Capital Flywheels added Cloudflare to the Paper Portfolio as part of the December 2019 update.
Over the past year, Cloudflare has done quite well (~+315%) and ranks as one of the top performers in the Paper Portfolio:
A year ago, Capital Flywheels highlighted how Cloudflare was already playing an important role in keeping the internet up and running but has the potential to become even more important – one of the most important internet companies in the coming years – if it successfully leverages its position to build out the developer platform of tomorrow and the future.
Initially, most investors seemed to outright ignore the story (stock was approximately flat for 6 months) but this changed around spring of 2020.
Since then Cloudflare has been on a meteoric rise.
Not only has it become clear that Cloudflare is a major beneficiary of the pandemic and digital transformation initiatives now taking the world by storm, investors are increasingly willing to embrace the concept and promise of “edge computing” as envisioned by players like Cloudflare (and Fastly).
While many people have already written a lot about Cloudflare, the magic that separates Cloudflare from peers still seems to be highly under-appreciated. And Capital Flywheels hopes to highlight some of those areas today.
And because of this magic, Capital Flywheels believes Cloudflare will become one of the most important internet companies in the coming years and one of the most consequential investments in the Paper Portfolio.
That great giant, Atlas, whose shoulders bear the circling sky. – Ovid, Metamorphoses
Atlas the baleful; he knows the depths of all the seas, and he, no other, guards the tall pillars that keep the sky and earth apart. – Homer, Odyssey
Source: Civilization VI
Cloudflare was founded just a little over a decade ago in 2009. Despite its short history, Cloudflare has become one of the most important companies powering the internet.
What makes Cloudflare so important is its role in network security. By virtue of its distributed global network, Cloudflare has positioned itself as an important defensive system against distributed denial of service (DDoS) attacks.
In recent years, the internet has increasingly come under attack by foreign threat actors. One common method of attack – DDoS – works by directing an overwhelming amount of traffic towards a targeted website / service in order to overwhelm the server and bring the service offline. Such attacks are normally conducted by assembling a large network of malware-infected devices that allow the perpetrator to coordinate actions across the devices and implement a simultaneous wide scale attack.
The most straightforward way to fend off such an attack is to leave enough idle capacity to handle a sudden spike in activity. Most companies other than the largest internet companies likely do not have a lot of idle capacity. As a result, most companies, except for the very largest, likely do not have the capabilities to fend off massive DDoS attacks.
This is how Cloudflare established itself as an important player in keeping the internet up and running.
Many companies protect their websites and services by working with Cloudflare. Not only does Cloudflare manage traffic to ensure top-notch performance, its globally distributed network can help diffuse any / most DDoS attacks by supplying the necessary capacity to prevent being overwhelmed (by drawing on the servers they have placed around the entire world). This is important because no matter how good a website or service is, it means nothing to users if it cannot be accessed. And it is through this advantageous positioning that Cloudflare has inserted itself into the backbone of the internet across a number of areas.
For example, Cloudflare helped defend a part of the internet from a record-breaking 300 Gbit/sec attack back in March 2013:
A squabble between a group fighting spam and a Dutch company that hosts Web sites said to be sending spam has escalated into one of the largest computer attacks on the Internet, causing widespread congestion and jamming crucial infrastructure around the world.
Millions of ordinary Internet users have experienced delays in services or could not reach a particular Web site for a short time.
However, for the Internet engineers who run the global network the problem is more worrisome. The attacks are becoming increasingly powerful, and computer security experts worry that if they continue to escalate people may not be able to reach basic Internet services, like e-mail and online banking.
The attacks were first mentioned publicly last week by CloudFlare, an Internet security firm in Silicon Valley that was trying to defend against the attacks and as a result became a target. Source: NYT
That record-breaking attack was exceeded just a few months later in February 2014…and Cloudflare once again came to the rescue:
A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.
DDoS defense firm CloudFlare disclosed the attack — against one of its customers — Monday. “Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year,” tweeted CloudFlare CEO Matthew Prince, referring both to attacks that target vulnerabilities in the Network Time Protocol, as well as the March 2013 DDoS attack against Spamhaus, which peaked at a record-breaking 300 Gbit/s. Source: Dark Reading
In fact, when something goes wrong at Cloudflare, people tend to notice:
Many major websites and services were unreachable for a period Friday afternoon due to issues at Cloudflare’s 1.1.1.1 DNS service. The outage seems to have started at about 2:15 Pacific time and lasted for about 25 minutes before connections began to be restored.
“This afternoon we saw an outage across some parts of our network. It was not as a result of an attack,” the company said in a statement. “It appears a router on our global backbone announced bad routes and caused some portions of the network to not be available. We believe we have addressed the root cause and monitoring systems for stability now. We will share more shortly—we have a team writing an update as we speak.”
Discord, Feedly, Politico, Shopify and League of Legends were all affected, giving an idea of the breadth of the issue. Not only were websites down but also some status pages meant to provide warnings and track outages. In at least one case, even the status page for the status page was down. Source: TechCrunch
What’s important to realize is that the internet that we have all come to depend on and spend our lives in is quite fragile. We take the existence of the internet and the availability of the internet for granted. But cyberspace is not like physical space. There is no US Navy patrolling these “seas” to ensure that there is freedom of navigation and freedom of passage. Our ability to access the internet at all is highly dependent on a few key players, of which Cloudflare is increasingly becoming one.
Consider the DDoS attack on Hong Kong activists back in late 2014, which (once again) broke the record for largest attack from the 2013 and 2014 examples above:
The intense skirmishes inside Hong Kong’s Occupy Central protests haven’t just taken place on the streets, but online too. The largest cyber attack in history has been carried out against independent media sites in Hong Kong over the past few months, according to the company protecting them, increasing in their intensity each time pro-democracy activists announced new activities or developments.
The distributed denial of service (DDoS) attacks have been carried out against independent news site Apple Daily and PopVote, which organised mock chief executive elections for Hong Kong. Now the content delivery network Cloudflare, which protects Apple Daily and PopVote, says the DDoS attacks have been unprecedented in scale, pounding the sites with junk traffic at a remarkable 500 gigabits per second. Source: Forbes
Leaving aside politics and whether one believes Hong Kong activists are worth defending, this example is a perfect illustration of how fragile the global internet can be (especially when it comes to politically sensitive information) and what a privileged role Cloudflare plays.
Of course, this swings both ways…Back in 2018, Cloudflare became a topic of controversy since they were used by the Daily Stormer, a right-wing media website associated with neo-Nazis, to defend themselves from hackers trying to rid the internet of neo-Nazi content:
Without Cloudflare’s protection, the Daily Stormer and those other sites might well have been taken down by vigilante hackers intent on eliminating Nazi and white-supremacist propaganda online. Hankes and the SPLC weren’t accusing Cloudflare of spouting racist ideology itself, of course. It was more that Cloudflare was acting like the muscle guarding the podium at a Nazi rally. Source: Wired
Initially, Cloudflare defended their position in the name of free speech…arguing that it should not be Cloudflare’s role to determine which websites can live and which websites will have to die. Cloudflare ultimately relented and cut ties with the Daily Stormer, but not before further convincing people (including Capital Flywheels) just how important Cloudflare has become with regards to the modern operations of the internet.
Perhaps one final example to whet your appetite – The 2020 US Presidential election was expected to be one of the most sensitive and critical elections in history with potential for foreign interference across the election infrastructure chain. As you can imagine, being entrusted with the task of defending that infrastructure is not only an important civic duty, but an honor.
And Cloudflare was selected by more than half of all US states to play that role:
More than half of U.S. states are using Cloudflare’s election website security service, CEO Matthew Prince told CNBC’s Jim Cramer on Tuesday.
Athenian Project offers local and state governments free enterprise products to defend election infrastructures, including voter data and election return information, from cyberattacks, a critical component in a fraught political environment.
“We’ve been able to thwart a number of attacks, but we see everything is going very smoothly,” Prince said in a “Mad Money” interview. “Registrations are happening and we’re doing everything we can to ensure that the election, which is coming up, will be free and fair and … that cyber attacks will not be the lead story at the end of the day.” Source: CNBC
The point of all these examples is this –
Many companies argue that they are critical, that they play an important role. But there are only a handful of companies that do truly play that critical role, and Cloudflare is one of them.
Cloudflare is not just another fast growing tech company…it’s the US Navy of the internet.
It’s (one of a few) Atlas holding up the digital world.
Call me a dreamer, but that importance feels like it should be worth more than the current ~$25 billion market cap (and certainly worth more than the ~$6-7 billion market cap of the company when it was added to the Paper Portfolio a year ago).
Is it a CDN?
Aside from security, one of the most common comparisons investors tend to make is between Cloudflare and Fastly. While Fastly is absolutely a content delivery network (CDN) company trying to execute on a vision not too dissimilar from Cloudflare’s long-term vision, Cloudflare should not be viewed as a CDN.
While Cloudflare certainly offers CDN services, it’s not what makes Cloudflare special. And focusing too overtly on Cloudflare’s CDN capabilities will all too likely highlight Cloudflare’s weaknesses that ultimately won’t matter in terms of executing on the long-term vision.
So what is a CDN?
When it comes to content on the internet, especially images and videos, moving it around can take some time. Years and years ago before internet infrastructure became widely built-out, many companies stored their content on their own servers in a single (or few) location. However, users are distributed all around the world. Whenever a request comes in, it requires sending that content to people wherever they are…the farther they are, the more effort it takes to get the content to them. This problem becomes even bigger when you consider how many people are using the internet today compared to years ago and how dominant images and videos have become to our internet consumption.
One of the most important innovations for managing this issue is the creation of the concept of a CDN. Instead of storing content at the origin server, you alleviate the problem by simply putting servers all around the world and storing the content closer to the user.
How it works in practice is that whenever a user requests new content, the request goes all the way to the origin server. And as the origin server pushes the content out to the user, a copy of it will be stored at the CDN server closest to the user. When future requests are made for the same content by any user, it can be delivered from the closest CDN server instead of going all the way to the origin server.
Here’s what it looks like graphically:
Source: Human Who Codes
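The pull-through behaviour described above can be simulated in a few lines. This is an added example, not code from any CDN vendor; the PoP names, coordinates, path and the 60-second TTL are constructed assumptions.

```javascript
// Added illustration of pull-through CDN caching (constructed data throughout).
// Each PoP keeps its own cache, so a copy stored near one user does not help
// a user who is routed to a different PoP.

const POPS = {
  fra: { lat: 50.1, lon: 8.7 },    // Frankfurt (constructed PoP)
  sin: { lat: 1.35, lon: 103.8 },  // Singapore (constructed PoP)
  iad: { lat: 38.9, lon: -77.4 },  // Northern Virginia (constructed PoP)
};

// Great-circle distance in km (haversine formula).
function distanceKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Pick the PoP geographically closest to the user.
function nearestPop(user) {
  return Object.keys(POPS).reduce((best, name) =>
    distanceKm(user, POPS[name]) < distanceKm(user, POPS[best]) ? name : best);
}

class Cdn {
  constructor(origin, ttlMs) {
    this.origin = origin;      // Map: path -> content held at the origin server
    this.ttlMs = ttlMs;        // how long an edge copy stays fresh (assumption)
    this.originFetches = 0;    // counts round trips to the origin
    this.caches = {};          // PoP name -> Map(path -> { body, expires })
    for (const name of Object.keys(POPS)) this.caches[name] = new Map();
  }

  // Serve `path` to `user` at time `now` (ms); returns which PoP answered and how.
  get(user, path, now) {
    const pop = nearestPop(user);
    const cache = this.caches[pop];
    const cached = cache.get(path);
    if (cached && cached.expires > now) {
      return { pop, status: 'HIT', body: cached.body };
    }
    // Miss or stale copy: go all the way back to the origin.
    this.originFetches += 1;
    const body = this.origin.get(path);
    if (body === undefined) return { pop, status: 'NOT_FOUND', body: null };
    cache.set(path, { body, expires: now + this.ttlMs });
    return { pop, status: cached ? 'EXPIRED' : 'MISS', body };
  }
}

// Four constructed requests: two European users, one in Asia, one after the TTL.
function demo() {
  const origin = new Map([['/video.mp4', 'bytes-of-video']]);
  const cdn = new Cdn(origin, 60000);
  const berlin = { lat: 52.5, lon: 13.4 };
  const paris = { lat: 48.9, lon: 2.35 };
  const jakarta = { lat: -6.2, lon: 106.8 };
  const log = [
    cdn.get(berlin, '/video.mp4', 0),      // first request: origin fetch
    cdn.get(paris, '/video.mp4', 1000),    // different user, same PoP: edge copy
    cdn.get(jakarta, '/video.mp4', 2000),  // different PoP: origin fetch again
    cdn.get(berlin, '/video.mp4', 61000),  // copy has expired: origin fetch
  ].map((r) => `${r.pop}:${r.status}`);
  return { log, originFetches: cdn.originFetches };
}
```

Only one of the four requests is served without touching the origin, which is why cache hit ratio depends on how many users share a PoP and how long copies stay fresh.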
CDN companies like Fastly and Akamai play an important role in ensuring content is delivered quickly. Nobody wants their TikTok videos to take an eternity to load. And companies like Fastly and Akamai ensure that users never have to wait.
As mentioned above, Cloudflare does offer some CDN services, but it’s a very small portion of what they do.
By virtue of having a globally distributed network, Cloudflare seems like it should be able to offer CDN services, but Cloudflare’s hardware and network are optimized for security and not content. As a result, Cloudflare isn’t the best at offering CDN services for media companies and hence doesn’t much compete against Fastly or Akamai in this realm. In fact, if CDN is specifically what you are interested in, you would likely be better served by looking at companies other than Cloudflare.
But the good thing is that CDN is not actually that good of a business so it doesn’t matter that much that Cloudflare isn’t that good at it. The CDN industry has historically been prone to competition and price compression since it can be fairly commoditized.
Next Generation Computing?
So depending on who you ask, Cloudflare is either a leading CDN company or a leading security company.
While both of those descriptions do cover some aspects of Cloudflare, neither is complete.
And if you simply assume Cloudflare is just a CDN or just another security player, you will likely completely miss the grand vision that Cloudflare is uniquely positioned to enable.
What does this mean in practice?
Here’s what Cloudflare’s products and platform look like on paper:
If you think of Cloudflare as just a security company, you will mostly only focus on this part:
If you think of Cloudflare as just a CDN, you will mostly only focus on this part (as you can see, viewing Cloudflare as a CDN is probably a misleading view of the company):
But what makes Cloudflare interesting is not only all of the other stuff they do beyond security and CDN / caching like on the reliability side, but rather the single scalable development platform that it all runs on top of:
The long-term potential of this single scalable development platform is ultimately not only a function of what Cloudflare can do with it, but also what external developers can do with it.
Many modern tech companies have single scalable development platforms, but they are largely used only internally and only lightly exposed to the outside world (via APIs), if at all.
For Cloudflare, not only are all of their internal products built on top of this platform with demonstrated ability to deliver industry leading performance and security, this platform is being opened up to external developers, which will allow 3rd party code to run anywhere in the world, at the edge, with unparalleled performance in a way that has never been possible before.
This is the dream of “edge computing”. And this is known as Cloudflare Workers.
The right way to think about this is not just another cloud platform…what Cloudflare is enabling is a new way of running and distributing code.
The right comparison is with operating systems like iOS and Android and Windows.
Windows allows a developer to run and execute code across 1 billion PCs across the world. iOS allows a developer to run and execute code across 1 billion iOS devices across the world. Android allows a developer to run and execute code across 3 billion Android devices across the world.
And what Cloudflare is enabling is not just another cloud development platform, but the ability for developers to run and execute code anywhere around the world, at the edge, from the servers that make up Cloudflare’s globally distributed network.
What about Amazon AWS? Don’t they enable something similar?
On the public cloud front, AWS continues to lead the pack given the enormous capabilities possible through their network of datacenters spanning the world across 77 key availability zones:
However, when developers sign up and write code for AWS, they are still generally writing code for a specific datacenter / region, not for the whole network.
This means the code is executing at a specific location regardless of where the users are located.
This is fundamentally different from what Cloudflare is enabling, which is a platform capable of executing code across the whole network as if it is one single datacenter and can execute at the datacenter that is closest to the end user.
This is why Cloudflare’s founder, Matthew Prince, dislikes the term “edge computing” and much prefers the term “serverless computing”. Serverless computing is already entering conversations but it is usually used to refer only to servers within a single datacenter. Cloudflare goes further. Because that is truly what Cloudflare is aiming for – a global development platform that is agnostic of not only the servers within a single datacenter, but agnostic of all servers across the whole network and tailored to where the end user is located.
To be fair, AWS has already launched something similar through AWS Lambda@Edge (AWS Lambda is the serverless compute offering hosted in a single region, while AWS Lambda@Edge is the serverless compute offering hosted at the edge across the network)…but Amazon is increasingly becoming a controversial vendor with many companies seeking to diversify to avoid Amazon dependence…while Cloudflare has the benefit of being an entirely neutral partner.
But even before taking into consideration Amazon’s non-neutrality, edge computing is not a core focus for Amazon…and it shows.
Cloudflare’s capabilities in terms of edge compute drastically outstrip what Amazon is able to offer.
For example, as early as 2018, Cloudflare Workers was already executing code at the edge materially faster than Lambda@Edge:
The above chart shows you the percentile of code (horizontal axis) vs the amount of time it takes to execute (vertical axis) – lower is better. Workers clearly executes code faster than Lambda@Edge across the entire distribution, and the vast majority of Workers code executes in basically no time.
And that was 2018.
And it’s not just Amazon. Cloudflare compares well vs the other hyperscalers (Google and Microsoft) as well:
Source: Datacenter Knowledge
If you thought that was impressive, earlier this year Cloudflare announced something that sounds like it should be impossible:
Unlike containers, Cloudflare Workers utilize isolate technology, which measure cold starts [time it takes to load and execute a new copy of a serverless function] in single-digit milliseconds. Well, at least they did. Today, we’re removing the need to worry about cold starts entirely, by introducing support for Workers that have no cold starts at all – that’s right, zero. Forget about cold starts, warm starts, or… any starts, with Cloudflare Workers you get always-hot, raw performance in more than 200 cities worldwide. Source: Cloudflare
Yes…0 milliseconds cold starts. How do you beat 0?
Cloudflare certainly has a mountain to climb ahead of it with the largest challenge coming from AWS, but if successful, Cloudflare has the potential to become one of the giants.
What Would you Like to Do?
If you can dream it, you can do it. – Walt Disney
This is all great…but what can you do with this?
Investors have gotten really starry-eyed. There’s a lot of material out there discussing all of the cool new things that you can do better when you have code executing at the edge.
For example, internet of things (IoT) is a common topic. The idea is that soon our lives will be filled with devices everywhere. You may already have a smart speaker or a smart doorbell, but you will have more. And many of these devices will continue to get smarter with new AI-enabled features. For example, perhaps your Ring doorbell in the future will be able to use AI to detect whether someone standing at your door is an authorized person or not.
Leaving aside the privacy implications of all of this, if we want such capabilities and it proliferates across our lives, it will become extremely taxing on internet infrastructure if all of that video and audio data needs to be shuffled back and forth to core datacenters for processing. It would materially ease the pressure on our internet infrastructure if code can be executed at an edge server like what Cloudflare offers (assuming the doorbell itself does not have enough computing power to execute much code on its own).
Other examples include tailoring online services to where your user requests are coming from. For example, an e-commerce website can execute dynamic code at the edge that tailors language, currency, and payment methods to where the request is coming from. Currently this is handled in a very static way with companies creating separate websites for each country they operate in. But with dynamic code at the edge, you can easily imagine a future where companies do not have to create separate websites for each country but rather have a single service that can be dynamically tailored to the user depending on where the request comes from…all possible and courtesy of edge computing.
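A sketch of that single, dynamically tailored storefront, written as the request handler an edge function would run. This is an added example, not Cloudflare's or any retailer's code: the market table, `sampleRequest` helper and response shape are constructed, and the only platform detail assumed is that Cloudflare Workers expose the client's country as `request.cf.country`.

```javascript
// Added illustration (constructed data). On Cloudflare Workers the country is
// set by the edge as request.cf.country; it is never read from a client header,
// which a visitor could forge to pick another market's prices.

const MARKETS = {
  US: { currency: 'USD', languages: ['en'], payments: ['card'] },
  DE: { currency: 'EUR', languages: ['de', 'en'], payments: ['card', 'sepa'] },
  JP: { currency: 'JPY', languages: ['ja', 'en'], payments: ['card', 'konbini'] },
};
const DEFAULT_MARKET = 'US';

// Parse Accept-Language into primary language tags, highest q-value first.
function parseAcceptLanguage(header) {
  if (!header) return [];
  return header.split(',')
    .map((part, index) => {
      const [tag, ...params] = part.trim().split(';');
      const qParam = params.map((p) => p.trim()).find((p) => p.startsWith('q='));
      const q = qParam ? Number(qParam.slice(2)) : 1;
      return { lang: tag.trim().toLowerCase().split('-')[0], q, index };
    })
    // Drop wildcards, malformed tags and entries the client explicitly refuses.
    .filter((e) => /^[a-z]{2,3}$/.test(e.lang) && e.q > 0 && e.q <= 1)
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map((e) => e.lang);
}

// Choose market settings from the edge-supplied country and the browser's languages.
function localize(country, acceptLanguage) {
  const code = typeof country === 'string' ? country.toUpperCase() : '';
  // Own-property check so values like "constructor" cannot match inherited keys.
  const known = Object.prototype.hasOwnProperty.call(MARKETS, code);
  const marketCode = known ? code : DEFAULT_MARKET;
  const market = MARKETS[marketCode];
  const wanted = parseAcceptLanguage(acceptLanguage);
  const language = wanted.find((l) => market.languages.includes(l)) || market.languages[0];
  return { market: marketCode, currency: market.currency, language, payments: market.payments };
}

// Request handler. In a Worker the returned fields would be passed to
// `new Response(body, { status, headers })`.
function handleRequest(request) {
  const country = request.cf && request.cf.country;
  const settings = localize(country, request.headers.get('accept-language'));
  return {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'content-language': settings.language,
      // The body depends on the visitor's country, which is not a request
      // header a shared cache can key on, so keep it out of shared caches.
      'cache-control': 'private, no-store',
      'vary': 'Accept-Language',
    },
    body: JSON.stringify(settings),
  };
}

// Constructed stand-in for an incoming request, for running outside a Worker.
function sampleRequest(country, acceptLanguage) {
  const headers = new Map();
  if (acceptLanguage) headers.set('accept-language', acceptLanguage);
  return { cf: country ? { country } : undefined, headers };
}
```

The cache headers are the part that is easy to miss: once one URL returns different prices per country, an edge copy stored for one visitor must not be replayed to a visitor from another market.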
I’ll leave it up to you to dream the dream (and as a reminder, you can find a lot of examples online that others have already written about).
Of course, the company believes the most interesting use case for this over the near / medium term is something more mundane but more important…
As Capital Flywheels wrote recently about the potential deep fragmentation of the internet into more localized segments, Cloudflare Workers (and edge computing in general) will be a critical piece of enabling localization.
Governments around the world are already starting to push in this direction by requiring local data processing. This creates enormous challenges for services that only have origin servers in a small number of locations. For example, a mid-sized enterprise running their online operations only out of the US may have a hard time serving customers in other countries if those countries require data to not leave those foreign borders. Cloudflare Workers would be a beautiful solution to this problem by abstracting all of the need for developers to focus on this problem at all…the developer can simply code their service in a way that will allow Cloudflare to dynamically store and execute code locally without having to move anything outside of those borders.
The fragmentation of the internet is likely one of the biggest changes coming for all of us. And Cloudflare is positioned to play a role.
Starting Points Matter
2020 has been fascinating in more ways than expected.
One of the more fascinating things for Capital Flywheels has been the change in sentiment around both Cloudflare and Fastly.
While Cloudflare was sort of overlooked for a while until mid-year, many investors already understood the story to some extent…they just weren’t excited by it until mid-year.
Fastly, on the other hand, was a completely different animal. Most investors rightly understood it to be a CDN. However, most investors wrongly believed it to be a bad business just because CDN tends to be a challenging space to be in.
However, what’s fascinating is that investors materially warmed up to Fastly’s story given how similar Fastly’s long-term vision is to Cloudflare’s. And at one point, Fastly and Cloudflare’s market caps were neck and neck.
Although Capital Flywheels recently added Fastly to the Paper Portfolio on the view that Fastly is indeed a very good CDN with potential to do more, Capital Flywheels believes that investors are likely making a mistake if they think Cloudflare and Fastly have the same potential just because they are executing on the same vision.
Yes, both of them have security, CDN, and edge computing offerings and are pursuing the same vision.
But, Capital Flywheels believes Cloudflare is much better positioned to actually accomplish it than Fastly.
And it all comes down to starting points.
There is no other way to say this other than to say that Cloudflare is starting on 2nd base (or 3rd base) whereas Fastly is starting at 1st base.
What makes you say that?
1/ The first and most relevant advantage for Cloudflare is their historical positioning as a security company rather than a CDN.
This difference in positioning is extremely important because it means that Cloudflare and Fastly are starting with different hardware in their edge datacenters.
Since Fastly is mostly a CDN, their hardware is skewed towards storage in order to hold all of the images and videos that need to be delivered from the edge.
Cloudflare, on the other hand, is focused on security. This means their hardware is overwhelmingly skewed towards compute since compute is necessary for security functions.
While Fastly and Cloudflare are both aiming to become edge computing companies, Cloudflare has a very large head start in hardware compared to Fastly.
2/ The second major advantage for Cloudflare is Cloudflare’s footprint.
The funny thing about Fastly is that it’s a very successful CDN without having the large distributed CDN footprint that you would expect for a CDN.
In fact, Fastly’s footprint is actually quite small…
Currently, Fastly is present in about 55 cities.
Here’s a reminder of what Cloudflare’s footprint looks like:
Cloudflare has a presence in over 200 cities.
What’s funny about Fastly is that they have been taking share from CDN peers that have materially larger footprints. Fastly’s most capable CDN peer is Akamai…and Akamai is present in more than 1,700 locations.
So how does Fastly compete as a CDN without actually building out a massive CDN footprint?
Here’s what Fastly says:
Deploying thousands of small, scattered points of presence (POPs) may have worked for legacy CDNs in the dial-up era, but the internet has become increasingly dynamic, and spinning disks no longer get the job done. Fastly has taken a fundamentally different approach: we’ve focused our efforts on placing fewer, more powerful POPs at strategic markets around the world. With Tier 1 transit, solid-state drive (SSD) powered servers, and an engineering team that lives to optimize for speed, we’ve built a blazing-fast network that requires less hardware to deliver comprehensive global reach. Fastly’s high-density POPs enable us to serve more from cache, including static and event-driven content. This improves your cache hit ratio, resulting in better user experiences. Source: Fastly
Not only does Fastly confirm what Capital Flywheels highlighted above (hardware is focused on SSD / storage), Fastly’s whole strategy is to utilize better hardware and a more modern software architecture to outcompete older peers.
Unfortunately for Fastly, the strategy they have employed successfully against legacy CDN peers is unlikely to help them much in pursuing the grand edge computing vision that lies ahead.
Not only does Fastly not have the right hardware (yet), it also does not actually have a large edge network footprint…it was (and is) winning the CDN race with an entirely asymmetric strategy of not being a large edge network at all.
Only time will tell if they can do the same for edge computing without having a large edge network…but Capital Flywheels believes the odds are low.
In addition, Fastly is outcompeting legacy CDN peers because legacy CDN peers are working with old software architectures…Fastly won’t have this advantage against Cloudflare because both Fastly and Cloudflare are built on modern software. Cloudflare is no slouch.
3/ Fastly’s higher exposure to enterprises – often viewed as an advantage – is going to become their anchor.
Fastly currently has the advantage of a better customer base (at least when it comes to CDN). Fastly has a much higher mix of enterprise customers. Cloudflare, on the other hand, is much more skewed towards small businesses.
The advantage of enterprise is that customers tend to be more stable and more willing to pay.
Cloudflare’s skew towards smaller businesses means customers have less ability to pay, and many don’t survive long.
While the enterprise skew is a material positive for Fastly in existing segments, it is a major disadvantage when it comes to edge computing and new products because enterprises value stability above all. This means Fastly has lower ability to roll out and test new features, whereas Cloudflare has a large (and willing) small business customer base that it can experiment on before rolling out to enterprises.
Much like how enterprises stuck with Windows XP even way past expiration date (enterprises don’t like change), Fastly’s enterprise customer mix means that moving fast is not an option.
I think we are already starting to see this anchor when you compare the relative pace of new product rollouts from Cloudflare vs Fastly. Cloudflare is rolling out new features very quickly, whereas Fastly is not.
I’m sure everything Cloudflare is rolling out is already something Fastly has thought about and is working on, but Fastly is just rolling out at a slower pace.
It’s a Big World
Hopefully by now I’ve convinced you that the vision that Cloudflare (and Fastly) are executing towards is worth being a part of.
I think Cloudflare has a better chance of getting there first because it’s already got a head start.
But ultimately, does it matter if Cloudflare gets there first? Can’t they both get there eventually?
The internet is indeed a very large place, and the market is very large. So, yes, there is a pretty good chance that they can both get there and do well.
One thing that I think is worth monitoring in order to understand whether both can win is the evolving network effects around security and edge compute.
No one doubts that there can be many players in the CDN space (which is why it is competitive) because it is ultimately a fairly commoditized product. Players with similar footprints ultimately have similar performance. Fastly has better software (right now), but the software edge will eventually wane as peers catch up. And when that happens, CDN is just…CDN.
However, this is not the case when it comes to security and edge compute because there are natural network effects that accrue to the leaders.
For example, we are already starting to see this with Cloudflare. As they sign up more and more customers for their security products (like DDoS), it gives them an intelligence and network advantage that is hard for smaller peers to match.
Capital Flywheels believes edge computing will also have network effects that will favor the first mover. In addition, computing is generally an area where there tends to be lock-in. Once a developer writes code specifically for Cloudflare Workers, it will require effort to adapt that code for another platform. And this lock-in will likely grow over time as the capabilities enabled by Cloudflare Workers grow and as developers develop ever more sophisticated code at the edge.
After a certain point, it becomes a struggle to go anywhere else.
To say it’s a large world is obvious…but if there are truly network effects in the long run, then even a large world will slowly shrink down to 1.
Disclosures: I own shares in NET. I have no intention to transact in any shares mentioned in the next 48 hours.