Product Code Database
Cloudflare, Inc. is an American technology company headquartered in San Francisco, California, that provides a range of internet services, including content delivery network (CDN) services, cloud cybersecurity, DDoS mitigation, and ICANN-accredited domain registration. The company's services act primarily as a Reverse proxy between website visitors and a customer's hosting provider, improving performance and protecting against malicious traffic.
Cloudflare was founded in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn. The company went public on the New York Stock Exchange in 2019 under the ticker symbol NET. Cloudflare has since expanded its offerings to include edge computing through its Workers platform, a public DNS resolver (1.1.1.1), and a VPN service known as WARP. In recent years, the company has integrated artificial intelligence into its infrastructure, acquiring companies such as Replicate and launching tools to manage AI bots and scrapers. According to W3Techs, Cloudflare is used by approximately 21.3% of all websites on the Internet as of January 2026.
The company has been the subject of controversy regarding its policy of content neutrality. While Cloudflare executives have historically advocated for remaining a neutral infrastructure provider, the company has terminated services for specific high-profile websites associated with hate speech and violence, including The Daily Stormer, 8chan, and Kiwi Farms, following significant public pressure. Cloudflare has also faced criticism and litigation regarding copyright infringement by websites using its services, notably losing a lawsuit against Japanese publishers in 2025. The company experienced significant global outages in late 2025 which disrupted services for major platforms internationally.
According to the company, the name 'Cloudflare' was chosen, over the initial 'WebWall', because it best described what they were trying to do: build a "firewall in the cloud."
In 2020, Cloudflare co-founder and COO Michelle Zatlyn was named president.
Cloudflare has acquired web-services and security companies, including StopTheHacker (February 2014), CryptoSeal (June 2014), Eager Platform Co. (December 2016), Neumob (November 2017), S2 Systems (January 2020), Linc (December 2020), Zaraz (December 2021), Vectrix (February 2022), Area 1 Security (February 2022), Nefeli Networks (March 2024), BastionZero (May 2024), and Kivera (October 2024). Since at least 2017, Cloudflare has used a wall of at its San Francisco headquarters as a source of randomness for encryption keys, alongside at its London offices and a Geiger counter at its Singapore offices. The lava lamp installation implements the Lavarand method, where a camera transforms the unpredictable shapes of the "lava" blobs into a digital image.
Cloudflare provided paid services to 162,086 customers.
In October 2024, Cloudflare won a lawsuit against patent troll Sable Networks. Sable paid Cloudflare $225,000, granted it a royalty-free license to its patent portfolio, and dedicated its patents to the public by abandoning its patent rights.
In November 2025, it was announced Cloudflare had agreed to acquire Replicate, a San Francisco–based platform that enables software developers to run, fine-tune, and deploy Open source machine-learning models via an API without managing infrastructure.
In January 2026, Cloudflare released an analysis regarding BGP routing leaks observed from the Venezuelan state-owned ISP CANTV (AS8048), which occurred on January 2 coincides with the arrest of Nicolás Maduro. While some security researchers had speculated that the outages were linked to U.S. cyber operations, Cloudflare's data indicated that the anomalies were consistent with a pattern of "insufficient routing export and import policies" by the ISP rather than malicious external interference.
In January 2026, Cloudflare acquired Human Native, an AI data marketplace that brokers transactions between developers and content creators, for an undisclosed amount.
On January 16, 2026, Cloudflare acquired The Astro Technology Company, the developers behind the open-source web framework Astro.
As of 2024, Cloudflare servers are powered by AMD Epyc 9684X processors.
Cloudflare also provides analysis and reports on large-scale outages, including Verizon’s October 2024 outage.
In 2024, Cloudflare launched a tool that prevents bots from scraping websites. To build automatic bot detector models, the company analyzed "AI" bots and crawler traffic.The company also launched an "AI" assistant to generate charts based on queries by leveraging "Workers AI".Cloudflare announced plans in September 2024 to launch a marketplace where website owners can sell "AI" model providers access to scrape their site’s content. Cloudflare also launched AI Audit, which provides analytics on "AI" models scraping their sites (along with the ability to block them altogether).
In March 2025, Cloudflare announced a new feature called "AI Labyrinth", which combats unauthorized "AI" data scraping by serving fake "AI"-generated content to LLM bots.
In March 2013, The Spamhaus Project was targeted by a DDoS attack that Cloudflare reported exceeded 300gigabits per second (Gbit/s). Patrick Gilmore, of Akamai, stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet". While trying to defend Spamhaus against the DDoS attacks, Cloudflare ended up being attacked as well; Google and other companies eventually came to Spamhaus' defense and helped it to absorb the unprecedented amount of attack traffic.
In 2014, Cloudflare began providing free DDoS mitigation for artists, activists, journalists, and human rights groups under the name "Project Galileo". In 2017, they extended the service to electoral infrastructure and political campaigns under the name "Athenian Project". By 2025, more than 2,900 users and organizations were participating in Project Galileo, including 31 US states.
In February 2014, Cloudflare claimed to have mitigated an NTP reflection attack against an unnamed European customer, which they stated peaked at 400 Gbit/s. In November 2014, it reported a 500 Gbit/s DDoS attack in Hong Kong. In July 2021, the company claimed to have absorbed a DDoS attack three times larger than any they'd previously recorded, which their corporate blog implied was over 1.2 Tbit/s in total. In February 2023, Cloudflare reported blocking a 71 million request-per-second DDoS attack which "the company says was the largest HTTP DDoS attack on record".
Cloudflare blocked the largest publicly recorded DDoS attack in August 2025, with volumetric attacks peaking at 11.5 terabits per second.
In 2020, Cloudflare released a JAMstack platform for developers to deploy websites on Cloudflare's Edge infrastructure, under the name "Pages".
In 2022, Cloudflare announced an Edge SQL database, D1, which is built on SQLite.
In August 2023, Cloudflare and IBM announced a partnership providing bot management capabilities to protect IBM Cloud customers from malicious bots and automated threats. The same month, Cloudflare was hired by SpaceX to boost the performance of Starlink. In September, the company launched Cloudflare Fonts as a competitor to Google Fonts.
Through a contract with the Cybersecurity and Infrastructure Security Agency, Cloudflare provides registry and authoritative DNS services to the .gov top-level domain. Cloudflare also launched Cloudflare for Campaigns in 2020, to offer free cybersecurity tools to political campaigns. Those tools expanded to include secure email systems in 2025.
In November 2020, Cloudflare announced Cloudflare for Teams, consisting of a DNS resolver and web gateway called "Gateway", and a zero-trust authentication service called "Access".
Cloudflare released an Oblivious HTTP relay service in 2022, called Privacy Gateway.
Cloudflare announced a partnership with PhonePe in January 2023 to secure its mobile payment system. In February, Cloudflare launched Wildebeest to allow Mastodon users to set up and run their own instances on Cloudflare's infrastructure.
In August 2023, Cloudflare started the Project Cybersafe Schools program as part of a $20 million grant program from Amazon Web Services, making 70 percent of public school districts in the United States eligible for no-cost cybersecurity services.
In March 2024, they announced Firewall for AI to defend applications running large language models (LLMs). In September, Cloudflare announced Ephemeral IDs, which identifies fraudulent activity by linking behavior to a client through a short-lived, generated ID, rather than the traditional means of using an IP address. The same month, the company also announced all ISP and equipment manufacturers could use their DNS resolvers for free.
Cloudflare introduced the Cloudforce One threat events platform in March 2025, offering real-time insights into cyberattacks using data gathered from Cloudflare's network.
Cloudflare announced the acquisition of Area 1 Security in February 2022, a company who developed a product designed to combat phishing email attacks.
Cloudflare acquired Nefeli Networks in March 2024, a cloud networking company, co-founded by computer scientist Sylvia Ratnasamy.
In March 2023, Cloudflare announced post-quantum cryptography will be made freely and forever available to , applications and Internet connections.
Cloudflare released the Speed Brain and Instant Purge features in September 2024, to significantly reduce page load latency by prefetching content, and invalidating cached content in under 150ms.
In 2024, Cloudflare announced plans to launch a new payment method, called Stripe Link, which went into beta in the fall.
Since 2010, Cloudflare has collaborated with the National Center for Missing & Exploited Children to provide data, files, and supplemental investigation from abuse reports observed on their network. Cloudflare designed a new NCMEC reporting system in 2024, updating it in 2025 by integrating Cloudflare Workflows and making the CSAM scanning tool accessible globally.
Affected services included Twitter, Spotify, Letterboxd, Uber, DoorDash, Indeed, Canva, Grindr, IKEA, Archive of Our Own, Wplace, news websites including Axios and Politico, AI and LLM services such as ChatGPT, Sora, and Microsoft Copilot, such as League of Legends, and any service relying on Cloudflare's security challenge software Turnstile. Access to WARP, Cloudflare's VPN service, was also briefly disabled in London. During the outage, a spokesperson for Cloudflare said the company had seen a "spike in unusual traffic", causing some traffic passing through its network to experience errors.
At 14:23 UTC, The Guardian reported that Cloudflare had released a fix. It also reported that maintenance was due at various locations, though this is not known to have caused the outages. At 14:42 UTC, Cloudflare informed users on its status page that the fix had been implemented and that it would take some time for remaining post-deployment issues to be fixed.
A technical postmortem of the incident was released the day following the outage. Cloudflare attributed the outage to a change in the configuration of a database, which caused an invalid file to be sent to all servers on the network.
In 2022, a research paper by Stanford University found that Cloudflare was a prominent CDN provider among several other providers that are disproportionately responsible for serving misinformation websites. Cloudflare has come under pressure on multiple occasions due to its services being utilized to access far-right content.
In a statement to Business Insider, Cloudflare CEO Matthew Prince said that he was repulsed by The Daily Stormer content while expressing regret at the fact that his decision to suspend services had taken the website offline: "The ability of somebody to single-handedly choose to knock content offline doesn’t align with core ideas of due process or justice. Whether that’s a national government launching attacks or an individual launching attacks."
As a self-described "free speech absolutist", Prince claimed he did not want to repeat the decision, and sought out protections for the company should they be faced with a similar situation in the future. Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern shared by a number of civil liberties groups and privacy experts. The Electronic Frontier Foundation, a US digital rights group, said that services such as Cloudflare should not be deciding what speech is acceptable and that illegal content should be handled through the legal system.
On August 5, 2019, two days after Prince's interview with The Guardian, Cloudflare terminated service to 8chan, causing the website to move to the dark web. Cloudflare explained that 8chan "have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit." Prince condemned the El Paso shooting as "abhorrent in every possible way", removing 8chan from the Internet was "the right thing to do".
In 2022, a campaign was launched by transgender activist Clara Sorrenti, who has previously been targeted by the forum, to pressure Cloudflare into terminating service for Kiwi Farms. Cloudflare responded by issuing a statement on its abuse policies and saying it didn't want to set precedent for speech on the internet with its "extraordinary" decision.
The company also released a blog post and likened their services to that of a public utility, emphasizing that they do not believe in shutting down security services based on content they find objectionable. They acknowledged that while it might be more popular to remove sites that the Cloudflare team finds offensive, they stood by their decision not to do so. The company also defended their decision by saying that they donated all earnings from anti-LGBTQ sites to an organization that advocated for LGBTIQ+ rights. The blog post mentioned Cloudflare's terms of use agreement, which allows them to terminate service due to "content that discloses sensitive personal information, and incites or exploits violence against people" but, according to The Guardian, the statement did not address how Kiwi Farms users' doxxing behavior did not violate these terms.
On September 3, 2022, Cloudflare blocked Kiwi Farms, citing urgent escalating rhetoric against targets of Kiwi Farms, stating that there is an "unprecedented emergency and immediate threat to human life". According to The Washington Post, there was a "surge in credible violent threats stemming from the site" and CEO Matthew Prince said that Cloudflare believes "there is an imminent danger, and the pace at which law enforcement is able to respond to those threats we don't think is fast enough to keep up".
Cloudflare said the move was "related to our attempts to understand FOSTA-SESTA, which is a very bad law and sets a very dangerous precedent". Assembly Four said that "Given Cloudflare's previous stances of privacy and freedom, as well as fighting alongside the EFF, we had hoped they would take a stand against FOSTA/SESTA".
In 2018, HuffPost documented that Cloudflare provided services for "at least 7 terrorist groups", as designated by the United States Department of State including Al-Shabaab, the Taliban, the Popular Front for the Liberation of Palestine, the al-Quds Brigades, the Kurdistan Workers' Party (PKK), the al-Aqsa Martyrs' Brigades, and Hamas. At the time, Cloudflare's general counsel, Doug Kramer, told The Huffington Post that he couldn't comment on specific cases in which Cloudflare was told about possible terrorist organizations using its services, but that Cloudflare does work with government agencies to be in compliance with its legal obligations.
In September 2019, Cloudflare reported in their Form S-1 filing that their technology was "used by, or for the benefit of, certain individuals or entities" that were blacklisted due to United States economic and trade sanctions regulations", including "entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions".
In 2018, Cloudflare was identified by the European Union's Counterfeit and Piracy Watch List as a "notorious market" which engages in, facilitates, or benefits from counterfeiting and piracy. The report noted that Cloudflare hides and anonymizes the operators of 40% of the world's pirate sites, and 62% of the 500 largest such sites, and "does not follow due diligence when opening accounts for websites to prevent illegal sites from using its services".
In 2020, an Italian court ruled Cloudflare had to block current and future domain names and IP addresses of the pirate IPTV service "IPTV THE BEST" for infringing on Lega Serie A intellectual property. At the time, Cloudflare was already blocking 22 domain names in Italy. German courts have similarly found that "Cloudflare and its anonymization services attract structurally copyright infringing websites."
Following the December 2024 court ruling, the Spanish LaLiga requested that telephone operators block Cloudflare's IP address ranges in February 2025. Cloudflare hosted websites that illegally broadcast soccer matches. As a result, the pirate platform DuckVision was shut down before the derby between Real Madrid and Atlético Madrid. The platform had 200,000 users and was backed by Cloudflare. The blocks affected major legitimate websites, including X, Vimeo, Steam, GitHub, and the Royal Spanish Academy.
Cloudflare's Project Galileo, launched in 2014, offers DDoS protection to for free. In 2022, they extended free protection to Ukrainian government and telecoms.
|
|
