
How Cloudflare Laddered Up from Self-Serve to Enterprise SaaS

Although Cloudflare claims that over 10% of all HTTP traffic passes through its servers, it’s a company that relatively few people have heard about and even fewer truly understand.

In this post, we’ll look at how Cloudflare has grown from a self-serve, low-cost developer product into a pre-IPO business that's become an integral part of the Internet in just 7 years.

Key Growth Lessons

1. Cloudflare laddered up from developer-focused self-serve to enterprise sales by taking on different growth strategies designed to fit each stage.

In its early days, the company used community- and content-driven growth efforts focused on developers to get users onto its freemium service.

As it gained bottoms-up traction, Cloudflare used the size of its growing base to move upmarket to capture bigger enterprise customers using B2B sales.

Later, when it grew to cover 10% of all HTTP(S) traffic by aggregating many smaller customers, it became the “safe” choice for enterprise -- more credibility meant the company could close larger customers, which over time gave it more credibility.

2. Cloudflare built defensibility via a data network effect by focusing first on small scale customers who were more open to contributing data back to the network.

Smaller companies without dedicated security teams were more willing to allow Cloudflare deeper access into their traffic, meaning that Cloudflare could detect threats sooner and use this knowledge to mitigate similar attacks affecting its other customers.

The company identified and leveraged the one type of UGC that offered the highest value to all of its customers, with the inclusion of each additional customer (and their data) adding value back to the network of other customers.

The details behind these takeaways are outlined in the rest of this piece.

What is Cloudflare?

Cloudflare is a service that transparently sits in front of web pages and does a host of silent transformations to make the web browsing experience better for visitors.

These actions include:

  • Decreasing load time by intelligently downsizing images, caching content and moving data closer to the end user via its internal CDN.
  • Protecting against Distributed Denial of Service (DDoS) attacks by recognizing threats and turning away malicious traffic.

Founded in 2009 out of a Harvard Business School competition, Cloudflare was based on the insight that while legacy providers like Cisco and Akamai were primarily focused on enterprise-scale customers with dedicated hardware offerings and long sales cycles, there was nobody providing similar services as an off-the-shelf SaaS subscription for small businesses.

Initially, Cloudflare operated on a simple freemium model with just a single $20 per month paid tier for the first two years. Since then, Cloudflare has slowly moved upmarket with an additional $200 per month paid tier and an enterprise tier.

Most notably, unlike its competitors who typically tend to meter based on usage, Cloudflare’s non-enterprise plans offer simple, fixed costs regardless of usage. (More usage benefits Cloudflare in other ways, which we talk about further down.)

Cloudflare's early developer-focused growth

Over the years, Cloudflare has gradually laddered up from small, self-serve users to large enterprise contracts. The company has had to identify and build successive growth loops in order to reach these adjacent audiences.

In its initial days, Cloudflare adopted a Stripe-like model of developer-focused growth. Early resources were spent on improving the product and then writing high-quality technical blog posts based on these improvements.

[Figure: Cloudflare B2B Content Loop]

The focus on easy integration and low-cost, fixed pricing meant that there was very low risk for developers to try out Cloudflare after a blog post piqued their curiosity.

How Cloudflare takes unique advantage of industry scale effects

During this time, Cloudflare was also lucky and/or prescient enough to be a part of 3 separate trends that drove strong organic demand to their product:

  • The rise of IoT placed millions of poorly secured devices onto networks, making botnets larger and DDoS attacks much more powerful.
  • The development of cryptocurrencies enabled a new form of ransomware, making DDoS ransomware attacks much more prevalent.
  • Google released its Panda update, taking page loading times into account for search rankings. This created a strong business case for improving latency.

As Cloudflare matured and gained market share, the scale effects of the CDN/DDoS protection business started to work for them rather than against them.

While various strategies can reduce the load of a DDoS attack, the primary way to deal with them is still to massively overprovision bandwidth so that the brunt of the attack is absorbed by the network rather than by the end customer’s servers.

Similarly, the latency reduction of a CDN is primarily based on how much closer Cloudflare’s Point of Presence (PoP) is to the end consumer than to the originating server, meaning that the more PoPs you build, the more valuable your CDN services become.

Data network effect amplifies scale

While this scale effect benefitted everyone in the space, including Cloudflare's competitors, the company's earlier focus on smaller scale customers helped it to grow a data network effect, like this:

  • Large enterprise customers all had internal security teams and didn't want to share information with each other in case it revealed proprietary secrets.
  • Thus, if an attack affected Google, this information would remain private and would not help Yahoo when it suffered from the same attack.
  • Small businesses without dedicated security teams, on the other hand, were much more willing to allow Cloudflare deeper access into their traffic, meaning that Cloudflare could detect threats sooner and use this knowledge to mitigate similar attacks affecting its other customers.

Cloudflare's ability to gather information that was (a) user-generated and (b) highly valuable to its customer base gave the company a cost advantage: it could protect those websites with less effort as more customers joined and contributed their data. This cost advantage allowed it to continue offering fixed price plans versus the metered plans its competitors were forced to use.

As Cloudflare expanded into the enterprise, that expansion itself fed further linear growth. Because security products can’t be tested until an actual attack occurs, and because the downside risk of a security breach is many times more costly than the upfront cost of the product, enterprise security tends to be bought mainly on reputation rather than objective evaluation.

In the same way that “nobody ever got fired for buying IBM,” Cloudflare’s mitigation of the largest DDoS attack in the world and its responsibility for carrying 10% of all HTTP(S) traffic make it increasingly the “safe” choice for enterprise: more credibility meant the company could close larger customers, which over time gave it more credibility.

Laddering up to enterprise

Many SaaS startups are built on the hope of starting with a simple, self-serve product and gradually laddering up into larger and larger deals until they become a market-dominant player.

Cloudflare serves as a model for how to execute on such a vision in the face of established, well-capitalized competitors. At each stage of its business, Cloudflare has had to discover new engines to propel its growth and to leverage its unique advantages, providing increasing value to customers through strategic product and business investments.

The company's recent limited launch of Cloudflare Stream, an end-to-end video streaming offering that covers encoding, delivery, and player in one package, is a sign of Cloudflare moving up the stack and onto the next stage of its growth by using existing scale to compete on business model in a way competitors can't copy.