Cloudflare Leads in Security but Lags for Developers

ETR Insights presents a panel discussion between senior IT executives, all broadly positive on Cloudflare’s offerings, including security, DNS management, and content delivery, but not uniformly so. Cloudflare helps administrators coordinate the decentralized and edge computing environments that were accelerated by the pandemic, including for multi-cloud strategies and load balancing. Panelists criticize Cloudflare’s limited DevOps integration, developer platform capabilities, and lack of documentation, and find its advanced analytics and API security lacking. To that end, panelists see opportunity for Cloudflare within SSO and expanding capabilities in API security, potentially through strategic acquisitions, along with improving analytics and observability features for generative AI deployments. Read on to learn more about building a unified security perimeter across cloud providers, traffic management across hybrid environments, Cloudflare’s Workers AI GPU integration, managing tokenomics within generative AI, and how these executives leverage Cloudflare to navigate international privacy regulations and compliance needs.

 

Vendors Mentioned: Cloudflare, Akamai, Amazon, Anthropic, Azure, Cato Networks, Checkpoint, Cisco, CrowdStrike, Datadog, DeepSeek, Fastly, Google, IBM, Meta, Microsoft, Mistral, Netskope, NVIDIA, Okta, OpenAI, Oracle, Palo Alto Networks, Zscaler

 

Decentralization Trends Present Clear Use Cases

Executives from large global firms have had broadly positive experiences with Cloudflare, particularly its security, DNS management, and content delivery solutions. One, from a company that employs over 120,000 people, describes a global infrastructure that is blended together in a “mesh” through Cloudflare. “We use some of the cloud firewall, and some of the rules that are set in place for security measures for our network [that] several different countries together.” A Head of Cloud leads with Cloudflare's video hosting capabilities. “I basically use the Cloudflare stream for their video hosting and delivery services across the Kubernetes and load balancing, to distribute that load across multiple Kubernetes servers. It works really well.” Another executive appreciates the security and latency improvements of Cloudflare’s Argo Tunneling and WAF. “95% of the world’s population is next to a Cloudflare POP. So coming in and getting their best sort of path routing on their backend, we've seen very nice latency gains just by turning on the cloud load balancing aspect.” Panelists also reference Cloudflare’s load balancing and enhanced security against DDoS attacks.

 

A surge in decentralization and edge computing spurred by the COVID-19 pandemic continues to reshape IT strategy. “Cloudflare had a lot to do with our analysis of those threats from an intelligence standpoint,” says one IT lead, who uses Cloudflare as a “roadmap” to mitigate risks. “Do we want to try to eliminate them? Do we want to just try to mitigate them? Or do we accept them as the risk that they are?” Others use Cloudflare to support complex multi-cloud strategies, or rely on its cloud-agnostic traffic management for load balancing during hybrid cloud transitions. “Their traffic management, the unified security layer that included WAF, and the bot management and DDoS protection, which really gave us a consistent security perimeter across all the clouds.” One panelist initially focused on WAF, though more recently on zero trust, email security, and edge computing. “Not necessarily something that we've gone with right now, but maybe something road-mapped in the near future for us.”

 

The group is less enthusiastic about Cloudflare’s developer platforms, where executives seek better documentation, development tools, and DevSecOps integration. One panelist, managing data center operations globally, notes that while enterprises use Cloudflare for critical functions like single sign-on, the company's developer platform is simply less prominent compared to Oracle and Amazon. “Cloudflare is just not known for being super developer-friendly. I don't know if Cloudflare hasn't focused on going after that, if there are security risks there that haven't been identified in order to mitigate to customers like us in the idea of using them as a developer platform, or if it's just not something that they lead with.” Within single sign-on, however, they see opportunity to capitalize on CrowdStrike’s 2024 outage. “I think if Cloudflare can present something that is going to be solutions-based that speaks to that, I think they could wind up becoming at the level of an Apple or Microsoft.” 

 

ETR Research: Product category usage and evaluation plans. ETR’s Cloudflare Drill Down asked 100 IT decision makers about plans for Application Services, the Developer Platform, Network Services, and Zero Trust & SASE.

 

Panelists also point to limitations in Cloudflare's built-in capabilities for critical data metrics. “We pipe a lot of our stuff into Datadog, and then turn around and use things like blocking IPs or obvious sort of security concerns for people being naughty, that Cloudflare is happy to pass. There are enhancements that we've had to build from an application logic standpoint using effectively a third party, because it's not specifically baked into the platform.”

 

Competitive Puts and Takes Across CDN, Security, and Developer Services 

Within industry, Cloudflare is typically evaluated against Akamai, Amazon CloudFront, Fastly, Palo Alto, and Cisco. “Their security effectiveness, i.e., protection against the current threat landscape and speed of threat intelligence updates. Integration complexity is another criterion, absolutely. Pricing, it's king. And then overall operational overhead is another criterion for evaluation.” Of competitive benefit is Cloudflare’s multi-cloud unified platform that avoids vendor lock-in. “Then their innovation velocity is another thing that I find quite good. And then, of course, their technology architecture—their single-pass architecture and anycast network design—really help for global customers.”

 

ETR Research: Product spending share breakout. ETR’s Cloudflare Drill Down asked about the relative percentage of annual Cloudflare spending across four broad product categories (N = 93).

 

Operational challenges and complex licensing structures prompt IT leaders to consider alternative solutions in security; some executives are rethinking their reliance on Zscaler and Palo Alto Networks, and see Cloudflare as promising for quicker and more seamless policy updates across international locations. “Some of the difficulties that we’ve found in using Zscaler is the turnaround time for adding exceptions or various sites, ports, IPs, for the percolation to happen across our entire enterprise. Some of those users—especially some of the larger locations that are providing customer service to our clients—if they can't get to a site, or if we have to run something, God forbid, a custom macro or something bizarre to get around something, it feels like it's defeating the purpose of what the security was designed to do to begin with, for us to be able to add and remove easily.” Another finds Palo Alto’s licensing problematic: “We went through a shift away from Palo Alto Prisma service. We purchased that in 2019, and then Palo did what Palo does and tried to resell it to you in different licenses and different formats, as they overly productize it as the years drag on.” Here, again, enterprises with extensive global and multi-cloud footprints represent another opportunity for Cloudflare. “I think Zscaler is definitely considered a leader in the SASE market, and Palo Alto has a strong enterprise offering. But the reason I went with [Cloudflare] was for the multi-cloud and the global nature of their deployments.”

 

 

ETR Research: Possible pricing model shift. While only 19% of ITDMs currently use a Pool of Funds arrangement to pay for Cloudflare, a combined 34% indicated they are Likely or Very Likely to adopt a PoF agreement upon next renewal (N = 100).

 

As one executive migrated backend systems from AWS to Azure, continuity provided by Cloudflare’s front-end service minimized complexity. “[Cloudflare’s] maturity was there six or seven years ago, and I just haven't had a huge reason to look elsewhere since then. It's still an Azure back end with the Cloudflare front end, because it works and we don't have to change hardly anything to support it.”

 

More than a year after Cloudflare introduced its Workers AI platform, our panelists complain of limited documentation and dubious practical benefit. At best, they are in evaluation mode. “The idea that the Workers AI module would allow for the full breadth of the GPUs with NVIDIA—Azure I mean, in theory it sounds fantastic, but I just don't know if the practicality of the actual measurements are going to deliver on what they promise.” Another executive is similarly skeptical. “Cloudflare has a little bit of a problem with documentation or getting stuff to actually launch. The prototyping, we've run into problems in the past, and our developers sort of remember those pain points.” One opportunity lies in the management of token economies for generative AI; despite DeepSeek’s technical advances, no matter the model, tokens must be meticulously tracked. Another lies in observability, analytics, and advanced monitoring for gen AI deployments. “Tracking model performances, drifts, and usage patterns, providing insights into how users interact with the AI system, and then securing all of it.”

 

 

ETR Research: Developer Platform product level plans. ETR’s Cloudflare Drill Down asked about usage and evaluation plans for six Cloudflare Developer Platform products (N = 23).

 

Within cybersecurity and compliance, practitioners should keep an eye on market trends such as edge AI, API security, and privacy regulations. In particular, APIs have become prime targets for cyberattacks. “They definitely should look at API protection [acquisitions], companies like Noname [which was acquired by Akamai] and a couple of others. [Cloudflare] is not in the API protection business. They don't know how to discover these APIs or secure these APIs. It could be part of some of their capabilities, but there are very specialized companies that are focusing on the entire lifecycle of API management or security of the APIs.” Satisfying GDPR is key; here, all panelists agree that Cloudflare should consider acquisitions for compliance management, rather than relying solely on platform expansion. American policies, which default to data sharing, may push companies like Cloudflare into a precarious position. “I think that for the companies that are US-based, like Cloudflare, they're kind of trying to ride that fine line of, can we share some of the data across? If we do, are we still going to be in compliance or perceived as being in compliance? But they’re also creating either security loopholes, or just directly allowing data to go to places that it shouldn't be going to.”

 
