Frankly Speaking - Cloudflare is the most underrated security company
Let's stop talking about Palo Alto Networks and Crowdstrike
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
RSA is around the corner. I will be around (unfortunately…). If anyone wants to meet to make it more bearable, let me know!
I am actively hiring! If you or anyone you know is excited to securely build a mental healthcare platform that everyone can access at Headway, please consider applying or reach out to me.
I’ve written articles about how various security companies like Crowdstrike, Zscaler, Okta, and Palo Alto Networks will fail. For many who know me, the reason is that I believe they are companies of the “present,” i.e. not legacy companies with legacy products, but they are not companies of the “future.” They are more concerned with keeping their market share rather than taking risks and increasing it (at least from what I see in their products).
It’s only befitting that I talk about a company that I’m personally a huge fan of — Cloudflare. Rather than talking about how Cloudflare will fail, I’m going to discuss why it’s the most underrated security company.
What is Cloudflare?
Some know Cloudflare as a content delivery network (CDN) that competed with Akamai and Fastly because they started as one. However, more recently, much of their messaging has changed to focus on security. Unlike Akamai and Fastly, which still market themselves as CDNs with a strong focus on security, Cloudflare feels like it has gone all-in on security.
This is smart because one of the reasons that Akamai chose to expand into the security business is that it’s a large market with higher margins. (Also, it’s an easy adjacency for them to expand into, but more on that later.)
Why do I think they are an underrated security company?
To start, they aren’t brought up in many of the same conversations as other large security companies like Palo Alto Networks, Crowdstrike, etc. Not that Jim Cramer is the best indicator of a successful cybersecurity company, but he has regularly brought up Palo Alto Networks, Crowdstrike, and Okta. However, he doesn’t bring up Cloudflare in the same conversation about quality cybersecurity stocks despite it having a higher market cap than Okta and him being fine with the stock.
Cloudflare’s primary products are focused on SASE and zero-trust, which are areas that Zscaler and Palo Alto Networks have been heavily focused on recently. They have multiple products, most notably their WAF, Access, and Gateway products, which comprehensively cover most modern zero-trust security needs.
Infrastructure is its moat
In a time when many companies are moving to the cloud and forgoing their own infrastructure, Cloudflare is increasingly valuable and defensible. Cloud providers are still growing, and it’s clear that more companies start on the cloud and will remain there for a while. Even at scale, many companies still use the cloud. Gone are the days when companies built large, globally distributed data centers, because they can just use AWS, Azure, Cloudflare, Akamai, etc. Moreover, the sheer size of Cloudflare would require a huge capital commitment to match. Their highly distributed physical infrastructure is necessary to achieve high performance (since network latency is primarily limited by the speed of light).
This is also Zscaler’s (and honestly every cloud provider’s) moat. As a result, it’s hard for new entrants without substantial capital to compete. When Zscaler started, the CEO/founder funded much of the initial investment himself; his original thesis was that in order to have an effective and performant secure web gateway, a company would need its own infrastructure capable of handling large amounts of traffic. This way, his software didn’t have to rely on a customer’s infrastructure capabilities. This is similar to the benefit of SaaS applications: software companies no longer have to worry whether a customer has the computing and storage power to run the software.
The tradeoff is some latency because the computation is no longer done on a customer’s infrastructure but externally with the result transferred over the network. However, the size and computing power of Cloudflare have made this latency functionally immaterial. The nice thing is that they already have this built because it’s necessary for their CDN business, so this is just another use case of their globally distributed infrastructure.
Cloudflare is taking a bet on the future
Unlike Palo Alto Networks, which has a legacy business, Cloudflare has gone all in on zero-trust and SASE solutions. They have an opinionated stack that assumes everyone wants to do zero-trust and wants to run traffic through their data centers to apply policies. Their hook is that there isn’t a need to tunnel your traffic through another vendor if Cloudflare is already seeing all your traffic. More specifically, if traffic is already going through Cloudflare WAF, why would you want to buy from another vendor for other similar use cases like an SWG or CDN? This is a true platform play.
They are also opinionated about sales. They have a free tier, a self-service tier, and an enterprise tier. This model is similar to most developer tools, primarily targeting DevOps engineers, who want to trial the product themselves without talking with a salesperson. It also shows the strength of their product — their product and documentation make it easy to deploy, and people are willing to stick with it.
Their sales and solutions show that they believe the main purchasers of their products will be engineers rather than traditional security people. Although I believe in this future as someone in security engineering and someone who believes security needs more engineers, this market is currently small. There aren’t many security engineers, and most companies still have heavy compliance and IT-focused security functions that prefer to buy products like Zscaler that don’t allow for much control or customization.
However, this is a calculated bet because DevOps engineers are already the main purchasers of their products, and they realize that some DevOps engineers are increasingly tasked with security responsibilities. They are expanding their market from DevOps engineers to DevOps engineers who do some security, and then eventually they will expand to security engineers as that market slowly tries to materialize. They can do this because they have a solid core CDN product with a loyal customer base that is likely to take on more security tasks.
Takeaway
Cloudflare is heavily focused on the security industry, but they are targeting a different persona — namely the security engineer or the DevOps engineer tasked with security. They have the defensible technology to do this, and they are taking a bet that the security market is moving toward software being primarily purchased and consumed by a security engineer rather than a traditional security analyst or CISO. That’s why I’m a fan! This market might take some time to materialize, but Cloudflare can afford to wait and can continue to grow its current businesses.