Original synthesis to sit alongside the encyclopedia article below. Not part of Wikipedia; verify facts on Wikipedia when precision matters.
Cloudflare is a San Francisco-based global technology company that provides a comprehensive suite of web infrastructure and cybersecurity services, including content delivery networks (CDN), distributed denial-of-service (DDoS) protection, web application firewalls (WAF), domain name system (DNS) management, edge computing and zero-trust security solutions. It uses a freemium pricing model to attract small and medium website users, while also serving large enterprises and government agencies.
Key moments
2009Founded by Matthew Prince and co-founders; secured initial $2 million venture capital funding later that year
2010-09Officially launched services after winning the TechCrunch Disrupt startup innovation award
2011Secured $20 million Series B funding; released WordPress plugin and named one of Wall Street Journal's most innovative internet & technology companies
2012Launched anti-censorship tool and opened free IPv6 gateway service for all websites
2013Gained over 1.5 million user accounts; launched Mirage 2.0 mobile device acceleration service
2023-01Implemented first price adjustment for paid subscription plans after 12 years
2026Operated 330 global data center nodes across its edge network
Cloudflare operates in a competitive global market for web infrastructure and cybersecurity tools, with key competitors across two main categories:
Akamai Technologies: The long-established market leader, boasting over 4,400 global nodes and focusing on stable, enterprise-grade services for large corporate clients
Fastly: A niche specialist in high-performance edge computing and real-time content delivery, popular among media and e-commerce brands with demanding traffic needs
AWS CloudFront: Amazon's CDN service, tightly integrated with the full Amazon Web Services cloud ecosystem for unified enterprise deployments
Google Cloud CDN: Leverages Google's global network infrastructure to offer cloud-integrated CDN and security solutions
Regional localized competitors: In the Chinese market, it faces competition from cloud-bundled services from Alibaba Cloud, Tencent Cloud and specialized CDN provider Wangsu Tech
Cloudflare is a leading player in the global edge infrastructure and cybersecurity space, building strong brand recognition through its accessible freemium model and consistent innovation. Its brand has grown rapidly by addressing critical pain points for website operators of all sizes, from small independent businesses to large national governments, establishing itself as a trusted name for DDoS protection, CDN services, and modern zero-trust security solutions. The brand benefits from strong alignment with high-growth emerging trends like edge computing and distributed digital infrastructure, which has helped it maintain consistent relevance in a fast-evolving technology market.
Cloudflare's brand is further strengthened by its public commitment to improving internet accessibility and security, which has fostered positive public perception and widespread community loyalty. Its open approach to engaging with developers and small business users has created a broad base of organic brand advocates, while its enterprise-focused service offerings have helped it secure high-value clients in heavily regulated industries. The company's visible role in mitigating high-profile cyberattacks and resolving major internet outages has also boosted its brand profile as a reliable defender of global digital infrastructure.
Brand leadership
Score: 82/100
Cloudflare holds a leading position in the CDN and DDoS protection market segments, outcompeting many legacy providers through its innovative distributed edge network model. It is widely recognized as a pioneer in edge computing and modern zero-trust security, setting key industry trends for performance and security in web infrastructure. Its leadership is strengthened by its unique ability to serve both entry-level users and large enterprise clients, giving it broader market influence than many niche competitors in the space.
Customer interaction
Score: 78/100
Cloudflare engages actively with its large global user base through community forums, open developer documentation, and regular public transparency reports. Its freemium pricing model encourages frequent interaction with small and medium-sized business users, while dedicated enterprise customer success teams maintain close, long-term relationships with large institutional clients. The company also leverages social media and public technical blogs to communicate product updates and industry insights, fostering ongoing brand engagement across user segments.
Growth momentum
Score: 85/100
Cloudflare has consistently grown its user base and annual revenue in recent years, expanding its product portfolio far beyond core CDN and DDoS services into zero-trust security and edge application hosting. It continues to gain meaningful market share from slower-moving legacy competitors, with rapidly growing adoption among enterprise and government clients. The brand is well-positioned to capitalize on increasing global demand for distributed cybersecurity and edge infrastructure, maintaining strong upward growth momentum.
Brand stability
Score: 75/100
As a publicly traded company with a consistent business model and strong customer retention rates, Cloudflare has built a stable brand presence in the global tech sector. It has weathered broad market fluctuations and high-profile cyber threats without significant damage to its reputation, maintaining consistent trust across its entire user base. While the competitive landscape for web infrastructure remains dynamic, the company's consistent product delivery and transparent communication practices have supported long-term brand stability.
Brand age
Score: 58/100
Cloudflare was founded in 2009, giving it approximately 17 years of brand history as of 2026, which is a moderate tenure for a technology company. It is younger than many legacy web infrastructure providers that have existed for decades, but has built significant global brand recognition far faster than most newer startups in the cybersecurity and edge computing space. Its relatively young age means it has avoided the brand stagnation that affects some older competitors, while still having enough operational history to establish solid market credibility.
Industry profile
Score: 88/100
Cloudflare is a very high-profile brand in the web infrastructure and cybersecurity industry, frequently cited in technology news and industry analysis for its innovation and public advocacy for the open internet. Its work on high-profile issues like mitigating record-large DDoS attacks and supporting privacy-focused internet practices has elevated its profile among both industry insiders and the general public. It is widely recognized as a key player shaping the future of edge computing and global digital security.
Global reach
Score: 80/100
Cloudflare operates a global edge network spanning hundreds of cities across more than 100 countries, serving customers across every major region of the world. It holds localized compliance certifications for major regulated markets including the European Union, Asia-Pacific, and North America, enabling it to serve multinational enterprises and government clients globally. While it has a larger concentrated customer base in its home region of North America, it continues to expand its sales and infrastructure presence in emerging markets, strengthening its global brand footprint.
AI can support reasoning around Cloudflare's brand value based on public market position, customer base and industry standing, but all derived figures are illustrative only. For a fully audited, official brand value assessment for Cloudflare, contact World Brand Lab directly.
type
Public
traded as
nyse: NET (Class A)
Russell 1000 component
num employees
5,156
num employees year
2025
revenue
US$2.168 billion
revenue year
2025
operating income
−US$207 million
income year
2025
net income
−US$102 million
net income year
2025
assets
US$6.036 billion
assets year
2025
equity
US$1.459 billion
equity year
2025
website
https://www.cloudflare.com
subsid
Area 1 Security
footnotes
‡R1R‡
Cloudflare, Inc. is an American technology company headquartered in San Francisco, California, that provides a range of internet services, including content delivery network (CDN) services, cloud cybersecurity, DDoS mitigation, and ICANN-accredited domain registration.[2] The company's services act primarily as a reverse proxy between website visitors and a customer's hosting provider, improving performance and protecting against malicious traffic.[3]
Cloudflare was founded in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn.The company went public on the New York Stock Exchange in 2019 under the ticker symbol NET.Cloudflare has since expanded its offerings to include edge computing through its Workers platform, a public DNS resolver (1.1.1.1), and a VPN service known as WARP.In recent years, the company has integrated artificial intelligence into its infrastructure, acquiring companies such as Replicate and launching tools to manage AI bots and scrapers.According to W3Techs, Cloudflare is used by approximately 21.3% of all websites on the Internet as of January 2026.[4]
The company has been the subject of controversy regarding its policy of content neutrality. While Cloudflare executives have historically advocated for remaining a neutral infrastructure provider, the company has terminated services for specific high-profile websites associated with hate speech and violence, including The Daily Stormer, 8chan, and Kiwi Farms, following significant public pressure.Cloudflare has also faced criticism and litigation regarding copyright infringement by websites using its services, notably losing a lawsuit against Japanese publishers in 2025.[5] The company experienced significant global outages in late 2025 which disrupted services for major platforms internationally.[6]
History
Cloudflare was founded on July 26, 2009, by Matthew Prince, Lee Holloway, and Michelle Zatlyn.[7][8] Prince and Holloway had previously collaborated on Project Honey Pot, a product of Unspam Technologies that partly inspired the basis of Cloudflare.[9] In 2009, the company was venture-capital funded.[10] On August 15, 2019, Cloudflare submitted its S-1 filing for an initial public offering on the New York Stock Exchange under the stock ticker NET.[11] It opened for public trading on September 13, 2019, at $15 per share.[12]
According to the company, the name 'Cloudflare' was chosen, over the initial 'WebWall', because it best described what they were trying to do: build a "firewall in the cloud."
Products
Cloudflare provides network and security products for consumers and businesses, utilizing edge computing, reverse proxies for web traffic, data center interconnects, and a content distribution network to serve content across its network of servers.[40] It supports transport layer protocols TCP, UDP, QUIC, and many application layer protocols such as DNS over HTTPS, SMTP, and HTTP/2 with support for HTTP/2 Server Push.[41] As of 2023, Cloudflare handles an average of 45 million HTTP requests per second.[42]
As of 2024, Cloudflare servers are powered by AMDEPYC 9684X processors.[43]
Outages and issues
Intrusions
On June 1, 2012, the hacker group UGNazi compromised some of Cloudflare CEO Matthew Prince's accounts and redirected visitors of the website 4chan to a Twitter account belonging to UGNazi.They allegedly used social engineering to trick AT&T support staff into giving them access to Prince's voicemail, then exploited a vulnerability in Cloudflare's use of Google's two-factor authentication system.Once in control of Prince's email account, UGNazi was able to redirect the 4chan domain through Cloudflare's database.[104][105]
Blocking crawlers
One notable drawback to Cloudflare's protection against malicious bots and malicious actors is that it also blocks web crawlers as well, making it difficult or impossible for services such as the Internet Archive (Wayback Machine) from capturing pages on affected domains.[106]
Controversies
Cloudflare has established a content neutrality policy and opposes the policing of its customers on the basis of free speech unless said customers break the law.[127][128] The company has faced criticism for not banning hate speech websites and websites allegedly connected to terrorism groups.[129] Cloudflare has maintained that no law enforcement agency has asked the company to discontinue these services and it closely monitors its obligations under U.S. laws.[130]
In 2022, a research paper by Stanford University found that Cloudflare was a prominent CDN provider, among several other providers, that are disproportionately responsible for serving misinformation websites.[131][132]
See also
List of CDNs in Content delivery network § Content delivery service and technology providers
In 2020, Cloudflare co-founder and COO Michelle Zatlyn was named president.[14]
Cloudflare has acquired web-services and security companies, including StopTheHacker (February 2014),[15] CryptoSeal (June 2014),[16] Eager Platform Co. (December 2016),[17] Neumob (November 2017),[18] S2 Systems (January 2020),[19] Linc (December 2020),[20] Zaraz (December 2021),[21] Vectrix (February 2022),[22]Area 1 Security (February 2022),[23] Nefeli Networks (March 2024), BastionZero (May 2024),[24] and Kivera (October 2024).[25] Replicate (November 2025),[26] and Human Native (January 2026).[27]Since at least 2017, Cloudflare has used a wall of lava lamps at its San Francisco headquarters as a source of randomness for encryption keys, alongside double pendulums at its London offices and a Geiger counter at its Singapore offices.[28] The lava lamp installation implements the Lavarand method, where a camera transforms the unpredictable shapes of the "lava" blobs into a digital image.[29][28]
In Q4 2022, Cloudflare provided paid services to 162,086 customers.[30][31]
In October 2024, Cloudflare won a lawsuit against patent troll Sable Networks.Sable paid Cloudflare $225,000, granted it a royalty-free license to its patent portfolio, and dedicated its patents to the public by abandoning its patent rights.[32]
In November 2025, it was announced Cloudflare had agreed to acquire Replicate, a San Francisco–based platform that enables software developers to run, fine-tune, and deploy open-sourcemachine-learning models via an API without managing infrastructure.[33]
In January 2026, Cloudflare released an analysis regarding BGP routing leaks observed from the Venezuelan state-owned ISP CANTV (AS8048), which occurred on January 2 coincides with the arrest of Nicolás Maduro.[34] While some security researchers had speculated that the outages were linked to U.S. cyber operations, Cloudflare's data indicated that the anomalies were consistent with a pattern of "insufficient routing export and import policies" by the ISP rather than malicious external interference.[35]
In January 2026, Cloudflare acquired Human Native, an AI data marketplace that brokers transactions between developers and content creators, for an undisclosed amount.[36]
On January 16, 2026, Cloudflare acquired The Astro Technology Company, the developers behind the open-source web framework Astro.[37][38][39]
Cloudflare also provides analysis and reports on large-scale outages, including Verizon’s October 2024 outage.[44]
Artificial intelligence
In 2023, Cloudflare launched "Workers AI", a framework allowing for use of NvidiaGPU's within Cloudflare's network.[45]
In 2024, Cloudflare launched a tool that prevents bots from scraping websites. To build automatic bot detector models, the company analyzed "AI" bots and crawler traffic.[46] The company also launched an "AI" assistant to generate charts based on queries by leveraging "Workers AI".[47] Cloudflare announced plans in September 2024 to launch a marketplace where website owners can sell "AI" model providers access to scrape their site’s content.[48] Cloudflare also launched AI Audit, which provides analytics on "AI" models scraping their sites (along with the ability to block them altogether).[49]
In March 2025, Cloudflare announced a new feature called "AI Labyrinth", which combats unauthorized "AI" data scraping by serving fake "AI"-generated content to LLM bots.[50][51]
DDoS mitigation
Cloudflare provides free and paid DDoS mitigation services that protect customers from distributed denial of service (DDoS) attacks.Cloudflare received media attention in June 2011 for providing DDoS mitigation for the website of LulzSec, a black hat hacking group.[52]
In March 2013, The Spamhaus Project was targeted by a DDoS attack that Cloudflare reported exceeded 300gigabits per second (Gbit/s).[53][54] Patrick Gilmore, of Akamai, stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet".While trying to defend Spamhaus against the DDoS attacks, Cloudflare ended up being attacked as well; Google and other companies eventually came to Spamhaus' defense and helped it to absorb the unprecedented amount of attack traffic.[55]
Edge computing
In 2017, Cloudflare launched Cloudflare Workers, a serverless computing platform for creating new applications, augmenting existing ones, without configuring or maintaining infrastructure.It has expanded to include Workers KV, a low-latency key-value data store; Cron Triggers, for scheduling Cron jobs; and additional tooling for developers to deploy and scale their code across the globe.[68]
In 2020, Cloudflare released a JAMstack platform for developers to deploy websites on Cloudflare's Edge infrastructure, under the name "Pages".[69]
In 2022, Cloudflare announced an Edge SQL database, D1, which is built on SQLite.[70]
In August 2023, Cloudflare and IBM announced a partnership providing bot management capabilities to protect IBM Cloud customers from malicious bots and automated threats.[71]
Internet security
In April 2020, Cloudflare announced it was moving away from using reCAPTCHA in favor of hCaptcha.[74] In September 2022, Cloudflare began to test Turnstile – an alternative to CAPTCHA. The product, instead of presenting a visual CAPTCHA for the user to solve, automatizes the verification process by conducting JavaScript-based checks inside the browser to determine whether the user is a real person or an automated entity. The algorithm reportedly uses machine learning to optimize the process.[75]
Through a contract with the Cybersecurity and Infrastructure Security Agency, Cloudflare provides registry and authoritative DNS services to the .govtop-level domain.[76] Cloudflare also launched Cloudflare for Campaigns in 2020, to offer free cybersecurity tools to political campaigns.[77] Those tools expanded to include secure email systems in 2025.[78]
SASE
Cloudflare's overarching secure access service edge (SASE) platform debuted in October 2020.[89]
Cloudflare announced the acquisition of Area 1 Security in February 2022, a company who developed a product designed to combat phishing email attacks.[90]
Cloudflare acquired Nefeli Networks in March 2024, a cloud networking company, co-founded by computer scientist Sylvia Ratnasamy.[91]
VPN
In 2019, Cloudflare released a VPN service called WARP,[92][93] and open sourced the custom underlying WireGuard implementation written in Rust.[94][95]
Other services
In January 2021, the company began providing its "Waiting Room" digital queue product for free for COVID-19 vaccination scheduling under the title "Project Fair Shot".[96] Project Fair Shot later won a Webby People's Choice Award in 2022 for Event Management under the Apps & Software category.[97]
In March 2023, Cloudflare announced post-quantum cryptography will be made freely and forever available to cloud services, applications and Internet connections.[98]
Cloudflare released the Speed Brain and Instant Purge features in September 2024, to significantly reduce page load latency by prefetching content, and invalidating cached content in under 150ms.[99]
In 2024, Cloudflare announced plans to launch a new payment method, called Stripe Link, which went into beta in the fall.
This can be bypassed by adding a Skip feature, whitelisting the Wayback Machine's IP range to allow archiving.
2016–2017 data leak
From September 2016 until February 2017, a Cloudflare bug nicknamed Cloudbleed[107] leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests.[108]
November 2025 outage
On November 18, 2025, Cloudflare suffered a major global outage that caused widespread 500 errors, slowing down many platforms, making them unreachable or completely down for users around the world.[109][110][111]
Affected services included Twitter, Spotify, Letterboxd, Uber, DoorDash, Indeed, Canva, Grindr, IKEA, Archive of Our Own, Wplace, news websites including Axios and Politico, AI and LLM services such as ChatGPT, Sora, and Microsoft Copilot, online games such as League of Legends, and any service relying on Cloudflare's security challenge software Turnstile.[112][113][114][115] Access to WARP, Cloudflare's VPN service, was also briefly disabled in London.[116] During the outage, a spokesperson for Cloudflare said the company had seen a "spike in unusual traffic", causing some traffic passing through its network to experience errors.[117]
At 14:23 UTC, The Guardian reported that Cloudflare had released a fix.[118] It also reported that maintenance was due at various locations, though this is not known to have caused the outages.[118] At 14:42 UTC, Cloudflare informed users on its status page that the fix had been implemented and that it would take some time for remaining post-deployment issues to be fixed.[119]
A technical postmortem of the incident was released the day following the outage. Cloudflare attributed the outage to a change in the configuration of a database, which caused an invalid file to be sent to all servers on the network.[120][113]
December 2025 outage
On December 5, Cloudflare suffered another global outage,[121] which began at 09:00 AM UTC.[122] This was the second such outage in three weeks to affect Cloudflare's services.[123]
ACME WAF bypass
In January 2026, security researchers disclosed a vulnerability in Cloudflare's Web application firewall (WAF) that allowed attackers to bypass security rules and access origin servers directly.The flaw existed in the handling of ACME challenge requests; the logic disabled WAF protections for requests targeting the path without sufficiently verifying if the token matched an active validation attempt.[124] Cloudflare patched the vulnerability in October 2025, stating that the issue was a logic flaw rather than a code execution vulnerability and that there was no evidence of exploitation.[125][126]
Cloudflare has come under pressure due to its services being utilized to access
Cloudflare provided DNS routing and DDoS protection for the white supremacist and neo-Nazi website The Daily Stormer.In 2017, after previously refusing to take any action against the website,[133] Cloudflare stopped providing its services to The Daily Stormer after an announcement on the website asserted that Cloudflare executives were privately supporting its ideology.[134]
In a statement to Business Insider, Cloudflare CEO Matthew Prince said that he was repulsed by The Daily Stormer content while expressing regret at the fact that his decision to suspend services had taken the website offline: "The ability of somebody to single-handedly choose to knock content offline doesn’t align with core ideas of due process or justice. Whether that’s a national government launching attacks or an individual launching attacks."[128]
As a self-described "free speech absolutist", Prince claimed he did not want to repeat the decision, and sought out protections for the company should they be faced with a similar situation in the future.[133] Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern shared by a number of civil liberties groups and privacy experts.[135][136][137] The Electronic Frontier Foundation, a US digital rights group, said that services such as Cloudflare should not be deciding what speech is acceptable and that illegal content should be handled through the legal system.[134]
Mass shootings and 8chan
In 2019, Cloudflare was criticized for providing services to the far-right discussion and imageboard 8chan.The message board has been linked to mass shootings in the United States and the Christchurch mosque shootings in New Zealand.[138] In addition, a number of news organizations including The Washington Post and The Daily Dot have reported on the existence of child pornography and child sexual abuse discussion boards.[139][140][141] A Cloudflare representative said that the platform "does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content".[142] Cloudflare did not terminate service to 8chan until public and legal pressure mounted in the wake of the
Kiwi Farms
Cloudflare provided DDoS mitigation and acted as a reverse proxy for Kiwi Farms.The site often engages in harassment and doxxing of targets[148] and has been implicated in the suicides of at least three people.[149][150][151] Kiwi Farms also has a reputation for transphobic content, and its users have been accused of swatting vulnerable individuals.[152][153][154]
Switter
Switter was a social media network for the sex worker community, built by Australia-based company Assembly Four on Mastodon's open-source software, before Cloudflare dropped Switter as a client and ceased services in April 2018, citing terms of service violations.[167][168][169] This occurred shortly after the passage of FOSTA/SESTA, a set of bills criminalizing websites that facilitate or support sex trafficking in 2018.SESTA weakened protections for Internet infrastructure companies and was criticized on free speech grounds due to concerns about disproportionate impact and disruptions to the lives of sex workers.[170][171][172]
The Daily Stormer
Cloudflare provided DNS routing and DDoS protection for the white supremacist and neo-Nazi website The Daily Stormer.In 2017, after previously refusing to take any action against the website,[133] Cloudflare stopped providing its services to The Daily Stormer after an announcement on the website asserted that Cloudflare executives were privately supporting its ideology.[134]
In a statement to Business Insider, Cloudflare CEO Matthew Prince said that he was repulsed by The Daily Stormer content while expressing regret at the fact that his decision to suspend services had taken the website offline: "The ability of somebody to single-handedly choose to knock content offline doesn’t align with core ideas of due process or justice. Whether that’s a national government launching attacks or an individual launching attacks."[128]
As a self-described "free speech absolutist", Prince claimed he did not want to repeat the decision, and sought out protections for the company should they be faced with a similar situation in the future.[133]
Mass shootings and 8chan
In 2019, Cloudflare was criticized for providing services to the far-right discussion and imageboard 8chan.The message board has been linked to mass shootings in the United States and the Christchurch mosque shootings in New Zealand.[138] In addition, a number of news organizations including The Washington Post and The Daily Dot have reported on the existence of child pornography and child sexual abuse discussion boards.[139][140][141] A Cloudflare representative said that the platform "does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content".[142] Cloudflare did not terminate service to 8chan until public and legal pressure mounted in the wake of the
Kiwi Farms
Cloudflare provided DDoS mitigation and acted as a reverse proxy for Kiwi Farms.The site often engages in harassment and doxxing of targets[148] and has been implicated in the suicides of at least three people.[149][150][151] Kiwi Farms also has a reputation for transphobic content, and its users have been accused of swatting vulnerable individuals.[152][153][154]
Switter
Switter was a social media network for the sex worker community, built by Australia-based company Assembly Four on Mastodon's open-source software, before Cloudflare dropped Switter as a client and ceased services in April 2018, citing terms of service violations.[167][168][169] This occurred shortly after the passage of FOSTA/SESTA, a set of bills criminalizing websites that facilitate or support sex trafficking in 2018.SESTA weakened protections for Internet infrastructure companies and was criticized on free speech grounds due to concerns about disproportionate impact and disruptions to the lives of sex workers.[170][171][172]
Terrorism
In 2015, testimony to the United States House Committee on Foreign Affairs, it was reported that two of the top three online chat forums and nearly forty other web sites belonging to the Islamic State of Iraq and the Levant (ISIL) were guarded by Cloudflare.[173]
In 2018, The Huffington Post documented that Cloudflare provided services for "at least 7 terrorist groups", as designated by the United States Department of State including Al-Shabaab, the Taliban, the Popular Front for the Liberation of Palestine, the al-Quds Brigades, the Kurdistan Workers' Party (PKK), the al-Aqsa Martyrs' Brigades, and Hamas. At the time, Cloudflare's general counsel, Doug Kramer, told The Huffington Post that he couldn't comment on specific cases in which Cloudflare was told about possible terrorist organizations using its services, but that Cloudflare does work with government agencies to be in compliance with its legal obligations.
In September 2019, Cloudflare reported in their Form S-1 filing that their technology was "used by, or for the benefit of, certain individuals or entities" that were blacklisted due to United States economic and trade sanctions regulations",[174] including "entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions".
Crime
Cloudflare has been cited in reports by The Spamhaus Project, an international spam tracking organization, for the high numbers of cybercriminal botnet operations hosted by Cloudflare.[176][177][178] An October 2015 report found that Cloudflare provisioned 40% of the SSL certificates used by typosquattingphishing sites, which use deceptive domain names resembling those of banks and payment processors to compromise Internet users' banking and other transactions.[179] Cloudflare has been criticized for having a conflict of interest by providing DDoS protection to both the operators and victims of "stresser" services.[180][181]
Response to the Russian invasion of Ukraine
After Russia invaded Ukraine in late February 2022, Ukrainian Vice Prime Minister, Minister of Digital Transformation Mykhailo Fedorov[190] and others[191] called on Cloudflare to stop providing its services in the Russian market amidst reports that Russia-linked websites spreading disinformation were using the company's content delivery network services.[192] Cloudflare CEO Matthew Prince responded that the company decided to remain providing services to Russian people to counter Russia's attempts to raise a 'digital iron curtain'.[193][194] Prince shared that "Indiscriminately terminating service would do little to harm the Russian government but would both limit [Russian citizens'] access to information outside the country and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government."[193]
Copyright lawsuit
In 2022, Japanese publishers Shueisha, Kodansha, Shogakukan, and Kadokawa Shoten filed a copyright lawsuit against Cloudflare, alleging that the service was distributing data to manga piracy sites and sought an injunction and ¥460 million (US$4 million) in damages. On November 19, 2025, a judge ruled in favor of the publishers. While the ruling recognized approximately ¥3.6 billion (US$24 million) in damages, Cloudflare was ordered to pay a total amount of ¥500 million (US$3.6 million), as the publishers claimed that Cloudflare was only partially responsible for the damages.[198]
207.S-1 Filing US SEC, retrieved December 2, 2022^
In 2014, Cloudflare began providing free DDoS mitigation for artists, activists, journalists, and human rights groups under the name "Project Galileo".[56] In 2017, it extended the service to electoral infrastructure and political campaigns under the name "Athenian Project".[57][58] By 2025, more than 2,900 users and organizations were participating in Project Galileo, including 31 US states.[59][60]
In February 2014, Cloudflare claimed to have mitigated an NTP reflection attack against an unnamed European customer, which it stated peaked at 400 Gbit/s.[61][62] In November 2014, it reported a 500 Gbit/s DDoS attack in Hong Kong.[63] In July 2021, the company claimed to have absorbed a DDoS attack three times larger than any it had previously recorded, which its corporate blog implied was over 1.2 Tbit/s in total.[64] In February 2023, Cloudflare reported blocking a 71 million request-per-second DDoS attack which "the company says was the largest HTTP DDoS attack on record".[65]
Cloudflare blocked the then largest publicly recorded DDoS attack in August 2025, with volumetric attacks peaking at 11.5 terabits per second (tbps).[66] This was surpassed in December 2025 when an Aisuru botnet launched a 31.4 tbps attack, with a requests-per-second rate exceeding 200 million, against multiple companies in the telecommunications sector, a campaign Cloudflare dubbed "The Night Before Christmas".[67]
In November 2020, Cloudflare announced Cloudflare for Teams, consisting of a DNS resolver and web gateway called "Gateway", and a zero-trust authentication service called "Access".[79]
Cloudflare released an Oblivious HTTP relay service in 2022, called Privacy Gateway.[80]
Cloudflare announced a partnership with PhonePe in January 2023 to secure its mobile payment system.[81] In February, Cloudflare launched Wildebeest to allow Mastodon users to set up and run their own instances on Cloudflare's infrastructure.[82]
In August 2023, Cloudflare started the Project Cybersafe Schools program as part of a $20 million grant program from Amazon Web Services, making 70 percent of public school districts in the United States eligible for no-cost cybersecurity services.[83]
In March 2024, it announced Firewall for AI to defend applications running large language models (LLMs).[84] In September, Cloudflare announced Ephemeral IDs, which identifies fraudulent activity by linking behavior to a client through a short-lived, generated ID, rather than the traditional means of using an IP address.[85] The same month, the company also announced all ISP and equipment manufacturers could use its DNS resolvers for free.[86]
Cloudflare introduced the Cloudforce One threat events platform in March 2025, offering real-time insights into cyberattacks using data gathered from Cloudflare's network.[87][88]
Since 2010, Cloudflare has collaborated with the National Center for Missing & Exploited Children to provide data, files, and supplemental investigation from abuse reports observed on its network.[101] Cloudflare designed a new NCMEC reporting system in 2024,[102] updating it in 2025 by integrating Cloudflare Workflows and making the CSAM scanning tool accessible globally.[103]
2019 El Paso shooting
, in which the associated manifesto was published to 8chan.
immediately after the shooting, CEO Matthew Prince defended Cloudflare's support of 8chan, saying that he had a "moral obligation" to keep 8chan online.
On August 5, 2019, two days after Prince's interview with The Guardian, Cloudflare terminated service to 8chan.[146] Cloudflare explained that 8chan "have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit."[145] Prince condemned the El Paso shooting as "abhorrent in every possible way", removing 8chan from the Internet was "the right thing to do".[147][145]
In 2022, a campaign was launched by transgender activist Clara Sorrenti, who has previously been targeted by the forum, to pressure Cloudflare into terminating service for Kiwi Farms.[158][159] Cloudflare responded by issuing a statement on its abuse policies and saying it didn't want to set precedent for speech on the internet with its "extraordinary" decision.[160]
The company also released a blog post[161] and likened its services to that of a public utility, emphasizing that it does not believe in shutting down security services based on content it finds objectionable.They acknowledged that while it might be more popular to remove sites that the Cloudflare team finds offensive, it stood by its decision not to do so.[162][163] The company also defended its decision by saying that it donated all earnings from anti-LGBTIQ+ sites to an organization that advocated for LGBTIQ+ rights.[164] The blog post mentioned Cloudflare's terms of use agreement, which allows them to terminate service due to "content that discloses sensitive personal information, [and] incites or exploits violence against people" but, according to The Guardian, the statement did not address how Kiwi Farms users' doxxing behavior did not violate these terms.[164]
On September 3, 2022, Cloudflare blocked Kiwi Farms, citing urgent escalating rhetoric against targets of Kiwi Farms, stating that there is an "unprecedented emergency and immediate threat to human life". According to The Washington Post, there was a "surge in credible violent threats stemming from the site" and CEO Matthew Prince said that Cloudflare believes "there is an imminent danger, and the pace at which law enforcement is able to respond to those threats we don't think is fast enough to keep up".[165][166][160]
Cloudflare said the move was "related to our attempts to understand FOSTA, which is a very bad law and [sets] a very dangerous precedent".Assembly Four said that "Given Cloudflare's previous stances of privacy and freedom, as well as fighting alongside the EFF, we had hoped they would take a stand against FOSTA/SESTA".[168]
Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern shared by a number of civil liberties groups and privacy experts.
, a US digital rights group, said that services such as Cloudflare should not be deciding what speech is acceptable and that illegal content should be handled through the legal system.
immediately after the shooting, CEO Matthew Prince defended Cloudflare's support of 8chan, saying that he had a "moral obligation" to keep 8chan online.
On August 5, 2019, two days after Prince's interview with The Guardian, Cloudflare terminated service to 8chan.[146] Cloudflare explained that 8chan "have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit."[145] Prince condemned the El Paso shooting as "abhorrent in every possible way", removing 8chan from the Internet was "the right thing to do".[147][145]
In 2022, a campaign was launched by transgender activist Clara Sorrenti, who has previously been targeted by the forum, to pressure Cloudflare into terminating service for Kiwi Farms.[158][159] Cloudflare responded by issuing a statement on its abuse policies and saying it didn't want to set precedent for speech on the internet with its "extraordinary" decision.[160]
The company also released a blog post[161] and likened its services to that of a public utility, emphasizing that it does not believe in shutting down security services based on content it finds objectionable.They acknowledged that while it might be more popular to remove sites that the Cloudflare team finds offensive, it stood by its decision not to do so.[162][163] The company also defended its decision by saying that it donated all earnings from anti-LGBTIQ+ sites to an organization that advocated for LGBTIQ+ rights.[164] The blog post mentioned Cloudflare's terms of use agreement, which allows them to terminate service due to "content that discloses sensitive personal information, [and] incites or exploits violence against people" but, according to The Guardian, the statement did not address how Kiwi Farms users' doxxing behavior did not violate these terms.[164]
On September 3, 2022, Cloudflare blocked Kiwi Farms, citing urgent escalating rhetoric against targets of Kiwi Farms, stating that there is an "unprecedented emergency and immediate threat to human life". According to The Washington Post, there was a "surge in credible violent threats stemming from the site" and CEO Matthew Prince said that Cloudflare believes "there is an imminent danger, and the pace at which law enforcement is able to respond to those threats we don't think is fast enough to keep up".[165][166][160]
Cloudflare said the move was "related to our attempts to understand FOSTA, which is a very bad law and [sets] a very dangerous precedent".
Assembly Four said that "Given Cloudflare's previous stances of privacy and freedom, as well as fighting alongside the EFF, we had hoped they would take a stand against FOSTA/SESTA".[168]
In 2018, Cloudflare was identified by the European Union's Counterfeit and Piracy Watch List as a "notorious market" which engages in, facilitates, or benefits from counterfeiting and piracy.The report noted that Cloudflare hides and anonymizes the operators of 40% of the world's pirate sites, and 62% of the 500 largest such sites, and "does not follow due diligence when opening accounts for websites to prevent illegal sites from using its services".[182][183]
In 2020, an Italian court ruled Cloudflare had to block current and future domain names and IP addresses of the pirate IPTV service "IPTV THE BEST" for infringing on Lega Serie A intellectual property.[184] At the time, Cloudflare was already blocking 22 domain names in Italy.[185] German courts have similarly found that "Cloudflare and its anonymization services attract structurally copyright infringing websites."[186]
Following the December 2024 court ruling,[187] the Spanish LaLiga requested that telephone operators block Cloudflare's IP address ranges in February 2025. Cloudflare hosted websites that illegally broadcast soccer matches. As a result, the pirate platform DuckVision was shut down before the derby between Real Madrid and Atlético Madrid. The platform had 200,000 users and was backed by Cloudflare.[188] The blocks affected major legitimate websites, including X, Vimeo, Steam, GitHub, and the Royal Spanish Academy.[189]
The company later said it had minimal sales and commercial activity in Russia and had "terminated any customers we have identified as tied to sanctioned entities".
Cloudflare's Project Galileo, launched in 2014, offers DDoS protection to NGOs for free.In 2022, they extended free protection to Ukrainian government and telecoms.[196][197]