Cloudflare Competitor Matrix
Quick reference during calls — when a prospect mentions a competitor, find them here, scan the win-line, pivot back to value.
Each Cloudflare product has its competitive landscape below. Two columns matter:
Key differentiator — what's true about them, neutral framing.
How to win — the line that flips the conversation.
Rules of the road: never disparage competitors directly. State facts, position our advantages, acknowledge where they're strong. Honest competitive credibility wins more deals than spin.
Performance / Delivery
CDN All Plans
| Competitor | Key differentiator | How to win |
|---|
| Akamai |
Legacy CDN incumbent. Largest PoP footprint by raw site count. Strong enterprise sales motion. Many big retailers and banks still on Akamai contracts. |
"Akamai is a great CDN — and a great line item on your budget. We're typically 40-60% less expensive at the same or better performance, with security, DDoS, bot management, and dev platform unified on one bill. They charge separately for everything." |
| Fastly |
Modern CDN with strong developer story. Compute@Edge is their Workers equivalent. Smaller network than Cloudflare (~80 PoPs vs our 330+). |
"Fastly's a credible technical product. Two things to know: our network is ~4x larger (better last-mile performance), and our pricing is simpler — they meter per request and per gigabyte, we're flat per zone. Plus security is included, not an upsell." |
| AWS CloudFront |
Bundled with AWS workloads. Great when origin is already in AWS. Charges per request, per GB out, plus data transfer. |
"CloudFront is convenient if you're all-in on AWS, but the egress economics catch up fast. We're flat per zone, no egress fees from our edge, and we'll cache more aggressively. Most customers see their CDN bill drop significantly." |
| Microsoft Azure CDN |
Azure-bundled, also resells Verizon and Akamai under the hood. Being deprecated — Microsoft now pushes Azure Front Door. |
"Microsoft is actually winding down Azure CDN — they're migrating customers to Front Door, which is a much bigger architectural change. If you're going to do a migration anyway, evaluating us is a smart move." |
| CloudFront + Lambda@Edge |
CloudFront with edge compute. Lambda@Edge has slow cold starts and is limited compared to Workers. |
"Lambda@Edge cold starts in hundreds of milliseconds; Workers cold-starts sub-5ms. If edge compute matters at all, it's a different category of performance." |
DNS All Plans
| Competitor | Key differentiator | How to win |
|---|
| AWS Route 53 |
Bundled with AWS workloads. Per-zone + per-query pricing. Strong if heavily integrated with AWS internals (VPC private zones). |
"Route 53 charges per query — a million queries a month is real money. We're flat. We're also #1 on DNSPerf benchmarks consistently, while Route 53 ranks lower. For non-AWS-internal use cases, no contest." |
| NS1 / IBM |
Premium DNS with traffic management features (failover, geo). Acquired by IBM in 2023. Expensive. |
"NS1's traffic management is solid, but we cover those use cases via Load Balancing + DNS combined. And we're typically 60-80% less expensive at scale." |
| GoDaddy / Namecheap DNS |
Bundled with domain registration. Slow, no DDoS, basic feature set. |
"GoDaddy DNS is a free add-on to a registrar. We're a real DNS service — fastest in the world per DNSPerf, DDoS-protected, also free. Easy migration: change the nameservers." |
| Dyn (Oracle) |
Legacy player. Famous 2016 outage that took down Twitter, Reddit, Spotify. Now part of Oracle, declining. |
"Dyn was the cautionary tale in DNS resilience. If multi-provider DNS is on the table, Enterprise gives you Secondary DNS so you're never single-provider again." |
| Google Cloud DNS |
Bundled with GCP. Per-query pricing. Less performant globally than Cloudflare. |
"Google Cloud DNS is fine if you're inside GCP. Outside of it, we're meaningfully faster (DNSPerf) and flat-priced." |
Load Balancing
| Competitor | Key differentiator | How to win |
|---|
| F5 BIG-IP |
On-premises hardware. Powerful, expensive, complex. Enterprise standard for traditional data centers. |
"F5 hardware is a great solution for 2010. Today the load balancer should live at the edge with your CDN and WAF, not in a rack. Same outcome, far less operational pain, no hardware refresh cycles." |
| AWS ELB / ALB |
Bundled with AWS. Region-specific. Doesn't extend across clouds. |
"ALB is great inside one AWS region. The moment you go multi-region, multi-cloud, or hybrid, the math breaks. Ours is global anycast and works wherever your origins are." |
| NS1 Traffic Steering |
DNS-based traffic management. Good for geo-routing. |
"NS1 does it at the DNS layer; we do it at the edge proxy, which lets us react to real-time health, geo, and load with no DNS TTL lag." |
Application Security
DDoS Protection All Plans (Unmetered)
| Competitor | Key differentiator | How to win |
|---|
| AWS Shield Advanced |
~$3,000/month base + bandwidth fees during attacks. Only protects AWS-hosted resources. Requires Shield Response Team add-on for human help. |
"Shield Advanced charges you ~$3k a month plus surge bandwidth fees during an attack — the worst time to send your CFO a bigger bill. We're unmetered on every plan, including Free. We've never charged for attack traffic, ever." |
| Akamai Prolexic |
Premium DDoS scrubbing. Enterprise sales motion. Strong reputation for handling massive attacks. Expensive — often six figures annually. |
"Prolexic is solid but priced for the Fortune 100. We absorbed 31.4 Tbps recently — the largest publicly recorded attack. Same protection ships unmetered on every plan." |
| Imperva DDoS Protection |
Mature scrubbing service. Smaller network than us. Often paired with their WAF. |
"Imperva's network is meaningfully smaller — our 500+ Tbps capacity absorbs attacks they'd struggle with. And we don't charge during attacks." |
| Radware |
Legacy DDoS appliance vendor moving to cloud. Strong in financial services on-prem. |
"Radware appliances have fixed capacity — if the attack exceeds the box, you're offline. Our anycast network distributes the attack across 330 cities, so volumetric attacks become trivial." |
| Arbor / Netscout |
ISP-grade DDoS scrubbing hardware. Network operators use it. Not really comparable for application-layer attacks. |
"Arbor is great for ISP backbone protection. We're application-layer protection at the edge, which is where modern attacks (L7 floods, slow-loris, HTTP/2 abuse) actually happen." |
WAF Pro+
| Competitor | Key differentiator | How to win |
|---|
| AWS WAF |
Per-rule + per-request pricing. Costs spike during attacks. Managed rules cost extra. No threat intel of our scale. |
"AWS WAF charges per rule per month plus per million requests. During an attack, your bill goes up. Ours is flat per zone with rules included. Plus we see ~20% of web traffic globally — our threat intel updates rules in hours, not days." |
| Imperva (formerly Incapsula) |
Mature WAF with deep tuning options. Strong in finance and gov. Per-deployment pricing tends to be expensive. |
"Imperva's WAF is feature-rich, but you pay for it — both in dollars and in the SE time to tune it. Ours catches the OWASP top 10 out of the box and is updated continuously by our threat intel team. Time-to-protection is hours, not weeks." |
| F5 Advanced WAF / NGINX App Protect |
On-prem hardware or self-hosted. Powerful but operationally heavy. Customer manages rules and updates. |
"F5 means hardware, hardware refresh cycles, and a team to manage rules. Cloud WAF is the modern model — we manage the platform, customer manages policy, no boxes to rack." |
| Akamai Kona / App & API Protector |
Premium WAF tier on Akamai. Strong product. Enterprise pricing. |
"Kona is solid. Two questions worth asking: are you also paying separately for bot management, DDoS scrubbing, and a CDN? Because we bundle all of that, typically at 40-60% less." |
| Fastly Next-Gen WAF (Signal Sciences) |
Behavioral WAF with strong developer ergonomics. Smaller threat intel surface than us. |
"Signal Sciences pioneered behavioral WAF and it's a credible product. Where we win: scale of threat intelligence (~20% of web traffic), faster zero-day rule deployment, and integrated bot management." |
Bot Management Enterprise
| Competitor | Key differentiator | How to win |
|---|
| HUMAN (formerly PerimeterX) |
Bot-only specialist. Sophisticated detection. Premium pricing. Sits in front of the customer's stack as a separate layer. |
"HUMAN is genuinely strong on bot detection. The tradeoff: another vendor, another contract, another integration, another latency hop. We're built into the same platform handling your CDN/WAF/DDoS — same detection quality, no extra latency, lower total cost." |
| DataDome |
Bot-focused, popular in ecommerce. Strong real-time detection. Per-request pricing. |
"DataDome is a good standalone bot product. We do the same job inside the same platform doing your CDN and WAF — and our bot score is exposed directly to your WAF rules and Workers for arbitrary custom logic." |
| Kasada |
Bot-focused with a sophisticated client-side approach (JavaScript challenges). Newer player, growing. |
"Kasada's client-side challenge model is clever but adds latency to every request. We classify at the edge with minimal latency, then apply challenges only when needed. Better user experience for legitimate visitors." |
| Akamai Bot Manager |
Premium product on Akamai. Strong detection. Large minimum spend. Slow deployment cycles. |
"Akamai Bot Manager is a Cadillac product at a Cadillac price. We deploy in hours, not weeks, and the bot score is programmatically accessible everywhere — rules, Workers, analytics, logs." |
| F5 Distributed Cloud Bot Defense (Shape) |
F5 bought Shape Security. Strong on credential stuffing detection. Enterprise sales motion. |
"Shape was great at credential stuffing detection specifically. We cover the same problem plus the broader bot universe (scraping, scalping, fake signups, ad fraud, API abuse) in one product." |
| AWS WAF Bot Control |
Bundled with AWS WAF as a managed rule group. Basic categorization, no behavioral analysis. |
"Bot Control catches the obvious stuff — known bot user agents, basic patterns. It won't catch credential stuffing, scrapers using residential proxies, or sophisticated automation. If bots are a real business problem, it's not the answer." |
API Shield Enterprise
| Competitor | Key differentiator | How to win |
|---|
| Salt Security |
API-only specialist. Deepest API security feature set in market. Premium pricing. Adds latency hop. |
"Salt is the depth leader in pure API security. The question is whether you want a separate product and contract just for APIs, or APIs as part of your unified WAF/Bot/DDoS platform. For 80% of API security use cases, we're equivalent at a fraction of the cost." |
| Noname Security |
API security specialist. Discovery + posture + runtime protection. Recently acquired by Akamai. |
"Noname has strong API discovery. Now under Akamai, you're betting on Akamai's integration roadmap. We've had API Shield integrated with our platform for years." |
| Traceable AI |
API security + observability angle. Distributed tracing focus. Specialist product. |
"Traceable's distributed tracing angle is unique. For pure API protection (schema validation, JWT, sequence analytics, sensitive data detection), API Shield is built in and doesn't require a separate trace collection layer." |
| AWS API Gateway |
An API management product, not API security. Handles auth, throttling, billing. Not comparable to API Shield. |
"API Gateway manages APIs — auth, throttling, billing. API Shield secures APIs — schema validation, sequence analytics, sensitive data detection. They solve different problems; customers often run both." |
| Imperva API Security |
API protection module on top of Imperva WAF. Integrated with their existing customers. |
"Imperva's API module is a sensible add-on for existing Imperva customers. For greenfield, we get you to the same outcome with less operational complexity and lower TCO." |
Rate Limiting Pro+
| Competitor | Key differentiator | How to win |
|---|
| AWS WAF Rate-Based Rules |
Per-rule per-IP only. 5-minute fixed window minimum. Limited characteristics. |
"AWS rate limiting is per-IP only with rigid windows. We support per-session, per-JWT, per-header, per-ASN, sliding windows, and response-based counting — way more accurate for real abuse patterns." |
| Imperva Rate Limiting |
Part of their WAF stack. Solid but locked to their platform. |
"Imperva's rate limiting is fine if you're already on Imperva. We give you the same controls with multi-characteristic counting on Pro+, no extra license." |
| Custom application-layer code |
Customer writes rate limiting in their app or via Redis. Common pattern in homegrown setups. |
"Application-layer rate limiting means the attack already reached your servers — the worst time to defend. We block at the edge before traffic touches your origin, which protects performance AND security." |
Developer Platform
Workers Free + Paid
| Competitor | Key differentiator | How to win |
|---|
| AWS Lambda |
Largest serverless platform by far. Container-based, region-locked, cold starts 100ms-2s+. Charges per request + per GB-second of memory. |
"Lambda is region-based and cold-starts in hundreds of milliseconds, especially for Java/.NET. Workers run on V8 isolates globally with sub-5ms cold starts. For latency-sensitive logic (auth, personalization, A/B testing), it's a different category." |
| AWS Lambda@Edge |
Lambda at CloudFront edge locations. Slower cold starts than Workers, fewer regions, more limitations. |
"Lambda@Edge runs in a subset of CloudFront PoPs with significant limits — small payloads, no environment variables, no most Node APIs. Workers runs everywhere we do, with a full developer platform behind it." |
| Vercel Functions / Edge Functions |
Same underlying tech we use (V8 isolates), bundled with Vercel hosting. Tied to Vercel deployment model. |
"Vercel actually runs their Edge Functions on our infrastructure originally. Going direct gets you the same performance without the Vercel markup, and lets you integrate with R2, D1, KV, Queues, Durable Objects, and Workers AI natively." |
| Fastly Compute@Edge |
WebAssembly-based serverless. Strong performance. Smaller network than ours. |
"Compute@Edge is technically credible but the Wasm-first model has a learning curve. Workers supports JavaScript, TypeScript, Rust, Go, Python (via Wasm) — pick the language your team already knows." |
| Deno Deploy |
From the Deno team. Modern, V8-based. Smaller network. Less mature ecosystem. |
"Deno Deploy is a great developer experience. Our platform is broader — production maturity, larger network, more storage/compute primitives, enterprise support." |
| Self-hosted (Express/FastAPI/etc.) |
Customer runs their own servers somewhere. Full control, full operational responsibility. |
"Self-hosted gives you full control and full operational burden — servers, scaling, patching, monitoring. Workers eliminates the operational layer for stateless logic. Most customers keep their existing app, just push auth/personalization/edge logic to Workers." |
Workers AI Paid
| Competitor | Key differentiator | How to win |
|---|
| OpenAI API |
Frontier closed models (GPT-4, GPT-5). Best reasoning. Expensive at scale. Data leaves customer environment. |
"OpenAI is the right choice for complex reasoning tasks. For everyday workloads — classification, extraction, summarization, RAG — open models on Workers AI are dramatically cheaper, faster (edge inference), and keep your data on Cloudflare. Most customers use both, OpenAI for the hard stuff." |
| Anthropic Claude |
Excellent reasoning and writing. Premium pricing. External provider. |
"Claude is best-in-class for nuanced writing and reasoning. Workers AI complements it — use Claude where its strengths matter, use Workers AI for the high-volume routine tasks where Llama 3.3 is plenty smart and 10x cheaper." |
| AWS Bedrock |
Multi-model gateway in AWS. Hosts Claude, Llama, Mistral, Titan, etc. Region-locked. Per-model pricing. |
"Bedrock keeps you in AWS, which is a feature if you're all-in on AWS. Workers AI inference happens at the edge close to your users, which matters for latency-sensitive applications. And AI Gateway lets you proxy Bedrock too if you want one observability layer for all of it." |
| Groq / Together / Replicate |
Open model hosting providers. Often faster on raw inference. Different network footprints. |
"Groq is genuinely fast on inference latency. Workers AI gives you inference plus the surrounding platform — Vectorize for RAG, AI Gateway for observability, R2 for training data, Workers for orchestration. One platform vs stitching four together." |
| Self-hosted on GPUs |
Customer runs models on their own GPU infrastructure. Full control. Major capex and ops burden. |
"Self-hosting AI means buying or renting GPU capacity 24/7 even when not used, plus running the inference stack. Workers AI is pay-per-inference with no idle costs and globally distributed serving." |
Pages Free + Paid
| Competitor | Key differentiator | How to win |
|---|
| Vercel |
Best-in-class Next.js DX. Strong polish. Expensive bandwidth ($40+/TB) once you scale. Per-seat pricing. |
"Vercel has beautiful DX, especially for Next.js. Two practical issues at scale: bandwidth surprises (their billing spikes are well documented) and per-seat pricing. Pages has unlimited bandwidth on free tier and no per-seat cost — meaningful for big teams." |
| Netlify |
Early static hosting leader. Strong build pipeline. Bandwidth-based pricing. |
"Netlify pioneered the Git-to-deploy model. We're feature-parity at this point with the upside of unlimited bandwidth and tight integration with our security/compute platform." |
| AWS Amplify / S3 + CloudFront |
DIY static hosting on AWS. Flexible but operationally heavy. Egress charges accumulate. |
"S3 + CloudFront works, but you're stitching together storage, CDN, and a build pipeline yourself. Pages does all of that in one place, with no egress charges and integrated security." |
| GitHub Pages |
Free static hosting for GitHub repos. Limited (no custom build, no compute). Good for docs. |
"GitHub Pages is great for personal blogs and OSS docs. For anything with backend logic, custom domains beyond apex, or real traffic, Pages handles it without the limits." |
R2 / Object Storage Free + Paid
| Competitor | Key differentiator | How to win |
|---|
| AWS S3 |
The de facto standard. Charges $0.09/GB egress. Lock-in pattern: cheap to put in, expensive to read out. |
"S3 is great until you actually read your data. We're S3-compatible API, ~35% cheaper storage, and zero egress fees. Customers routinely save 60-80% just on egress. Migration via Super Slurper is a weekend project." |
| Google Cloud Storage |
GCS has similar egress charges to S3. Bundled with GCP workloads. |
"GCS is fine inside GCP, but you're paying egress every time data leaves. R2 is zero egress with the same durability guarantees." |
| Azure Blob Storage |
Microsoft's S3 equivalent. Similar egress economics. |
"Blob Storage works inside Azure. R2 is zero egress and S3-compatible — same migration story as moving from S3." |
| Backblaze B2 |
Cheap storage specialist. Lower egress than AWS. Smaller global footprint. |
"Backblaze has been the cheap-storage option for years. R2 matches the storage price and beats them on egress (zero vs $0.01/GB), plus we have a real global edge for serving." |
| Wasabi |
Another cheap S3-compatible storage option. Egress free but limited use cases. |
"Wasabi was the original 'no egress fees' play, but the network is small and they have download caps. R2 is no egress, no caps, and runs on our global edge." |
Stream / Video Paid
| Competitor | Key differentiator | How to win |
|---|
| Mux |
Developer-first video platform. Deep analytics. Per-minute pricing similar to ours. |
"Mux is a great product, especially their analytics. We're price-competitive and integrated with the rest of our platform — Workers, R2, signed URLs, Access. Better total-cost story when you're already on us." |
| AWS MediaConvert + S3 + CloudFront |
Stitched-together solution. Powerful but complex billing across multiple services. |
"AWS gives you encoding, storage, and delivery as separate line items, each metered separately. Stream is one per-minute price including all of it. Simpler, often cheaper, definitely less ops." |
| JW Player / Brightcove |
Full-featured enterprise video platforms with monetization, analytics, marketing. Pricey. |
"JW and Brightcove are video CMS platforms — they include things like marketing tools, recommendation engines, ad insertion. If you need video infrastructure (encode, deliver, secure), Stream is the developer-first answer at a fraction of the cost." |
| Vimeo / Wistia |
Hosted video services. Vimeo is consumer-tilted, Wistia is marketing-focused. Limited developer control. |
"Vimeo and Wistia are great for marketing video with their built-in tools. For embedded product video (tutorials, in-app, paywalled content), Stream gives you direct control without their UI in your product." |
| YouTube |
Free, biggest reach. Plays YouTube ads on your video. Their branding, their player, their recommendations. |
"YouTube is great for reach. Stream is for video that's part of your product — no ads, no related videos, no YouTube branding. Full control over the player and the experience." |
Zero Trust / SASE
Zero Trust / Access (ZTNA) Per-seat
| Competitor | Key differentiator | How to win |
|---|
| Zscaler ZPA |
Market leader in ZTNA. Strong enterprise sales motion. Largest ZTNA-only network. Pricey at scale. |
"Zscaler ZPA is the leader on pure ZTNA, no question. We win on three axes: (1) unified platform with WAF/DDoS/CDN/Workers, not just ZTNA; (2) typically 30-50% lower TCO at the same seat count; (3) faster pilot deployments — weeks vs months." |
| Palo Alto Prisma Access |
Strong SASE play. Deep inspection capabilities (DLP, sandboxing). Premium pricing. Heavy operational footprint. |
"Prisma has deeper packet inspection and DLP maturity in some areas. Where we win: deployment speed (hours to pilot vs weeks), unified platform (their SASE doesn't include CDN/WAF/DDoS), and price. We've closed most of the inspection-feature gap recently." |
| Netskope |
Strong on SWG/CASB. ZTNA is a more recent addition for them. Premium pricing. |
"Netskope started in SWG/CASB and added ZTNA later. We started Zero Trust from day one and the integration with our broader platform is tighter. For greenfield SASE deployments, we're usually faster to value." |
| Tailscale |
Peer-to-peer mesh VPN. Great for small teams and developers. Less enterprise-y. |
"Tailscale is awesome for engineering teams and small companies. For organizations needing identity-based policy, device posture, compliance audit logs, and SaaS app protection — Access is the enterprise-grade answer." |
| Twingate |
ZTNA startup. Modern UX. Smaller network. Less mature than Zscaler/us at enterprise scale. |
"Twingate is a good product with strong UX. Where we win: scale of the underlying network, integration with the rest of Cloudflare, enterprise compliance certifications (FedRAMP, etc.)." |
| Traditional VPN (Cisco AnyConnect, Palo GlobalProtect, Fortinet) |
The thing we're replacing. Customer connects to network, then can reach everything. Lateral movement risk. |
"VPNs were designed for an office-bound workforce. Today, lateral movement after credential compromise is the #1 breach vector. Zero Trust removes the network from the equation entirely — users authenticate to apps, not networks." |
Gateway / SWG Per-seat
| Competitor | Key differentiator | How to win |
|---|
| Zscaler ZIA |
Leader in cloud SWG. Mature DLP and inspection. Premium pricing. |
"ZIA is the SWG incumbent. We're typically faster to deploy (cloud-native vs their slightly older architecture), simpler policy model, and significantly cheaper. Plus same network as our WAF/DDoS — unified platform." |
| Netskope |
Strong CASB integration with SWG. Premium pricing. |
"Netskope's CASB depth is real. For most SWG use cases — DNS filtering, malware blocking, content categories, DLP — we're feature-comparable with much simpler ops and pricing." |
| Cisco Umbrella (formerly OpenDNS) |
DNS-layer filtering leader. Now part of Cisco. Strong at DNS but limited beyond it. |
"Umbrella is strong on DNS filtering. We do that AND L4/L7 inspection AND DLP AND RBI AND CASB in one product. Usually cheaper at scale and simpler to operate." |
| Menlo Security |
Pioneered remote browser isolation. SWG with isolation-first approach. |
"Menlo's RBI is well-regarded. Browser Isolation is built into our Gateway product — same outcome without a separate vendor and contract." |
| iboss |
Cloud-based SWG. Mid-market focus. |
"iboss serves mid-market well. For enterprise customers who need integration with WAF, DDoS, ZT in one platform, we typically win on consolidation." |
| Forcepoint |
Legacy SWG with strong DLP. Acquired Bitglass for CASB. Complex pricing. |
"Forcepoint has strong DLP heritage. We're getting there fast and the unified platform is much simpler to deploy and operate." |
CASB
| Competitor | Key differentiator | How to win |
|---|
| Netskope CASB |
Market leader in pure CASB. Deepest SaaS integration catalog. |
"Netskope CASB depth is the standout. We've built out the most common SaaS integrations (M365, Google Workspace, Salesforce, etc.) and our CASB is included with Zero Trust — no separate license." |
| Microsoft Defender for Cloud Apps |
Bundled with M365 E5. Native to Microsoft 365 ecosystem. |
"Defender for Cloud Apps is the obvious choice if you're already on E5. For organizations not all-in on Microsoft, our CASB plus the rest of our SASE platform is a stronger consolidation story." |
| Palo Alto Prisma SaaS |
Part of the broader Prisma platform. Solid feature set. |
"Prisma SaaS is integrated into their SASE story. We do the same in our Zero Trust suite, usually faster to deploy and lower TCO." |
DLP (Data Loss Prevention)
| Competitor | Key differentiator | How to win |
|---|
| Forcepoint DLP |
Legacy DLP leader. Deepest detection rules. Premium pricing. Complex deployment. |
"Forcepoint has the deepest DLP rule library in the industry. We cover the practical DLP use cases (PII, PCI, source code, custom regex) integrated into Gateway. Most customers don't need Forcepoint's depth — they need DLP that actually gets deployed." |
| Symantec DLP (Broadcom) |
Legacy DLP. On-prem heritage. Now under Broadcom. |
"Symantec DLP is the enterprise legacy choice. We're the modern cloud-native answer with significantly less operational burden." |
| Microsoft Purview DLP |
Bundled with M365 E5. Strong inside the Microsoft ecosystem. |
"Purview is native to M365. For traffic going outside M365 (general internet, other SaaS apps), Gateway DLP catches what Purview can't see." |
Browser Isolation (RBI)
| Competitor | Key differentiator | How to win |
|---|
| Menlo Security |
Pioneered RBI. Pure-play isolation. Premium product. |
"Menlo built the category. We built RBI into Gateway so it's one platform, one contract. For customers buying a unified SASE stack, no need for a separate RBI vendor." |
| Zscaler Browser Isolation |
Bundled into Zscaler SASE. Mature. |
"Zscaler bundles RBI like we do. If you're on us for ZT/SWG, our RBI is included — no need to stand up Zscaler just for isolation." |
| Island Browser |
Different category — enterprise browser, not just isolation. Replaces Chrome on managed devices. |
"Island is an enterprise browser, fundamentally different model. RBI streams pixels of a remote browser to any device, no client install needed. For BYOD scenarios, RBI wins; for managed-device-only environments, evaluate both." |
Network
Magic WAN Enterprise
| Competitor | Key differentiator | How to win |
|---|
| Traditional MPLS (AT&T, Verizon, Lumen, etc.) |
Private network lines between offices. Expensive, slow to change, requires telco contracts. |
"MPLS works — for a price. New sites take weeks, contracts are long, and it doesn't extend to public cloud. Magic WAN gives you the same connectivity over internet at typically 30-70% cost savings, with new sites in hours." |
| Cato Networks |
SASE-native competitor. Strong on SD-WAN + SASE convergence. Smaller network than us (~80 PoPs vs 330+). |
"Cato pioneered SASE convergence and they're a credible product. Where we win: 4x larger network footprint, broader platform (our DDoS, WAF, CDN are best-in-class), and usually lower TCO at scale." |
| Aryaka |
Managed SD-WAN with a global private backbone. Strong in Asia. Premium pricing. |
"Aryaka has a solid backbone in Asia. We have a larger global footprint and tighter integration with security. Often we partner — they handle SD-WAN at the branch, traffic terminates into our backbone." |
| Cisco SD-WAN (formerly Viptela) |
Strongest brand recognition. Appliance-heavy. Customers comfortable with Cisco ecosystem. |
"Cisco's strength is the appliance footprint and partner network. We complement rather than replace — many customers run Cisco SD-WAN at the branch and terminate into our backbone for the WAN/security side." |
| VMware VeloCloud |
Major SD-WAN player. Now under Broadcom. Future direction uncertain. |
"VeloCloud's future under Broadcom is uncertain. If you're evaluating SD-WAN now, that uncertainty alone is worth considering. We're a long-term-stable partner." |
| Versa Networks |
SASE-native, growing. Strong on multi-tenant for service providers. |
"Versa is a good product. We have native integration with their SD-WAN as a partner — branch terminates into our backbone, single security policy plane across both." |
| Fortinet Secure SD-WAN |
Bundled with Fortinet security. Strong if customer is already a FortiGate shop. |
"Fortinet works well if you're already deployed on FortiGate. We have native partner integration so you can keep FortiGate at the branch and use our backbone for transport and security." |
Magic Transit Enterprise
| Competitor | Key differentiator | How to win |
|---|
| Akamai Prolexic |
Premium network DDoS scrubbing. Strong reputation. Six-figure annual contracts typical. |
"Prolexic is the legacy gold standard. We absorbed a 31.4 Tbps attack — they haven't publicly absorbed anything close. Same protection at a fraction of the cost, with the rest of our platform alongside." |
| AWS Shield Advanced |
Only protects AWS workloads. Doesn't cover on-prem or other clouds. |
"Shield Advanced protects AWS. Magic Transit protects anything that has an IP address — your data centers, other clouds, anywhere." |
| Imperva DDoS |
Solid network DDoS. Smaller capacity than us. |
"Imperva's capacity is meaningfully smaller. Our 500+ Tbps network absorbs attacks that would saturate theirs." |
| Lumen / CenturyLink DDoS |
Telco-bundled DDoS, often included with transit. Limited capacity for big attacks. |
"Telco-bundled DDoS is fine for small-scale attacks. For anything serious, capacity matters — and our network capacity exceeds the largest telco scrubbing centers." |
Email
Email Security (formerly Area 1) Paid
| Competitor | Key differentiator | How to win |
|---|
| Proofpoint |
Email security incumbent. Strongest brand. Premium pricing. Mostly post-delivery model. |
"Proofpoint is the incumbent and a solid product. Our differentiators: pre-delivery detection via MX inline (Proofpoint is largely post-delivery on M365), infrastructure-based analysis (we see ~20% of web traffic to identify malicious infrastructure before campaigns launch), and integration with Browser Isolation. Independent tests like SE Labs show us outperforming on the sophisticated stuff (BEC, lookalikes)." |
| Mimecast |
Strong email security + archive. Mature platform. Premium pricing. |
"Mimecast's strength is the archive and continuity story. We focus on detection — pre-delivery, infrastructure-based, with independently verified superior catch rates on BEC and lookalike domains. Customers often pair us (detection) with Mimecast (archive)." |
| Abnormal Security |
API-based behavioral detection. Modern competitor. Strong on BEC. Growing fast. |
"Abnormal is the closest comp to what we do. Differences: we offer pre-delivery (MX inline) deployment for the highest catch rates, plus integration with our broader Zero Trust platform. Both are credible — bake-offs usually come down to deployment model and price." |
| Microsoft Defender for O365 |
Bundled with M365. Free if you have E5. Catches ~70-80% of phishing per independent tests. |
"Defender catches the obvious stuff well. The sophisticated attacks — BEC, lookalike domains, vendor compromise, conversational phishing — slip through more often than customers realize. SE Labs and independent tests consistently show third-party email security outperforming on those vectors. One blocked wire fraud often pays for the product for years." |
| Google Workspace built-in |
Bundled with Google Workspace. Good baseline, weaker on advanced attacks. |
"Same story as Microsoft — Google's built-in protection is decent on commodity threats but sophisticated phishing gets through. Our pre-delivery detection and infrastructure analysis catch what slips by." |
| IronScales |
Mid-market email security. AI-augmented. Growing. |
"IronScales serves mid-market well. For enterprise customers wanting unified security across email + web + apps, we're the consolidation play." |
Reference
Quick "who is who?" — competitor short codes
When you hear a name on a call and want to recognize what's in scope.
| If they say… | It's probably… | First-instinct pivot |
|---|
| Akamai | CDN, WAF (Kona), Bot Manager, Prolexic DDoS, Linode (compute) | Unified platform + price comparison. Their stack is multiple products on multiple contracts. |
| Imperva | WAF, DDoS, API Security, Bot, Cloud Data Security | Operational simplicity + cloud-native vs their on-prem heritage. |
| F5 | BIG-IP (LB/WAF), Distributed Cloud, NGINX, Shape (bots) | Cloud-native edge vs their data-center-centric model. |
| Zscaler | ZIA (SWG), ZPA (ZTNA), Internet Access, Private Access | Unified platform — they do SASE only. We do SASE + WAF + CDN + DDoS + dev platform. |
| Palo Alto | Prisma Access (SASE), Prisma SD-WAN, Prisma Cloud (CNAPP) | Faster deployment, unified platform, lower TCO. |
| Netskope | SWG, CASB, ZTNA, DLP | Broader platform — they're SASE-focused, we add WAF/DDoS/CDN. |
| AWS | CloudFront, WAF, Shield, S3, Lambda, Route 53 | Egress economics + multi-cloud + unified platform. |
| Fastly | CDN, Signal Sciences WAF, Compute@Edge | Larger network (~4x), broader security stack, simpler pricing. |
| Vercel | Pages, Edge Functions, KV (alternative dev platform) | Unlimited bandwidth, no per-seat, native security integration. |
| HUMAN / DataDome / Kasada | Bot management specialists | Same detection quality, integrated platform, no separate vendor. |
| Proofpoint / Mimecast / Abnormal | Email security | Pre-delivery detection + integration with web/app security. |
| Salt / Noname / Traceable | API security specialists | API Shield integrated with WAF/Bot/DDoS in one platform. |
| Tailscale / Twingate | ZTNA alternatives, often for engineering teams | Enterprise-grade compliance, integration with broader platform. |
Universal positioning lines
Reusable framing that works across competitive conversations.
The "unified platform" angle
"Almost everybody on the list does one or two things well. We're the only platform doing CDN, DDoS, WAF, Bot Management, API Security, Zero Trust, SASE, Workers, and storage at the level you'd buy each one standalone. The integration matters — same threat intel, same network, same policy plane. That's the consolidation play."
The "egress economics" angle
"Most clouds charge you when data leaves their network — that's how they lock you in. We don't charge egress from our edge, ever. Combined with R2's zero egress and Workers' edge compute, you can build entire architectures that just don't have the punitive cost structure other clouds have."
The "deploy speed" angle
"Compare deployment timelines. Most of our competitors are weeks-to-months to value. We can have you live in production with WAF, DDoS, CDN in hours. For ZT and SWG, days. Speed matters because security delayed is security denied."
The "threat intel scale" angle
"We see roughly 20% of all web traffic on the internet. Nobody else has that visibility — not Akamai, not AWS, not the security specialists. That's the basis of our managed rules, our bot intelligence, our DDoS signatures. Scale of intelligence directly converts to faster protection."
When to be honest about losing
Some competitors genuinely are better for specific use cases. Don't oversell. Examples: Salt Security has deeper pure API security analytics; Forcepoint has deeper DLP rule library; Imperva has mature on-prem-style WAF tuning. Acknowledge these honestly, then position around our broader platform value.
The "don't disparage" rule
Customers can smell competitive bashing from a mile away and it costs you credibility. State facts neutrally. "Akamai has been doing this for 25 years — they're a serious product. Here's how we're different." Acknowledge strength, then differentiate.