Business Plan

9 – 8 1 3 – 1 4 5
R E V : M A R C H 7 , 2 0 1 7
________________________________________________________________________________________________________________
Professor Thomas R. Eisenmann and Research Associate Alex Godden prepared this case . HBS cases are developed solely as the basi s for class
discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective management.
Copyright © 2013, 2014, 2017 President and Fellows of Harvard College. To order copies or request permission to reproduce materials, call 1-800-
545-7685, write Harvard Business School Publishing, Boston, MA 02163, or go to www.hbsp.harvard.edu/educators. This publication may not be
digitized, photocopied, or otherwise reproduced, posted, or transmitted, without the permission of Harvard Business School.
T H O M A S R . E I S E N M A N N
A L E X G O D D E N
CloudFlare, Inc.: Running Hot?
On a Sunday evening in July 2012, CloudFlare, Inc. co-founders Matthew Prince (CEO), Michelle
Zatlyn (head of user experience), and Lee Holloway (lead engineer) met to discuss important personnel
matters. Another employee had just told Prince that he planned to leave the company. The resignation
would be CloudFlare’s fifth in three months. The cofounders had to determine whether this was natural
attrition for their rapidly growing startup or symptomatic of bigger issues.
CloudFlare protected websites and accelerated th eir traffic. The company, founded in 2009, had
experienced phenomenal growth, despite having no sales team and spending almost nothing on
marketing. CloudFlare’s network served over 2 bill ion page views daily—about 1% of total Internet
page views—for nearly 500,000 websites that cumulatively had 550 million unique monthly visitors
(see Exhibit 1 for traffic growth). However, only 35 employees—26 of whom were engineers—worked
for the San Francisco–based company. They had been attracted by a culture that emphasized self-
direction, minimal hierarchy, and few bureaucratic processes.
CloudFlare offered two related types of service. The first was an evolving combination of caching,
optimization, and delivery of content that loaded websites faster, reduced their bandwidth costs, and
absorbed big traffic spikes. The second offered greater security to websites by identifying potentially
harmful visitors who might engage in comment spam, excessive bot crawling, or distributed denial-of-
service (DDoS) attacks. CloudFlare principally targeted small and medium-sized websites that could
not afford the security software and content delivery network (CDN) services sold to large enterprise
customers by vendors such as Akamai, Limelight, and Barracuda.
Prince described CloudFlare as “an operating system for the Internet,” capable—by virtue of
inserting a globally distributed network of serversand software between customers’ websites and their
sites’ visitors—of much more than just security and traffic optimization. Indeed, CloudFlare was
already offering analytics and, through its recently launched platform, access to third-party web
applications that customers could add to their sites. The cofounders also believed that CloudFlare could
use its extensive knowledge of web-browsing patterns to help online publishers serve targeted ads—a
potentially huge opportunity.
Given its growth potential as well as the complexity and mission-critical nature of CloudFlare’s
technology, it was essential to continue to attract and retain outstanding engineers. Would the culture,
organizational structure, and hiring practices th at had served CloudFlare well in assembling a
remarkable team continue to meet the scaling startup’s needs?
For the exclusive use of T. EMBA, 2022.
This document is authorized for use only by Trium EMBA in Technology and Entrepreneurship taught by BRANDON MERCIK, New York University from Nov 2021 to May 2022.

813-145 CloudFlare, Inc.: Running Hot?
2
CloudFlare’s History
In 2001, Prince planted the seeds from which CloudFlare would grow when, along with former law
school classmates, he launched Unspam Technolo gies, Inc., which provided state governments and
corporations with solutions to the problem of unso licited e-mail. Prince and his cofounders acquired
some patents from a team of University of California, Santa Cruz, students who had been working on
a similar solution and, in the process, hired one of the team members, Lee Holloway.
Soon after joining Unspam, Holloway built a tool that tracked spammers who harvested e-mail
addresses. The tool evolved into Project Honey Pot, a not-for-profit, open-source effort that allowed
webmasters to place e-mail addresses with hidden tags on their sites. When e-mail spammers scraped
the addresses, the tags allowed Project Honey Pot to identify and catalog the spammers’ IP addresses.
Participating websites could then shut off access to offending IP addresses.
While Project Honey Pot was very popular with webmasters, Unspam’s main business was growing
slowly. Prince decided to stop taking a salary and to run Unspam remotely while completing an MBA
at Harvard Business School. There, he met Michelle Zatlyn, who previously had been a founding team
member at a startup that created employee rewards programs and later worked as a product manager
at Toshiba (see Exhibit 2 for founder bios). Prince felt that their abilities and personalities were
complementary, saying: “Michelle is one of those people who gets stuff done—she’s incredibly well
organized. If my strength is saying, ‘The opportunity is over there,’ hers is getting all the stuff done to
get us over there.”
During their second year at HBS, Prince and Zatlyn developed a plan for CloudFlare. They surveyed
webmasters, who expressed deep frustration with their inability to protect their sites from unwanted
access. Prince thought that CloudFlare’s concept might appeal to Holloway, who was still at Unspam.
Prince explained, “Lee had said, ‘You’ve always treated me fairly, but I’m getting offers.’ This wasn’t
about money; he wanted a big, new technical challenge. He didn’t see that at Unspam anymore. Lee
joined our team and helped us build CloudFlare’s first prototype.”
The team won the HBS Business Plan Contest in the spring of 2009, along with its $25,000 prize that
helped cover expenses after graduation, when Pr ince and Zatlyn joined Holloway in California.
Holloway spent the summer coding, while Zatlyn refined CloudFlare’s business model and Prince
sorted out CloudFlare’s relationship with Unspam. Prince wished to license Project Honey Pot’s data
from Unspam and to extract Holloway from his jo b there. Otherwise, Prince wanted to keep the
companies separate, since the businesses were very different.
The team commenced fund-raising and met Ray Rothrock of Venrock, a venture capitalist who had
deep experience with Internet infrastructure businesses. In November 2009, Venrock led a $2.05 million
Series A round in which Pelion Venture Partners also participated. Although Pelion was usually a late-
stage investor, it had a good relationship with Venrock, and Prince’s cofounder from Unspam now
worked at Pelion.
CloudFlare’s cofounders then bega n hiring engineers. By October 2010, after some alpha testing,
they were ready to launch publicly at TechCrunch Disrupt San Francisco, a high-profile competition
for technology startups. CloudFlare placed seco nd and won Disrupt’s “Most Innovative” award. A
wave of publicity followed, along with a surge of customer sign-ups and many unsolicited queries
from investors, even though CloudFlare had no pressing need for cash. Zatlyn explained: “Up to that
point, we’d spent only half of the capital that we’d raised. Our biggest expense had been for salaries,
and we’d been fairly frugal.”
For the exclusive use of T. EMBA, 2022.
This document is authorized for use only by Trium EMBA in Technology and Entrepreneurship taught by BRANDON MERCIK, New York University from Nov 2021 to May 2022.

CloudFlare, Inc.: Running Hot? 813-145
3
After meeting with several top-tier venture capital firms, the CloudFlare team connected especially
well with New Enterprise Associate’s Scott Sandell. In November 2010, CloudFlare raised a $20 million
Series B round from NEA, Venrock, and Pelion.
Business Model
Customer Value Proposition
Without CloudFlare, a visitor’s request for information from a website was sent to the site’s web
server. With CloudFlare, the request was sent instead through CloudFlare’s global network. There, the
visitor’s IP address was checked against a constantly updated list of malicious addresses, which was
prioritized by threat level. Algorithms also determined whether suspicious patterns warranted adding
the visitor to the list. Customers pre-specified their desired level of security, ranging from “I’m under
attack!” to blocking only the most serious threats.
If a request was trouble free, the visitor’s browser was directed to one of hundreds of CloudFlare
servers in 17 data centers around the world, wher e CloudFlare’s software cached less frequently
updated page elements (e.g., site logos). In parallel, requests for any page content not cached by
CloudFlare were directed to the customer’s servers. For content that it cached, CloudFlare could speed
delivery because the distance between the visitor and one of CloudFlare’s many data centers was
almost always less than the distance between the visitor and the customer’s servers (see Exhibit 3 for
network diagram). By relying on CloudFlare to deliver certain content, the customer also spent less on
bandwidth. On average, a website loaded twice as fast as it did before adopting CloudFlare and
reduced bandwidth use by 60%.
CloudFlare’s service could be enabled through a simple sign-up procedure that took less than five
minutes and required no new hardware, coding, or change in hosting service. Unlike incumbent CDNs,
CloudFlare did not ask customers to specify, file by file, which content should be cached. Basic service
was free; premium options offered faster performance, more advanced security, and other benefits for
subscription fees starting at $20 per month (see Exhibit 4 for subscription plans). From the outset,
CloudFlare’s founders believed that they were opening a new market, providing small and midsized
websites an affordable way to protect themselves and speed content delivery. Zatlyn explained: “We’re
not shrinking or seeking to steal share of the pie; we are expanding it. Most of our customers are online
publishers using such services for the first time. They spread the word about us, saying, ‘Wow, this
makes my site much better—it really works, and it’s free!’”
CloudFlare aimed to deliver more than just improved website performance: it sought to create a
sense of community among its customers and provide assurance that someone was available to help
them manage their sites. Giants like Google could afford big network operations teams to address
obscure technical issues like differential packet loss rates by time of day. By aggregating a huge volume
of traffic, CloudFlare could offer similar benefits to webmasters who otherwise could not afford expert
network operations staff. Zatlyn noted:
We knew that the webmaster’s sense of isolation was an emotive issue from our original
survey. We stress that we’re a community and we’re stronger together. That’s true technically:
as our traffic expands, we see more patterns, so the system actually learns and gets better. That’s
one reason why getting big fast matters. But it’s also true that a webmaster feels very much alone
as she struggles to cope with the bad actors and the bad luck that can slow down or even shut
down her site. One customer tracks online fraud, and the guys he exposes are constantly trying
to knock his site offline. He told us, “You’ve given me back three hours of sleep a night.”
For the exclusive use of T. EMBA, 2022.
This document is authorized for use only by Trium EMBA in Technology and Entrepreneurship taught by BRANDON MERCIK, New York University from Nov 2021 to May 2022.

813-145 CloudFlare, Inc.: Running Hot?
4
CloudFlare offered service to everyone without judgment, which won admiration from some of the
Internet’s anti-corporate elements. For example, CloudFlare had protected LulzSec, a hacker group that
had protested anti-piracy campaigns and overregulation of the Internet by compromising corporate
and government sites. LulzSec became the target of massive hacker counterattacks, but CloudFlare
helped keep its site operational. CloudFlare’s management initially struggled over what to do about
LulzSec, but decided to avoid the “slippery slope” of playing censor. This policy had paid dividends.
For instance, many escort agencies in Turkey relied upon CloudFlare to protect against attacks by
fundamentalist groups. After word got around th at CloudFlare’s protection worked, CloudFlare
signed up several mainstream Turkish corporations and government agencies.
CloudFlare had few competitors offering similar services to its target customers. Traditional CDN
offerings from firms like Akamai and Limelight were typically aimed at large enterprise customers, as
were security products and services from vendors like Barracuda and Juniper. Google offered
PageSpeed to help smaller sites deliver content fast er, but did not match CloudFlare’s full range of
caching and security services. Companies targeting the “long tail” of small to midsized websites (e.g.,
Incapsula, Sitelock, Cotendo) usually focused on only a subset of CloudFlare’s services.
CloudFlare’s highly efficient infrastructure, described below, allowed the startup to compete on
cost. Zatlyn recounted one recent example: “We had a customer paying a big incumbent $1.5 million
per year, which was supposedly a deep discount. We said we could profitably serve them for $40,000
a year. They asked, ‘Did you leave a zero off?’ We can offer big savings, because to date, we’ve only
spent $2 million on network equipment.”
Technology and Operations
Three technological trends had allowed CloudFlare to offer its innovative service for free or at much
lower rates than rivals. First, bandwidth costs had been declining sharply for many years. Second, a
shift from spinning disc drives to flash memory–based, solid-state drives (SSDs) had greatly boosted
speeds at which drives could write and access data—a key requirement for CDNs. Since 100% of its
servers had SSDs, CloudFlare gained cost and performance advantages over incumbent CDNs, which
had lots of legacy spinning disc drives. Third, as a new entrant, CloudFlare was able to build its entire
network around high-capacity servers with multicore processors that executed programming
commands in parallel. Again, this gave CloudFlare an edge over incumbent CDNs, which would have
to rewrite their software code in order to leverage multicore processors.
CloudFlare’s state-of-the-art technology had recently made possible a new premium feature,
Railgun, that allowed CloudFlare to serve much of the 34% of web content that previously was
uncacheable because it was generated dynamically (e.g., personalized pages). Railgun’s innovative
approach identified content on a page that had changed by comparing a dynamically generated page
with versions previously served. This required a large number of rapid, concurrent server requests,
which were readily handled by CloudFlare’s servers by virtue of their multicore processors and SSD
drives.
CloudFlare outsourced the physical installation, operation, and maintenance of its servers to data
center operators around the world, to whom it paid fees based largely on space required. CloudFlare
employees did no work inside the data centers; rather, they provided the data center operators with
detailed instructions on physical installation requirements, then managed software installation and
monitored server performance remotely. Such outsourcing arrangements had long been employed by
incumbent CDNs.
For the exclusive use of T. EMBA, 2022.
This document is authorized for use only by Trium EMBA in Technology and Entrepreneurship taught by BRANDON MERCIK, New York University from Nov 2021 to May 2022.