior Birthday Week in 2021. The scope was enormous – Cloudflare brought over 20 products and enhancements to general availability over the course of the week. Many of these have a direct revenue component, or represent an add-on to an existing customer bundle. Several were highlighted as popular customer requests. As an investor, I like to see products enter GA and get assigned pricing, because that represents the opportunity for them to generate revenue.
Overall, I liked the concept behind GA Week, bringing closure to the many product introductions over the past year. This represents a sound strategy by Cloudflare leadership and builds confidence with customers. It demonstrates an iterative product development process and delivers real substance behind their parade of blog post announcements.
Each product transitioned to general availability was preceded by a beta period, in which customers provided feedback. What is important to appreciate is that if a product was brought to GA, then it was validated by customers as adding value. Otherwise, why incur the overhead of customer support, code maintenance, testing and documentation, if Cloudflare doesn’t expect customer value and revenue?
As part of their end of week summary blog post, Cloudflare’s CTO included the graphic above from their S-1 back in 2018. He used it to illustrate Cloudflare’s history of bringing an increasing number of products to market each year, highlighting their product development process and reach. The other reality that this graphic reflects is the sustained growth in annualized billings, that appears to correlate with the pace of product releases.
As investors consider how Cloudflare will maintain its pace of 50% annualized revenue growth, this chart provides a clue from their past. Bringing an ever increasing number of products to market allows Cloudflare to reach more customers and keep expanding spend with existing ones. As part of their recent Q2 2022 earnings report, the CEO discussed how they are committed to reaching a revenue net retention rate of 130% or greater. With more products to cross-sell into existing enterprise customers, we can start to see how that growth rate would be feasible.
The other interesting take-away was how Cloudflare leadership emphasized not just the breadth of products released, but their commitment to continually improve them until they are considered “best-of-breed”.
But it’s not just about making products work and be available, it’s about making the best-of-breed. We ship early and iterate rapidly. We’ve done this over the years for WAF, DDoS mitigation, bot management, API protection, CDN and our developer platform. Today analyst firms such as Gartner, Forrester and IDC recognize us as leaders in all those areas.
Over the years we’ve heard criticism that we’re the new kid on the block. The latest iteration of that is Zero Trust vendors seeing us as novices. It sounds all too familiar. It’s what the DDoS, WAF, bot management, DNS, API protection, and serverless vendors used to say before we blew past them.
Cloudflare GA Week Blog Post, September 2022
What I like about this statement is the commitment to improve their products, not just against their own quality bar, but taking into consideration what industry analysts consider. While industry analyst reports can get a little political, they do generally provide a reasonably objective measure of product completeness and positioning relative to competition. To have Cloudflare leadership embrace these reports means that they are seriously analyzing what they need to do to bring newer products to best-of-breed status. This is reassuring as one might assume that Cloudflare risks spreading themselves too thin – a mile wide and an inch deep.
The second point is how leadership is specifically targeting Zero Trust, a large market which Cloudflare entered just a few years ago. While new to the space, leadership appears confident that they will make rapid progress in ascending the product rankings in Zero Trust. As investors will recall, in Gartner’s last magic quadrant for SSE (Zero Trust category), Cloudflare was named an Honorable Mention. They were not included because their CASB solution didn’t support an API interface before the cut-off for evaluation. At this point, it does. I think it will be interesting to see if Cloudflare starts to iterate through the magic quadrants for Zero Trust solutions and eventually lands in the Leaders quadrant (perhaps mirroring the trajectory that Datadog took with APM).
With that intro, let’s look at the major GA releases from last week. While I will focus on the product announcements, our partners over at Cestrian Capital Research recently published an update on Cloudflare, including financials and some technical analysis. Interested readers can check out that coverage as a supplement to this blog post.
Cestrian Capital Research provides extensive investor education content, including a free stocks board focused on helping people become better investors, webinars covering market direction and deep dives on individual stocks in order to teach financial and technical analysis.
The Cestrian Tech Select newsletter delivers professional investment research on the technology sector, presented in an easy-to-use, down-to-earth style. Sign-up for the basic newsletter is free, with an option to subscribe for deeper coverage.
Software Stack Investing members can subscribe to the premium version of the newsletter with a 33% discount.
Cestrian Capital Research’s services are a great complement to Software Stack Investing, as they offer investor education and financial analysis that go beyond the scope of this blog. The Tech Select newsletter covers a broad range of technology companies with a deep focus on financial and chart analysis.
Product Releases
The Cloudflare team provided a useful chart in the closing blog post for GA Week. It includes all 20 product announcements, organized by day. For each, the chart provides a summary of the changes and which customer packages have it available. This provides a useful reference for all the announcements. I’ll describe the major changes in some detail below and then list the rest with a short summary. Thorough readers can comb through each of the GA Week blog posts and Cloudflare TV segments for more details.
Zero Trust
A lot of emphasis was put on Cloudflare’s progress in Zero Trust leading up to GA Week. As investors will recall, Cloudflare held a separate innovation week for just Zero Trust solutions from June 20th – 24th. They called this Cloudflare One Week and introduced a number of new Zero Trust product offerings and solidified their positioning around providing a full-featured SASE platform. For a full review of the announcements from Cloudflare One Week, please see my previous write-up.
To kick off the Cloudflare One week, the team set the stage by making the case for a Zero Trust architecture. They reviewed the concepts behind Zero Trust, what is needed by enterprises and then argued why the Cloudflare One platform is best positioned to address the Zero Trust SASE space. One of the goals of Cloudflare One Week was to educate. Based on their discussions with customers, the Cloudflare team found that many security leaders realize that they need to transition to a Zero Trust architecture, but aren’t sure how.
To help guide those decisions, the Cloudflare team published a stand-alone site called the Zero Trust Roadmap. This outlines the components of a Zero Trust architecture, suggested solutions for each and even a list of providers by category. It is designed to be vendor-agnostic, listing competitor offerings like Zscaler and Netskope side-by-side with Cloudflare’s product. The vendor listings are even in alphabetical order to be fair (acknowledging that “C” comes before “Z”).
To complement this roadmap, they published a second blog post that maps all of the components of a SASE architecture and speaks to how Cloudflare’s platform aligns with these. The goal of course is to demonstrate that Cloudflare has a feature-complete Zero Trust SASE offering at this point.
Based on this mapping of Cloudflare products to the core components of a full-featured SASE offering, Cloudflare One Week delivered a number of announcements. These included new product releases to round out Cloudflare’s SASE offering and capabilities that further improve a typical customer’s security posture. As the week wrapped up, the Cloudflare team also published an analysis of how their Zero Trust platform lines up with those of competitors.
With the releases from Cloudflare One Week, Cloudflare checked all the boxes for a full-featured SASE solution. The primary capabilities introduced during the Week were new product additions, like Data Loss Prevention (DLP), Email Security, CASB and a threat detection service. There were also a number of extensions to existing products. Finally, they announced a new emphasis on creating a partner program.
Most of the new product announcements were introduced to customers in a private or closed beta format. Over the subsequent months, the Cloudflare team solicited customer feedback and made adjustments to the product offerings. As part of GA Week, several of those new product introductions were moved to GA status. Considering that they were brought to a customer beta just 3 months prior underscores how important Cloudflare considers their investment in Zero Trust solutions and reflects very fast progress.
Cloudflare closed the loop on four of their top level secure access functions – specifically DLP, CASB, RBI and Email Security. At this point, all seven top-level product offerings that are part of Cloudflare’s SASE product stack are in GA, meaning that they can be sold to customers and generate revenue. Given the high demand for Zero Trust solutions, as evidenced by Zscaler’s strong Q4 results recently, I think this places Cloudflare in a favorable position to drive incremental revenue for their Zero Trust business.
With that set-up, let’s walk through the Zero Trust product launches as part of GA Week.
CASB
In February 2022, Cloudflare announced the introduction of a new API–driven Cloud Access Security Broker (CASB) via the acquisition of Vectrix. Cloudflare’s CASB service helps IT and security teams detect security issues in and across their SaaS applications. The service examines both data and users in popular SaaS applications to alert teams to issues including unauthorized user access, file exposure, software misconfigurations and shadow IT. Adding an API-driven CASB solution to the Zero Trust platform was also a missing feature in order for Cloudflare to be included in Gartner’s SSE Magic Quadrant.
Even with the new service, CASB only reported access and misconfiguration issues to the security teams. Customers still needed a way to move beyond a CASB report of issues to investigate, and actually take action to limit user access to affected applications. This would transition the security team from awareness to remediation regarding an application, limiting user access to some functionality or blocking it altogether.
To solve this problem, Cloudflare added the ability to create Cloudflare Gateway policies from CASB security findings as a new capability during Cloudflare One Week in June. Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior, while still allowing usage that aligns to company security policy. This means going from viewing a CASB security issue, like the use of an unapproved SaaS application, to preventing or controlling access. This provides a cross-product experience from a single, unified platform.
At the conclusion of Cloudflare One Week in June, Cloudflare’s API-driven CASB was in closed beta with new customers being onboarded weekly. The new integration with Gateway was available to beta customers as well. The CASB beta program continued from June through September, during which the system identified more than 5M potential security issues across beta users, with some organizations seeing several thousand files flagged as requiring a sharing setting review.
Customers can connect their SaaS applications to Cloudflare CASB in just a few clicks. Once connected, customers will begin to see the results of a scan (identified security issues) appear on their CASB home page. CASB utilizes each vendor’s API to identify a range of application-specific security issues that span several domains of information security, including misconfigurations and insecure settings, file sharing security, Shadow IT, best practices not being followed and more.
As part of GA Week, Cloudflare brought the CASB product out of closed beta to GA. It is now available for all Cloudflare customers as part of the Zero Trust product suite. Today CASB supports integrations with Google Workspace, Microsoft 365, Slack, and GitHub, with a growing list of other critical applications being added.
DLP
As part of Cloudflare One week in June, the team announced that Data Loss Prevention was added as a native part of the Cloudflare One platform. It was being tested in a closed beta for a subset of customers. GA Week moved this product into general availability. All customers now have access to the service as part of the Cloudflare One product suite.
Data Loss Prevention is a strategy for detecting and preventing data exfiltration or data destruction. Many DLP solutions analyze network traffic and internal endpoint devices to locate leakage or loss of confidential information. Organizations use DLP to protect their sensitive business data and personally identifiable information (PII), which helps them stay compliant with industry and data privacy regulations.
To prevent data exfiltration, DLP tracks data moving within the network, on employee devices and when stored on corporate infrastructure. When data is in danger of leaving the corporate network, DLP can send an alert, change permissions for the data or in some cases block its flow.
Sensitive or confidential data is usually tracked through identification methods like keywords, pattern matching, explicit fingerprinting and file identification. These indicators help understand the information being transmitted across or out of the network. Role-based access control (RBAC) also helps identify users who are trying to access data that isn’t aligned with their job function (engineers retrieving financial data).
Cloudflare currently provides several measures for preventing data loss. The platform logs DNS and HTTP requests, and controls user permissions across all applications via RBAC. With this announcement, customers will be able to use Cloudflare’s network to scan all traffic leaving devices and locations for data loss, without compromising performance. Some of the capabilities included in Cloudflare’s DLP solution are:
- Customers can build rules to check data against common patterns like PII
- Add keywords and craft regexes to identify the presence of sensitive data. Profiles for common checks, like credit card numbers, will be provided by Cloudflare.
- Label and index specific data to be protected.
- Combine DLP rules with other Zero Trust rules. As an example, customers could create a policy that prevents users outside of a specific group from uploading a file that contains certain key phrases to any location other than the corporate cloud storage provider.
After configuring a DLP profile, customers can then create a Cloudflare Gateway HTTP policy to allow or block the sensitive data from leaving the organization. Gateway will parse and scan HTTP traffic for strings matching the keywords or regexes specified in the DLP profile.
DLP runs inline on the same hardware that accelerates traffic to the rest of the Internet. This is an important advantage, as Cloudflare doesn’t need to route corporate traffic to another location or central hub for inspection. DLP is performed inline, on the same servers that are supporting all of Cloudflare’s other services. This capability could have additional benefits, as Cloudflare’s platform is used for other functions, like application development.
DLP protections are initially targeted at credit card numbers and US Social Security numbers. This is a limited set of pre-built detections, but the Cloudflare team intends to rapidly iterate towards a robust library of DLP detections. Next steps are to add custom and additional predefined detections, including more international identifiers and financial record numbers. In the meantime, enterprise customers can activate DLP detections on their CASB, SWG, ZTNA and Browser Isolation configurations.
Browser Isolation
For Cloudflare’s Browser Isolation product, the team made it easier for system administrators to integrate it into their WAN-as-a-service product, Magic WAN. This new capability enables administrators to connect on-premise networks to Cloudflare and protect Internet activity from browser-borne malware and zero day threats, without installing any endpoint software or nagging users to update their browsers.
To combat the risk of malware executing in a browser directly on a user’s machine, Browser Isolation applies the Zero Trust approach to web browsing and executes all website code in a remote browser. Should malicious code be executed, it occurs remotely from the user in an isolated container. The end-user and their connected network are insulated from the impact of the attack. Customers who have networks protected by Magic WAN can now enable Browser Isolation through HTTP policies.
Administrators can set rules for applying Browser Isolation to their dashboard configuration for Cloudflare Gateway. These rules can trigger on HTTP traffic. As an example, the configuration could specify that any new domains (often used by hackers for phishing) have to be processed through Browser Isolation first. This additional level of integration was rolled out during GA Week.
Area 1 Email Security
In order to add email security capabilities to its Zero Trust SASE security offering, Cloudflare acquired Area 1 Security in April 2022. With the acquisition, Cloudflare provided organizations with a tool to block phishing, malware, business email compromise and other advanced threats. Area 1 Security’s capabilities were being integrated into Cloudflare’s Zero Trust strategy.
The first step was to rebrand the product as Cloudflare Area 1 and make email security capabilities available for purchase to all Cloudflare enterprise plan customers. This provided Cloudflare customers with a cloud-native email security platform that proactively hunts for attacker infrastructure email campaigns.
With GA Week, Cloudflare announced that the integration of Area 1 Security’s product and Cloudflare’s Zero Trust platform was complete. Starting last week, customers have a dedicated Email Security section on their Cloudflare dashboard, providing an easy way for any Cloudflare customer to start using Cloudflare Area 1 Email Security. Customers can view a demo of the service in action or activate a trial, which gives them access to the full product for 30 days.
Customers can configure Area 1 inline or through an API. None of these options disrupts mail flow or the end user experience. Customers don’t need any new hardware, appliances or agents. During the trial, customers will be able to review detection metrics and forensics in real time, and will receive updates from the Area 1 team on incidents that require immediate attention. At the end of the trial, customers will receive a Phishing Risk Assessment where the Cloudflare team will review mitigated attacks. Customers can then activate the product as part of the Enterprise Zero Trust plan.
Cloudforce One
During Cloudflare One week, the team introduced Cloudforce One, their new threat operations and research team. The team’s primary objective is to track threat actors and disrupt them by publishing tactics, techniques and procedures (TTPs) for Cloudflare One products to harness. Customers will get better protection without having to take any action and can read a subset of research published within the Cloudflare Security Center.
With GA Week, Cloudflare announced that Cloudforce One is open for business and has begun conducting threat briefings. Customers can gain access to the team through an add-on subscription, which includes threat data and briefings, security tools, and the ability to make requests for information (RFIs) to the team.
The Cloudforce One team is being led by Area 1 Security’s co-founder and head of their threat intelligence function. He was a founding member of CrowdStrike’s services organization, and before that a Computer Network Exploitation Analyst at the National Security Agency (NSA). Other team members possess similar expertise in security analysis and operations. Collectively, they have tracked many of the most sophisticated cyber criminals on the Internet while at the National Security Agency (NSA), USCYBERCOM, Area 1 Security, and have worked closely with similar organizations and governments to disrupt these threat actors.
The Cloudforce One team has been sub-divided into five subteams: Malware Analysis, Threat Analysis, Active Mitigation and Countermeasures, Intelligence Analysis, and Intelligence Sharing. They have been prolific in publishing “finished intel” reports on security topics of significant geopolitical importance, such as targeted attacks against governments, technology companies, the energy sector, and law firms. They have regularly briefed top organizations around the world.
One advantage that Cloudflare possesses over other cloud security companies is the sheer scope of their network and service reach. These go far beyond what can be gleaned from the traffic of several thousand enterprise customers. By hosting 20% of all web sites on the Internet and a large number of infrastructure services, Cloudflare receives trillions of signals every day that they can examine for nefarious activity. More data from more users all over the globe will yield security insights faster than competitive services. Some analysts question why Cloudflare bothers with millions of free accounts. That is a big reason.
The best way to understand threats facing networks and applications connected to the Internet is to operate and protect critical, large scale Internet infrastructure. And to defend attacks against millions of customers, large and small. Since our early days, Cloudflare has set out to build one of the world’s largest global networks to do just that. Every day we answer trillions of DNS queries, track the issuance of millions SSL/TLS certificates in our CT log, inspect millions of emails for threats, route multiple petabytes of traffic to our customers’ networks, and proxy trillions of HTTP requests destined for our customers’ applications. Each one of these queries and packets provides a unique data point that can be analyzed at scale and anonymized into actionable threat data—now available to our Cloudforce One customers.
Cloudflare Blog Post, September 2022
In addition to threat intel, a Cloudforce One subscription will include a few new services to expedite threat hunting and remediation.
- Threat Investigation Portal. This screen will be located within the Security Center. Customers can use it to investigate threat data on IPs, ASNs, domains and even individual URLs. URLs can be scanned for phishing content, with heuristic and machine-learning scored results.
- Brand Protection. Another tab in the Security Center allows customers to enter keywords or digital asset references (logos, corporate images) that customers wish to monitor on the Internet. The system will notify them if these become associated with suspicious activity.
- Sinkholes. These can be created on-demand as a service to monitor infected hosts and prevent them from communicating with hacker-controlled command servers. Sinkholes can also be used to intercept SMTP traffic and route traffic away from the command servers. In the future, sinkholes will be extended to the network layer, where they can be leveraged with Magic Transit and Magic WAN.
Subscriptions to Cloudforce One will come in two packages, that are priced based on the number of employees. The Premier package includes a full history of threat data, bundled RFIs and an API quota designed to support integrations with SIEMs. The Core package includes these features, but with reduced history and quotas. Both packages include access to all available security tools, including a threat investigation portal and sinkholes-as-a-service.
The Cloudforce One offering is exciting for investors, as this represents a new service with a separate subscription. This provides cross-sell opportunities to existing customers, potentially providing an incremental revenue source.
Cloudflare One Partner program
During Cloudflare One Week, the team introduced the Cloudflare One Partner Program, built around their Zero Trust, Network-as-a-Service and Cloud Email Security offerings. It helps channel partners deliver on Zero Trust while monetizing in tangible ways – with a comprehensive set of solutions, enablement and incentives. The program is being introduced through a stable of IT service providers, distributors, Value Added Resellers and Managed Service Providers. Customers can find a partner via the Partner Program page. Launch partners included TD Synnex, AVANT, Wipro, RKON, IBM Security and Rackspace.
Cloudflare has typically not relied on channel partners to help sell their products. The thinking was that Cloudflare Application Services were usually straightforward to set up directly with the customer and didn’t benefit from another layer of value-added services to configure. Zero Trust products, however, generally require more complex planning and integration. Because of that, they are also higher margin, providing room for partners to add value.
For these reasons, Cloudflare is aggressively building a partner co-selling program. To seed the partnerships, they looked to channel partners who were already selling competitor services. On the Q2 earnings call, leadership claimed to have “successfully signed up half of Zscaler’s top channel partners as new Cloudflare partners”. In their view, these partners are happy to have multiple Zero Trust solutions to offer to their customers. This is helping with deal flow. Additionally, the Area 1 Security sales team already had a lot of experience working with channel partners and bootstrapped Cloudflare’s partner program.
As part of GA Week, the Cloudflare team provided an update on the partner program, highlighting that they are seeing accelerating engagement since it was announced back in June. Interestingly, the blog post was authored by Steve Pataky, who came over from Area 1 Security, where he led their channel partner efforts. Besides adding the email security product capabilities to Cloudflare’s platform, Area 1 brought deep experience in building a channel partner program, which Cloudflare previously lacked.
It became clear there was a significant opportunity to partner with the channel – to combine Cloudflare’s complete Zero Trust portfolio with a broad set of Cloudflare-enabled, channel-delivered professional services to help customers navigate meaningful ways to adopt a Zero Trust architecture. Underscoring this need to partner was the fact that over the last six months we saw a 50% increase in new Cloudflare Zero Trust customers being won with the channel.
Cloudflare blog post, September 2022
Based on the quote from the blog post, it appears that the investment in the Partner program is paying off. Cloudflare is landing more Zero Trust customers as an outcome. Further, since launch, they have been engaging with “hundreds” of partners through recruiting campaigns and their Zero Trust Roadshow, which visited a number of cities around the world.
To incentivize partners, Cloudflare created a “Reward for Value” financial structure. This rewards partners for developing Zero Trust opportunities (deal sourcing), designing a bundled solution and delivering professional services. Feedback from partners has been very positive on this structure, providing a mutually beneficial relationship between Cloudflare and the channel. By enabling the partner network to source deals for Cloudflare, the team feels they will actually drive more customer activity than when they were trying to originate deals on their own.
R2 to GA with Log storage
During GA Week, Cloudflare announced the transition of R2 Storage to general availability with both a press release and a blog post. The press release hinted at strong customer adoption for R2 as it comes out of beta, claiming over 12,000 developers (and growing) with an active account on R2 Storage. They also cited one customer (Vecteezy) who was spending “six figures” on egress fees with an alternate solution.
In May 2022, we launched R2 into open beta. In just four short months we’ve been overwhelmed with over 12k developers (and rapidly growing) getting started with R2. Those developers came to us with a wide range of use cases from podcast applications to video platforms to e-commerce websites, and users like Vecteezy who was spending six figures in egress fees. We’ve learned quickly, gotten great feedback, and today we’re excited to announce R2 is now generally available.
Cloudflare Blog post, September 2022
Vecteezy is an online marketplace for professional quality creative resources, including images and videos. They claim to have designers at major brands as customers. Traditionally, a site like Vecteezy would cache their content on a CDN (like Cloudflare). However, the object store that serves as the origin for the CDN would usually be an object service from a hyperscaler, often S3. With R2, Cloudflare can now serve as that origin object store as well.
Making this change to utilize R2 as the origin would require some configuration updates to Vecteezy’s content publishing system, but those would be fairly straightforward. The R2 API matches that of S3, so coding changes should be minimal.
R2 has separate pricing from other Cloudflare services like CDN. The move to GA will begin generating revenue, which is incremental from Cloudflare’s other products. While R2 doesn’t charge for egress as part of its value proposition, it does generate fees from storage and read/write operations.
- Storage is priced at $0.015 / GB, per month
- Class A operations cost $4.50 / million (write)
- Class B operations cost $0.36 / million (read)
Before we get too excited, they do provide a free tier with usage limits. I imagine that a large number of the 12, 000 developers are on this tier (but not all).
- 10 GB-months of stored data
- 1,000,000 Class A operations, per month (write)
- 10,000,000 Class B operations, per month (read)
There are a number of implied use cases for R2, beyond serving as origin for a CDN. Most are fairly straightforward to implement, avoiding long system migrations (like with databases) in order for Cloudflare to begin capturing the opportunity. Another example use case that is easy to activate for Cloudflare customers is log storage.
Most of Cloudflare’s network and application products generate detailed log files that customers want to store in the event they need to search them in the future to respond to a security incident. Before R2 GA, Cloudflare only provided customers with the ability to export logs to 3rd-party destinations, primarily the hyperscalers. These object stores were used for long term storage and periodic analysis. With Log Storage on R2, however, Cloudflare is able to offer customers a cost-effective solution to store event logs for any Cloudflare product.
While Cloudflare may only capture a small percentage of the object store business from the hyperscalers, that could represent a meaningful amount of revenue. Some analysts have estimated that the AWS storage business (not including other hyperscalers) generates over $10B a year in revenue.
Another future use case could be associated with secure data sharing between companies. This is where the optionality of Cloudflare’s platform becomes interesting. By combining R2 with Zero Trust, Cloudflare could provide secure authentication and transport of data between companies. Zero Trust would ensure proper governance. Workers could then be leveraged to inject custom logic, handling functions like data cleansing, aggregation and repackaging. As Big Data companies like Snowflake are building networks of customers around data sharing, Cloudflare could help facilitate secure data sharing outside of analytics.
Stream Live to GA
Stream Live was introduced during Birthday Week last year. Now, Cloudflare has brought it to GA. Stream Live is part of the Cloudflare Stream product family and allows developers to build live video features into web sites and native apps. While in beta, content producers have used Stream to broadcast live concerts, build brand-new video creator platforms and operate a global 24/7 live OTT service. While in beta, Stream has ingested millions of minutes of live video and delivered that to viewers all over the world.
Stream Live greatly simplifies the infrastructure requirements for live video streaming, often involving stitching together solutions from multiple vendors. With Stream Live, Cloudflare handles all steps of ingesting video, encoding it, storage and delivery to viewers. While other providers offer services for live video, Cloudflare claims to be the only one with full control over every step in the process through their global network and owned hardware. This allows Cloudflare to optimize for encoding and delivery in ways that competitive solutions can’t.
Besides advantages in performance and control, Cloudflare can also price their service competitively, presumably undercutting popular solutions.
Operating our own network lets us price Stream based on minutes of video delivered — unlike others, we don’t pay someone else for bandwidth and then pass along their costs to you at a markup. The status quo of charging for bandwidth or per-GB storage penalizes you for delivering or storing high resolution content. If you ask why a few times, most of the time you’ll discover that others are pushing their own cost structures on to you.
Encoding video is compute-intensive, delivering video is bandwidth intensive, and location matters when ingesting live video. When you use Stream, you don’t need to worry about optimizing performance, finding a CDN, and/or tweaking configuration endlessly. Stream takes care of this for you.
Cloudflare Blog Post, September 2022
As part of their competitive differentiation, Cloudflare is positioning this product against popular social media platforms that offer live video streaming, but require that it be conducted within their walled garden (Facebook, YouTube Live, Twitch, etc.). With Cloudflare’s solution, content producers can embed live video in their web site or app directly, on any device, at scale.
The pricing model for Stream Live is based on storage and delivery per minute of video. Ingestion, encoding and analytics are provided for free. Other platforms charge for bandwidth consumed, making it more expensive to deliver high quality video. Cloudflare charges the same price regardless of resolution. This is possible because Cloudflare already has significant bandwidth provisioned to accommodate all their other services.
During the beta, the Cloudflare product team mentioned that several customers started building live video businesses on top of Stream. They gave one example of Switcher Studio, which delivers a video platform that generates about 100k streams per month for its users. They provide an iOS app that allows creators to produce their own branded, multi-camera live streams. Now that Stream Live is in GA, this activity can be monetized by Cloudflare.
Workers for Platforms to GA
Cloudflare introduced Workers for Platforms back in May as part of Platform Week. This brought an exciting new capability to the Workers product, allowing end users to safely add their own customizations to a SaaS application. Developers could accomplish this by writing their own functions that are embedded into the execution path for that customer’s user experience. This capability appealed to platform providers, like Shopify, that needed the ability to allow their merchants to customize aspects of their stores without requiring Shopify to make that business logic global.
After a little over four months in beta, the Workers for Platforms product was launched to GA. As part of the GA release, Cloudflare introduced a few new features, like a dispatch worker, a user worker, unlimited scripts and dynamic dispatch namespaces. These provide platform customers with more flexibility to control script execution and support more users.
The Cloudflare product team has more features lined up on their roadmap. These include finer grained controls over user workers, metrics, a platform development kit and tighter integration with custom domains. Any existing Cloudflare enterprise customer can request access to the product. Workers for Platforms will generate incremental revenue for Cloudflare because platform providers would execute more Worker scripts, as their customers created custom Workers to inject their own business logic into their user experience on the platform.
Regional Services Expansion
Regional Services was introduced in 2020. It provides an additional layer of control over where customer data can be decrypted and inspected. Under normal operations, Cloudflare distributes customer traffic to the closest data center or one that is less busy. This may cross a country boundary. New privacy laws (like GDPR) require that user traffic must remain within that government entity’s borders. Regional Services allows a customer to override Cloudflare’s normal traffic distribution and ensures that customer data is only decrypted at Cloudflare’s data centers within that country or boundary.
This is a critical requirement for Cloudflare customers in certain regions, like Europe. Many of those customers would be prohibited from using any Cloudflare service that relies on decryption and inspection in order to function. These services include Workers, CDN, bot management and WAF.
When first introduced, Regional Services was used primarily by customers in the European Union and the Americas. In the past year, Cloudflare has been getting a lot of interest from Asia Pacific for similar capabilities. To meet customer demand in Asia Pacific, Cloudflare extended Regional Services to India, Japan and Australia. With GA Week, this capability was brought live. The potential business impact is that customers in these countries can now utilize Cloudflare services that involve traffic inspection, including those mentioned above.
This could drive incremental revenue for Cloudflare in Asia-Pacific. From the Q2 earnings report, we know that APAC contributed 14% of total revenue. It experienced the greatest improvement in y/y growth, hitting 43% in Q2 versus 31% in Q1. I think we can expect Regional Services to open up more cross-sell opportunities and new customer lands in the area.
Other GA Releases
The products covered above represented those that I found to be the most significant. However, GA Week included a number of other releases that are worth mentioning as well. The scope of releases packed into one week was incredible. This represents a testament to the Cloudflare’s team’s sophistication in their development process and the raw productivity in building so many individual products at once. These significantly increase the reach of Cloudflare’s platform, providing more opportunities to monetize. In some cases, the items released represented significant additions to existing products that were highly requested by customers. Presumably, lacking these features limited adoption. With these new additions, these products should experience higher sell-through.
Here is a list of most of the other announcements from GA Week:
- API Endpoint Management and Metrics to GA. Adds the ability to save, update, and monitor the performance of API endpoints for API Gateway customers. This delivers key performance metrics like latency, error rate, and response size to provide insight into overall performance of APIs. This release improves the usability of the API Gateway product for customers.
- Logpush Improvements. Launched three new key features related to the Logpush product. First, they added the ability filter log transmission based on specific criteria. Second, they added alerts to notify DevOps personnel when there are issues in log transmission or flows. Finally, customers can access data on the status and success/failure rates of Logpush jobs.
- New Advanced DDOS Capabilities. Added Adaptive Protection, which learns a customer’s unique web site traffic patterns and applies those to surgically counter sophisticated DDOS attacks. Additionally, Cloudflare launched Advanced DDOS Alerts to provide DevOps personnel with real-time notifications if a DDOS attack is occurring and whether Cloudflare’s DDOS mitigation has engaged.
- Domain Scoped Roles. Account owners can manage their team’s access to Cloudflare by allowing user access to be scoped to individual domains. This improves security and reduces risk by limiting access to just what is needed. The capability is being rolled out to all Enterprise customers.
- Account WAF. Customers can now manage a single WAF configuration that applies to all enterprise domains in one account. This represents a big time saver for enterprise customers.
- SVG support in Cloudflare Images. Based on customer feedback, the team added support for SVG files to the Cloudflare Images product. This was a major hindrance to some customers, who handle SVG files, but had to utilize a separate image platform from Cloudflare to accommodate those. Adding SVG file support should increase adoption of the Images product.
Investor Take-aways
Cloudflare brought 20 products and enhancements to GA over the last week. This represents a phenomenal accomplishment. Just keeping track of the items would be a challenge. In Cloudflare’s case, their architecture dictates that all Cloudflare servers across all data centers run all services. Most software infrastructure companies start to segment out products into different server tiers at this point in order to separate concerns. Separation simplifies code management, testing, performance and maintenance. For Cloudflare to launch 20 products in a week to the same deployment target is simply amazing.
As GA Week wrapped up, the leadership team was already preparing for Birthday Week. They provided a few hints of what to expect. Most notably was the assertion that the industry would be surprised.
In a week’s time it’ll be Cloudflare’s 12th birthday and, as every year, we’ll have a Birthday Week when we’ll announce radically new and different products that are likely to cause a great deal of surprise. The teams above have been working hard on things that will change how people think about Cloudflare.
Cloudflare blog post
We are already getting a view into what was meant, with a breathtaking 12 announcements on Tuesday alone. What is reassuring is that whatever Cloudflare announces, GA Week demonstrated that those products will reach general availability for all customers within a reasonable amount of time. In turn, they will drive the next leg of Cloudflare’s revenue growth as part of a flywheel of continuous innovation and improvement.
Additional Reading:
- Our partners over at Cestrian Capital Research recently published an update on Cloudflare, including financials and some technical analysis.
- GA Week Portal – A single destination covering all product releases with links to blog posts, Cloudflare TV segments and press releases.
NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.
“I think it will be interesting to see if Cloudflare starts to iterate through the magic quadrants for Zero Trust solutions and eventually lands in the Leaders quadrant […].”
There is no “if”.
Hi John,
If this really is you… Keep up the good work! The pace of innovation you and others lead at Cloudflare is jaw dropping. Happy investor from the IPO 3 years ago. Also happy to see you keeping an eye on Peter’s work. He is the best in the biz at covering Cloudflare ☺️.
Thank you for the detailed recap!
Thanks for the great coverage of Cloudflare.