SAASPOCALYPSE verdict #CLOUDFLARE-4CD1
scanned 2026.05.04 · 14:05
subject of investigation

cloudflare.com

connectivity cloud: CDN, security, networking, edge compute
verdict: FORTRESS
wedge score: 9/100
wedge thesis

there is no door — the moat is a 300+ PoP global anycast network, a decade of DDoS traffic absorption data, and enterprise certifications that take years and nine figures to replicate.

thick walls — wedge plays only · ship in · run for usage-based
the door: switching
wedge

where the walls are.

the door

switching cost is paper-thin — users could leave with one CSV.

watch out

their capital wall is real — ongoing capex puts a floor under any clone.

capital
10.0/10
investment the incumbent had to make
why this score · high confidence

Cloudflare's moat is almost entirely capital-intensive physical infrastructure. 300+ Points of Presence globally require owned or leased hardware in 100+ cities, BGP peering agreements with every major ISP and IXP (non-purchasable, negotiated over years), multi-Tbps scrubbing capacity, and a proprietary anycast network. This is not software spend — it is hundreds of millions in capex and ongoing opex. No indie builder or small team can replicate this. FedRAMP, FIPS 140-2, PCI DSS, ISO 27001, and SOC 2 certifications layer on years of compliance work and millions in audit/legal cost on top of the hardware.

  • 300+ PoP global anycast network estimated at hundreds of millions in capex
  • Peering agreements with every major ISP/IXP are negotiated, not purchasable
  • Multi-Tbps DDoS scrubbing hardware deployed at network layer across all PoPs
technical
10.0/10
depth of the underlying engineering
why this score · high confidence

Cloudflare's technical stack is a decade-deep distributed systems project. V8 isolate scheduling with sub-millisecond cold starts, anycast BGP routing, a globally consistent DNS resolver at scale, a WAF with low false-positive ML tuning, and a zero-trust network overlay are each individually hard engineering problems. Combined and operated at Cloudflare's scale, they represent one of the most technically complex stacks in commercial software. The report correctly identifies even a 5-PoP Workers-compatible runtime as a 'serious distributed systems project.'

  • V8 isolate scheduling and cold-start optimization across 300+ PoPs is a hard distributed systems problem
  • Anycast BGP routing requires own ASN, IP blocks, and peering at 100+ IXPs
  • WAF false-positive tuning at scale requires ML pipelines trained on massive real-world traffic
network
8.0/10
users compound users
why this score · high confidence

Cloudflare has a strong multi-sided network effect: more traffic through the network means better DDoS signal, better threat intelligence, and better peering economics. The developer ecosystem (Workers, Pages, R2) creates a growing app/integration layer. The free tier onboards millions of domains, creating a massive base of traffic data and a viral distribution loop. The partner/ISP peering network is itself a network effect — more PoPs attract more ISPs, which attract more customers. This is not a social graph, but it is a genuine infrastructure network effect.

  • Millions of domains on the free tier generate traffic data that improves DDoS and threat models for all customers
  • Workers/Pages developer ecosystem creates platform lock-in and an app ecosystem built on Cloudflare primitives
  • More PoPs attract more ISP peering, which improves latency for more customers — a compounding infrastructure network effect
switching · door
8.0/10
stickiness of customer data + workflow
why this score · high confidence

Switching away from Cloudflare requires migrating DNS (often the authoritative nameserver), reconfiguring WAF rules, re-routing traffic, replacing Workers scripts with another edge runtime, migrating R2 buckets, and unwinding zero-trust network policies. Each of these is a separate migration project. Enterprises using Cloudflare for DDoS protection, zero-trust, and edge compute simultaneously face an extremely high switching cost. The free tier creates habitual dependency that converts to sticky paid usage.

  • Cloudflare is often the authoritative DNS provider — migrating nameservers is a high-friction, high-risk operation
  • Workers scripts are tied to Cloudflare's V8 isolate runtime and KV/R2/D1 APIs — no portable standard exists
  • WAF rules, rate limiting, and firewall policies are Cloudflare-specific configurations requiring full rebuild on migration
data
10.0/10
proprietary data accumulates over time
why this score · high confidence

Cloudflare's data moat is the most literal possible: they absorb the largest DDoS attacks ever recorded, and that traffic IS the training data. No competitor can acquire this dataset without being attacked at scale. The threat intelligence corpus — billions of requests per day across millions of domains — trains WAF rules, bot detection, and anomaly models. This data flywheel is non-exportable, non-purchasable, and compounds with every new customer and every new attack. The report explicitly states: 'you need to be attacked to learn how to defend.'

  • Cloudflare absorbs the largest DDoS attacks ever recorded — attack traffic is proprietary training data
  • Billions of HTTP requests per day across millions of domains feed WAF, bot, and anomaly detection models
  • Threat intelligence corpus is non-exportable and non-purchasable — it can only be accumulated by operating at scale
regulatory
8.0/10
real licenses, not SOC 2 theater
why this score · high confidence

Cloudflare holds FedRAMP authorization (required for US federal government contracts), FIPS 140-2 (cryptographic module validation), PCI DSS (payment card data in transit), ISO 27001, and SOC 2. FedRAMP alone takes 12-24 months and millions of dollars and requires a federal agency sponsor. FIPS 140-2 requires NIST-validated cryptographic implementations. These certifications are not just paperwork — they are prerequisites for entire market segments (federal, defense, financial services, healthcare). An indie builder cannot access these markets without them.

  • FedRAMP authorization required for US federal government contracts — 12-24 month process requiring agency sponsor
  • FIPS 140-2 cryptographic module validation required for defense and intelligence community workloads
  • PCI DSS compliance required for customers processing payment card data through Cloudflare's network
distribution
9.5/10
brand SERP grip, knowledge graph, news flow
take

the blunt take.

Cloudflare is not a SaaS product you wedge into — it is the infrastructure layer that other SaaS products run on. The "competition" here means building a global CDN, a zero-trust network, a WAF, a serverless compute platform, and a DNS resolver simultaneously.

The real wedge plays are narrow vertical slices: a cheaper R2-compatible object store for a specific geography, a simpler WAF rule UI for SMBs, or a Workers-compatible edge runtime for a niche framework. You are not competing with Cloudflare — you are building on top of it or carving off one feature for one audience.

cost

cost of competing.

what they charge
Free plan (individual)
$0
/ forever
CDN, DDoS, DNS, R2, Workers free tier — all free. Enterprise plans are custom six-figure contracts.
annual: $0
what running yours costs
01 · Global anycast network (300+ PoPs): ??? — hundreds of millions in capex
02 · Peering agreements with every major ISP/IXP: ??? — negotiated, not purchasable
03 · DDoS scrubbing capacity (multi-Tbps): ??? — hardware + bandwidth at scale
04 · SOC 2, ISO 27001, FedRAMP, PCI DSS, FIPS 140-2: ??? — years and millions
05 · Your remaining ambition: priceless
TOTAL / mo: usage-based
▸ break-even: approximately never — their free tier alone undercuts any realistic build cost
build

what you're up against.

Matthew started in 2009. Still adding PoPs.
01 · easy · Build a DNS resolver UI
Wrapping a resolver in a pretty dashboard is a weekend. The resolver itself is not.
02 · medium · WAF rule editor for SMBs
A simplified WAF UI on top of ModSecurity or Coraza is achievable. The hard part is keeping false positives low.
03 · hard · Edge compute runtime (Workers-compatible)
V8 isolate scheduling, cold-start optimization, and request routing across even 5 PoPs is a serious distributed systems project.
04 · hard · S3/R2-compatible object storage
Riak, MinIO, or Ceph clusters with zero-egress pricing require owned hardware or favorable colo deals to undercut Cloudflare.
05 · nightmare · Global anycast BGP network
You need your own ASN, IP blocks, and peering at 100+ IXPs. This is measured in years and tens of millions, minimum.
06 · nightmare · Multi-Tbps DDoS absorption at the network layer
Cloudflare absorbs the largest DDoS attacks ever recorded. The data moat is literally traffic — you need to be attacked to learn how to defend.
stack

their position.

detected signals · measured
cdn · Cloudflare
recommended stack · inferred
infer · regulatory attorneys + compliance auditors
infer · your own ASN + BGP peering
infer · Anycast DNS + V8 isolate runtime
infer · owned PoP hardware in 100+ cities
infer · your remaining tears
rivals

who else has tried this.

option A
Cloudflare (free tier)
Yes, use the thing you scanned. CDN, DDoS, DNS, Workers, R2 — all free to start. This is the correct answer.
option B
Bunny.net
Cheaper CDN + storage for pure content delivery. No security stack, but $0.01/GB egress beats most.
option C
Fastly / Akamai (enterprise)
If a customer won't accept Cloudflare for compliance reasons, these are the only credible alternatives — and they cost more.
▸ generated with love, by a heartless robot · verdict v2.5 · saaspocalypse.dev