Cloudflare provides speed and security for any website on the internet. It works for small hobby projects and the largest global corporations. Because any website with a public URL is vulnerable to attack, Cloudflare acts as a shield. It prevents distributed denial of service attacks, or DDoS, which try to overload servers with traffic. It also keeps bots from scraping data from sites.

Cloudflare would be a sorting factory that intercepts all of your mail. They will block junk mail for you. They will block organized spam mail attacks that might try to clog up your mailbox. They will scan all incoming boxes to make sure there is nothing malicious coming in.

Sam explains that this protection is vital for companies like Shopify. During high-traffic events like Black Friday, botnets might target specific stores. Cloudflare absorbs that malicious traffic at the edge of the network. This keeps the storefront online and prevents revenue loss. For these businesses, downtime translates directly into lost money, making security a top priority.

Cloudflare operates as a massive global private network. It processes more than 20% of all internet traffic. This scale allows them to see a huge portion of what happens online every day.

Over 20% of the world's web runs through Cloudflare servers. So that's the scale that we're talking about.

The network also acts as a primary shield for the internet. It blocks two and a half million cyber attacks every second. This staggering number shows how many threats exist online at all times.

An average of over two and a half million cyber attacks every single second is absorbed and blocked by the Cloudflare network.

Understanding the history of Cloudflare reveals how they gained a foothold in the market and why their current products succeed. Before the company was founded in 2009 by Matthew Prince, Michelle Zatlin, and Lee Holloway, the internet relied heavily on physical hardware like cables running across oceans and through mountains to connect server boxes. This physical reality created significant latency and cost issues. For example, a user in New York visiting an Australian website had to send a request all the way across the Pacific Ocean and wait for it to return. This process was slow for the user and expensive for internet service providers who had to pay transfer fees to other networks.

Everything still runs on physical hardware. So there's cables that actually run across the oceans, they run through mountains, and they physically connect server boxes that intercept and process all this internet traffic.

Legacy companies like Akamai addressed this by offering content delivery networks. A website could pay to store images and assets on a local server, like one in New York, to speed up access for nearby users. However, these systems were complex. Customers had to decide exactly what data to put on the network and what to handle themselves. This required sales engineers for implementation and constant maintenance. If a website wanted security, they often had to buy a physical firewall to intercept traffic. These services acted as reverse proxies, but they were mostly only accessible to large enterprises because they were so difficult to manage. This left a long tail of smaller websites without any viable solution for performance or security.

Matthew Prince had an unusual path to tech leadership. He studied literature and law before heading to business school. Before founding Cloudflare, he worked on Project Honeypot with technical co-founder Lee Holloway. This project tracked spammers by letting them scrape fake email addresses to build a global list of bad actors. It was essentially a do not call list for the internet. The more people who used the service, the better the list became.

The real technical innovation happened when they realized that checking this list at every individual customer server would be too slow. Sam explains that Cloudflare solved this by intercepting all traffic through a single reverse proxy. This allowed them to act as a filter before any requests reached the actual website.

Instead of splitting the network and all that, all you have to do now is just say, my new mailing address is Cloudflare. No matter what the recipient is, no matter what the package type, Cloudflare will intercept it and decide what to do with it.

By being in front of all traffic, Cloudflare made it simple for users to turn on additional services like DDOS protection without needing a sales engineer. This allowed them to serve the long tail of the internet, including hobbyists and small websites. They focused on a product-led growth model with a generous free tier. This strategy helped them build a massive database of threats. It created a powerful network effect where more users led to a more defensible and better service for everyone.

Cloudflare found its early success by serving non-profits and the hacker community. These groups had high traffic but limited budgets. Protecting hackers was a critical proof of concept. If the service could secure a hacker's own website, it could protect any basic site. This early adoption helped build a foundation for a service that now processes over 20 percent of all internet traffic.

Competitors struggled to replicate this model due to the innovators dilemma. Established companies focused on high-paying enterprise clients and ignored the long tail of smaller websites. Cloudflare also took a different technical path by using commodity hardware and software defined networking. This approach allowed them to scale their network cheaply and efficiently.

Today Cloudflare is still that single global network of commodity hardware with layers of very sophisticated software on top of that.

A major part of the business involves peering relationships with internet service providers. Usually, ISPs pay high fees to transfer data across the world. When the internet is slow, users blame the ISP rather than the server location. Cloudflare places its servers directly next to ISP servers. This arrangement creates a win-win situation where ISPs avoid transfer fees and users enjoy faster speeds. Cloudflare now connects directly to over 13,000 networks.

Sam describes a reinforcing loop that powers the company's growth. Lower costs and an easy product attract more traffic. More traffic provides more data to improve security and speed. This attracts more paying enterprise customers, which increases negotiating power with ISPs. This cycle reduces costs further and allows for constant reinvestment. This loop has been running for 15 years and creates a moat that is incredibly difficult for others to replicate.

Cloudflare evolved from serving a long tail of free customers to protecting the largest websites in the world. As they collected more data, they built a network with unmatched capacity. Sam notes that in a recent earnings call, the company won over a major customer because its protection capacity against cyber attacks was four times larger than its two main legacy competitors combined. They can now absorb over 30 terabytes per second of traffic due to the scale of their global network.

The capacity to absorb, say cyber attacks or those DDoS attacks is just unmatched. A recent example they gave in one of their earnings call is they won over a large customer because their DDoS protection capacity was over four times the two legacy competitors combined.

The company also expanded from protecting websites to protecting employees. This shift moved them into the internal cybersecurity market. While a traditional proxy protects a website from the public internet, Cloudflare now uses its hardware to protect an employee from the outside world. This is the basis of their zero trust product suite. In a zero trust model, there is no automatic trust between a user and an application. Even if you access one internal tool, you must be validated again for the next one.

Zero trust just means just because you could access app number one doesn't mean you can access app number two. You have zero trust between the app. You have to get validated each time to do that. That means you have to get inspected each time. All of your web requests have to get expected each time.

This security covers three main areas of employee activity. It protects workers when they visit public websites, when they use internal apps like Salesforce, and when they deal with adjacent threats like phishing emails. Because the modern corporate perimeter is now the entire internet rather than just an office network, Cloudflare can provide these services from anywhere in the world.

The newest evolution involves opening their internal tools to outside developers. Because Cloudflare could not rely on providers like AWS for their specific needs, they built a proprietary software stack. They now offer this to the public as Cloudflare Workers. These are serverless functions used for small, fast tasks. For example, a developer might use a worker script to instantly change a website's language or pricing based on the location of the person loading the page. To attract users, they offer a very generous free tier that allows for 100,000 queries per day.

Cloudflare functions operate differently than traditional central databases. These workers handle tasks in small portions, spinning up quickly and turning off immediately after the work is done. This model is built on a single global network rather than specific geographic regions. In a typical cloud setup, a function might live on a specific server in the eastern United States. With Cloudflare, a function deployed anywhere is available everywhere instantly. This means a user in London can access a tool built in New Zealand with minimal delay because the service is served from a local server at the edge.

At the edge, everything gets propagated around really quickly, which is just another benefit of this single global network that they've built.

The company occupies a central role in the AI industry by serving the majority of top AI native firms. Sam notes that their strategy for AI inference at the edge highlights their long term planning. When designing their hardware years ago, they left an empty slot on every motherboard without knowing exactly how it would be used. This foresight allowed them to quickly install GPUs across hundreds of cities to support AI tasks. This infrastructure allows customers to run large language models for text or image generation without pre-booking capacity. Users only pay for the specific inference they use, which is a significant shift from traditional hyperscale providers.

When they're actually designing their motherboards for all of their chips, they left an empty slot open because they didn't know what it would be for. But they needed it just in case something came up. And it turns out AI inference was that something. So they could go to all of their boxes and simply just plug in a GPU and then AI inference is available across the world.

The transition from product led sales to enterprise sales is a major evolution that requires building a new professional muscle. This shift is never easy because it involves reaching a completely different type of buyer. Instead of working with an IT administrator who manages a website, the sales team must now engage with the entire security office. This changes the sales cycle into a complex process that can last several months.

It is a new buyer for them. Instead of just an IT administrator that is looking over the website, you are now selling to the whole security office. It could be a multiple month process.

To support this growth, the company brought in Mark Anderson to lead revenue. He brings deep experience from companies like Palo Alto Networks and Alteryx. Under his leadership, the strategy has shifted toward hiring more enterprise sales representatives while still maintaining the important product led growth model. This transformation is already showing clear results. Revenue growth from large customers recently climbed from 30% to 40% year over year, proving that the enterprise motion is gaining significant momentum.

The revenue structure of the business shows a heavy concentration at the top. Customers who pay more than 100,000 dollars make up less than one and a half percent of the total customer base. Despite their small numbers, this group provides about 75 percent of the total revenue. This makes the large enterprise segment a critical focus for future growth.

If you look at customers over $100,000 in revenue, they're less than one and a half percent of the actual customer base. But they contribute to about 75% of the revenue. It's very important to get this segment right.

The company currently has over 2 billion dollars in annualized revenue. However, it only has about 200 customers paying more than 1 million dollars. Sam notes that when Zscaler reached a similar revenue level, it had nearly 500 customers in that million dollar category. This comparison suggests there is a significant opportunity to expand within the large enterprise market. Changing the go to market strategy is a major part of capturing this remaining potential.

Security products are inherently sticky because replacing established infrastructure is a major challenge. Once a network is set up, migrating away from it requires significant effort. This friction makes it difficult for competitors to win share from the existing provider.

It is definitely a sticky product because if you have all your weapon security set up, it would take a lot to migrate from that and a lot of convincing to do to migrate away from such a powerful network.

Net revenue retention metrics highlight this loyalty. This figure consistently stayed above 110% before dipping slightly to 112%. A recent initiative known as the pool of funds helped push that number back up to 119% in the latest quarter. This growth from existing customers shows the impact of both the product quality and new contracting strategies.

Large companies often struggle to use multiple products from the same provider. This happens because different departments make the buying decisions. This friction prevents a smooth experience on a single platform. Sam explains that a pool of funds strategy solves this problem. This bundling method allows large enterprise customers to draw from a single pot of money. They can use it for any product, including web security or developer tools.

What's really important with this is that you can draw it down from any product. This really encourages experimentation and adoption of some of their newer products. These are multiple year commitments as well. If you plan to use 80% of these pool of funds on one area, you still have capacity and flexibility to experiment and try out a few of these workers products.

These contracts are significant. Some deals are as large as 130 million dollars over five years. Even though the initiative is new, it already accounts for a notable portion of the total annual contract value. This approach helps keep customers and encourages them to spend more over time. It fuels high growth in remaining performance obligations. By removing barriers between separate product divisions, the strategy makes complementary tools work together as a cohesive system.

The channel partner strategy is vital for security products because buyers frequently purchase through consultants and system integrators. These partners maintain preferred vendor lists. If a company is not on those lists, the sales process becomes much harder. Organizations like CDW or Tata help with both the initial sale and the technical implementation. They essentially act as an external salesforce that does work on behalf of the company.

Sam explains that Mark hired Tom Evans to lead this effort. Tom previously led worldwide channel sales at Palo Alto Networks and brought a deep network of relationships. This move has produced impressive results. Channel led growth has reached approximately 65 percent year over year. The portion of incremental total revenue coming from these channels has doubled from 20 percent to over 40 percent in just two years.

The channel partner led growth in the last few quarters has been growing around 65 percent year over year. For the past two years, the percentage of incremental total revenue from partner channels has gone from about 20 percent to over 40 percent of incremental sales. So it is a really important driver of their growth.

There is still a long runway for this strategy. Currently, partner revenue accounts for about 30 percent of total revenue. In contrast, competitors like Zscaler and Netscope see nearly 90 percent of their revenue through these channels. Regarding margins, security products offer the highest incremental gross margins in the business. While resellers take a cut, many larger partners focus on professional services and implementation rather than just product fees. This focus helps protect the overall margins during the negotiation process.

Cloudflare currently sees over 2 billion dollars in annualized revenue. This is split across three main product segments. Their core security and delivery services, known as Act 1, represent about two-thirds of that revenue. Their Zero Trust products in Act 2 make up roughly 30 percent. While Act 3 is currently the smallest bucket, it is growing very quickly.

A small group of large accounts drives the majority of the business. Only 1.5 percent of customers generate 75 percent of the total revenue. The most significant growth is happening with customers who use multiple products. Those using more than 10 different services are the fastest-growing revenue category.

A generous freemium model is built into the company DNA. Unlike many competitors, they do not charge for volume in their core business. Free users receive unmetered protection and bandwidth. Sam explains that the monetization strategy focuses on sophistication rather than scale.

The free users can actually get unmetered DDoS protection, free bandwidth for CDN. This is really generous. What they actually charge for is complexity if you want specialized rules and special bot management setups. But that means if you're a website that constantly gets attacked with high volume, they're not going to charge you extra.

This approach extends to their developer platform. It is possible to build sophisticated AI tools and dashboards without incurring high costs. Sam notes that Squarefig built internal research tools on Cloudflare and found the bills to be remarkably low despite the high value generated.

Pricing structures vary across product groups depending on the target audience and the nature of the service. Act 1 follows a standard subscription model where customers select from tiered plans such as pro, business, or enterprise. These tiers involve flat monthly rates. Upgrading to a higher tier is usually triggered by a need for advanced enterprise features, such as complex rules or specialized traffic splitting, rather than increased usage volume.

For Act 1 it is a contract, it is a subscription tier. You pick a plan like a pro tier, business tier, or enterprise tier. You would upgrade a tier when you need more enterprise features, whether it is those complexity rules, special splitting of traffic, and things like that.

Developer-focused products in Act 3 use a different approach. These products rely on usage-based pricing rather than fixed contracts. This model removes egress fees and instead charges users based on how much of the services they actually consume. This allows the pricing to scale directly with the developer's activity.

Cloudflare reports non-GAAP gross margins between 75% and 78%. While this might seem lower than other top software companies, it reflects a unique business model. Cloudflare owns and operates its own physical infrastructure. The depreciation of this physical equipment is factored into the reported cost of goods sold, which naturally lowers the gross margin figure.

If you did want to try to look at a cash based gross margin to compare apples to apples, about 6% of their revenue is depreciation directly tied to equipment. So if you want you could add that back in and compare gross margins on an 83, 85% range.

When adjusting for this depreciation to look at a cash-based margin, the numbers climb to the 83% to 85% range. This puts their performance in a much different light when compared to software peers who do not own their hardware.

The financial profile of the business differs from traditional software companies due to its higher capital expenditures. Capex consistently stays between 11% and 14% of revenue, which naturally pulls down free cash flow margins to about 10% in recent years. Despite this, management expects significant margin expansion as the company scales.

The capex has consistently been around 11 to 14% of revenue. That's going to bring your free cash flow margins down. The long term guidance is to expand those to over 25% as operating leverage continues to expand.

Future growth in profitability will come from better operating leverage. Specifically, Sam notes that the company sees opportunities to reduce operational costs like labor. Sales and marketing currently account for 35% of revenue. This high spend represents a major area where the company can find additional margin points as it matures and gains efficiency.

The company approaches capital allocation with a focus on high returns. One key strategy is using commodity hardware to reduce costs. They also follow a policy of investing behind the demand curve. This means they monitor traffic and demand closely before committing to new builds. They do not build infrastructure without a clear reason.

What's really important to understand with their capex is that all of their servers can run all of their products and provide all of their services. So that means the capex and the ROI is split across all of their product lines. The incremental ROI is more diversified and it's higher.

By using a single network for all services, the company avoids the need to build separate infrastructure for every product. This unified approach makes each incremental spend more efficient. It diversifies the risk and boosts the overall return across different business segments.

Cloudflare holds a strong lead in its initial phase of growth because of its massive network. This infrastructure is very hard for others to catch up to. While legacy companies still compete in specialized areas like media networks, Cloudflare has established itself as the leader in broad network scale. The landscape changes in later growth phases as the focus shifts toward cybersecurity and zero trust services.

Act two is probably the most competitive because cybersecurity always has new players and new trends. Importantly, Cloudflare isn't leading the innovation there like they did in act one. They are a second mover.

Competition is much tighter in these subsequent areas. Sam notes that Zscaler is the most significant pure play competitor in the zero trust market. Like Cloudflare, they run and manage their own global network. This makes them a formidable rival as the industry evolves.

A major outage recently affected the entire internet, highlighting how many websites depend on Cloudflare. This event was not a security breach or an attack. Instead, it was a process error involving their bot management software. A machine learning model received an update where its features doubled in size, but the servers did not have enough memory to handle the load. This is similar to the 2024 CrowdStrike outage where a technical error rather than a hack led to widespread disruption.

The outage affected everyone, and one of the downsides of having a single global network is that it can all go down. I think what is important to understand with that outage is that it was not an attack, it was not a security breach. It was a process error.

Sam notes that Cloudflare responded with significant transparency by publishing a detailed engineering report on the day of the incident. This approach resonated well with their technical customer base. Historically, major incidents can actually demonstrate a company strength if the business survives the crisis. Sam points out that a previous outage even accelerated an internal project to move away from third party tools like Google Cloud databases. By building more proprietary systems, Cloudflare increased the robustness of their network. Recent growth numbers suggest these technical hurdles have not negatively impacted long term business performance.

While Zscaler holds a strong position with large enterprises, Cloudflare is effectively moving up from the smaller end of the market. Sam points out that Cloudflare's global network gives them a unique advantage because they already process a massive amount of web traffic. When a request goes through a security provider like Zscaler to reach a website, that website is often already using Cloudflare. This puts Cloudflare in a position to handle the traffic on both ends, which significantly improves speed and reduces latency.

Cloudflare is in a really strong position. It is like we are processing all of this traffic anyway. Why do we not process it on the way out as well as the way back in? That will improve your latency.

The two companies also differ in how they handle peering. Zscaler peers directly with specific applications, which works well in dense cities but less effectively in other markets. Cloudflare instead focuses on partnerships with internet service providers around the world. This global reach is a major selling point for companies like Canva, which employs many contractors in Southeast Asia. Because Cloudflare uses an inline service, these contractors can access corporate applications securely without needing to install any software agents on their devices. This makes it easier to manage a global workforce in regions where competitors might lack direct connections.

You can give these contractors access to all of the corporate apps that they need without having to have them install anything. Cloudflare can say, look, we have been improving the speed of this area for years. These contractors can sign on, be secure, and interact with your product with low latency.

Cloudflare faces two primary risks from a business perspective. The first is their position as a second mover in their expansion phase known as Act 2. While their product positioning and partner growth show a positive trajectory, they are still playing catch-up in this area. The second risk involves their AI inference strategy, which represents a shift from their historical approach to hardware and product development.

With the ROI of the other products, it was split across all of their services by the ROI of the GPU component. That's just from the AI inference. So it's a more concentrated ROI risk.

In the past, Cloudflare services could run on any hardware. AI inference is different because it relies on specialized GPUs. This creates a more concentrated risk regarding the return on investment. There is also a change in how products are conceived. Previous successes often grew organically from internal needs or underutilized resources. For instance, Sam notes that corporate security products were launched because servers were idle during the day when website traffic was lower. In contrast, the AI inference product was a deliberate response to the importance of the market rather than an internal discovery.

Cloudflare carries a high valuation, often trading at 25 times its projected revenue. This is a capital intensive business. Free cash flow margins will become more important over the next several years. While these margins might be lower than some software companies, the business sustains a high growth rate near 30 percent. This growth is driven by a constant stream of new products and features.

To get comfortable with the valuation, you have to model out two things. You have to model out the Act 2, how quickly they can catch up and perhaps surpass the incumbents in that space. But also you need to model out what the Act 3 scenarios could look like. How important will they be for AI inference? How big will the inference market be?

The long term value depends on future phases. The first is catching up to and surpassing incumbents in current markets. The second involves the massive potential for AI inference. If the inference market grows as expected, it could become a very large part of the business. Sam points out that there is room for operating leverage in sales and marketing. However, the current price assumes perfect execution.

It is important to call out that there is effectively no margin for execution error. It is priced for pretty flawless execution, which they have done, but you just have to build confidence that it will continue.

Sam highlights four primary lessons from Cloudflare. First, founder-led companies benefit from a powerful vision. This leadership is essential for setting long-term strategies and sticking to a mission. Matthew Prince represents this kind of founder DNA. Second, successful companies prioritize product simplicity even in complex industries. They hide sophisticated technical infrastructure behind a simple interface that is easy for anyone to adopt. Snowflake and Datadog follow a similar pattern by being powerful yet flexible.

Looking for product simplicity, particularly for complicated industries to the extent they can serve the whole long tail of the internet despite having a very sophisticated technical infrastructure that sets them up really well.

The third lesson involves finding multiple levers of growth. Great companies solve more problems for more customers over time. They expand into markets with tailwinds like AI. Finally, high capital expenditure in software is acceptable if it provides a high return on investment. This spending builds a moat that is hard for competitors to replicate.

CapEx in software can be okay, provided that it has a very high ROI that is used to build defensibility. With that reinforcing cycle, it creates a moat that is very hard to replicate.

These insights fit into a framework focusing on theme, team, model, and moat. Cloudflare succeeds because it manages networks for speed and trust. It also attracts top talent. Its business model allows it to stack multiple revenue lines. Most importantly, the company gets better as it gets bigger. It uses scale to enhance differentiation and create barriers to entry.