Cloudflare One

• Purpose-built edge network — all SSE services run natively on Cloudflare's own global infrastructure
• Single-pass inspection — DNS, SWG, ZTNA, DLP, RBI enforced at the same PoP in one pass
• One policy plane — unified rules across all products, single control surface
• Composable — programmable with Workers; integrates natively with Cloudflare's full stack (WAF, DDoS, CDN)
• Security-first origin — built from WAF/DDoS expertise, not networking appliances

• WAN-centric origin — Secure Access is built on Meraki SD-WAN and Umbrella DNS foundations
• Assembled from acquisitions — Umbrella (DNS/SWG), Duo (MFA), ThousandEyes (observability), AnyConnect/VPN — separate products, separate consoles
• Multiple policy engines — "public" vs. "private" policies create separate rule sets
• Traditional network focus — heavy L3 networking primitives (DHCP, IP, FQDN objects)
• Launched Nov 2023 — relatively new unified platform with immature integrations

Cloudflare One Network

• Anycast architecture — traffic routed to nearest PoP automatically
• Private backbone for inter-PoP transit (no public internet hops)
• Post-quantum cryptography enabled by default on all connections

• Traffic may traverse public internet between regional PoPs
• ThousandEyes DEX is a separate product (requires additional licensing)
• Latency can increase for users far from a regional PoP

• Agentless clientless access via browser for web apps, SSH, RDP, VNC
• Any IdP — Okta, Azure AD, Google, SAML, OIDC, hardware keys
• Device posture — CrowdStrike, SentinelOne, Intune, serial, OS version, disk encryption
• App connector (Cloudflare Tunnel) — outbound-only, no inbound firewall holes
• Private network access — IP/CIDR routing via WARP for non-web resources
• Service auth — mTLS and service tokens for M2M access

• Client-dependent — AnyConnect / Cisco Secure Client required for most scenarios
• Cisco-centric IdP — Duo is the preferred MFA; 3rd-party IdPs require additional config
• Device posture — ISE integration for posture; requires separate ISE licence
• Connector groups — complex to configure; mixes firewall and ZTNA concepts
• No clientless RDP/SSH — no native browser-based clientless access
• Policy fragmentation — separate "private" vs "public" policy namespaces

• DNS + HTTP + L4 Firewall — full stack in one pass, single policy engine
• TLS inspection at edge — no performance hairpin; PQC-ready by default
• 1.1.1.1 threat intelligence — Cloudflare's own DNS resolver; real-time threat feed from ~20% of web traffic
• Malware scanning — file uploads/downloads scanned inline
• Shadow IT discovery — automatic via CASB in the same dashboard
• DNS filtering included — no additional cost on any tier

• DNS + SWG via Umbrella — mature product (acquired 2015) but historically a separate SKU
• Cisco Talos threat intel — strong feed but separated from network telemetry
• TLS inspection available but requires Secure Access Client deployment
• Malware sandbox — Cisco Threat Grid is a separate product (links out of dashboard)
• Limited CASB integration — inline controls for only ~5 SaaS apps
• Umbrella brand transition — existing customers mid-migration to Secure Access UI

DLP

• Exact data match (EDM) — prevent leakage at scale
• ML classifiers for PII, PCI, PHI, source code, credentials
• Inline HTTP DLP — inspect uploads/downloads in real time
• AI-aware DLP — detects data submitted to LLMs (ChatGPT, Copilot)

CASB

• Inline CASB — block upload/share/download in real time
• API CASB — continuous posture scanning (M365, GWS, Salesforce, GitHub, Slack…)
• Shadow IT discovery — auto-detect unsanctioned SaaS apps

DLP

• DLP via SWG only — no dedicated DLP engine
• Limited classifiers; email DLP requires Cisco Secure Email (separate)
• No exact data match (EDM) documented
• No AI-aware DLP for LLM leakage scenarios

CASB

• Inline CASB: ~5–6 apps only (M365, Google, Webex, YouTube Enterprise, Box)
• API CASB: separate product — limited breadth
• Webhook integrations only — no vendor-specific logic

• Built-in, no extra licence — included with Cloudflare One
• Fleet status dashboard — real-time device connectivity across all PoPs
• Synthetic monitoring — HTTP/ICMP tests from device to any target
• Per-user path tracing — traceroutes from device → PoP → destination
• Unified log explorer — query ZT, DNS, SWG, Access logs in one interface
• Cloudflare Radar integration — correlate user DEX with global Internet health

• Separate product / licence — ThousandEyes not included in Secure Access
• Separate UI — Secure Access links out to ThousandEyes; no unified experience
• Strong standalone — ThousandEyes is market-leading for network observability on its own
• No unified log plane — Gateway, ZTNA, DEX logs live in separate systems
• No cross-signal correlation — identity + device + network events not tied together

• Single console — Access, Gateway, DLP, CASB, Email, DEX all in one dashboard at one.dash.cloudflare.com
• One policy engine — unified rules across Zero Trust products; no "public vs private" split
• Unified logging — query all traffic in a single Log Explorer
• Full Terraform support — every resource manageable as code via the Cloudflare Terraform provider
• No external links for core features — everything lives in the same authenticated session

• Multiple consoles — Secure Access, ThousandEyes, Cisco ISE, Cisco Secure Email, Sandbox — separate auth, separate URLs
• Two policy namespaces — "private" (ZTNA) and "public" (internet) policies are separate builders
• Dashboard links out — Experience Insights → "Integrate ThousandEyes now" (separate product)
• Complex sub-navigation — some nav items contain 20+ sub-pages with wildly different designs
• Positive UX elements: dynamic rule summary builder; simple onboarding flow (connect users → connect networks → build policy)

• AI Gateway — proxy for LLM API calls; log, rate-limit, block, or cache AI traffic
• AI Firewall — filter toxic, prompt-injection, or policy-violating LLM content
• AI-aware DLP — detect source code, PII, and credentials being submitted to ChatGPT, Copilot, Gemini
• Shadow AI detection — identify unsanctioned AI tool usage via SWG telemetry
• Workers AI — Cloudflare builds AI infrastructure, giving unique insight into AI threat patterns
• Post-quantum by default — ML-KEM on all connections; no extra cost

• Limited AI-specific controls — basic ChatGPT URL blocking available via SWG; no dedicated AI governance layer
• No AI Firewall — no prompt-injection or LLM output filtering
• No shadow AI detection purpose-built feature in Secure Access
• Cisco XDR integration — cross-product threat correlation; requires additional Cisco licensing
• AI-assisted threat scoring — in Cisco Talos roadmap; not currently in Secure Access dashboard
• Post-quantum: TLS 1.3 supported; no PQC by default unlike Cloudflare

• Free tier up to 50 users — full Zero Trust capability, no credit card
• Per-user pricing — simple and predictable; scales linearly
• No hardware required — 100% cloud-delivered; no appliances
• Cloudflare Tunnel — free connector; no inbound firewall rules
• Network services included — Magic WAN, CNI for branch/HQ (Enterprise)
• Broad ecosystem — all major IdPs, EDR, SIEM, SOAR supported

• No free tier — enterprise licensing required from day one
• Complex SKUs — Umbrella, Duo, ISE, ThousandEyes, Secure Email sold separately
• Cisco-ecosystem bias — best with Meraki, Catalyst, ISE, AnyConnect already deployed
• Client migration required — AnyConnect → Cisco Secure Client transition
• SD-WAN dependency — SASE requires Meraki or Catalyst SD-WAN investment
• Umbrella EOL transition — existing customers mid-migration; potential disruption