Cloudflare
Rating
Strong Buy
High Conviction — Core Position
Combined average of Moat (AI Resilience), Growth, and Valuation scores.
Moat Score
Cloudflare's global edge network processes 215 billion threats daily, creating a threat-intelligence flywheel that compounds with scale and is unreplicable by any single competitor.
Cloudflare's moat rests on three interlocking pillars: Proprietary Data Flywheel, Network Effects, and Platform Bundling:
- Threat Intelligence Flywheel (Proprietary Data): With 215 billion cyber threats blocked daily across 332,000+ customers — including 38% of the Fortune 500 — Cloudflare operates the world's largest internet threat sensor network. This telemetry feeds security products in real-time, creating a data moat that grows more valuable with every new customer added to the network.
- Edge Network Effects & Architecture: Cloudflare's 300+ city network delivers sub-100ms latency to 95% of the world's connected population. Every server in every city can perform every function simultaneously — DDoS mitigation, SASE, DNS, compute, and AI inference. This architecture is 10+ years in the making and cannot be replicated quickly; the performance it delivers improves for all customers as the network scales.
- Platform Bundling Depth (SASE + Zero Trust + Workers): Cloudflare sells CDN, DDoS protection, Zero Trust access, SASE (Magic WAN, Gateway, DLP), R2 storage, Workers serverless compute, and AI inference from a single unified dashboard. Once enterprises deploy multiple modules — such as the 7-year, $12.7M/year SASE deal closed in Q1 2025 — the configuration, integrations, and workflow dependencies create multi-year switching costs exceeding those of most pure-play cybersecurity vendors.
Ten Moats Verdict
Cloudflare is a net beneficiary of AI — the shift from human users to AI agents as the primary internet traffic source creates massive demand for Cloudflare's edge network, security layer, and Workers compute runtime. The proprietary threat-intelligence data flywheel and network effects are the two most AI-resilient moats, both of which strengthen as AI-driven attack vectors increase the value of real-time threat data. The primary AI risk is that hyperscalers bundle security capabilities into their managed AI platforms, reducing the independent security and CDN market. Overall, Cloudflare's architecture — where AI inference, security, and networking converge at the same edge node — positions it as critical infrastructure for the agentic internet.
Security engineers trained on Cloudflare's unified dashboard, Workers CLI, and Zero Trust policy engine invest significant institutional knowledge — Teams migrating would need to retrain and rebuild configurations. AI slightly weakens this moat by abstracting infrastructure management.
Full SASE deployments (Magic WAN + Gateway + DLP + Access + Magic Firewall) are deeply configured per enterprise network topology. The 7-year, $12.7M/yr SASE deal demonstrates that Cloudflare's logic is embedded for a decade, not a quarter.
Cloudflare's 1.1.1.1 resolver processes a significant fraction of global DNS queries, giving it unique internet-wide visibility. AI is slightly weakening this by enabling threat-intel synthesis from other data sources, but the volume advantage remains.
Global BGP peering engineers, DDoS research team, and cryptography experts (TLS 1.3 adoption) represent genuine talent scarcity. AI augments but does not replace this specialisation.
CDN + DDoS + SASE + Zero Trust + DNS + R2 + Workers + AI Gateway from a single platform. Enterprises expanding from CDN to Zero Trust to Workers create deep multi-product lock-in that AI point-solutions cannot easily replicate — the integration value is emergent.
215 billion threats blocked daily across 332,000+ customers and 38% of the Fortune 500. This threat intelligence dataset is continuously updated, contractually exclusive, and central to every security product Cloudflare ships — no competitor can acquire equivalent coverage without first building Cloudflare's network scale.
FedRAMP authorised, compliant with GDPR/CCPA/NIS-2; R2's zero-egress-fee model positions Cloudflare as the natural winner from EU Data Act compliance requirements. Multi-year government and critical infrastructure contracts create durable switching barriers.
Classic network effects: each new customer adds threat telemetry that improves security for all others. The developer ecosystem on Workers creates a second flywheel — more apps on Workers → more edge compute demand → better performance for all. Both effects compound with scale.
Every HTTP request from a Cloudflare customer transits Cloudflare's network — embedded in the critical path of web traffic. Claude managed agents and agentic AI workloads deepen this embedding significantly: Cloudflare AI Gateway is the canonical rate-limiting, caching, and observability layer for managed agent API calls, meaning enterprises configure their entire agent infrastructure pipeline through Cloudflare. The shift from human HTTP traffic to AI agent HTTP traffic structurally upgrades Cloudflare's transaction embedding from infrastructure-level to agent-orchestration-level — every agent tool call is a Cloudflare-embedded transaction.
Cloudflare manages DNS zones and SSL certificates as systems of record for domain identity. With AI Gateway, Cloudflare is emerging as the canonical configuration and observability layer for managed agent deployments — enterprises store rate limits, LLM provider routing, caching rules, and agent call logs in Cloudflare's platform. While not a system of record for financial or HR data, the growing role as the authoritative configuration layer for enterprise AI agent infrastructure upgrades this from weakened to intact.
Combined average of Moat (AI Resilience), Growth, and Valuation scores.
Moat Score
Cloudflare's global edge network processes 215 billion threats daily, creating a threat-intelligence flywheel that compounds with scale and is unreplicable by any single competitor.
Growth Score
Q1 2026 delivered $639.8M revenue (+34% YoY), beating consensus of $622M and matching Q4's accelerated pace. FY2026 guidance was raised to $2.805–2.813B and non-GAAP EPS to $1.19–1.20 (from $1.11–1.12), and Q2 was guided to $664–665M. RPO grew to $2.54B (+36% YoY, decelerating from +48% in Q4) and DBNRR slipped 2pp sequentially to 118% — a yellow flag worth watching. Alongside earnings, Cloudflare announced a 20% workforce reduction (~1,100 roles, $140–150M charges) to pivot to an agentic-AI-first operating model, simultaneously a long-term margin catalyst and a near-term execution risk that drove the stock down ~18% on the print.
Valuation Score
At ~$150, NET has re-rated ~18% lower post Q1 2026 earnings on the agentic-AI-first restructuring shock — now sitting ~40% below the base ($250) scenario and only ~15% above the bear ($130) target. The drop is sentiment-driven, not fundamental: Q1 revenue beat at +34% YoY, FY2026 revenue guide was raised to $2.81B and EPS to $1.19–1.20, and RPO grew 36%. NTM P/S compresses to ~20× (from ~25× a month ago) and forward non-GAAP P/E to ~125× (from ~163×) — the cheapest entry since 2024 on a multiple basis, with the trade-off that the 1,100-person reduction creates 2–3 quarters of execution risk before the AI-first operating leverage shows up.
The Connectivity Cloud Moat
Cloudflare's moat rests on three interlocking pillars: Proprietary Data Flywheel, Network Effects, and Platform Bundling:
- Threat Intelligence Flywheel (Proprietary Data): With 215 billion cyber threats blocked daily across 332,000+ customers — including 38% of the Fortune 500 — Cloudflare operates the world's largest internet threat sensor network. This telemetry feeds security products in real-time, creating a data moat that grows more valuable with every new customer added to the network.
- Edge Network Effects & Architecture: Cloudflare's 300+ city network delivers sub-100ms latency to 95% of the world's connected population. Every server in every city can perform every function simultaneously — DDoS mitigation, SASE, DNS, compute, and AI inference. This architecture is 10+ years in the making and cannot be replicated quickly; the performance it delivers improves for all customers as the network scales.
- Platform Bundling Depth (SASE + Zero Trust + Workers): Cloudflare sells CDN, DDoS protection, Zero Trust access, SASE (Magic WAN, Gateway, DLP), R2 storage, Workers serverless compute, and AI inference from a single unified dashboard. Once enterprises deploy multiple modules — such as the 7-year, $12.7M/year SASE deal closed in Q1 2025 — the configuration, integrations, and workflow dependencies create multi-year switching costs exceeding those of most pure-play cybersecurity vendors.
Ten Moats Verdict
Cloudflare is a net beneficiary of AI — the shift from human users to AI agents as the primary internet traffic source creates massive demand for Cloudflare's edge network, security layer, and Workers compute runtime. The proprietary threat-intelligence data flywheel and network effects are the two most AI-resilient moats, both of which strengthen as AI-driven attack vectors increase the value of real-time threat data. The primary AI risk is that hyperscalers bundle security capabilities into their managed AI platforms, reducing the independent security and CDN market. Overall, Cloudflare's architecture — where AI inference, security, and networking converge at the same edge node — positions it as critical infrastructure for the agentic internet.
Security engineers trained on Cloudflare's unified dashboard, Workers CLI, and Zero Trust policy engine invest significant institutional knowledge — Teams migrating would need to retrain and rebuild configurations. AI slightly weakens this moat by abstracting infrastructure management.
Full SASE deployments (Magic WAN + Gateway + DLP + Access + Magic Firewall) are deeply configured per enterprise network topology. The 7-year, $12.7M/yr SASE deal demonstrates that Cloudflare's logic is embedded for a decade, not a quarter.
Cloudflare's 1.1.1.1 resolver processes a significant fraction of global DNS queries, giving it unique internet-wide visibility. AI is slightly weakening this by enabling threat-intel synthesis from other data sources, but the volume advantage remains.
Global BGP peering engineers, DDoS research team, and cryptography experts (TLS 1.3 adoption) represent genuine talent scarcity. AI augments but does not replace this specialisation.
CDN + DDoS + SASE + Zero Trust + DNS + R2 + Workers + AI Gateway from a single platform. Enterprises expanding from CDN to Zero Trust to Workers create deep multi-product lock-in that AI point-solutions cannot easily replicate — the integration value is emergent.
215 billion threats blocked daily across 332,000+ customers and 38% of the Fortune 500. This threat intelligence dataset is continuously updated, contractually exclusive, and central to every security product Cloudflare ships — no competitor can acquire equivalent coverage without first building Cloudflare's network scale.
FedRAMP authorised, compliant with GDPR/CCPA/NIS-2; R2's zero-egress-fee model positions Cloudflare as the natural winner from EU Data Act compliance requirements. Multi-year government and critical infrastructure contracts create durable switching barriers.
Classic network effects: each new customer adds threat telemetry that improves security for all others. The developer ecosystem on Workers creates a second flywheel — more apps on Workers → more edge compute demand → better performance for all. Both effects compound with scale.
Every HTTP request from a Cloudflare customer transits Cloudflare's network — embedded in the critical path of web traffic. Claude managed agents and agentic AI workloads deepen this embedding significantly: Cloudflare AI Gateway is the canonical rate-limiting, caching, and observability layer for managed agent API calls, meaning enterprises configure their entire agent infrastructure pipeline through Cloudflare. The shift from human HTTP traffic to AI agent HTTP traffic structurally upgrades Cloudflare's transaction embedding from infrastructure-level to agent-orchestration-level — every agent tool call is a Cloudflare-embedded transaction.
Cloudflare manages DNS zones and SSL certificates as systems of record for domain identity. With AI Gateway, Cloudflare is emerging as the canonical configuration and observability layer for managed agent deployments — enterprises store rate limits, LLM provider routing, caching rules, and agent call logs in Cloudflare's platform. While not a system of record for financial or HR data, the growing role as the authoritative configuration layer for enterprise AI agent infrastructure upgrades this from weakened to intact.
Growth Analysis
Growth Drivers
Key Risk
Two converging risks: (1) the 20% workforce reduction announced May 2026 disrupts go-to-market and product velocity for 2–3 quarters, dragging DBNRR below 116% by Q4 2026; (2) hyperscaler-managed AI agent platforms (AWS Bedrock Agents, Anthropic Managed Agents on AWS/Azure) capture >20% of enterprise agent infrastructure by end of 2026, leaving Cloudflare dependent on the more contested CDN/SASE market where Palo Alto and Zscaler are accelerating bundled offers and RPO growth decelerates below 25%
Score Derivation
Base 80 (15–30% CAGR, blended 26–30%) + 5 recurring (subscription model, NRR 118%) + 5 TAM expansion (AI agents as new internet users, TAM grows $181B→$231B by 2028) − 2 DBNRR deceleration (120 → 118 QoQ) − 1 restructuring execution risk = 87
Price Scenarios (12–24 Months)
Valuation Multiples
| Trailing P/E (GAAP) | N/A |
| Forward P/E (NTM, non-GAAP) | ~125× |
| PEG Ratio | N/A |
| Price / Sales (NTM) | ~20× |
| Price / FCF | ~165× |
NET trades at ~20× NTM P/S, down from ~25× pre-print and ~27× in March — the multiple has compressed materially while fundamentals strengthened (Q1 beat, FY26 guide raised twice). Still a premium to cybersecurity peers (CrowdStrike ~16×, Palo Alto ~11×) but the gap has narrowed and Cloudflare's faster revenue growth (33–34% Q1 vs 22–23% peers) and agentic-AI-first cost pivot justify the residual premium. The forward P/E compression toward ~125× is meaningful: if the workforce reduction delivers the targeted operating leverage, FCF margin reaches 18–20% by Q4 2026 and P/FCF compresses below 100×, making the valuation reasonable for a 30%+ grower.
Approximate figures as of May 2026.
Where We Are vs Targets
Loading live price…
The 20% workforce reduction disrupts go-to-market velocity and product execution for 2–3 quarters while hyperscaler bundling erodes CDN/SASE share, compressing P/S to ~14× on $2.81B 2026 revenue.
- Agentic-AI-first restructuring removes too much sales capacity too fast — large-customer ACV growth stalls below 18% YoY through Q4 2026 as deal cycles slow and the 7-year SASE momentum cools
- DBNRR slips further from 118% to 114–116% for two consecutive quarters as enterprises pause SASE expansion amid macro uncertainty and AWS CloudFront + Security Hub bundling displaces Cloudflare's CDN layer at 5%+ of Fortune 500 accounts
- Gross margin compresses below 73% as edge infrastructure CapEx to support AI inference workloads exceeds revenue contribution from Workers AI through 2026
- Multiple re-rates to ~14× NTM P/S as growth decelerates toward 24% and FCF margin expansion stalls at 14–15% despite the cost actions
Cloudflare delivers raised FY2026 guidance ($2.81B, +29–30% YoY; EPS $1.19–1.20) with DBNRR stabilising at 118% and FCF margin expanding toward 18–20% as the agentic-AI-first restructuring delivers the targeted operating leverage by H2 2026.
- FY2026 revenue lands at $2.81B with large customers growing 22%+ YoY and RPO sustaining 30%+ growth through contracted multi-year SASE and AI Gateway deals
- FCF margin expands to 18–20% by Q4 2026 as the 1,100-person reduction (~$140M annualised cost base) compounds with operating leverage on a 30% revenue base
- Workers AI and AI Gateway establish Cloudflare as default edge inference infrastructure for AI agent traffic, contributing $150M+ incremental ARR by year-end 2026
- DBNRR re-anchors at 118–120% by Q4 2026 as the AI-first sales motion displaces seat-based CRM/security workflows with agent-driven upsell
AI agent traffic creates a new internet infrastructure cycle — Cloudflare's agentic-AI-first pivot lands the company as the default runtime for autonomous agents, re-accelerating revenue toward 35%+ and pushing FCF margin to 25%+ ahead of schedule.
- AI agent traffic on Workers exceeds 20% of Cloudflare's total request volume by end of 2026, driving a new consumption-based revenue layer on top of the subscription base and pushing ARR growth toward 40%
- Cloudflare wins 3+ sovereign government cloud contracts in Europe under EU Data Act/NIS-2 compliance, establishing a government revenue stream and locking in decade-long regulatory relationships
- SASE displacement of Zscaler at 3–4 Fortune 100 accounts adds >$100M ACV, validating Cloudflare's ability to compete in the largest enterprise security deals
- FCF margin reaches 25%+ by Q4 2026 as the AI-first cost base compounds with revenue scale, triggering a re-rating toward 30× NTM P/S on $3.3B+ 2026–27 blended revenue