Cloudflare is best understood not as a content delivery network that added security features, but as a deliberate attempt to turn edge distribution into a universal control plane for three different layers of enterprise infrastructure: public Internet traffic, private user-to-application access, and developer execution. The company’s own language now reflects that ambition. It describes itself as a “connectivity cloud,” says it runs “sixty-plus services” on the same global network, and emphasizes a design in which every service runs in every data center rather than on separate specialist stacks. That matters economically. A vendor that can inspect, route, secure, and execute code on the same packet path can sell multiple higher-value controls off one already-deployed footprint. In Cloudflare’s case, that footprint spans roughly 335 cities in more than 125 countries on current corporate pages, while the company’s April 2026 network-capacity update described a 500 Tbps network in 330+ cities across 125+ countries. Even the slight variation in counts across pages is revealing: the network is large, still expanding, and marketed as a living operating surface rather than a static map.
That thesis is also visible in the financial statements. In fiscal 2025, Cloudflare generated $2.168 billion of revenue, up from $1.670 billion in 2024 and $1.297 billion in 2023. In the first quarter of 2026, revenue reached $639.8 million, up 34% year over year, while current remaining performance obligations also grew 34%. Paying customers rose to more than 332,000 by year-end 2025, and large customers generating more than $100,000 of annualized revenue reached 4,298 at the end of 2025; the investor relations overview subsequently showed “4,400+” large customers and 42% of the Fortune 500 as paying customers as of March 31, 2026. These are not the signs of a narrow cache utility. They are the signs of a platform selling deeper into larger organizations while preserving a very broad self-serve and SMB funnel.
The important non-obvious lesson is that Cloudflare’s infrastructure role has become more strategic as the Internet itself has fragmented. Enterprises increasingly need one fabric that can front-end websites and APIs, broker employee access, connect branches and data centers, terminate bot and DDoS traffic, host application logic close to users, and increasingly support AI inference and agent traffic. Cloudflare is trying to be that fabric. Its advantage is not that any single one of those products is impossible to copy. Its advantage is that the company can distribute them on a single edge, a single control plane, and a single sold account. That lowers product-delivery friction for Cloudflare and lowers integration friction for the customer. That mechanism is the centre of the company story.
The central investment question, then, is not whether Cloudflare is a “leader” in one Gartner-style box. It is whether the company can keep converting network presence into software attach faster than the market commoditizes underlying delivery. The evidence so far says yes, but with important caveats. Revenue growth remains strong, enterprise penetration is rising, international mix is broad, and the platform scope has widened materially. But gross margins have come under pressure as the company invests in servers, network capacity, third-party technology, and newer AI-heavy workloads. Meanwhile, because the platform is shared by design, infrastructure failures and control-plane mistakes can propagate across many services at once. Cloudflare’s greatest strength and its deepest risk come from the same architectural choice: one network, one stack, everywhere.
Business model and revenue logic
Cloudflare’s reported revenue still looks like a classic subscription software business on the surface. The company states that substantially all revenue comes from subscription and support revenue recognized over time. Customers are granted ongoing access to Cloudflare’s network and products over the contract period, and the associated fixed consideration is generally recognized on a straight-line basis. Yet the 2025 filing also makes clear that usage-based fees are part of the model, and KPMG’s critical audit matter explicitly described revenue as generated from “pay-as-you-go and contracted customers” and as comprising subscription fees, support services, and usage-based fees. This is a crucial distinction. Cloudflare is neither a pure seat-based SaaS company nor a pure usage network utility. It is increasingly a hybrid recurring-plus-usage model, which is exactly what one would expect from a platform spanning security controls, network transport, and developer workloads.
The revenue mix disclosed in the 2025 Form 10-K shows how the business is broadening. Regionally, the United States contributed 49% of revenue in 2025, EMEA 28%, Asia Pacific 15%, and other geographies 8%. Management separately noted that 51% of 2025 revenue came from international customers, up from 49% in 2024 and 48% in 2023. This is not a U.S.-bound software story with incidental overseas sales. It is a globally distributed business whose network proposition and regulatory posture matter in multiple jurisdictions. The geographic breadth also helps explain why Cloudflare invests so much in local presence and data-localization features: those are not side products, but enabling conditions for enterprise adoption outside the United States.
The customer-type split is equally revealing. In 2025, 74% of revenue came from direct customers and 26% from channel partners, versus 80% direct and 20% channel in 2024, and 84% direct and 16% channel in 2023. That rising partner share suggests an intentional scaling of route-to-market rather than a temporary anomaly. For Cloudflare, channel expansion can widen enterprise coverage, improve international reach, and allow the company to penetrate accounts where systems integrators, service providers, or managed security partners control architecture decisions. The evidence proves that channel is becoming structurally more important. What it only suggests, not proves, is the margin effect. A larger channel mix can accelerate sales efficiency and deal volume, but it can also compress economics if partner discounts rise faster than support leverage. Cloudflare does not publicly break out channel gross margin, so the exact trade-off remains unknown.
The customer base itself is unusually broad for a company with meaningful enterprise ambition. Cloudflare had approximately 332,000 paying customers across more than 190 countries as of December 31, 2025, up from about 238,000 a year earlier, while large customers over $100,000 of annualized revenue rose from 2,756 in 2023 to 3,497 in 2024 and 4,298 in 2025. That combination matters. Many infrastructure companies have to choose between long-tail self-serve acquisition and concentrated enterprise go-to-market. Cloudflare is trying to keep both: a low-friction entry funnel from free and inexpensive plans, and an upmarket motion that converts a subset of accounts into multi-product enterprise relationships. The fact that 42% of the Fortune 500 were paying customers by March 31, 2026 does not mean those enterprises necessarily spend heavily, but it does indicate unusually broad logo penetration.
Just as important is what Cloudflare does not disclose. The company does not publicly provide product-line revenue for CDN versus application security versus Zero Trust versus Workers versus AI. Investors therefore cannot directly prove how much of the top line still depends on legacy traffic acceleration economics versus newer higher-value software layers. That unknown is one of the most important interpretive gaps in the story. The filings do prove that Cloudflare’s overall revenue is increasingly enterprise-oriented: large-customer counts keep rising, international enterprise reach is substantial, remaining performance obligations stood at $2.496 billion at year-end 2025, and 63% of that amount was expected to convert to revenue within 12 months. But the company’s future multiple and strategic leverage will depend heavily on the hidden internal mix between commoditizing delivery and higher-switching-cost control products.
The growth pattern itself has remained strong by infrastructure-company standards. Revenue grew 29% in 2024, 30% in 2025, and the first quarter of 2026 showed 34% year-over-year growth. That acceleration matters because it came after a period when many enterprise software companies were decelerating under macro pressure. Still, the mechanism of that growth matters more than the headline. Cloudflare’s own discussion of risk factors and business strategy repeatedly references its ability to retain and upgrade paying customers, convert free customers to paid, expand the number of products sold per customer, and increase sales to large customers. That is a bundle-expansion play, not a pure traffic-growth play. Cloudflare is trying to compound account value by widening control of the customer’s request path and infrastructure surface.
The economics of one network everywhere
Cloudflare’s network architecture is the company’s economic engine, and the key architectural claim is straightforward: every service runs in every data center, and all customer traffic is processed at the location closest to its source rather than being backhauled to specialized inspection sites. Cloudflare calls this “one network — everywhere,” says that single-pass inspection streamlines security, and emphasizes that its global network is interconnected with more than 13,000 service providers, cloud providers, and enterprise networks. On the public Internet side, AS13335’s PeeringDB entry describes the network as a global anycast platform with open peering and automatic IX peering available through Cloudflare’s portal, while a June 2026 Hurricane Electric BGP snapshot showed AS13335 originating 5,543 prefixes and connected at 358 Internet exchanges. Those third-party routing statistics are snapshots rather than accounting figures, but they reinforce the official picture: Cloudflare has unusually dense edge interconnection.
That interconnection has real economic consequences. In August 2024, Cloudflare said backbone capacity had increased by more than 500% since 2021, that it had completed a global backbone ring reaching six continents through terrestrial fiber and subsea cables, and that for intra-city and long-distance connectivity it manages dark fiber or leases wavelengths using DWDM. The company explicitly argued that using its own backbone to move cached or origin-bound traffic is often the most cost-effective method at its scale, and that carrying origin responses from AWS, Oracle, Alibaba, Google Cloud, or Azure over its own backbone gives it greater control, better reliability, and less dependence on the public Internet. This is a strong clue to Cloudflare’s internal cost logic. The more traffic the company can pull onto its own controlled paths and local peerings, the less it has to buy expensive transit in the most performance-sensitive portions of delivery.
The most important subtlety is that Cloudflare’s network is no longer optimized just for caching. A traditional CDN can build a very strong business around storing and serving static assets near users. Cloudflare’s architecture is more ambitious. The company says every server runs its developer platform and security services, “not just cache.” Workers run in 330+ cities by default, use a CPU-time billing model rather than charging for idle time, and promise no cold starts. Durable Objects combine compute with storage for coordination-heavy applications. R2 offers object storage with no egress fees. Workers AI provides serverless inference on GPUs across Cloudflare’s network, and current product marketing says 50+ models run close to users in 200+ cities. In other words, the network is being repurposed from distribution infrastructure into an execution infrastructure.
This shift explains both Cloudflare’s strategic upside and its margin tension. On the upside, once a company owns the edge request path, the incremental cost of attaching more software logic to that path can be much lower than selling a standalone point product with its own appliance footprint or separate inspection network. That is especially true for adjacent services such as WAF, bot management, API protection, DNS, smart routing, Access, Gateway, and Browser Isolation. The packet is already there. The identity decision, security policy, and performance optimization can happen in the same place. On the downside, not all edge workloads have CDN-like economics. AI inference, durable compute, and storage coordination can be more hardware-intensive and less cache-friendly than classic reverse proxy traffic. The network becomes strategically richer, but not necessarily gross-margin richer in the short run.
The financial statements confirm that Cloudflare is leaning harder into physical infrastructure. Purchases of property and equipment reached $315.6 million in 2025, up from $185.0 million in 2024 and $114.4 million in 2023. Management itself presented that as 15% of revenue in 2025, versus 11% in 2024 and 9% in 2023. Gross property and equipment reached $998.1 million at year-end 2025, including $726.8 million of servers and network infrastructure, up sharply from $488.8 million a year earlier. Depreciation and amortization on property and equipment rose to $167.5 million in 2025 from $109.9 million in 2024. These numbers are large enough to matter. Cloudflare is still a software-like company in business model, but increasingly capital-intensive in network expansion.
Management’s accounting decisions add a useful clue. In 2024, Cloudflare completed an assessment of server-network useful lives and extended them from four years to five years, reducing 2024 depreciation expense by $21.1 million, primarily in cost of revenue. That tells two stories at once. First, the company believes its infrastructure can remain economically useful longer than previously assumed, which helps support free cash flow and margins. Second, the margin optics are somewhat flattered by revised depreciation assumptions rather than purely by operational efficiency. Investors should therefore be careful not to treat recent gross-margin performance as a clean read on underlying network economics without considering accounting-life revisions.
Gross-margin pressure is already visible. Cloudflare’s GAAP gross margin fell from 77% in 2024 to 75% in 2025, and management attributed the decline primarily to higher third-party technology services costs, higher co-location, network, and bandwidth costs, and higher depreciation due to server acquisitions and deployments. In the first quarter of 2026, GAAP gross margin fell further to 71.2% from 75.9% in the prior-year quarter. The company did not attribute that quarterly move line-by-line in the press release, so it would be speculative to pin it entirely on AI or GPU rollout. But the evidence does prove that Cloudflare’s next growth phase is consuming more infrastructure cost than the last one. The old assumption that edge software scales with near-frictionless software margins is too simplistic here.
That said, the company is still showing meaningful operating leverage beneath stock-based compensation. In 2025, GAAP operating margin was negative 10%, but non-GAAP operating margin was positive 14%, flat with 2024 and up from 9% in 2023. Free cash flow rose to $260.6 million in 2025, a 12% margin, from $166.9 million in 2024 and $119.5 million in 2023. So the more precise conclusion is this: Cloudflare’s network expansion is dragging on GAAP profitability at the margin, but the broader platform still appears capable of producing attractive cash conversion if growth stays strong and infrastructure spending does not outrun software attach.
Product strategy from CDN to SASE to developer platform
Cloudflare’s product portfolio is no longer organized around a single buyer persona. The company now sells to web teams, security teams, network teams, and developers, often through the same account. Official product pages group the portfolio into application security, application performance, networking, SASE/Zero Trust, and developer services. On the security and networking side, Cloudflare offers L7 DDoS protection, WAF, API security, bot management, L3/4 DDoS protection, firewall-as-a-service, Network Interconnect, and smart routing. On the SASE side, Cloudflare One packages ZTNA, secure web gateway, CASB, network-as-a-service, FWaaS, RBI, DLP, email security, and digital experience monitoring. On the developer side, the company offers Workers, KV, Durable Objects, D1, R2, Vectorize, observability, containers, Workers AI, and AI Gateway. The relevant insight is not simply breadth. It is adjacency. Most of these services sit on the same traffic plane, authenticate the same users, or use the same account and network boundary.
The original Cloudflare business was built on easy-to-adopt web infrastructure: DNS, CDN, SSL, and DDoS protection. That distribution engine still matters. The public pricing page continues to offer a free plan, a Pro plan at $20 per month billed annually, a Business plan at $200 per month billed annually, and a custom contract tier for mission-critical applications. Even free and low-cost tiers include core features such as DNS, unmetered DDoS protection, CDN, universal SSL, and WAF access at varying levels. This pricing architecture is not just a marketing choice. It is a customer-acquisition system that lowers the cost of initial adoption and creates a pathway into upsell. Few enterprise infrastructure vendors can claim both meaningful Fortune 500 penetration and a global self-serve funnel. Cloudflare does because it operationalized distribution at the low end first.
The more strategic move has been the build-out of Cloudflare One. The company’s SASE page describes a platform that connects and protects workforce, branch, data center, applications, and even AI agents on one connectivity cloud. It emphasizes replacement of VPN and MPLS, identity-first zero trust access, deep visibility into GenAI usage, and a single control plane, data plane, and infrastructure layer. Cloudflare Access pricing illustrates how the company is trying to land and expand in this segment: a free tier for small teams or proofs of concept, a $7 per user per month pay-as-you-go option, and custom contract pricing for full-featured SSE/SASE deployments. This is a classic Cloudflare maneuver: use aggressively accessible packaging to get the control plane installed, then widen the account into larger architecture changes.
The developer platform is the other major strategic pillar. Workers pricing begins with a free plan and a paid plan with a $5 minimum monthly charge, and the docs explicitly state that there are no additional charges for data transfer or bandwidth. The standard paid Workers model includes 10 million requests per month and bills incremental usage based on requests and CPU milliseconds, with no charge for wall-clock duration waiting on I/O. R2 reinforces the same philosophy. Standard storage is priced at $0.015 per GB-month, with request pricing for Class A and B operations, and both the product page and developer docs emphasize that there are no egress bandwidth charges. These are not incidental pricing details. They are direct attacks on three of the most hated economics in cloud infrastructure: per-seat remote access bloat, egress tolls, and idle-concurrency/server-provisioning overhead.
Cloudflare is also trying to make the edge developer experience feel less proprietary than it really is. Workers supports mainstream languages and frameworks, the runtime is designed for web interoperability, and Durable Objects, KV, and R2 are explainable in familiar software terms. R2 is compatible with S3-style paradigms. Yet there is still hidden lock-in. Durable Objects place stateful coordination inside Cloudflare’s runtime model. Access can become the policy gate for internal applications. AI Gateway can become the central policy and spend-control layer for model providers. When multiple functions of identity, network policy, storage, observability, and compute are anchored on the same provider, switching becomes much harder even if each component has a standards-compliant story individually.
That is why customer dependency at Cloudflare is best thought of as cumulative, not binary. A customer using only DNS and CDN has moderate switching costs. A customer using authoritative DNS, CDN, WAF, bot management, API protection, Access, Gateway, Magic WAN, Workers, KV, Durable Objects, and R2 has much higher switching costs, because it would need to recreate policies, peering and routing behavior, runtime logic, egress economics, storage patterns, and operational workflows across multiple replacement vendors. Cloudflare itself markets the connectivity cloud precisely on this anti-sprawl premise: one control plane, one network, reduced vendor count, less dashboard overload, and faster rollout. The company’s economic ambition is therefore not just to sell more SKUs. It is to increase the cost of architectural reversal.
AI extends that logic. Workers AI, AI Gateway, the Replicate acquisition, Human Native, and the company’s “agentic cloud” positioning all point toward the same destination: making Cloudflare the place where inference, policy, spend controls, content access, and application execution converge. The Replicate acquisition was explicitly framed as a way to make 50,000+ production-ready models available to Workers AI users and to add custom models and pipelines. Human Native was framed as tooling to help AI developers find, access, and purchase high-quality data through transparent channels. Whether any of this becomes material revenue soon is not yet proven. What is proven is that Cloudflare does not want AI merely to drive more traffic through existing pipes. It wants AI to make the pipes themselves more strategic.
Market position, competition, and pricing power
Cloudflare competes in several adjacent markets, and that is one reason simplistic peer comparisons are misleading. In traditional delivery and web performance, the clearest public comparables remain Akamai and Fastly. Akamai’s 2025 revenue by solution category was $2.243 billion in security, $1.257 billion in delivery, and additional cloud computing revenue, while the company disclosed that delivery revenue continued to face pricing pressure and renewals pressure. Fastly’s 2024 revenue was $543.7 million, of which $427.7 million came from network services and $103.0 million from security. Those figures show two important things. First, the CDN and edge-delivery market remains large, real, and competitive. Second, pure or legacy delivery revenue is under structural pricing pressure even for scaled incumbents. Cloudflare’s strategic answer has been to reduce the share of its narrative that depends on delivery alone and increase the share that depends on security, control, and execution.
In Zero Trust and SASE, Cloudflare faces a different class of competitor. Zscaler’s fiscal 2025 revenue reached $2.673 billion, approximately 98% of which related to subscription and support revenue, underscoring the scale that a focused cloud-security platform can achieve. Cloudflare’s differentiator here is not that it is larger than Zscaler in security-specific revenue; public disclosures do not prove that. Its differentiator is architectural. Cloudflare argues that first-generation SASE vendors often assembled patchworks of proxies and acquisitions, whereas Cloudflare One is unified by design on a single connectivity cloud. Whether that claim is fully true in every feature set is debatable, but the architectural pitch is coherent: Cloudflare thinks SASE is more valuable when it is bound to the same edge that already fronts the customer’s public applications and developer traffic.
Cloudflare also competes indirectly with public cloud platforms. Its own backbone discussion names AWS, Oracle, Alibaba, Google Cloud Platform, and Azure as common origins for customer traffic that Cloudflare transports. That origin dependency means hyperscalers are still partners in many deployments. But R2’s no-egress design, CPU-based Workers pricing, Smart Placement, and edge execution model are also competitive responses to hyperscaler economics. When Cloudflare says “say goodbye to egress fees” or offers “no additional charges for data transfer,” it is attacking an industry standard pricing convention that helped make centralized cloud highly sticky and expensive. Cloudflare is not trying to replace all of hyperscale. It is selectively attacking the cost and latency penalties of centralized cloud architectures.
This is where pricing power becomes more nuanced than headline plan prices suggest. At the low end, Cloudflare does not really exhibit classical pricing power; it exhibits distribution power. The free plan, cheap Pro tier, and inexpensive paid developer entry points are designed to make Cloudflare easy to adopt, not maximally monetized per seat or per domain. But at the enterprise level, pricing power can emerge from bundle replacement. If Cloudflare can credibly replace parts of CDN, DDoS, WAF, API security, bot management, VPN, SWG, CASB, branch networking, and some categories of edge compute or storage with one contract and one operations model, then the relevant economic benchmark is not the price of one Cloudflare SKU. It is the all-in cost, complexity, and downtime risk of multiple incumbent stacks. That is why Cloudflare repeatedly markets against “tech sprawl,” “vendor count,” and “dashboard overload.” Those messages are basically arguments for enterprise bundle pricing power.
Still, it would be a mistake to assume Cloudflare has unconstrained pricing leverage. Akamai’s filing is explicit that delivery faces pricing pressure and customer DIY efforts. Fastly’s smaller scale makes the same arena visibly price competitive. Cloudflare’s own public pricing is unusually transparent for self-serve products, which disciplines upward repricing. And the company’s rapid expansion into adjacent categories means it often chooses penetration over margin maximization. Even the 2025 to 2026 gross-margin trend suggests Cloudflare is funding strategic breadth with real infrastructure expense. The evidence therefore suggests that Cloudflare’s best pricing power lies in enterprise bundles and architectural replacement, not in squeezing unit prices on commoditizing edge primitives.
The most useful competitive conclusion is this: Cloudflare is better positioned when the buying decision is “which platform can simplify more of my Internet edge?” and less advantaged when the buying decision is “which vendor gives me the cheapest standalone CDN gigabyte or the single deepest feature set in one isolated security category?” That is why the company keeps pushing the narrative from products to platform, and from edge speed to control. It knows that point-product competition is harder to defend than platform-adjacency competition.
Governance, international footprint, and risk exposure
Cloudflare’s international footprint is a strength, but not a frictionless one. The company says it serves customers in more than 190 countries, derives a majority of revenue internationally, and operates network locations in more than 330 cities and over 125 countries. Its public office footprint spans North America, Europe, the Middle East, and Asia-Pacific hubs including Singapore, Beijing, Tokyo, Seoul, Sydney, and Bengaluru. Its network and legal pages also emphasize Data Localization Suite tools and granular controls on where data is inspected, reflecting the reality that multinational enterprises increasingly need location-aware infrastructure rather than a purely borderless cloud. In other words, Cloudflare’s international scale is not just about selling abroad; it is about making the edge itself legible to sovereign and sectoral compliance requirements.
China is the clearest example of how that international footprint is partly partner-mediated. Cloudflare’s China Network documentation says selected Cloudflare performance and security products run on data centers in Mainland China operated by JD Cloud. The FAQ explicitly says Cloudflare itself does not have an MIIT license to provide CDN services in China, but JD Cloud does. This arrangement is commercially useful because it extends Cloudflare’s reach and performance inside China without requiring Cloudflare to be the licensed operator there. It is also strategically revealing. In the most politically sensitive jurisdictions, Cloudflare’s “global network” is sometimes a commercial and regulatory partnership model rather than a wholly owned control model. That creates opportunity, but also dependence on local partners and rules.
Governance is likewise more founder-controlled than a casual reading of the ticker symbol might imply. Cloudflare has a dual-class structure in which each Class A share carries one vote and each Class B share carries ten votes. As of April 30, 2026, Matthew Prince held 25.69 million Class B shares and approximately 39.0% of total voting power, while Michelle Zatlyn held 9.02 million Class B shares and approximately 13.4% of total voting power. Executive officers and directors as a group controlled 52.4% of the total voting power. The proxy statement further noted that, as of the 2026 record date, the co-founders controlled the stockholder vote on key matters. This means Cloudflare is publicly listed, but strategic control remains founder-led in a very real sense. That can be positive for long-horizon infrastructure investment. It also materially limits the influence of outside shareholders.
The 2026 proxy also matters because it included amendments related to reconstituting share classes and, in effect, preserving founder influence through a more complex structure. As of June 28, 2026, that proposal was still pending the June 30 annual meeting, so any claim about final governance changes would be premature. But the fact that such proposals are on the table is itself a signal. Cloudflare’s founders appear intent on retaining strategic room to run a long-duration infrastructure build-out without exposing themselves to the normal cadence of public-market control discipline. Investors can reasonably like or dislike that; what they cannot do is ignore it.
Operational risk is unusually important for Cloudflare because the platform is shared. The company’s own postmortems show why. In June 2025, Cloudflare disclosed a significant service outage caused by failure of the underlying storage infrastructure used by Workers KV; the company said Workers KV served as critical infrastructure for many other Cloudflare products, affecting Workers KV itself, WARP, Access, Gateway, Images, Stream, Workers AI, Turnstile, AutoRAG, Zaraz, and parts of the dashboard. In November 2025, Cloudflare suffered another broad outage tied to a bug in Bot Management configuration generation. Earlier incidents include the June 2022 outage caused by a network configuration change and the July 2025 1.1.1.1 incident caused by topology changes. These incidents are not random footnotes. They reveal the structural downside of Cloudflare’s “one network, one stack” model: common foundations can generate common-mode failure.
The 2025 Form 10-K makes that concentration risk even more concrete. It states that much of the network’s infrastructure is maintained through a core co-location facility in the greater Portland, Oregon area, a second core co-location facility in Amsterdam that provides certain redundancy, and a limited number of other U.S. co-location facilities. Management explicitly warns that it does not control the operation of these third-party facilities and cites prior power failures in the Portland-area core site in November 2023 and March 2024. It even notes that the failure of any core co-location facility for a significant period, particularly the U.S. core facility, could place significant strain on operations because redundant functionality is limited. This is a major watchpoint. Cloudflare’s distributed edge is broad, but some of its control and support architecture is more concentrated than the front-end network map implies.
Third-party dependency risk goes beyond facilities. The 2025 filing also notes that a breach of a third-party chat agent integrated with Cloudflare’s CRM in August 2025 exposed some customer contact and support information, and separately points to the June 2025 Workers KV outage as a consequence of underlying third-party storage infrastructure failure. This is important because Cloudflare sells itself partly as a simplifier of others’ dependencies. Yet its own platform still contains hidden vendor dependencies, and when those dependencies sit under shared services, the blast radius can be substantial. The evidence proves that some of Cloudflare’s most consequential outages and exposures have had third-party roots.
Regulatory and platform-liability risks are also central to Cloudflare’s infrastructure role. The company is unusually exposed to disputes over what responsibilities an intermediary bears when it accelerates, secures, proxies, or hosts problematic content. Its 2025 filing says it faces lawsuits over content available through customer websites, notes that courts in some countries have found it may be liable in certain circumstances, and cites an October 2025 court decision in Japan holding it liable for damages in a copyright case that the company has appealed. The filing also notes that some governments, service providers, and other parties may blacklist or block Cloudflare IPs because identifying the precise source of traffic behind a reverse-proxy model can be difficult. Cloudflare’s Trust Hub and transparency materials emphasize that the company generally cannot remove content it does not host and that it publishes twice-yearly transparency reports. That posture supports customer trust. It also keeps Cloudflare at the center of policy fights over intermediary responsibility.
One final risk point cuts the other way: concentration in customers is low. Cloudflare states that no single customer accounted for more than 10% of revenue in 2023, 2024, or 2025. That does not mean revenue is immune to slower enterprise spending, but it does mean the company is not hostage to one giant media or hyperscale account in the way some traffic-based infrastructure vendors historically have been. Diversification is a real advantage here, particularly given Cloudflare’s mix of long-tail and enterprise customers.
Evidence ledger and watchpoints
The highest-confidence evidence supports a clear conclusion: Cloudflare now occupies a strategically important layer of Internet infrastructure that is broader than a CDN and more horizontally distributed than a pure security point-product vendor. The evidence proves that the company has built a very large and densely peered edge network; that its business has grown rapidly to more than $2.1 billion of annual revenue with more than 332,000 paying customers; that international revenue is more than half of the total; that channel partners are becoming more important; that the company’s product catalog spans public application traffic, private enterprise access, and developer execution; and that founders still control the company’s voting structure. It also proves that Cloudflare’s shared architecture can create cross-product outage blast radius, that physical and third-party dependencies remain meaningful despite the company’s distributed marketing, and that margins are being pressured by heavier infrastructure investment.
The evidence strongly suggests, but does not fully prove, that Cloudflare’s strongest moat is bundling plus distribution rather than stand-alone product dominance. The company’s one-network architecture, self-serve funnel, transparent pricing, anti-egress message, and integrated SASE and developer layers all point in that direction. The rise in large customers, the broad Fortune 500 penetration, and the company’s explicit emphasis on reducing vendor sprawl suggest that account expansion and architectural consolidation are doing real work. Public routing data and Cloudflare’s backbone disclosures also suggest a meaningful transport-cost and performance advantage from dense peering and owned or leased backbone capacity. But because Cloudflare does not break out product revenue or product-specific gross margins, the market still cannot see exactly how much value comes from mature delivery categories versus higher-leverage newer categories.
What remains unknown is almost as important. Public investors do not know the revenue contribution of Workers, R2, Workers AI, Zero Trust, or SASE as distinct product lines. They do not know the gross-margin profile of AI inference or GPU rollout at scale. They do not know whether rising channel mix is margin-accretive or not. They do not know the true depth of enterprise product penetration behind Fortune 500 logo counts. And they do not yet know, as of June 28, 2026, the final outcome of the 2026 governance proposals. Those unknowns do not invalidate the thesis; they shape its risk premium.
The most important watchpoints for the next 12 to 36 months are these:
Whether Cloudflare can keep revenue growth above the high-20s while mix shifts toward larger enterprise and developer workloads. Fiscal 2025 revenue grew 30%, and Q1 2026 grew 34%, which is strong enough to preserve the platform narrative if sustained. A sharp slowdown would force investors to ask how much of the story is aspiration versus monetized attach. Whether gross margin stabilizes after the current infrastructure cycle. GAAP gross margin fell from 77% in 2024 to 75% in 2025 and to 71.2% in Q1 2026. If newer workloads such as AI inference and stateful compute permanently lower margin without proportionate pricing power, the valuation framework for Cloudflare changes. Whether SASE and developer-platform products become more visibly material to revenue. The architecture and product catalog are compelling, but the company still does not provide product revenue splits. Investors should watch for any future disclosure, or indirect indicators such as enterprise case studies, large-customer growth, and continued product-led acquisitions. Whether the May 2026 AI-first operating-model restructuring improves efficiency without damaging execution. Cloudflare said it expected to reduce its workforce by about 1,100 people and incur $140 million to $150 million in related charges. That is a meaningful operating change, not a cosmetic adjustment. Whether common-mode outage risk is actually reduced after the 2025 incidents. The Workers KV redesign and repeated postmortems show Cloudflare is working the problem, but the company’s architecture remains highly shared. Customers that run public traffic, private access, and application logic on one provider will care a great deal about this. Whether regulatory and liability exposure around hosted content, reverse-proxy use, and jurisdiction-specific enforcement widens. The Japan litigation example and the company’s own risk-factor language suggest this is not theoretical. If courts or regulators push intermediaries to act more like publishers or hosts, Cloudflare’s trust-and-neutrality posture could face real pressure. Whether founder control remains stable or is extended through revised share-class mechanics. Cloudflare’s governance gives management unusual freedom to keep investing through cycles, but it also reduces external accountability. That trade-off is not going away. Whether China and other partner-mediated geographies remain commercially attractive under shifting geopolitical constraints. Cloudflare’s JD Cloud arrangement is an effective route to presence, but it also demonstrates that some strategic geographies cannot be served on Cloudflare’s ordinary ownership model. The bottom line is that Cloudflare’s market position is strongest when customers want to collapse edge, security, access, and execution into one programmable fabric. Its role in digital infrastructure is increasingly that of a strategic intermediary layer through which websites, APIs, employees, branches, and now AI agents can all be controlled. That is a more durable and more valuable role than “CDN company” suggests. But it is also a role that demands relentless network reliability, disciplined capital deployment, and careful policy navigation. Cloudflare has already proved it can build the footprint. The next phase is proving that the footprint can sustain a broader software empire without losing the economics and trust that made the footprint valuable in the first place.