Why Cloudflare is a good business
Cloudflare originally evolved as an edge network of distributed servers protecting web apps from cyberattacks. The distributed nature of these proxies ensures fast connection times for consumers, as not all traffic has to be backhauled to one or a few central datacenters. Static website content such as images, HTML and JavaScript files can also be cached at the edge, reducing website loading times while relieving the origin servers from the burden of handling these requests. The internet is basically a cobbled-together series of networks, and edge servers are usually strategically placed where these various networks meet, in smaller datacenters or in those of the internet service providers (ISPs), giving fast connection times to the users within those networks as their requests won't have to travel across a series of networks. The interesting part is that Cloudflare has been building out more and more services to run on top of these servers, such as corporate network security and the ability for customers to deploy apps, storage and databases, i.e. a mini-version of Amazon AWS. This is what the company describes as its 'revenue flywheel': adding additional services with low marginal costs on top of its installed global network. The company is currently also installing GPUs in these servers, as it sees clear potential to run AI inferencing models closer to the consumer (more on this later). Cloudflare's market position looks strong, with more than 30% of the Fortune 1,000 being paying customers, so the company is clearly well positioned to get this software, and perhaps AI, revenue flywheel going.
Cloudflare's distributed network is shown above, including both the datacenters and its backbone (fiber optic cables). Cloudflare leases space in existing datacenters, such as those of the ISPs, to install its servers and networking equipment. According to the company's developer blog, it has been laying fiber optic cables around the world to provide higher-bandwidth connections between these smaller datacenters.
Amazon has started following a similar strategy, installing similar smaller datacenters, providing only the core AWS functionality, closer to the consumer. For the wider buffet of services you need to go to the main large datacenters, i.e. the 'regions'.
Building software architectures in the cloud is sticky business, as cloud engineers will typically only learn a few platforms — similar to coding languages — and might only be really fluent in one. If you've been building apps for the last five years on Microsoft Azure or Google Cloud Platform, you're very likely to stick with these, as moving to a new platform will take a lot of retraining and you're not even sure whether you can get all the functionality you need on the new platform to begin with. Google, for example, has a very attractive, unique portfolio of data management solutions, which also power the Google Search engine under the hood. Similarly, Cloudflare has a very strong position in website defense and is building up a strong position in corporate network security, specifically SASE (more on this in a bit). The point here is that there won't be many companies able to build out a global network like this in combination with attractive and unique software assets running on top. This is why Cloudflare should be interesting for long-term investors. An additional barrier is that some of these software assets enjoy network effects. For example, Cloudflare's large network is under heavy cybersecurity attack every day, and the data from these attacks is analyzed with AI to update its software against new attack types. This kind of data advantage also benefits the large cybersecurity players in general, such as Palo Alto, Zscaler and Fortinet.
The revenue flywheel
The below graph illustrates well how the company has been adding additional software services on top of their installed server network. The initial yellow-colored services are protecting web apps from cyberattacks. Subsequently, the company moved into corporate network security, a business very similar to Zscaler. Thirdly, Cloudflare has started building out a mini Amazon AWS with its developer services, allowing customers to run apps and store data close to the consumer on the company’s network.
Its bread-and-butter business is still really web app protection: more than 90% of paying customers are subscribed here, with only 20% subscribing to networking and/or developer services. On the Q3 call, Cloudflare's CEO illustrated the company's advanced capabilities here: "Another international technology company signed a two year $1.8 million contract for Magic Transit and Advanced Application Security. This customer approached us in the midst of a large-scale DDoS attack. Their incumbent solutions were provided by a mix of point solutions and bundled hyperscale cloud mitigation services, neither was sufficient to stay ahead of the attack. In Q3, we saw a significant increase in massive DDoS attacks. To give you a sense, these new attacks are generating nearly as much traffic as the entire Internet generates globally, but pointing it to a single victim. There are very few networks that can stand up to these attacks. As the world becomes more complicated and these attacks become more common, I think more and more of the Internet will turn to us for protection."
In a distributed denial of service (DDoS) attack, a cyber attacker attempts to overwhelm a target with traffic from a wide variety of sources, making it unavailable to legitimate users. Attacks can be volumetric, i.e. attempting to flood a target with a huge amount of traffic, or application-specific, i.e. exploiting a certain vulnerability within an app. So, for example, an attacker might not only send a huge number of requests, but also design those requests to place a heavy burden on the target, for instance via a complex query which takes considerable time to handle. This is roughly the idea:
A good defense here is making the user pass a CAPTCHA test on one of Cloudflare's edge servers before he's allowed to connect to the real origin server. Additionally, by first routing the traffic through edge servers, you can pick up anomalies in request patterns. So if a user starts requesting a lot of resources within a short timeframe, you can make him do a bot test.
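This kind of anomaly detection can be sketched as a simple sliding-window rate limiter. The thresholds and names below are made up for illustration; this is a toy model of the idea, not Cloudflare's actual implementation:

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # look-back window per client (illustrative value)
MAX_REQUESTS = 100    # requests allowed in the window before a bot check

request_log = defaultdict(deque)  # client IP -> timestamps of recent requests

def should_challenge(client_ip, now=None):
    """Return True if this client should be sent a CAPTCHA/bot challenge."""
    now = now if now is not None else time.time()
    log = request_log[client_ip]
    log.append(now)
    # Drop requests that have fallen out of the look-back window
    while log and now - log[0] > WINDOW_SECONDS:
        log.popleft()
    return len(log) > MAX_REQUESTS
```

A client issuing a handful of requests passes straight through, while one hammering the edge with hundreds of requests in a few seconds gets flagged for a challenge.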
In an increasingly geopolitically multipolar world, Cloudflare is exposed to the thematic of increasing cyber attacks. Even smaller regional powers such as North Korea and Iran are building up cyber capabilities. From CSO Online: "State-backed North-Korean hackers have stolen an estimated $2 billion or more in funds from cryptocurrency organizations and banks in 30 cyberattacks over the past five years. In 2023 alone, North Korean hackers have stolen $340 million in cryptocurrency assets, not including the estimated $150 million US government officials believe they stole from blockchain transaction firm Mixin in late September 2023." As a result, cybercrime has been a high-growth market and this will likely remain the case:
Cloudflare’s CEO commenting here: “The world is getting a lot more complicated, and we’re seeing even nation state actors turning to DDoS attacks to disrupt services around the world. A new attack vector, which our team alongside Google and AWS helped discover and announced last quarter, is generating attacks that are almost doubling the total volume of traffic on the entire Internet. And the nature and architecture of how we’re able to stop those attacks is very unique to Cloudflare. We’re seeing even some of the large hyperscalers that have their own limited DDoS mitigation services point customers to us, because we’re the best in the world at this. If you look at some of the other zero trust vendors out there, they’re actually Cloudflare customers using our DDoS mitigation products. That’s a real differentiator for us.”
Cloudflare's network security business is reasonably new, and as it takes considerable time for enterprise customers to move to new technologies, there should be substantial revenue upside here.
One research firm did a large amount of detailed work in SASE (better than Gartner) and rates Cloudflare as number one in terms of product and technology, followed by Netskope. Zscaler and Palo Alto score best in sales execution, probably no surprise given their longer history and wider customer relationships.

SASE combines networking security with zero trust, meaning that every single request the user makes has to be verified by the system. So it's not like an old-fashioned local network where, once an attacker has gained access, he can start exploring all the local machines to steal or manipulate their content. Instead, every request from a user trying to access a given service has to go through a central 'switchboard', which validates the user and his access rights.
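Conceptually, the 'switchboard' authenticates the identity and checks an access policy on every request, granting nothing based on network location. A minimal sketch, where all identities, tokens and service names are hypothetical:

```python
# Hypothetical policy store: which services each verified identity may reach
POLICIES = {
    "alice@corp.com": {"payroll-app", "wiki"},
    "bob@corp.com": {"wiki"},
}

# Stand-in for an identity provider's token validation
VALID_TOKENS = {"tok-alice": "alice@corp.com", "tok-bob": "bob@corp.com"}

def authorize(token, service):
    """Zero trust: verify identity and policy on every single request."""
    user = VALID_TOKENS.get(token)   # 1. authenticate the identity
    if user is None:
        return False                 # unknown token: no implicit trust
    # 2. check the access policy for this specific service
    return service in POLICIES.get(user, set())
```

The key contrast with a traditional perimeter: a stolen token or an out-of-policy request is rejected at the switchboard, rather than roaming freely once 'inside' the network.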
Zscaler is known for talking up their certifications with the US government, however, also Cloudflare is winning deals here. Cloudflare’s CEO disclosed on the Q3 call: “A US government cabinet level agency within the executive branch signed a one year $2 million contract. Cloudflare is replacing three point solutions, including a 20-year old incumbent solution. They were drawn to Cloudflare’s modern architecture, rate of innovation, robust network, and ability to reduce complexity by consolidating multiple point solutions into a single pane of glass.
Another US government agency signed a one year $510,000 contract for Cloudflare’s Zero Trust solutions including Access, Gateway, Browser Isolation and Data Loss Prevention. We were selected over first-generation Zero Trust competitors due to our ability to consolidate numerous products across both application security and Zero Trust onto a single platform.
Our federal business has grown significantly over the last year, and we believe these deals are just at the tip of the iceberg with both of these customers, which we expect can expand significantly. Cloudflare is the only vendor that can deliver a comprehensive network-wide solution from a single vendor.”
Regarding the last comment, Cloudflare presented the below diagram showing how they're currently the only vendor able to offer SASE, SD-WAN and multi-cloud networking within a single platform. Competitors such as Palo Alto have moved into SASE and SD-WAN via M&A, buying good point solutions and then stitching them together. SD-WANs are basically software tools that let you set up and manage wide area networks, which connect an organization's different geographies. Usually, diagrams which put a certain company at the center of everything are to be taken with a huge grain of salt. However, Cloudflare does look to have built a very comprehensive platform on top of its network.
The company’s highly distributed network gives them an advantage on latencies experienced by customers. For example, in zero trust network access, they are around 37% faster than Zscaler (below). Now, I wouldn’t rate this as a permanent competitive advantage as skilled competitors such as Zscaler and Netskope can build out a larger network of edge datacenters as well, similar to what Amazon is doing. However, this will be hard to replicate for smaller players aiming to enter the industry. Therefore, I would rate the barriers to entry as reasonably high and this will probably become an industry with only around a handful of strong players.
For accessing the internet over a secure gateway, the differences are even more stark in Cloudflare's tests:
Finally, Cloudflare's developer platform is more niche than an AWS, for example: you would use it only for services which you can run closer to the consumer. A lot of services need regular access to a central database, so it makes sense to run those in larger regional datacenters. However, what makes me potentially enthused about the LLM (large language model) inferencing opportunity is that these models don't make use of a central database, or at most would have to download a user's context once at the start of an interaction. Therefore, adoption on the edge makes more sense. This could also drive stronger adoption of Cloudflare's other developer services, e.g. databases, serverless workers and storage.
Although customer penetration of these developer services is still low, at around 20%, Cloudflare’s CEO discussed where they are seeing adoption already: “I think that there are a couple of different areas where we’re monetizing and that’s starting to show up in the results, and then there are a couple of areas where I think there’s a longer time horizon. The place where we’ve been positively surprised is with our R2 product, our object store. It allows customers to be multi-cloud and to easily move data to where their resources are, without charging them an egress tax like some of the other traditional public clouds do. That’s a place where a lot of growth is coming from AI companies, they love the fact that they can take their data, their training sets, and move it to wherever GPUs are available around the world. And that’s driving revenue for us today. I think that will be something that will go forward into the quarters to come.”
It's fine that R2 is generating revenues; however, if no egress fees are being charged, it's likely that this product is currently a loss leader. Transferring large amounts of data consumes considerable network capacity, which is why the hyperscalers naturally charge for it. That said, I suspect the strategy here is to first move customer data onto the Cloudflare platform, and then make money on the compute side when customers start running apps on the servers, utilizing their data.
Overall, we should have an interesting revenue flywheel here, where a suite of software solutions runs on an already installed network. In other words, a large part of the cost base has already been sunk, with the additional marginal cost being mainly the power for this additional compute. Cloudflare's CEO detailed this:
“I think more and more people are leaning in on DDoS and using us for that. And what we’re seeing is that we can use that as sort of the milk in the grocery store where we can sell other products across our suite. We can run our zero trust products at extremely high margins, if you take all other zero trust vendors that are out there and add up their traffic, we could add them all to Cloudflare’s network without significantly increasing our underlying COGS.”
Multi-cloud connectivity
We’ve discussed a number of times in the past how multi-cloud architectures are increasingly the preferred choice for enterprises as it reduces vendor lock-in:
Cloudflare’s CEO discussed this trend and their new product in this area: “Everyone today is looking at their cloud bill and saying ‘how can we make this go down’. The best way is to have the ability to move data and workloads from one provider to another. And enabling that multi-cloud universe is fundamental to how we think and more and more customers are seeing the power of that. They’re multi-cloud and our connectivity cloud hooks all their systems together in a fast, secure and reliable way in a single control plane.”
The CEO also gave an example of a new, large contract in this area: “A Fortune 500 technology company expanded their relationship with Cloudflare, signing a one year $2.9 million contract. This customer approached us to use our connectivity cloud to help them collect AI and machine learning data from their customers while maintaining the highest level of privacy. It highlights how Cloudflare’s network can help customers take advantage of AI while complying with an increasingly complex regulatory environment.” So here the data is being stored locally on Cloudflare’s servers so that it doesn’t leave any given region.
Overall, given the preference of corporations to work in multi-cloud environments, orchestration products such as these should become an interesting business over time. Clearly there is also demand from certain applications to make use of Cloudflare’s highly distributed cloud with its many, local datacenters.
AI inferencing
While smaller transformer-based AI models will be able to run on your smartphone or PC, the larger models can take up hundreds to thousands of GB, so obviously these won't fit in your smartphone's or PC's RAM. In my opinion, going forward consumers will likely make use of smaller models installed on their devices to assist them with a variety of more specialized, narrower tasks, while more powerful and generalized AI models will be queried from the cloud to handle more complicated problems. As an example, the smaller model on your PC can help you with your Python coding, whereas a powerful model such as GPT4 will obviously be running in the cloud. AGI won't be created from your pocket.
According to Cloudflare's data, 95% of all internet users are within 50 milliseconds of one of its datacenters. For comparison, the blink of an eye takes around 400ms. Typically, web app architects want to keep customer latencies within a few hundred milliseconds, so that the customer doesn't become aware of page loading times. Naturally, Cloudflare's widespread network should make it an attractive base to run AI inferencing services from, being in close proximity to users.
The company’s CEO discussed this new opportunity on the Q3 call: “We also announced Workers AI to put powerful AI inference within milliseconds of every internet user. We believe inference is the biggest opportunity in AI and inference tasks will largely be run on end devices and connectivity clouds like Cloudflare. Right now, there are members of the Cloudflare team traveling the world with suitcases full of GPUs, installing them throughout our network. We have inference-optimized GPUs running in 75 cities worldwide as of the end of October and we are well on our way of hitting a goal of 100 by the end of 2023. By the end of 2024, we expect to have inference-optimized GPUs running in nearly every location where Cloudflare operates worldwide, making us easily the most widely distributed cloud-AI inference platform. We’ve been planning for this for the last 6 years, we intentionally left one or more PCI slots in every server we built empty. That means we can use our existing server infrastructure and just add GPU cards, allowing us to add this capability while still staying within our forecast capex envelope. And we will have a mix of GPUs. Today, we’re standardized around Nvidia, but we’re good friends with the folks at AMD, Intel and Qualcomm. What we’re really trying to optimize for, is giving people the tools that can give them the best performance on not just a speed basis, but also on a cost and efficiency basis. In the five weeks since our AI announcement, thousands of developers have leveraged our new capabilities to build full stack AI applications on Cloudflare’s network. The demand has exceeded our expectations and continued to accelerate, increasing 5x since mid-October. We have a pipeline of customers interested in putting hundreds of billions of inference tasks on our infrastructure each month, that’s when this starts to turn into real revenue for us. 
It’s early days, so we don’t know exactly what the timeframe will be but the conversations we’re having are very exciting.”
Twilio wrote a blog post last month describing how they deployed a Llama-2 model on Cloudflare Workers to function as an AI assistant, pulling in a customer's data from the cloud and then assisting him with any questions he might have about the company's products or services. The LLM could also send the customer customized offers to revisit the store or website. This is a pretty basic example, but it illustrates how AI inferencing can be used.
Cloudflare has tens of thousands of servers around the world, so how sizeable could this revenue opportunity become over time? Well, we know that one can rent an Nvidia A100 40GB server for around $3.3 per hour:
Assuming Cloudflare can over time install similar types of GPUs in 30,000 servers, renting them out at $3.34 per hour with an 80% utilization rate, this would give around $700 million in annual revenues. If the GPUs can be purchased for around $10,000 apiece, this would require around $300 million in capex ($100 million per annum over three years). We also know that Amazon is making around 29% EBIT margins in AWS; let's assume 20% for Cloudflare for the moment, which would give $140 million in annual EBIT. Given that Cloudflare is set to generate around $1.3 billion in revenues and $110 million in EBIT this year, AI inferencing could be a very nice business, basically more than doubling EBIT.
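For reference, the back-of-the-envelope math works out as follows; all inputs are the assumptions stated above:

```python
servers = 30_000            # assumed GPU-equipped servers over time
hourly_rate = 3.34          # $ per GPU-hour, A100-class rental pricing
utilization = 0.80          # assumed utilization rate
hours_per_year = 24 * 365

revenue = servers * hourly_rate * utilization * hours_per_year
capex = servers * 10_000    # assumed $10k per GPU
ebit = revenue * 0.20       # assumed 20% EBIT margin

print(f"revenue = ${revenue/1e6:.0f}m, capex = ${capex/1e6:.0f}m, EBIT = ${ebit/1e6:.0f}m")
```

This gives roughly $702 million in annual revenues, $300 million of capex and $140 million of EBIT, matching the figures in the text.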
These are not at all stretched assumptions. Nvidia is doing more than $40 billion in datacenter revenues this year, so Cloudflare installing $100 million worth of GPUs annually will be a tiny portion of the market. Additionally, inferencing will be a far larger market than AI training as once LLM models have been trained, they will have to be deployed afterwards nearly continuously.
For generalized LLM models such as GPT4 and 5, Cloudflare's infrastructure will struggle due to the huge size of these models. GPT4 reportedly has 1.7 trillion parameters, which at 2 bytes per parameter would require 3,400 GB of memory to load onto a GPU cluster. For comparison, Nvidia's upcoming H200 will carry only 141 GB of memory, while AMD's MI300X includes 192 GB. Thus, GPT4 inferencing would require around 18 to 25 GPUs operating within a single cluster via model partitioning. However, for narrower use cases such as e-commerce assistants making use of smaller model sizes — Llama-2 versions range from 14 to 140 GB in size — Cloudflare should be able to provide a good solution, as noted in the Twilio example. Also, if the demand is there, Cloudflare could install additional dedicated AI inferencing clusters or even open up new datacenters connected to its high-speed network. Both would be suitable to run the GPT4-class models.
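The memory arithmetic behind these cluster sizes, using the parameter count and per-GPU memory figures cited above:

```python
import math

params = 1.7e12                  # GPT4's rumored parameter count
bytes_per_param = 2              # fp16/bf16 weights
model_gb = params * bytes_per_param / 1e9   # total memory for the weights

h200_gb, mi300x_gb = 141, 192    # memory per GPU
gpus_h200 = math.ceil(model_gb / h200_gb)
gpus_mi300x = math.ceil(model_gb / mi300x_gb)

print(f"{model_gb:.0f} GB -> {gpus_mi300x} MI300Xs or {gpus_h200} H200s")
```

Note this only counts the weights; in practice KV-cache and activation memory push the requirement somewhat higher, so 18 to 25 GPUs is the floor.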
No doubt others will aim to copy this business model, which would drive down pricing and hence ROIs. An advantage Cloudflare enjoys here is that a large part of the capex has already been sunk, i.e. the company already has datacenters and networking bandwidth installed around the world, giving it an edge to compete on pricing. Strong competitors here will be the cloud hyperscalers, as we've seen above that Amazon AWS is also building out local datacenters.
Vector databasing
As part of its developer platform, the company is also moving into providing databases. Its recent vector database will be useful in the fine-tuning of AI models: basically, it allows you to feed new data or context to an LLM so that the model can make use of this novel data. Vector databases are also used for semantic searches on your data in the cloud. So when you search for a particular term, the vector database can automatically link this term to words with a similar meaning, thereby expanding the richness of the results you retrieve. If you search for 'Microsoft', for example, the semantic search could also return results linked to 'MSFT', the company's ticker.
Cloudflare’s CEO discussed this: “The vector database is for being able to fine-tune your models and have a database that’s built on top of the existing R2 infrastructure. And that’s sort of my sneaky feature that I think is going to be pretty disruptive. And the good news is, again, all of these things are built on a lot of the primitives that we had before.”
Overall, this is a good illustration of how the company is expanding its software ecosystem to increase the attractiveness of its platform.
A visual representation of how each word can be embedded into a single vector describing its characteristics: the word 'ape' will have data points indicating that it is a noun, an animal, a mammal, that it lives in trees, etc. This way it can be used in a sentence and linked to similar animals, e.g. squirrel. These vectors are then stored in a database:
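The semantic-search mechanic can be illustrated with toy embeddings and cosine similarity. The three-dimensional vectors below are invented for illustration; real embedding models produce hundreds of dimensions:

```python
import math

# Toy embeddings: dimensions loosely standing in for 'animal-ness',
# 'lives in trees', 'is a vehicle', etc.
EMBEDDINGS = {
    "ape":      [0.9, 0.8, 0.1],
    "squirrel": [0.8, 0.9, 0.2],
    "car":      [0.1, 0.0, 0.9],
}

def cosine(a, b):
    """Cosine similarity: 1.0 for identical directions, ~0 for unrelated."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)

def nearest(word):
    """Return the most semantically similar word in the store."""
    return max((w for w in EMBEDDINGS if w != word),
               key=lambda w: cosine(EMBEDDINGS[word], EMBEDDINGS[w]))
```

A query for 'ape' comes back with 'squirrel' rather than 'car', since their vectors point in similar directions; a vector database does the same lookup at scale with indexes optimized for high-dimensional nearest-neighbor search.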
Financials, share price of $63 on the New York Stock Exchange at time of writing
The company has done a really good job at cross-selling more products to its customer base, with more than 48% of customers on 8 or more software modules at the end of ‘22:
This has resulted in the number of large paying clients skyrocketing; there are even customers spending more than $5 million per annum on Cloudflare. A potential candidate here could be Shopify, which uses the Cloudflare network to protect all its webstores.
Cloudflare’s key metrics are highlighted below — paying customers are growing at around 15 to 20% per annum, with higher growth rates in the large paying customers cohort:
The business is geographically diversified, with almost 50% of revenues coming from outside the US. This is a high number for a SaaS company; most peers are highly US-oriented.
There was a hiccup at the Q1 results, as the company saw its sales cycle — in terms of the number of days required to close a deal — lengthen, causing it to guide down numbers for the year. As a result, changes have been made in the salesforce, with the lowest performers being replaced by new hires. Cloudflare's CEO commented on this topic during the recent call:
“We’re beginning to see positive early signs from the sales team members we’ve brought on over the 6 months to replace underperformers. During the quarter, the pipeline generated by this new cohort was 1.6x higher than those brought on at the same time a year earlier. These new account executives achieved more than 130% of their activity goals for the quarter.”
It takes some time for software salespeople to get fully up to speed, easily more than six months, so these are very encouraging stats.
As Cloudflare is still in an investment phase, building out its platform, client base and network, margins are currently depressed. In its most recent results, the company generated a 13% operating margin excluding share-based compensation (SBC) and a 10% FCF margin. Over time, as growth matures and the business gains scale, the company sees itself being able to generate 20%+ operating margins (ex SBC) and 25% FCF margins.
Within the SaaS and public cloud space, Snowflake, Cloudflare and Gitlab are currently the highest growth names:
Wall Street's estimates are below. The business has now turned FCF positive and enjoys a net cash position, so the financial position is healthy. However, shareholders are still being diluted, as the cash generation isn't sufficient to offset the dilution from SBC (FCF is smaller than SBC).
This is obviously not a cheap name: if in the long term this stock trades at 5x revenues, the current sales multiple of 16x already implies revenues more than tripling. What could drive revenue upgrades, however, is the coming opportunity in AI inferencing as discussed above. The sell side hasn't been modelling anything in; in fact, they've been lowering their '25 revenue numbers:
If Cloudflare is able to generate the $700 million in AI inferencing revenues discussed above by '25, then investors could make a 62% IRR (annualized return) over the coming 14 months. I'm assuming a modest derating to a 13x sales multiple:
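To make the arithmetic behind that IRR explicit: the '25 base-revenue figure below is my own assumption of roughly where consensus sits, and the other inputs are the ones from the text:

```python
current_value = 1.3e9 * 16      # ~current revenues x the current ~16x sales multiple
base_rev_2025 = 2.1e9           # assumed '25 consensus revenue (hypothetical input)
# Add the AI inferencing revenue and derate to a 13x sales multiple
target_value = (base_rev_2025 + 0.7e9) * 13

months = 14
irr = (target_value / current_value) ** (12 / months) - 1
print(f"IRR = {irr:.0%}")
```

With these inputs the annualized return works out to roughly the low 60s in percent; the result is sensitive to the assumed '25 base revenue and exit multiple.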
Overall, Cloudflare is a good quality company and if the AI inferencing opportunity plays out, this will be a lucrative investment.
If you enjoy research like this, hit the like button and subscribe. Also, please share a link to this post on social media or with colleagues with a positive comment, it will help the publication to grow. All shares are appreciated.
I’m also regularly discussing tech and investments on my Twitter.
Disclaimer - This article is not a recommendation to buy or sell the mentioned securities, it is purely for informational purposes. While I’ve aimed to use accurate and reliable information in writing this, it can not be guaranteed that all information used is of this nature. The views expressed in this article may change over time without giving notice. The future performance of the mentioned securities remains uncertain, with both upside as well as downside scenarios possible. Before investing, I recommend speaking to a financial advisor who can take into account your personal risk profile.