Cloudflare (NET) announced Q2 FY2022 earnings on August 4th, demonstrating better than expected resilience to the macro backdrop, in contrast to many software infrastructure peers struggling with more acute softening of demand. Cloudflare beat revenue projections for Q2 and raised estimates for the remainder of the year. More significantly, they demonstrated a renewed commitment to deliver positive free cash flow, reversing the backsliding in Q1’s report. Growth in large customer additions hit a new record, illustrating Cloudflare’s ability to cross-sell their product suite to enterprises across multiple categories. While DBNRR ticked down a point, leadership is committed to crossing the rarefied threshold of 130%. The market favored the results as the stock popped 27% the following day.
I will share a summary of my reactions to the report, structured around financial performance, product activity and Cloudflare’s broader strategy. I won’t rehash all of the metrics, as those are readily available online in the earnings report and Investor Presentation. Additionally, investors new to the Cloudflare story can catch up on the narrative through my prior coverage.
Growth Metrics
In my Q1 earnings review, I emphasized that Cloudflare’s revenue growth continues along its expected trajectory of 50% annually. With Q2’s results, we hear the same drumbeat, in spite of macro conditions. While the revenue growth rate of next quarter’s guidance ticked down slightly, the same level of beat would keep Cloudflare in its 50% range. The market appreciates this consistency. While there are software infrastructure companies with higher growth rates, the majority of those experienced deceleration this quarter and expect more looking forward.
Specifically, Q2 revenue was $234.5M, which was up 53.8% annually and 10.5% sequentially. This beat Cloudflare’s prior guidance from Q1 for $226.5M-$227.5M, or 48.9% in annual and 7.0% in sequential growth. Q2’s result represented a slight improvement over Q1’s growth rates of 53.6% and 9.6% respectively. Even going back a year to Q2 2021, Cloudflare delivered 52.8% annual revenue growth and 10.4% sequential. The linearity is impressive.
For Q3, Cloudflare guided for $250M-$251M in revenue, up 45.4% year/year and 6.8% sequentially at the midpoint. This beat analyst consensus for $246.9M, or 43.3% annual growth. To be fair, Cloudflare normally raises guidance by more than this. In Q1, they raised the annual growth rate for Q2 by about 6% over what analysts had projected. This quarter’s raise was just over 2%. Given the macro environment and performance of peers, however, I think the market was more than happy with a non-trivial raise. Additionally, if we apply the same relative beats from Q2 to this guidance, revenue growth should come in just over 50%. For comparison, in Q3 2021, Cloudflare delivered 50.9% of annual revenue growth.
For the full year, they also raised guidance to $968M-$972M (for 47.8% growth), up from their prior guidance range of $955M-$959M (for 45.8% growth) set in Q1. This raise was about $13M at the midpoint, greater than the $7.5M beat from Q2. The size of the raise was likely part of the market’s favorable reaction for NET stock, as peers had either lowered their full year guidance or raised it less than the Q2 beat. Assuming similar beats in Q3 and Q4, Cloudflare could end the year with annual growth over 50%.
Additionally, the implied Q4 revenue at this point is $272.8M, up 8.9% sequentially and 40.9% year/year. If Cloudflare beats estimates in Q3 and Q4 at a similar cadence, Q4 revenue growth would push into the high 40% range. This would represent a little deceleration, but acceptable given the environment and performance of peers. As an example, Datadog’s revenue growth rate is projected to drop from 74% in Q2 to 35% in Q4, based on current guidance. I also own DDOG stock and provided more detail on their opportunity in a recent post.
Other growth metrics were favorable as well. RPO was $760M at the end of Q2, up 10.4% sequentially from Q1 and 57% year/year. In Q1, RPO was $688M, up 10.2% sequentially and 57% annually as well. Current RPO is 76% of total RPO, which was the same as last quarter. RPO growth appears to have stabilized in the 50% range and is on par with revenue growth.
Growth by geography was fairly consistent with the prior quarter and showed a nice acceleration in APAC. A total of 47% of Cloudflare’s Q2 revenue was international, the same as Q1.
- U.S. was 53% of revenue, increasing 55% y/y (Q1 – 56% growth)
- EMEA was 26% of revenue, increasing 54% y/y (Q1 – 57% growth)
- APAC was 14% of revenue, increasing 43% y/y (Q1 – 31% growth)
In Q4, US growth was 52%, EMEA was 60% and APAC was 29%. On the earnings call, the CFO called out headwinds from currency fluctuations. Because Cloudflare prices its products internationally in dollars, they don’t provide a constant currency adjustment like some SaaS peers. However, their products become more expensive to foreign buyers as the dollar appreciates. He said this was causing some “elongated sales cycles at the high end of the business.” This impact can be seen in the EMEA growth rates, which dropped from 60% in Q4 to 56% and then 55% this quarter.
Cloudflare’s leadership team offered some generalized perspective on the demand environment. They traced the slowdown in spend back to Q1, where they started seeing the pipeline constrict, sales cycles extend and longer periods for invoice payments. Because most of Cloudflare’s revenue is generated through monthly billing, they had the advantage of observing this behavior earlier than some of their peers.
The CEO discussed this market insight in his opening remarks and how Cloudflare was able to pivot their GTM messaging quickly. Given the visibility into an economic downturn, they shifted the product messaging to focus on ROI. Cloudflare highlighted the ability for customers to save money, by consolidating spend from multiple point solutions onto Cloudflare’s platform. He acknowledged that these messages weren’t as important in 2021, when companies had plenty of cash on hand and were chasing growth.
He also drew a distinction between difficulty in signing new large deals and expanding their spend with existing large customers. The latter has been easier in this environment for Cloudflare, and is reflected in the strength of their large customer growth. While Cloudflare highlighted a number of enterprise wins, they also acknowledged that sales cycles are taking longer. With 29% of the Fortune 1000 as Cloudflare customers already, Cloudflare’s CEO sees a lot of opportunity to continue pursuing a consolidation and spend expansion strategy until the macro situation improves.
In Q2, leadership reported that they are starting to see some stabilization. They aren’t ready to call the “all clear”, but metrics seem to be trending a little better than before.
“In that spirit, let me share some more details of what we saw and are seeing. In Q1, our pipeline generation slowed, sales cycles extended, and customers took longer to pay their bills. We watched those metrics closely throughout Q2 and saw them all at least stabilized. They’re not where we throw up hooray yet, but the metrics are trending in the right direction.”
Cloudflare CEO, Q2 earnings call
With that said, the CFO discussed experiencing elongated sales cycles at the high end of their business, with customers spending $500k-$1M seeming to be the most pronounced. He also mentioned deterioration of performance in Europe over Q1 and Q2 (aligns with my prior comments on growth rate in that geo). Given this behavior, the CFO said they are not assuming an improvement in these demand trends through the rest of the year, which is reflected in their “more prudent and cautious guide for the third quarter and the end of the year.”
Given where the actual Q3 and full year guidance landed, I am pretty encouraged by this commentary. It indicates that under normal circumstances, both Q3 and Q4 revenue growth likely would have stayed well above 50%, perhaps even accelerating somewhat.
Profitability Measures
One of the primary investor concerns coming out of Cloudflare’s Q1 report was the large step backwards in free cash flow generation. It appeared that Cloudflare leadership might be lowering the priority of profitability over growth. The company largely put fears of backsliding to rest in the Q2 report, however, with the CEO reiterating his focus on FCF margin.
Non-GAAP gross margin was 78.9% in Q2, up 90 basis points over the prior year. This compares to 78.7% in Q1, representing a 20 bps sequential improvement. Cloudflare is delivering these improvements in spite of significant increases in network utilization. In Q1, management shared that usage of Cloudflare’s network was up 76% year/year. Yet, this outsized increase isn’t negatively impacting gross margin. Leadership points to their high network efficiency as a competitive advantage and intends to use their pricing power to take market share.
Competitors who lease their data centers and network infrastructure from other providers, or maintain legacy, hardware-driven network routing, don’t have this advantage. Their costs would increase proportionally to utilization, particularly where they leverage infrastructure from the hyperscalers. While Cloudflare’s operation of their own infrastructure is a drag on free cash flow through CapEx spend, it provides this elasticity to operating margins.
For Q2, non-GAAP loss from operations was $0.9M, for 0.4% operating margin. This compares to a loss of $4.0M, or 2.6% of total revenue, in Q2 2021. In Q1, Non-GAAP operating income was $4.9M for 2.3% operating margin. The CFO did clarify that operating margin would have been positive in Q2, if not for the Area 1 Security acquisition.
Looking forward for the remainder of the year, Cloudflare leadership projects income from operations of break-even to $1M in Q3. For the full year, they are estimating operating income of $7M-$11M. The latter is encouraging, as that implies at least $4.5M in operating income for Q4, or operating margin of 1-2%. Even with some pressure on revenue generation through the year, Cloudflare appears committed to maintaining operating income just above break-even.
Cash flow from operations in Q2 was $38.3M, compared to $7.5M for Q2 of 2021 and -$35.5M in Q1. While Q1 was impacted by a large withholding tax payment of about $30M, Q2 cash flow from operations increased much more than that. Adjusting for CapEx, FCF in Q2 was -$4.4M for a FCF margin of -1.9%. A year ago, FCF was -$9.8M or -6.0% FCF margin. Q2 FCF is up substantially from -$64.4M and -30% FCF margin in Q1. Additionally, management reiterated their commitment to deliver positive FCF margin in the second half of the year. This includes an allocation of 12%-14% of revenue to CapEx for the remainder of 2022.
Looking at how Cloudflare is allocating their operating expenses is enlightening. As investors will recall, at the end of 2021, Cloudflare reached break-even on operating income. This followed a couple of years of gradual improvements in operating margin from significantly negative to break-even. Any gains in operating leverage were being invested to increase operating margin. After the company hit break-even, though, they decided to remain at break-even and continue investing in business growth. This implies that spending could actually increase on a relative basis, since operating leverage gains would be applied to support higher operating expenses. This effectively means that operating expenses would increase proportionally to revenue growth going forward.
This shift likely explains the increase in staffing rates from Q4 to Q2. In Q2, Cloudflare delivered another strong hiring quarter. They increased headcount by 49% year/year to 3,060 employees. This was up 11.3% from Q1’s total of 2,750 (which was up 42% year/year). They ended Q4 with 2,440 employees, which represented annual growth of 36%. For Q2, the headcount growth was just slightly below annual revenue growth. They do plan to slow the velocity of hiring in the second half of 2022 to account for “macroeconomic uncertainty”.
I like to look at spending allocations in each category relative to revenue on a GAAP basis to include the cost of SBC:
- R&D: 32.0% of revenue in Q2 2022 ($75.1M), versus 27.1% a year ago
- S&M: 50.2% of revenue in Q2 2022 ($117.6M), versus 49.9% a year ago
- G&A: 21.5% of revenue in Q2 2022 ($50.5M), versus 19.0% a year ago
We see an increased investment in R&D, with S&M allocation roughly staying flat year/year. G&A ticked up as well on a GAAP basis, due to a larger increase in SBC year/year. On a Non-GAAP basis, G&A actually came down by a percentage.
While Cloudflare’s leadership plans to keep operating margins at roughly break-even, they do want to drive free cash flow generation as much as possible. The CFO discussed some “levers” that are available to improve FCF generation on the earnings call. The biggest opportunity that he pointed out is to move to annual billing for large customers. This tactic is applied by many of Cloudflare’s peers in software infrastructure. The advantage is that by billing annually up front, they can collect and recognize the cash flow in advance of rendering service.
Cloudflare traditionally has operated in a pay-as-you-go model, where customers provided a credit card and were charged each month. Most of their revenue is still based on monthly billing, even as they land and expand into larger enterprise customers. They have started taking the first steps towards annual billing engagements. Additionally, the CFO mentioned running a cross-functional team that is identifying other areas of the business that could be optimized for cash conversion.
He said they are making good progress. I point this out, because Cloudflare is at the beginning of this process. This helps explain some of the disparity between Cloudflare and other software infrastructure peers. Granted, Cloudflare will generally have a larger CapEx component, which they are targeting at 12-14% of revenue. But, they have an opportunity to improve the total cash flow amount in advance of subtracting out CapEx to get to FCF. This exercise should help further improve FCF margin over time.
Customer Activity
Cloudflare’s growth in large customers was the highlight of the quarter. This reinforced the CEO’s commentary about finding success in expanding spend with existing large customers by pivoting their messaging towards cost savings through tool consolidation. In Q2, Cloudflare added 212 new large customers (defined as having annualized revenue greater than $100k) to reach 1,749 large customers. This was up from 1,537 at the end of Q1, or 13.8% sequentially and 61% annually.
Q2’s additions represented a record for Cloudflare. In Q1, they added a paltry 121 large customers. Going back further, they added 156 in Q4 and the prior record count of 172 in Q3. Q2’s count beat the prior record by 23%.
Another important metric is that these large customers now account for 60% of Cloudflare’s revenue, up from 58% last quarter and 50% a year ago. These customers provide more consistent revenue generation, as opposed to SMB pay-as-you-go customers. As discussed earlier, larger customers also provide the opportunity to introduce annual billing up front, which will help drive an increase in cash flow generation.
In Q1, Cloudflare pointed to strength in customers spending over $1M a year, which was up 72% y/y. At an even higher spend level, leadership highlighted the fact that 12 customers and partners now spend over $5M a year. We hadn’t heard a reference to this level of spend previously, underscoring leadership’s messaging that Cloudflare can attract large enterprise spend for customers interested in consolidating a number of network and security use cases onto a single platform. To further underscore the large spend upside potential, leadership highlighted an expansion deal with an existing Fortune 500 software customer bringing their spend to $15M a year.
Cloudflare’s dollar-based net retention (DBNRR) was 126% in Q2, which was down 1% over Q1, but up 2% over the prior year. This is an impressive DBNRR, relative to other software companies. However, the CEO stated on the earnings call that they “won’t be satisfied until it’s above 130% and best of breed among the companies we consider peers.” I agree that a DBNRR over 130% at this scale would place them in the upper echelon of performance.
In Q1, Cloudflare reported a record number of new paying customer additions at 14k, bringing the total customers to 154,109. This number turned out to be inaccurate, due to a bug in their reporting software. The actual count for Q1 was 148,184 and then they reached 151,803 in Q2. This represented just 2.4% sequential growth and about 20% annually.
If we didn’t see such strong growth in large customer activity, I would be concerned about these headline customer metrics. However, leadership clarified that these “pay-as-you-go” customers only make up 11% of their revenue. These lower tier customers also exhibited higher churn as many of them shifted down to the free tier to save money.
In his opening remarks, Cloudflare’s CEO called out a few major customer wins. There were a few common themes among these that are worth highlighting as part of the investment thesis:
- Large customers are subscribing to multiple Cloudflare products in order to consolidate vendors and save money. An example was a Fortune 500 retailer in Europe with a $1M deal over 3 years. They subscribed to WAF, CDN, bot management and a few other application protection services. Cloudflare’s sales team is now discussing further expansion into Zero Trust products.
- Some competitive wins in Zero Trust. The CEO highlighted one win with a Fortune 500 energy company that had been using Zscaler. Later he called out another deal with a large advertising conglomerate for $1.7M as a competitive win. In both cases, the customers found Cloudflare easier to use and more performant. The CEO reiterated their favorable win rates against Zscaler and Palo Alto Networks. Granted, we may not have the full story (perhaps some losses too), but it appears that Cloudflare is gaining traction in Zero Trust.
- Cloudflare is reproducing the success of competitors in leaning on channel partners for Zero Trust. They claim to have engaged with half of Zscaler’s top channel partners. This resulted in a Fortune 500 industrial company win for a $1.3M upsell.
- They are achieving some government traction with individual agencies, in spite of not having FedRAMP certification yet. They referenced a $770k expansion deal with the State of Arizona.
- The CEO highlighted the strength of the new Workers for Platforms offering. This allows other technology providers to embed Workers into their platforms to provide their end users with extensibility. In Q2, Cloudflare signed deals with one of the largest e-commerce platforms (Shopify), one of the fastest-growing web development platforms and a next generation database platform. These deals represent several hundred thousand dollars in revenue each. More importantly, developers using those companies’ offerings will be exposed to Workers.
- Finally, the CEO referenced several security companies that are using Cloudflare services like DDOS to protect their own applications and networks. He listed a public security compliance vendor, a leading endpoint security provider and one of the largest data security vendors. These all signed multiyear contracts each worth more than $700k. And, of course, he had to point out again that Zscaler uses Cloudflare for DDOS (you’d think they would have switched this to Akamai by now).
Product Updates and Strategy
Cloudflare operates a globally distributed network of 275 data centers (sometimes referred to as PoPs) in proximity to population centers that span more than 100 countries. These are connected by a private network with dynamic, software defined routing. Each data center delivers the same set of services and includes significant compute power with which they can perform full packet inspection. This high level of network traffic and granular data packet processing is a consequence of Cloudflare’s best-in-class DDOS, WAF and bot mitigation services.
Cloudflare continues to grow its network reach, regularly adding new data center locations with more compute power, data storage and network interconnects. In the time since Investor Day in May 2022 (reflected in the slide above), Cloudflare’s latest network stats show an increase in data centers from 270+ to 275, 10,500+ interconnects to 11,000 and 142 Tbps of network capacity to 155 Tbps. That was in the span of 3 months.
Enterprises can easily connect their corporate network, offices and employees to the same Cloudflare network, providing a more reliable and secure experience than traversing over the public Internet. All Cloudflare data centers host all services – application services (DNS, CDN, WAF, DDOS), the developer platform (Workers, data storage, email, video streaming, JAMstack), network services (FWaaS, smart routing, IDS, network interconnect) and their new security services (ZTNA, DLP, CASB, SWG, email, browser isolation). Because every data center mirrors the other, traffic isn’t routed to centralized data center hubs for handling individual functions like inspection or filtering. User traffic is processed at the closest data center onramp and then traverses the Cloudflare network until it arrives at its destination.
From this global platform of fully distributed services, Cloudflare has been launching multiple product offerings. Each product segment has an adoption curve, or “S curve”, which tracks the progression of disruptive changes in the implementation of a particular technology. In Cloudflare’s case, they are leveraging their unique network and system architecture to deliver Internet infrastructure services in ways that are more performant, convenient and cost-effective than the incumbent approaches.
As was the case when Christensen published his seminal book, The Innovator’s Dilemma, in 1997, this disruption often builds slowly and then rapidly accelerates in adoption as it hits the growth phase of the S curve. As the theory goes, large incumbents don’t notice or care for the disruptive approach, until it is in the rapid growth phase. By that point, however, it is often too late to react, as a pivot to a completely new architecture, sales process and customer base is bogged down by organizational inertia.
Cloudflare’s product strategy is to leverage their inherent architectural advantages to launch new offerings across adjacent categories of infrastructure services, effectively “stacking multiple adoption S curves one behind another.” To be fair, not all S curves will progress at the same rate and some smaller offerings may fail, but this approach is behind every new offering that Cloudflare announces.
While this product strategy sounds interesting on the surface, investors are reasonably expected to ask what makes Cloudflare’s approach unique, versus incumbents and related software infrastructure companies, whether those be the hyperscalers (AWS, Azure, GCP), other CDN providers (Akamai, Fastly) or security companies (Palo Alto, Zscaler). I think Cloudflare’s competitive advantages can be distilled down to several factors. It is the combination of these factors that makes Cloudflare unique, as some competitors exhibit one or two of these, but not all.
- Owned Data Centers and Network Infrastructure. Cloudflare owns and operates all of its 275 data centers. It also controls the network traffic between these data centers, intelligently routing traffic across its 11,000 network interconnects. Because Cloudflare runs their own data centers, they have direct access to all equipment down to the hardware level. This allows them to fully optimize network performance and their compute/storage layers. Only a few other companies operate this large network of globally distributed data centers. Most other software service providers (runtimes, distributed data, security services) layer their offerings over hyperscaler infrastructure. This limits their control, customization, reach and pricing elasticity.
- Distributed and Uniform Topology. As mentioned previously, Cloudflare has gone to great lengths to design their system architecture such that every service runs on every server in every data center. Competitive offerings (both hyperscalers and independents) often segment services by data center, network or clusters of servers. That segmentation makes new offerings faster for them to roll out, but limits the service footprint and performance by requiring user traffic to be directed over specific networks or backhauled to central locations.
- Fully Programmable. With their Workers product, Cloudflare layers a fully programmable runtime over their core network and security services. This allows engineering teams at enterprise customers to customize any aspect of their service or add new capabilities that are unique to their needs. Competitive Zero Trust offerings don’t support a development environment. Any customization would either not be possible or have to be addressed by one-off consulting engagements. This option for customization is appealing to enterprise customers who may want to future proof their implementation.
- Re-use of Platform Primitives. In addition to the benefits to customers from programmability, the Cloudflare internal engineering team leverages Workers to build many of their product offerings. This has the benefit of “dogfooding” the development environment. More importantly, it accelerates product delivery. As the Cloudflare engineering team builds out the platform, they design in terms of re-usable platform primitives and composability. Each new service becomes a building block for a more sophisticated product offering in the future. This reduces development time for each new innovation, as Cloudflare software engineers can pull production-ready components off the internal shelf to assemble into the next product offering. Workers is the cornerstone of most new application offerings. As an example, Durable Objects provides the mapping layer for R2. RTC uses Cloudflare for Teams to manage user access permissions.
- Accelerating Product Delivery. Cloudflare’s culture embraces rapid innovation. This manifests as a constant stream of product releases, often bundled into “Innovation Weeks”. For 2022, Cloudflare has committed to 7 of these Innovation Weeks, where each usually includes as many product launches and improvements as slower competitors might include in a full year. In their Founder’s Letter from September 2021, leadership even pointed out that “the pace at which we are able to launch innovative new products is accelerating.” A simple comparison of deliverables from Birthday Week 2021 to 2020 makes this statement obvious.
- Free User Base. Unlike competitors, Cloudflare offers most of their services on a free user tier. Geared for personal or low usage, Cloudflare has millions of customers at this level. While this sounds like it would create terrible unit economics, Cloudflare actually leverages these free users for significant value. First, these users generate low relative traffic levels. Since many of Cloudflare’s costs are fixed, servicing the free users doesn’t create much incremental cost to Cloudflare.
  - In exchange for free usage, the Cloudflare product team uses the free tier for testing of new product offerings. These users can tolerate some bugs or service issues. Also, they provide valuable feedback to help improve the new product offering. This harnessing of the free user tier saves Cloudflare material costs in QA resources, which normally would be needed to stress test new products.
  - Free users are often individuals managing their own personal hosting or network connectivity on Cloudflare. These individuals usually have a professional job at a company where they can make a technology purchase recommendation. Familiarity with Cloudflare products brings Cloudflare into the vendor consideration without requiring sales and marketing spend.
  - Free users provide the network traffic to justify new network peering relationships. It can be difficult for a new market entrant to access an ISP’s customers through a peering relationship. However, with millions of free users, it is easy for Cloudflare to demonstrate to a small country that many of its citizens are already Cloudflare users.
  - Free user traffic provides valuable data to optimize traffic routing, security response and new product ideas. Cloudflare’s security products are made more effective as traffic flows increase. They can detect threats faster than peers as a consequence of their vast reach beyond the standard corral of enterprise employees.
While that exercise was a little exhaustive, I think it is important as we consider what makes Cloudflare unique and provides competitive advantage. Some simple examples help make this distinction clear.
- Zero Trust (Palo Alto, Zscaler). Palo Alto leverages hyperscaler infrastructure for their network, removing full control over routing and hardware optimization. Zscaler operates their data centers, but offers a less extensive network footprint (mostly U.S. and EU) and segments services by network. Neither provider supports a development environment for programmability and customization. They also don’t benefit from the enhanced security signals provided by a free user tier.
- CDN Providers (Fastly, Akamai). Neither offers a free user tier, beyond a restricted trial. Their pace of innovation is slow. Fastly is still trying to add more than one data storage option to their compute tier. Akamai’s edge compute offering was languishing, until they bolted on capabilities through the Linode acquisition.
Cloudflare is leveraging these competitive advantages to enter adjacent markets where they have an opportunity to disrupt incumbent offerings. For Zero Trust and application security, the baseline surprisingly represents on-premise, physical devices, like VPN servers, firewalls and traffic shaping. For development services, they are providing an alternative to large, centralized data centers for application use cases that would benefit from geographic proximity and responsiveness. For network services, this represents MPLS circuits and eventually last-mile connectivity from telcos.
Cloudflare leadership groups these offerings into “Acts”, with the following rough associations. Each product offering is on its own S curve in this context:
- Act 1: Application services and protection. Cloudflare’s original offerings in DDOS, DNS, CDN, WAF and bot management.
- Act 2: Zero Trust. Current adoption curve, focusing on SSE, SASE and network services all bundled under the Cloudflare One umbrella. A lot of development activity is happening in this category.
- Act 3: Distributed development environment and data storage. Active development with heavy adoption expected over the next few years. Includes Workers and Data Storage solutions (KV, Durable Objects, R2, D1, Pub/Sub).
- Act 4: Localized network connectivity. Provide a secure network connection to consumers and businesses, circumventing dependence on local ISPs and telcos. Cloudflare for Offices provides the entry point.
These opportunities align with multiple addressable markets that Cloudflare intends to disrupt. The total is sizable, estimated to be $115B this year. Like the S curve analogy, these addressable markets are layered one over the other, with the quantified components including Application Services, Zero Trust, Network Services and Object Storage.
While Cloudflare isn’t quantifying the addressable market for Workers (Serverless) and Database offerings at this point, I find it interesting that they have estimated R2. That product is in open beta now. During the Q2 earnings call, Cloudflare’s CEO committed to bringing it to GA at the end of Q3 (perhaps Birthday Week 2022). I think it is interesting that R2 already has a TAM associated with it. This likely reflects an expectation of revenue contribution starting in late 2022 and ramping in 2023. Based on initial data about customer usage and pricing, I had previously estimated that R2 could be a $30M business line.
Bundling
As we consider Cloudflare leadership’s commitment to reach the goal of DBNRR > 130%, I think the key tactic will be product bundling. During the Q2 earnings call prepared remarks, the CEO made several references to the opportunity to cross-sell multiple products to enterprise customers. He shared that 29% of the Fortune 1,000 are Cloudflare customers (up from 26% at end of 2021). Many of those are using one or two products, usually in the Act 1 Application Services. Cloudflare’s revenue growth and large customer expansion are being driven by these large enterprises adopting additional products.
And so, what we really want to focus on is how do we get them to use more of our platform. And what I think is unique about Cloudflare is we’ve already got the products in place where we can have those customers adopt our — more and more our platform. There is not a single customer that uses every single feature of Cloudflare’s platform today in terms of a contracted customer. And so, I think that’s where we really see that growing.
Cloudflare CEO, Q1 Earnings Call
We are already seeing evidence of this cross-sell motion. During their Investor Day presentation in May 2022, the CFO shared the percentages of paying customers using each product segment. The attach rates displayed were as of the end of 2021. As expected, the Act 1 products in Application Services were adopted by 75% of paying customers, with other products reaching 10-15%.
For Zero Trust, the adoption level was already pretty encouraging. Considering that Cloudflare had about 140k paying customers at the end of 2021, the May 2022 data represented at least 14,000 Zero Trust customers. In a Protocol article published in July, the company updated that metric to more than 15% or over 23,000 customers as subscribers of Zero Trust products. That represents a 64% increase in customers over a 7 month period.
With that growth, I think we get a sense for why Cloudflare leadership continues to emphasize their traction in Zero Trust deals, even to the detriment of competitors. Granted, I think Zero Trust in general is in the rapid adoption cycle of the S curve for enterprises, so it’s likely that competitive offerings from Zscaler and Palo Alto are growing rapidly as well. Nonetheless, I think Cloudflare’s inherent advantages in network coverage, performance and bundled services will keep its win rates high for contested customer deals.
FedRamp
With government agencies under a federal mandate to improve their security posture, this year and next represent prime time to sell Zero Trust into federal, state and local government organizations. While FedRamp formally applies to federal agencies, other government entities often use the labeling as a filter for vendor consideration. To Zscaler’s credit, they have achieved the highest levels of FedRamp certification and are well positioned to sell into all government agencies.
Cloudflare provided an update on their FedRamp status during the Q2 earnings call. The CEO drew the analogy of being at the DMV and waiting for one’s number to be called. He expects to receive FedRamp approval in Q3, but of course, has no control over when that will actually occur.
FedRamp approval isn’t required to work with government agencies – it just streamlines the review process. Cloudflare already has several individual agencies as customers, but each had to perform their own security review. FedRamp certification allows government agency customers to skip an individual verification for a new vendor. FedRamp would also provide a further tailwind for state and local government deals, like the example given previously with the State of Arizona. In Q1, Cloudflare also highlighted a customer win with a midwest U.S. state government for a 3 year $5.1M deal.
Area 1 Acquisition
Cloudflare’s acquisition of Area 1 Security appears to be paying off on multiple levels. Area 1 Security provides organizations with a platform to block email security threats, including phishing attacks, malware, business email compromise and ransomware. Area 1 Security’s capabilities have been integrated into Cloudflare’s Zero Trust strategy and are now the center of their email security offering.
Security breaches initiated through email phishing attacks are becoming one of the most common threats to enterprises today. Deloitte research has found that 91% of all cyber attacks begin with a phishing email. The FBI received 19,954 Business Email Compromise (BEC) and email account takeover complaints in 2021 with adjusted losses of $2.4 billion. Email security needs to be part of any enterprise’s Zero Trust strategy.
Yet, many competitive Zero Trust platforms don’t include a targeted solution for email security. This provides Cloudflare with a go-to-market advantage, as every enterprise has an issue with phishing. Activating Area 1 with new customers is seamless. On the Q2 earnings call, Cloudflare’s CEO referenced wins from very large customers. They are cross-selling email security into their existing customers, resulting in “$1 million-plus wins that close in — oftentimes in a matter of days or a short number of weeks.”
Additionally, the Area 1 Security team is accustomed to selling through channel partners, which is a new motion for the Cloudflare sales team. In this case, the Area 1 sales team is taking the lead on establishing Cloudflare’s new channel partner program.
Finally, as I mentioned in a past blog post, Cloudflare’s new Cloudforce One threat operations and research team is being led by Area 1 Security’s co-founder and head of their threat intelligence function. He was a founding member of CrowdStrike’s services organization, and before that a Computer Network Exploitation Analyst at the National Security Agency (NSA). Other team members possess similar expertise in security analysis and operations. The team’s primary objective is to track threat actors and disrupt them by publishing tactics, techniques and procedures (TTPs) for Cloudflare One products to harness.
Partner Co-Selling
Cloudflare has typically not relied on channel partners to help sell their products. The thinking was that Cloudflare Application Services were usually straightforward to set up directly with the customer and didn’t benefit from another layer of value-added services to configure. Zero Trust products, however, generally require more complex planning and integration. Because of that, they are also higher margin, providing some room for partners to add value.
For these reasons, Cloudflare is aggressively building a partner co-selling program. To seed the partnerships, they claim to have “successfully signed up half of Zscaler’s top channel partners as new Cloudflare partners” in Q2. In their view, these partners were happy to have multiple Zero Trust solutions to offer to their customers. This is helping with deal flow. Additionally, as I mentioned above, the Area 1 Security sales team already had a lot of experience working with channel partners and bootstrapped Cloudflare’s partner program.
Take-aways and Investment Plan
Overall, I thought Cloudflare’s Q2 results were impressive, given the macro backdrop and associated pressure on software infrastructure peers. Not only did they beat Q2 expectations, but they projected reasonable continuity of growth. Their forward guidance incorporates a little softness, but not to the extent that other software companies have experienced. For me, this outperformance on the top line in this environment implies that performance would have been even stronger without macro headwinds.
In addition to revenue growth, improvement in profitability measures was a welcome surprise. Again, given macro circumstances, many companies are getting a pass for minimal improvement on the bottom line. Yet, Cloudflare renewed their commitment to break-even on operating income and positive free cash flow. I think investors were rightfully worried that the company would pull back on its second half of 2022 target for positive FCF. Instead, the company delivered marked improvement and the CEO voiced his commitment. Additionally, the CFO highlighted some low hanging fruit that would boost cash flow generation (like longer billing cycles).
Of all the performance, I think the real strength goes to large customer activity. Cloudflare is pursuing a tangible opportunity to expand spend with their larger enterprise customers. With a foothold in Application Services, they are rapidly cross-selling other products to expand spend. This is particularly evident in Zero Trust, where they increased product attach rates by over 60% in half a year. This drove a record number of incremental large customers in Q2 spending over $100k in annual revenue. Further, the CEO articulated a goal to pass 130% in DBNRR, which I consider best-of-breed among software companies.
Finally, this strong execution is applied to the backdrop of an enormous addressable market with multiple product categories to pursue. As the CEO says, Cloudflare is “stacking S curves”. While that could be construed as hyperbole, Cloudflare has a real competitive advantage in their platform architecture, culture and go-to-market strategy. As I discussed, I think the combination of these factors makes them unique among peers. No other competitor has matched Cloudflare’s blend of network reach, architectural simplicity, programmability, customer composition and pace of product development.
For these reasons, I find Cloudflare’s long term growth thesis intact and recognize the potential to become a much larger provider of software, network and security services in the future. While its valuation will always be considered high, and is certainly higher than the June lows, Cloudflare’s product strategy and execution will keep delivering strong revenue growth for many more years. Combined with favorable free cash flow generation, Cloudflare will justify a premium valuation.
For my portfolio, Cloudflare now has the largest allocation, primarily as a result of the surge in stock price following the Q2 earnings announcement. After the earnings results for NET and DDOG, I decided to shift a few percentage points of relative allocation from DDOG to NET. While I think both companies will be successful long term, NET stock had been depressed further YTD, likely offering a little more upside over the next year.
NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.
Additional Reading
- Muji at Hhhypergrowth provided his take on Cloudflare’s results as well. Our interpretations of the results were similar and he always provides additional valuable perspective for investors considering a position.
- Referenced Protocol article on Cloudflare’s Zero Trust strategy
- The Theory of Disruptive Innovation from the Christensen Institute for more on S curves.
Act 3 products are maturing quite fast. I won’t be surprised if they overtake act 2
Thank you for nice write up.
Fantastic overview Peter. Very much appreciated.
… and the same from me.
I have to say Peter, I didn’t think Cloudflare could keep growing even after lapping Covid numbers. I usually stay away from companies trading at 26x revenues, but if this 45%+ YoY growth is durable and stays until 2030, NET can reach $18b revenue run rate and command a 10-15x revenue multiple still giving investors a potential upside of 7x-10x. Even if multiples contract to 3x, that’s still a not too shabby 2x from here. The risk-reward looks really good.
Am I missing anything in the way I’m thinking about this as an investment?
Hi Yuva – While it does sound like a stretch on the surface, I don’t see any reasons that Cloudflare couldn’t accomplish what you are projecting in terms of revenue growth. As I pointed out in the article, I think that their architecture and organizational execution make them unique and position them to pursue a number of different TAMs. They appear very adept at finding product/market fit and leveraging their existing position with customers to expand spend. I would be really excited to see DBNRR hit the 130% target and stay there. When that happens, your revenue projections seem even more realistic.
I agree. At 126%, it’s a stretch to be honest. I haven’t bought it because of the valuation mainly which puts a lot of execution risk into it. I’m attracted to Twilio now which is at a 14b valuation and makes 3.4b, growing organically north of 30%. I am getting what looks like a lower quality company (lower gross margins, no control over telco costs), but the valuation justifies it and offers a floor of some sort. Smell check = better risk reward.
Any plans to cover Twilio’s earnings? Is that part of your coverage at the moment or is it a smaller position for you that is lower priority?
PS : I didn’t get an update by email when you replied to my comment.
Hi – I actually am planning to publish an update on Twilio, including their Q2 results. I had held the stock back in 2020-2021. I have also written a number of articles on the company during that period: https://softwarestackinvesting.com/tag/twlo/.
Thank you Peter
I have a much larger NET position relative to TWLO. NET also is barely scratching Cloudflare Workers edge computing, still in early innings as use cases expand in the coming years (e.g. autonomous driving, telehealth, IoT).
“Lloyd’s of London has announced that its insurance policies will no longer cover losses resulting from certain nation-state cyber attacks or acts of war.” (google that for more details)
I don’t know if insurance against nation-state cyber attacks will be available from other insurers, but they took the story seriously on Gestalt IT (a short spot in a youtube video with Qualcomm in the title). I also don’t know how it will affect Cloudflare or other cyber security businesses, because I don’t know what it takes to get execs to take cyber security seriously enough. For example, Nvidia had a massive hack in February, though not by a nation. The CEO described the experience as a “wake-up call” and said Nvidia needed to move to a zero trust security posture. That’s after a blog piece on Nvidia’s site titled “NVIDIA Creates Zero-Trust Cybersecurity Platform”, dated November 9, 2021. I’m guessing Nvidia isn’t the only organization that will lock the stable door after the horse has bolted, though I hope the Lloyd’s move generates some action.
I think this is a great point. In the past, enterprises relied on insurance to offset the costs of cyberattacks and breaches. If insurance companies will no longer cover this expense or raise premiums, then enterprises will need to invest more in security. At minimum, they could shift premiums into better security coverage.
Amazing thesis! Thank you for sharing!
I think the biggest competitive advantage of NET is their product offering path and speed, their strategy, innovation not only in tech but in business. Also, their architecture. I believe their uniform topology is unique, but it’s more like some kind of balance or choice. ZS choose a more cost-effective topology while NET choose another one. But if ZS want to change their topology to NET’s type, is it easy? What I am not sure is like if NET’s architecture is its moat, other competitors can copy that easily?
Thanks for the feedback. NET’s architecture and current topology would be very difficult for another company to copy and would take a fair amount of time. Things that they would need are 350+ data centers, 11,000 individually negotiated network peering relationships (many with countries/ISPs that aren’t openly receptive to this) and a system architecture that runs all services on all boxes in parallel. Competitors (like ZS) rely on the hyperscalers for a good portion of their architecture, so changing that around would require a lot of new investment that they probably couldn’t justify at this point. On top of their network architecture, Cloudflare has compute and data storage capabilities that are more advanced than other Zero Trust providers (that don’t have any) and other CDNs (Akamai, Fastly). Finally, they have millions of “free” users which they leverage for testing new features, generating security insights and getting ideas for new products. All of these factors make Cloudflare fairly unique, with a large competitive moat in my opinion.
Thank you for your reply! I agree that it’s somehow difficult for the peers to copy NET’s architecture, but I still have some questions on that.
1. I think ZS own and operate their data centers? It’s PANW who relies on hyperscalers? So if ZS own their data centers, is it easier to change that?
2. For the part of compute and data storage capabilities, I think Fastly also has the edge compute and data storage capabilities?
3. The system architecture that runs all services on all boxes in parallel, I think it’s something like hardware virtualization. Akamai don’t have it, but how about more modern peers like ZS and Fastly? I think they also have relatively advanced architecture.