Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’ve been talking with many people in my networks as well as my peers about the growth of security engineering. It’s a trend that has become more visible as companies choose to experiment with an engineering-focused security function. The recession is driving most of this as companies look to reduce costs and become efficient. As a result, it’s not uncommon to see operational functions report to engineering. Given security’s typically close collaboration with engineering, it makes sense to gradually make it more engineering-focused to drive efficiency.
This brings Cloudflare front and center into the conversation. For those who have subscribed recently, I have argued in the past that Cloudflare is the most underrated security company. I have un-paywalled the article so that people can gain some context on why.
However, I’ve written in the past about why I believe certain security companies like CrowdStrike and Zscaler would fail. It’s only fitting that I do this for Cloudflare also.
Recap on Cloudflare
I’ll keep this short since I wrote about Cloudflare in the Substack article linked above, so feel free to read that for more details. Cloudflare started as a CDN company but now has focused its offerings on security, such as WAF, SWG, email security, etc. They have a strong following in engineering.
Cloudflare started and continues to be a brand name in the developer community. It was and still is tailored toward DevOps teams that need to better manage and scale their infrastructure. They started with CDNs that allowed DevOps teams to help their companies scale. Their strong DevOps culture internally drove much of this branding.
In retrospect, the pivot to security seemed obvious. As companies shifted infrastructure from IT to DevOps, security chose not to make this shift. To this day, most security teams are still heavily IT-focused and don’t have the expertise to directly manage cloud-native infrastructure. Consequently, much of the security-related DevOps work, such as infrastructure security, falls onto the DevOps teams.
Although most DevOps teams have some security expertise, they don’t want to spend most of their time doing security (nor do their managers/leaders want this). Having security tools is vital so that they can spend time on their core job. Therefore, it’s logical that Cloudflare started offering these tools. They already captured DevOps mindshare through their core CDN product and other network-related products. As a result, their pivot into security isn’t surprising. They were able to add security to their current platform. This ends up being a win for everyone. DevOps teams have something familiar and can add security easily into their workflow, and Cloudflare has new product lines with minimal effort. No change in GTM is needed!
The downfall
This formula of offering security to DevOps and engineering-focused security organizations has worked well for them. Unfortunately, this market is currently small. Other security companies like Zscaler have fewer security products but a larger market capitalization. This is because Zscaler sells to traditional security operations, which is still a larger market.
All companies go through hard times, especially in tech. Innovation cycles are short, and it’s easy to lose market share due to changing trends. A good example of this was Google taking search market share from Yahoo and taking browser market share from both Firefox and Internet Explorer. In security, CrowdStrike and Zscaler chipped away at various businesses in Symantec. There are numerous examples of leaders in categories losing market share. The theme for those that lost market share more permanently is that they didn’t/couldn’t innovate. Others that lost market share temporarily were distracted by building a product that customers didn’t want and/or that didn’t match their DNA, which sucked resources.
Cloudflare’s recent earnings call showed their top-line revenue slowing a bit. It’s not surprising given that engineers and projects are being cut throughout the industry. Cloudflare has three options:
1. Let the macroeconomic conditions ride out and stay with their conviction that the security engineering market is at an inflection point (keep going down the current path).
2. Build and acquire more products for their current platform, using their vast infrastructure platform and network telemetry visibility.
3. Build and acquire more products that tailor to traditional security operations.
The mistake here would be to do all 3, and that’s the most obvious failure mode. The last two require substantial resources and focus that Cloudflare likely can’t afford. However, each one has a potential for failure.
Scenario 1: continue down the current path
It takes a while for the engineering/tech market to recover and for companies to have projects for security engineering or DevOps. Companies decide it was too hard to optimize this part of operations because traditional security professionals are easier to hire and traditional security programs are easier to run. The economy also improves, companies have more budget, and efficiency is no longer needed. Essentially, the market for security engineers doesn’t materialize as quickly as they had hoped. Cloudflare revenue stagnates, and shareholders lose hope. This lack of funding further constrains their ability to experiment and build new products. The company stagnates and doesn’t make it to the next recession for people to consider using tech to make operations more efficient. The growth that’s needed in a bull market doesn’t happen, so Cloudflare ends up being acquired by a company that wants more assets in the infrastructure space, e.g. Cisco, Microsoft, or Google.
Scenario 2: aggressively build out their current platform with more products
In order to improve their top line, they build and acquire more developer-focused products, such as infrastructure monitoring or application security monitoring. These seem like good bets at first, only for them to realize that GTM is much more difficult because they might need to sell to more traditional security personas. Moreover, it takes them substantial resources to convert these products into ones that work well with their platform. In turn, they end up competing with the major cloud providers, e.g. AWS, Azure, and GCP. This results in high marketing and sales costs with longer sales cycles and more capital costs. Although this is fine in a bull market focused on growth, their expenses continue to grow out of control. The next recession comes, and they are unable to rein in their costs and focus on profits/earnings. As investors flee, they make substantial cuts. Their popular products deteriorate and lose their following as competitors develop better products that chip away at their core offerings. Cloudflare sells various products and acquisitions to generate cash, but it’s too late. They eventually become profitable but have products that are low growth. Private equity becomes interested, takes them private, and rolls them into their current security portfolio.
Scenario 3: pivot into IT security-focused products
The bull market is starting again, and there’s a greater focus on growth. However, the security engineering market isn’t materializing as quickly. The company decides to target traditional security personas. As a result, they have to develop new products, which results in new GTM motions. They are able to grow their top line but at an extreme cost — they have to operate similarly to Palo Alto Networks (but in reverse order). Their “DevOps division” and “SecurityOps division” operate separately because they require different GTM motions and have different product goals. This results in high capital costs. However, growth looks good, so shareholders don’t complain. Eventually, the company loses focus and its identity. Their DevOps-focused business line starts to lose its following. The “SecurityOps division” is hard to run and difficult to tie into the DevOps-focused business line. It becomes clear that the company needs to break up because there’s a lack of synergies and the cost of maintaining two companies no longer delivers value to shareholders. The company gets broken up like many big companies do and have done in the past, such as Dell and HP. The damage is already done. One stock becomes a value stock that provides dividends, and the other part is sold off. The public portion continues to struggle and is eventually sold to private equity or another company.
Takeaway
It’s clear that I’m bullish on Cloudflare, as I described in my previous article, but they are in a confusing market where timing is unclear. However, I do think they have good products. The question is whether they are OK with the market being temporarily unhappy with them, or whether they will take a risk and push to deliver more shareholder value in the short term.