Cloudflare Vendor Matrix

Vendors that show up in your deals. For each, know what they do well, where we do better, and whether the play is to compete or coexist. Toggle each row to reveal the right talk track.

Compete (displace) Coexist (add value) Undecided (default) Cloudflare product No direct competitor

Dev Platform Vendors

Compute + hosting + framework-friendly deploys. Where Workers, Pages, and Containers compete.

Vercel Workers + Pages
What they do well
  • Best-in-class Next.js DX — one-click framework deploys
  • Preview URLs per PR, generous free tier for hobby projects
  • Front-end engineer mindshare, huge OSS ecosystem
  • Edge Functions (v8 isolates, similar to Workers under the hood)
Where they hurt
  • Pricing gets punishing at scale (bandwidth + function invocations)
  • Egress-heavy sites see surprise bills
  • Locked into their edge network, no first-party CDN control
  • Limited backend story (no first-party DB, storage, or queues)
  • Serverless functions timeout limits, cold starts on Hobby tier
Where Cloudflare wins
  • Free egress on Pages and R2, predictable pricing at scale
  • Full stack: compute + KV + D1 + R2 + Queues + Vectorize in one platform
  • Workers can host any framework, not just React/Next optimized
  • Containers for anything Workers can't run
  • Your CDN, WAF, DDoS, DNS, and Zero Trust are already here
Reality check
Vercel is architecturally similar (both use v8 isolates for edge functions), but Vercel is a front-end-first PaaS while Cloudflare is a full-stack cloud. The question is never "who has better JS execution" — it's "who's your infra provider for the whole app."
⚔ Compete play

When to compete: customer is choosing where to host their new app, or their Vercel bill is spiking, or they're moving from Vercel due to pricing.

Displacement angles:

  • "Cloudflare Pages is Vercel without the bandwidth bill." Emphasize free egress.
  • Show them their Next.js app runs on Pages with the same DX (git-connected, PR previews).
  • Pull their Vercel invoice, model it against Workers + Pages pricing. Usually 3-5x cheaper at scale.
"Your Vercel bill is going up because you're paying for compute + bandwidth on someone else's edge. On Cloudflare, egress is free and the compute runs on the same network as your CDN, WAF, and DNS. Same DX, one bill, no surprises."
🤝 Coexist play

When to coexist: customer's front end is deeply on Vercel and they're not willing to migrate, but they need better security, DDoS, or backend services.

Adjacent value:

  • Cloudflare in front of Vercel as CDN/WAF (Vercel proxies through us)
  • Workers for API endpoints Vercel functions can't handle (long-running, WebSockets)
  • R2 for image/file storage that Vercel doesn't offer
  • D1 or Hyperdrive for their database story
"You keep Vercel for the front-end DX. We give you the security layer, the backend services, and the storage — all through the same edge network."
Netlify Workers + Pages
What they do well
  • Jamstack pioneer, still strong static-site DX
  • Netlify Forms and Identity built in
  • Split testing and branch deploys polished
  • Good non-React framework support (Astro, Hugo, Jekyll)
Where they hurt
  • Losing mindshare to Vercel and Cloudflare Pages
  • Egress costs at scale, similar to Vercel
  • Netlify Functions have short timeout, low memory limits
  • No first-party database or object storage
Where Cloudflare wins
  • Pages has similar DX with free egress
  • Workers is more capable than Netlify Functions (no timeout on paid, more memory)
  • Full backend stack available in the same platform
Reality check
Netlify is smaller and slower-moving than Vercel now. Customers usually leave Netlify because they want either Vercel's Next optimization or Cloudflare's cost structure.
⚔ Compete play

Same as Vercel play. Egress cost + platform completeness.

"Netlify was great for the jamstack era. Now you probably want a full stack, not just static hosting with functions bolted on."
🤝 Coexist play

Rare — usually customers migrate off Netlify rather than coexist. If they stay, put Cloudflare in front for CDN/WAF/DDoS.

Fly.io Containers + Workers
What they do well
  • Region-aware container deployment ("Fly the app close to users")
  • Great DX for Rails, Elixir, Phoenix, and long-running processes
  • Managed Postgres with regional replication
  • Firecracker microVMs boot fast, container-native
  • Strong developer following in the Ruby / Elixir communities
Where they hurt
  • Reliability issues in past 18 months hurt reputation
  • Smaller network footprint than Cloudflare
  • No native CDN, WAF, or DDoS layer
  • Pricing gets expensive for multi-region setups
Where Cloudflare wins
  • Cloudflare Containers auto-runs globally, no region math
  • Workers as smart routing layer in front of Containers
  • Larger network (330+ cities vs Fly's ~35 regions)
  • Full security stack included, not bolted on
Reality check
Fly customers picked Fly because they wanted region-locality. Cloudflare's answer is "you don't need to think about regions." That's either a compelling pitch or a threatening one depending on how much they enjoy their region setup. Read the room.
⚔ Compete play

When to compete: Fly has had a reliability event, or customer is tired of managing regional deployments manually, or their bill scales linearly with regions.

"Fly makes you pick regions. Cloudflare makes region a solved problem. Your container spins up close to whoever asks for it. No config."
🤝 Coexist play

Rare. If a customer's core app is Fly-hosted, put Cloudflare in front for CDN/WAF/DDoS, and use Workers AI or R2 as additive services.

Render Containers + Workers
What they do well
  • Heroku-style DX for the post-Heroku era, easy git deploys
  • Managed Postgres, Redis, cron jobs, all in one place
  • Predictable pricing (no invocation-count surprises)
  • Auto-deploy from Git, preview environments
Where they hurt
  • Regional deployment, not global (US-East, Frankfurt, Singapore)
  • Smaller network, higher latency for global users
  • No CDN, no WAF, no DDoS layer of their own
  • Free tier services sleep after inactivity (bad for demos)
Where Cloudflare wins
  • Global by default vs single-region deploy
  • Full security stack included
  • Containers gives the same "deploy any image" story with global reach
Reality check
Render is where "we just want it to work, not think about infra" customers go. Cloudflare's Containers story is competitive but requires the customer to accept that we don't do managed Postgres or Redis. Hyperdrive + Neon is our answer.
⚔ Compete play

When customer's app needs global reach or when they're hitting Render's regional limits.

"Render is Heroku 2.0. Cloudflare is Heroku 2.0 that runs everywhere at once."
🤝 Coexist play

Cloudflare in front of Render as CDN/WAF/DDoS. Common pattern.

Railway Containers + Workers
What they do well
  • Slick DX, one of the prettier PaaS UIs on the market
  • Template-driven onboarding, ship apps in minutes
  • Managed Postgres, Redis, MongoDB, private networking
  • Strong indie hacker / hobbyist mindshare
Where they hurt
  • Regional only (US-West primarily)
  • No enterprise sales motion, mostly self-serve
  • No CDN, WAF, DDoS
  • Pricing based on resource-second, harder to predict
Where Cloudflare wins
  • Global by default
  • Enterprise-ready security and support
  • Broader product surface (AI, storage, edge networking)
⚔ Compete play

When Railway customers hit scale and need global or enterprise features.

🤝 Coexist play

Cloudflare in front of Railway as edge. Common for indie hackers who graduate to real traffic.

Database Vendors

Cloudflare does NOT have a first-party Postgres. D1 is SQLite-based. These vendors show up in almost every dev-platform deal. Hyperdrive is our accelerator, not a competitor.

⚡ Cloudflare Hyperdrive
The accelerator, not a competitor

Hyperdrive is a connection pooler + query cache that sits between your Cloudflare Workers or Containers and any external Postgres. Every database vendor below pairs with Hyperdrive. This is the story to lead with when a customer asks "how do I use my Postgres from Cloudflare compute."

What Hyperdrive does
  • Keeps warm connections open at the edge (no per-request TCP handshake)
  • Caches SELECT queries with configurable TTL
  • Speaks native Postgres wire protocol (works with pg, Prisma, Drizzle, any Postgres driver)
  • Provider-agnostic: Neon, Supabase, PlanetScale, RDS, Aiven, self-hosted
  • Free egress from Cloudflare to your database via Bandwidth Alliance where applicable
What Hyperdrive is NOT
  • Not a database. Your data still lives at your provider.
  • Not a write accelerator. Write queries pass through, no caching.
  • Not a replication layer. Doesn't manage read replicas.
  • Not a Postgres product we sell. It's the piece that makes YOUR Postgres feel local.
Universal talk track: "You keep your database wherever it is. Hyperdrive sits in front of it, keeps warm connections at the edge, caches your reads. Same Postgres, dramatically faster from Workers or Containers. Zero code change on your side other than pointing your connection string at Hyperdrive."
🏁 Direct vs Hyperdrive race ▶ Live query demo 📊 Cache benchmark 📖 Cheatsheet section 📄 Docs
PlanetScale No direct — Hyperdrive accelerates
What they do well
  • Vitess-based MySQL that scales horizontally (their original strength)
  • Recently added Postgres offering
  • Branching databases (schema changes as branches), a real innovation
  • Strong reliability record, good support tier
  • Metal tier for dedicated hardware performance
Where they hurt
  • Killed the free tier in 2024, some indie churn
  • Pricing steep for small-medium apps
  • No native edge integration — you still pay for cross-region latency to reach them
Where Cloudflare adds value
  • Hyperdrive pools + caches PlanetScale reads from Workers/Containers
  • Cuts effective query latency dramatically for edge apps
  • Free egress from Workers means no data-transfer cost
Reality check
We do NOT compete with PlanetScale. Do not try. Our story is "your PlanetScale, faster from Cloudflare compute." That's it.
⚔ Compete play

Only if the customer's data volume is small enough for D1 (SQLite, single-region primary today). D1 competes for greenfield small apps, NOT for teams already on PlanetScale.

"For a new app under a few GB, D1 will get you there. But if you're already on PlanetScale and it's working, we don't have a reason to move you."
🤝 Coexist play (default)

Position Hyperdrive as the accelerator between their Cloudflare Workers/Containers and PlanetScale.

"You keep PlanetScale. We put Hyperdrive between your Workers and PlanetScale. Warm connections at the edge, cached reads. Same DB, faster app."
Neon No direct — recommended pairing
What they do well
  • Serverless Postgres — scales to zero, pay for what you use
  • Branching (like PlanetScale but for Postgres)
  • Generous free tier, indie hacker friendly
  • Fast cold starts, purpose-built for serverless compute
Where they hurt
  • Newer company, smaller than PlanetScale/Supabase
  • Regional (US-East, EU-Central, etc.), not global
  • Compute suspend on free tier hurts cold-start apps
Where Cloudflare adds value
  • Neon is the most common Postgres recommendation for Cloudflare Workers
  • Hyperdrive + Neon is the reference architecture for a Postgres-backed Worker app
  • Neon has native Cloudflare Workers integration guides
⚔ Compete play

Rare. Only if the customer's needs fit D1 (small, SQLite-friendly workload). Otherwise, don't try.

🤝 Coexist play (recommend this pairing)

Neon is our friend. Suggest it when a customer asks "what Postgres should I use with Workers?"

"Neon plus Hyperdrive is the canonical Postgres story for Workers. Both are serverless, both scale to zero, they play well together."
Supabase No direct — recommended pairing
What they do well
  • Postgres + Auth + Storage + Realtime + Edge Functions bundled
  • Firebase alternative narrative wins developer hearts
  • Open source, self-host option available
  • Strong community, growing enterprise motion
Where they hurt
  • You're all-in on Supabase for auth + storage + DB (vendor concentration)
  • Their storage and edge functions are less mature than dedicated products
  • Regional deployment
Where Cloudflare adds value
  • Hyperdrive accelerates Supabase Postgres from Cloudflare Workers/Containers
  • Workers can host front-end in front of Supabase backend
  • Access can be used for team SSO if their Supabase Auth doesn't fit
⚔ Compete play

Rare. Cloudflare Access + R2 + D1 + Workers can approximate the Supabase bundle for small apps, but Supabase is stickier because of the all-in-one DX.

🤝 Coexist play (default)

Similar to Neon. Recommend the pairing.

"Supabase for the app backend, Cloudflare for the edge and security layer. Hyperdrive makes their Postgres feel local."
Turso D1 (SQLite)
What they do well
  • libSQL (SQLite fork) with edge replicas — reads served from the closest replica
  • Massive number of databases per account (multi-tenant friendly)
  • Strong pitch for edge apps with global read patterns
Where they hurt
  • Small company, roadmap uncertainty
  • SQLite constraints (single writer per DB)
  • Ecosystem still growing
Where Cloudflare wins
  • D1 is SQLite too, but embedded natively in the Workers runtime
  • No separate service to manage — one platform for compute + DB
  • Free tier and pricing at scale is competitive
Reality check
Turso and D1 are the two big SQLite-at-the-edge stories. If a customer picked Turso and is happy, coexist. If they're evaluating, D1 has the advantage of being in the same account as their compute.
⚔ Compete play

Greenfield evaluations where the customer wants SQLite at the edge.

"D1 is the same SQLite-at-the-edge story, but it's already inside your Workers runtime. No separate service, no separate bill, no separate SDK."
🤝 Coexist play

If they're already on Turso, don't force a migration. Suggest D1 for new services.

Xata No direct — Hyperdrive accelerates
What they do well
  • Postgres with built-in full-text search and file attachments
  • Schema-first, SDK-driven DX
  • Branching, similar to Neon/PlanetScale
Where they hurt
  • Smaller than Neon/Supabase, less enterprise traction
  • Unclear roadmap on some features
Where Cloudflare adds value
  • Hyperdrive works with Xata's Postgres
  • Workers can front Xata's REST API
⚔ Compete play

Rare. Similar to Neon compete play — only if D1 fits.

🤝 Coexist play

Hyperdrive accelerates their Postgres from Workers. Same story as Neon and Supabase.

Object Storage Vendors

R2 is our strongest cost-based competitive weapon. Zero egress is not a discount, it's a pricing model shift.

AWS S3 R2
What they do well
  • Deepest ecosystem — every tool integrates with S3
  • Battle-tested reliability, 11 9's durability
  • Broad tier options (Standard, IA, Glacier, Deep Archive)
  • Enterprise features (Object Lock, cross-region replication, event notifications)
Where they hurt
  • Egress. Egress. Egress. $0.09/GB out to internet is the killer
  • Cross-region replication doubles storage cost
  • Complex pricing (requests, egress, storage tiers, retrieval, all separate)
  • Vendor lock-in via egress cost, not features
Where Cloudflare wins
  • Zero egress fees. This is the whole pitch.
  • S3-compatible API — most tools work without code changes
  • Simpler pricing (storage + requests, no egress)
  • Native integration with Workers, no cross-cloud latency
The math that closes deals
Customer with 100 TB of monthly egress from S3: ~$9,000/month in egress alone. On R2: $0 egress. Storage cost is similar ($0.015/GB on R2 vs $0.023 on S3 Standard). This is the easiest ROI conversation in the Cloudflare portfolio.
⚔ Compete play

When to compete: customer has any meaningful S3 egress. Even 1 TB/mo is $90 saved. At 10 TB/mo, it's $900. At 100 TB/mo, it's $9K.

The move: pull their AWS bill, isolate S3 line items, model the R2 equivalent. Show them the number.

"You're paying AWS to let your own data leave AWS. That's the definition of a hostage pricing model. R2 is S3-compatible, zero egress, and your existing S3 SDK works unchanged."
🤝 Coexist play

Rare — R2 is usually a full replacement. Coexistence only if the customer has AWS-native services (Lambda, Athena, Redshift) that read from S3 and won't migrate.

In that case: use R2 for public-facing assets (images, videos, downloads) where egress dominates, keep S3 for AWS-internal analytics data.

Backblaze B2 R2
What they do well
  • Cheap storage ($0.006/GB, lowest in class)
  • S3-compatible API
  • Free egress to Cloudflare (Bandwidth Alliance partner)
  • Strong reputation in the backup community
Where they hurt
  • Smaller ecosystem than S3 or R2
  • No native compute integration
  • Fewer regions than R2
  • Egress to non-Cloudflare destinations still costs money
Where Cloudflare wins
  • Native Workers integration (no SDK required)
  • Zero egress to anywhere, not just to Cloudflare
  • Same $0.015/GB storage, cheaper than most, more integrated
Reality check
Backblaze is genuinely a Cloudflare partner (Bandwidth Alliance) — customers often use them together. If a customer picked B2 for pure archival cost, don't force a move to R2 unless they're building on Workers.
⚔ Compete play

When customer is building on Cloudflare compute — R2's native Workers integration wins.

🤝 Coexist play (common)

Backblaze for cold/archive storage, R2 for hot Worker-adjacent data. Bandwidth Alliance means free traffic between them.

Wasabi R2
What they do well
  • S3-compatible, cheap storage ($6.99/TB/mo)
  • No egress or API request fees
  • Popular for media/backup workloads
Where they hurt
  • 90-day minimum retention (deletes billed for 90 days regardless)
  • Smaller network than Cloudflare
  • No compute story
Where Cloudflare wins
  • No retention minimum
  • Native Workers integration
  • Global network for object serving
⚔ Compete play

When customer wants an S3 alternative AND compute integration. R2 wins on the compute side.

🤝 Coexist play

Wasabi for pure archival, R2 for anything Worker-adjacent.

AI Infrastructure Vendors

Cloudflare's play here is speed-to-model (Workers AI), governance (AI Gateway), and edge inference. We don't train frontier models, we serve them.

OpenAI (direct API) AI Gateway
What they do well
  • Best frontier models (GPT-4, GPT-4o, o1)
  • Strong tooling (function calling, vision, embeddings, assistants)
  • Fine-tuning, batch API, fastest to ship new capabilities
Where they hurt
  • No native caching layer — every request costs full token price
  • Rate limits per tier, sometimes surprising
  • No built-in cost tracking across teams/apps
  • Outages happen and there's no fallback
Where Cloudflare adds value
  • AI Gateway sits in front of OpenAI — caches responses, tracks cost per key, falls over to other providers on outage
  • Workers AI can serve smaller open-source models locally when frontier isn't needed
  • Cache the same prompt/response across your whole org, huge cost savings
Reality check
We do NOT compete with OpenAI's frontier models. We complement them via AI Gateway. Where we compete is smaller inference tasks — embeddings, classification, moderation, chat with open models — that don't need GPT-4-tier reasoning.
⚔ Compete play

Only for use cases where a smaller open model works. Embeddings, classification, moderation, simple chat.

"For your embedding pipeline, you don't need GPT-4. Workers AI can serve bge-large-en-v1.5 at a fraction of the OpenAI cost, right next to your data."
🤝 Coexist play (default)

AI Gateway in front of OpenAI, always.

"You keep OpenAI for the smart tasks. AI Gateway sits in front, caches identical prompts, tracks your team's spend, and gives you a fallback if OpenAI has an outage. Zero code change on your side."
Anthropic (Claude direct) AI Gateway
What they do well
  • Claude models excel at reasoning, coding, long context
  • Prompt caching built into their API
  • Strong constitutional AI safety story
Where they hurt
  • Same as OpenAI — no multi-provider fallback, no cross-team cost tracking
  • Rate limits, tier system
Where Cloudflare adds value
  • AI Gateway supports Anthropic natively
  • Multi-provider fallback (Anthropic → OpenAI → Workers AI)
  • Unified observability across providers
⚔ Compete play

Same as OpenAI — only for smaller tasks that don't need frontier reasoning.

🤝 Coexist play (default)

AI Gateway in front. Same story as OpenAI.

Replicate Workers AI
What they do well
  • Huge catalog of open-source models (thousands)
  • Cog framework makes any Python model deployable
  • Community-driven, tons of image/video/audio models
  • Pay-per-second billing
Where they hurt
  • Cold starts can be minutes for less-popular models
  • Not integrated with a broader compute platform
  • US-based inference, latency for global users
Where Cloudflare wins
  • Workers AI has curated model catalog (smaller, but no cold start)
  • Inference runs on Cloudflare's global network — closer to users
  • Integrated with the rest of your Cloudflare stack
⚔ Compete play

When customer needs specific models Workers AI already supports (Llama, Mistral, BGE embeddings, Whisper, etc.) with low latency.

🤝 Coexist play

Replicate for niche models Workers AI doesn't have, called via AI Gateway.

Fireworks / Together.ai Workers AI
What they do well
  • Fast inference for open-source LLMs
  • Fine-tuning support
  • Competitive pricing on token-heavy workloads
Where they hurt
  • Not part of a broader platform
  • Regional inference infrastructure
Where Cloudflare wins
  • Workers AI runs on global network, low latency everywhere
  • Same-account integration with the rest of your stack
  • AI Gateway can fan out across all these providers
⚔ Compete play

For teams that want serverless inference AND a broader platform, Workers AI wins.

🤝 Coexist play

AI Gateway in front, use whichever provider is fastest/cheapest for each task.

CDN / Edge Vendors

Our core historical business. Where Cloudflare has the strongest technical and price story simultaneously.

Fastly CDN + Workers
What they do well
  • VCL gives fine-grained cache control (developers love it)
  • Compute@Edge with Wasm runtime, real edge programmability
  • Strong media/streaming customer base
  • Fast purge (sub-second)
Where they hurt
  • Smaller network (~90 POPs vs Cloudflare's 330+ cities)
  • Bandwidth-based pricing, unpredictable at scale
  • WAF is add-on and less mature
  • Historical outages hurt reputation (June 2021 global outage)
  • No first-party DNS, Zero Trust, or Access story
Where Cloudflare wins
  • Bigger network, better POP coverage
  • Predictable request-based pricing (not bandwidth)
  • Unified platform: CDN + WAF + DDoS + DNS + Zero Trust
  • Workers on v8 isolates has better cold-start than Wasm
⚔ Compete play

When customer's Fastly bill is high, or they want a unified security stack, or they've had a Fastly outage.

🤝 Coexist play

Rare. Multi-CDN setups exist but usually customers pick one primary.

Akamai CDN + Full stack
What they do well
  • Largest CDN network by node count
  • Deep enterprise relationships, especially in finance/media
  • Prolexic DDoS protection is well-regarded
  • Compliance certifications for regulated industries
Where they hurt
  • Legacy pricing model, opaque contracts, aggressive renewals
  • Multiple portals for different products, poor UX
  • Long deploy times for config changes (hours)
  • Slow to innovate on developer experience
Where Cloudflare wins
  • Single dashboard, single API, single contract
  • Config changes propagate in seconds
  • Modern developer experience, Wrangler CLI, GitHub integrations
  • Bundled pricing is easier to model
⚔ Compete play

Renewal windows are the moment. Bring the "one platform, one bill, faster deploys" story.

"Akamai charges you three ways: for CDN, for WAF, for DDoS. Cloudflare is one bill, one dashboard, faster to configure, and half the cost at most tiers we've seen."
🤝 Coexist play

Multi-CDN failover setups. Cloudflare as primary, Akamai as secondary (or vice versa).

AWS CloudFront CDN + Workers
What they do well
  • Deep AWS integration (Lambda@Edge, S3 origin, ACM certs)
  • Signed URLs, signed cookies for content protection
  • Familiar for AWS-centric shops
Where they hurt
  • Bundled with AWS ecosystem — expensive egress from other clouds
  • Complex configuration (origin groups, cache behaviors, distributions)
  • WAF is separate service, another bill
  • Slower to deploy changes than Cloudflare
Where Cloudflare wins
  • Multi-cloud friendly, doesn't lock into any hyperscaler
  • Simpler mental model (Zone → rules → routes)
  • Deploy changes propagate in seconds vs minutes
  • All security bundled, no separate WAF/Shield/etc bill
⚔ Compete play

When customer is going multi-cloud or leaving AWS, or when their CloudFront + WAF + Shield stack is bleeding money.

🤝 Coexist play

Rare. Usually if a customer picks CloudFront, they're all-in on AWS.

Zero Trust / Security Vendors

Cloudflare One competes head-to-head with the big SSE vendors. Different sales cycle (security teams, longer eval).

Zscaler Cloudflare One (Access + Gateway)
What they do well
  • Category-defining SSE (ZIA for internet, ZPA for private apps)
  • Deep enterprise sales motion, well-connected in Fortune 500
  • Strong analyst rankings, "safe choice" for CISOs
  • Mature DLP, CASB, sandboxing
Where they hurt
  • Two separate products (ZIA + ZPA) with two consoles, two contracts
  • Very expensive at enterprise scale
  • Renewal negotiations are notoriously painful
  • Client agent is heavier than Cloudflare's WARP
  • No native CDN, WAF, or DDoS (integration required)
Where Cloudflare wins
  • Unified platform: Access + Gateway + DLP + CASB + Browser Isolation, one contract
  • Same edge network as your CDN and WAF (no extra hop)
  • Modern policy engine, easier to onboard apps
  • Cheaper at most tiers, especially for smaller footprints
⚔ Compete play

Renewal windows or new SSE evaluations. Lead with unified platform, cost, and modern policy management.

"Zscaler makes you buy the internet gateway and the private app gateway as separate products. We do both in one platform, on the same network as your CDN and WAF."
🤝 Coexist play

Uncommon. Most orgs pick one SSE. Occasionally Access replaces just ZPA while ZIA stays.

Palo Alto Prisma Access Cloudflare One
What they do well
  • Deep firewall heritage, strong security expertise
  • Prisma bundles many capabilities (SSE, CASB, DLP, SD-WAN)
  • Panorama for centralized management if you're already there
Where they hurt
  • Complex licensing (many SKUs, hard to price)
  • Heavy client agent, tenant setup slow
  • Bolted-together via acquisitions, UX inconsistency
Where Cloudflare wins
  • Purpose-built for cloud-native, not retrofit from firewall roots
  • Simpler pricing, one contract
  • Modern DX, easier for cloud teams to adopt
⚔ Compete play

Similar to Zscaler. Renewal or new eval. Emphasize simplicity and unified platform.

🤝 Coexist play

Rare. If PA is entrenched in the datacenter firewall layer, Cloudflare can still handle branch/user SSE.

Netskope Cloudflare One
What they do well
  • Strong CASB heritage, cloud app control
  • Advanced DLP and data protection
  • Good analyst standing in the SSE space
Where they hurt
  • Complex deployment (proxy modes, forwarders)
  • Client agent overhead
  • No native CDN or WAF
Where Cloudflare wins
  • Same network as CDN + WAF (one hop for everything)
  • Simpler deployment (WARP + policies)
⚔ Compete play

Same playbook as Zscaler/Palo Alto. Unified platform pitch.

🤝 Coexist play

Rare in this space.

Okta No direct — Access integrates
What they do well
  • Identity provider dominant in enterprise
  • SSO, MFA, lifecycle management, directory sync
  • Huge SaaS app catalog for SSO
Where they hurt
  • Expensive per user at scale
  • 2022 Lapsus$ breach dented reputation
  • Not a full ZTNA solution on its own
Where Cloudflare adds value
  • Cloudflare Access integrates with Okta as IdP
  • Access adds the "which apps can this user reach and from where" layer Okta doesn't do
  • WARP + Gateway extends the identity policy to network traffic
⚔ Compete play

We don't compete with Okta. Do not try.

🤝 Coexist play (default)

Access uses Okta as IdP. Standard pattern.

"You keep Okta for identity. We add the network layer: which apps your identified users can actually reach, from what devices, and under what conditions. Access + Okta is the standard pairing."

Hyperscalers

We do not compete with AWS/GCP/Azure as a category. We complement them and pick specific fights on cost (egress) and simplicity (unified platform).

AWS No direct — surgical competes
What they do well
  • Everything. Every workload, every service, every industry.
  • Deepest ecosystem, most tooling, most engineers who know it
  • Compliance/certifications for every regulated industry
  • Enterprise sales motion polished over 15+ years
Where they hurt
  • Egress costs. Egress costs. Egress costs.
  • Complexity: 200+ services, hard to know what's right
  • Bill surprises common (unbounded, hard to budget)
  • Multi-region setups are pain
  • Reserved-Instance and Savings Plans lock you in
Where Cloudflare picks fights
  • S3 → R2: egress kill
  • Lambda@Edge → Workers: better DX, no cold start
  • CloudFront → Cloudflare CDN: unified with WAF/DDoS
  • Shield/WAF → Cloudflare WAF: included, not add-on
Reality check
We are not the platform for RDS, EMR, SageMaker, EC2 fleets. We are the edge platform that sits in front of AWS or peels off specific expensive services. If a customer's core is AWS and it works, don't try to move the core. Move the expensive edges.
⚔ Compete play (surgical)

Never for the whole workload. Always for specific services where we win: object storage (R2 vs S3), CDN (vs CloudFront), edge compute (Workers vs Lambda@Edge), WAF (bundled vs Shield add-on).

🤝 Coexist play (default)

Cloudflare in front of AWS. Standard pattern. AWS handles backend compute, DB, ML. Cloudflare handles edge, security, and expensive-egress workloads.

"Keep AWS for what it's good at. Put Cloudflare in front for CDN, WAF, DDoS, and use R2 for anything with meaningful egress. That combination is what most modern shops run."
Google Cloud (GCP) No direct — surgical competes
What they do well
  • Data + ML — BigQuery, Vertex AI, TPUs are best-in-class
  • Cloud Run for containers is genuinely great DX
  • Networking + Kubernetes (GKE) strong
Where they hurt
  • Smaller market share, less ecosystem depth than AWS
  • Egress still expensive
  • Console UX inconsistent across products
  • Customer support less mature than AWS
Where Cloudflare picks fights
  • Cloud Storage → R2 (egress kill)
  • Cloud CDN → Cloudflare CDN (unified security)
  • Cloud Armor → Cloudflare WAF (bundled)
  • Cloud Run → Cloudflare Containers (global by default)
⚔ Compete play

Same as AWS. Surgical. Never whole-workload.

🤝 Coexist play (default)

Cloudflare in front of GCP. Common with data-heavy shops on BigQuery/Vertex.

Microsoft Azure No direct — surgical competes
What they do well
  • Enterprise ubiquity, especially in Microsoft-shops
  • Active Directory integration, Office 365 pairing
  • Strong compliance for regulated industries
  • Azure OpenAI integration for enterprise AI
Where they hurt
  • Fragmented product portfolio (many acquisitions bolted together)
  • Portal UX slow and inconsistent
  • Egress still expensive
  • Not as developer-friendly as AWS/GCP
Where Cloudflare picks fights
  • Blob Storage → R2 (egress kill)
  • Azure Front Door → Cloudflare CDN (better POP footprint)
  • Azure DDoS Protection → Cloudflare (included, not tier-locked)
⚔ Compete play

Surgical. Same pattern.

🤝 Coexist play (default)

Cloudflare in front of Azure. Common in enterprise. Access integrates with Entra ID (formerly Azure AD).

0 vendors marked