Technical Partner Brief · May 2025

Cloudflare + Cythera
Smarter Security, Together

How Cloudflare's global network and platform capabilities complement Cythera's managed security services — delivering stronger outcomes for Australian organisations.

× Cythera

Jason Clarke · Senior Solutions Engineer · Cloudflare Western Australia

Part One

About Cythera

Australia's specialist cybersecurity partner — who they are and what they deliver

Australia's Cybersecurity Specialist

Who They Are

Cythera is a pure-play cybersecurity firm founded in 2018, now part of Bastion Security Group — backed by Quadrant Private Equity. The merger brings together Quantum Security, ZX Security, Helix Security, Cassini CTI, and Cythera under one regional platform.

150+ dedicated cybersecurity specialists
400+ clients across ANZ
Offices: Perth, Melbourne, Sydney, Brisbane, Auckland, Wellington
Sectors: Government, Healthcare, Financial Services, Education, Critical Infrastructure

What Makes Them Different

Human-led, not tool-led

Named analysts embedded with every client — not just alerts and dashboards

Local expertise, regional reach

Deep ANZ threat landscape knowledge, SOC operations based locally

Full-spectrum capability

From GRC and advisory through to red teaming and 24/7 MDR — all in-house

150+Cybersecurity specialists

400+ANZ clients

24/7SOC monitoring

19 minAvg. threat response

Service Portfolio — Four Practice Areas (1/2)

Assess & Improve

Identify gaps, benchmark maturity, plan the path forward

Penetration Testing (App, Network, Cloud, OT/SCADA)
Cyber Maturity Assessments — NIST CSF, Essential Eight
Audit & Assurance / ISO 27001
AI Penetration Testing · DevSecOps Review

Detect & Respond

24/7 threat visibility and rapid incident containment

MDR — Microsoft Sentinel, CrowdStrike, Rapid7 InsightIDR
Cassini Cyber Threat Intelligence (CTI)
Digital Forensics & Incident Response (DFIR)
Threat Hunting · Attack Surface Monitoring · 19 min avg. response

MDR technology stack: Microsoft Sentinel · CrowdStrike Next-Gen SIEM · Rapid7 InsightIDR · Swimlane SOAR — all operated from Cythera's local ANZ Security Operations Centre.

Service Portfolio — Four Practice Areas (2/2)

Protect & Secure

Always-on protection across every layer of the environment

Managed Protection (MSSP)
Security Architecture & Engineering
Endpoint Protection · Email Security
Web Filter, CASB & DLP
Vulnerability Management & Assessment

Advise & Empower

Strategic guidance, governance, and capability uplift

vCISO / Virtual Security Architect
GRC — SWIFT, PCI DSS, NIST, Essential Eight
Employee Cyber Training & Awareness
Certification & Accreditation
Executive & Board Reporting

ISO 27001 certified. Cythera supports 400+ clients across government, healthcare, financial services, education, and critical infrastructure across Australia and New Zealand.

The Partnership Opportunity

Cythera's clients need protection at the network and application layer — a gap that Cloudflare is purpose-built to fill. The combination creates an end-to-end security stack with no blind spots.

Cythera detects & responds

MDR, CTI, DFIR, threat hunting — human-led response after a threat enters the environment

Cloudflare prevents & enforces

Zero Trust, WAF, DDoS, Gateway, AI controls — stop threats before they reach the environment

Shared client outcomes

Clients get prevention + detection + response — a complete security lifecycle, not siloed tools

Resell & refer motions

Cloudflare's platform complements Cythera's existing MDR and MSSP practices — no overlap, high value-add

Australian compliance alignment

Essential Eight, Privacy Act NDB, IRAP — both vendors align to ANZ regulatory requirements

Perth presence

Cythera's Perth office at 152 St Georges Tce — Jason Clarke, Cloudflare SSE for Western Australia, is locally embedded

Part Two

The Cloudflare Platform

Global network · Zero Trust · Application security · AI infrastructure

One Global Network — Built for Everything

The Network

330+ cities in 125+ countriesIncluding ~30 locations in Mainland China

500 Tbps of network capacityInterconnected with ~13,000 networks globally

Within 50ms of 95% of the internetMore internet exchanges than any other provider

210+ cities running GPUsAI inference at the edge, globally distributed

Scale & Trust

215BThreats blocked per day (Q4 2025)

93MHTTP requests/sec avg

38%Fortune 500 are CF customers

31.4 TbpsLargest DDoS ever — auto-mitigated

Why this matters for Cythera's clients: Cloudflare's network is not a vendor appliance — it is the internet infrastructure itself. Every request is inspected, accelerated, and protected before reaching the customer environment.

Zero Trust & SASE — Cloudflare One

Cloudflare One replaces legacy VPN and perimeter architectures with identity-aware, context-driven access enforcement — delivered from the same global network, without additional hardware.

Access (ZTNA)

Identity-verified access to any application — cloud, SaaS, or on-prem. No VPN, no implicit trust, full audit trail.

Replaces VPN

Gateway (SWG)

DNS, HTTP, and network filtering for all users. Blocks malware, C2 traffic, and shadow IT without TLS inspection hardware.

Replaces proxy appliances

Magic WAN

SD-WAN replacement as a service — connect branches, datacentres, and clouds over Cloudflare's global network with built-in security.

Replaces SD-WAN

Browser Isolation

Executes web sessions in Cloudflare's network — malicious code never reaches the endpoint device. Ideal for unmanaged devices.

Endpoint protection

DLP

Scans data in-flight for PII, credentials, and IP — inline on all user traffic, no agents or inline proxies required.

Data loss prevention

CASB

SaaS security posture — discovers misconfigurations in M365, Google Workspace, and 50+ SaaS apps. No traffic redirection needed.

SaaS visibility

Analyst recognition: Gartner SASE MQ 2025 — Visionary Forrester Zero Trust Wave 2025 — Strong Performer Forrester SSE Wave 2025

Application & Network Security

Application Security Layer

WAF — Web Application Firewall Managed rulesets + custom rules. Blocks OWASP Top 10, zero-days, and targeted attacks. 2025 Forrester WAF Wave: Leader.

DDoS Mitigation — Unmetered Automated mitigation at 500 Tbps capacity. No attack traffic billing. Largest attack ever (31.4 Tbps) stopped automatically.

Bot Management ML-based bot scoring. Distinguishes legitimate automation from credential stuffing, scraping, and ATO attacks.

API Shield Schema enforcement, rate limiting, and sensitive data discovery for API endpoints — runtime protection, not design-time.

Network Security Layer

Magic Firewall Stateless network firewall enforced globally — replace legacy perimeter firewalls with software-defined rules at Cloudflare's edge.

Cloudflare Tunnel Outbound-only connectors that expose internal services without opening inbound ports. No firewall rule changes required.

Spectrum DDoS protection and TCP/UDP proxying for any application — SSH, RDP, game servers, custom protocols.

For Cythera pen testers & architects: Cloudflare's WAF, bot, and API controls integrate via Terraform and REST API — testable, auditable, and versionable like any infrastructure-as-code deployment.

Compute, Storage & Developer Infrastructure

Beyond security, Cloudflare provides the infrastructure to build and run applications globally — relevant when Cythera's clients are building new workloads or modernising architecture.

Workers

Serverless compute at the edge — V8 isolates, runs globally across 330+ locations. Sub-ms cold starts. Used by 38% of Fortune 500.

D1 & KV

Globally distributed SQL database and key-value store — serverless, no connection pooling, scales from zero.

R2 Storage

S3-compatible object storage with zero egress fees. Significant cost reduction for data-heavy workloads vs AWS S3.

Workers AI

Run inference on 50+ open models from the edge — LLaMA 3.3, Mistral, Qwen, Stable Diffusion. No GPU provisioning required.

AI Gateway

Proxy layer for all LLM API calls — rate limiting, caching, observability, DLP scanning on prompts and responses.

Containers

Run containerised workloads on Cloudflare's infrastructure — lightweight, globally distributed, no k8s management overhead.

Architecture relevance: For Cythera's security architecture practice — Cloudflare's developer platform enables building security-native applications with WAF, Zero Trust, and DLP baked in from day one, not bolted on.

Why Cloudflare — Business & Technical Outcomes

Proven Business Impact — Forrester TEI, Jan 2026

227%ROI over 3 years

<6 moPayback period

35%Reduction in IT ops time

20%Licensing cost reduction

vs. Zscaler: Single platform — no separate ZIA/ZPA. vs. Palo Alto Prisma: No proprietary hardware; true SaaS. vs. Fortinet: Cloud-native from day one — no appliance lifecycle costs.

Technical Architecture Advantages

Single control plane — Zero Trust, WAF, Gateway, AI security all managed from one dashboard
No inline hardware — enforcement in Cloudflare's network; no appliances to rack, patch, or scale
Terraform & API-first — every configuration is automatable and auditable as code
WARP agent or agentless — flexible for managed and unmanaged devices
No attack traffic billing — DDoS always unmetered regardless of scale
ISO 27001, SOC 2, FedRAMP — compliance certifications relevant to ANZ government and regulated sectors

Part Three

AI Security

The new threat surface every organisation faces — and how to govern it

AI Adoption Is Outpacing Security

Three distinct AI threat surfaces have emerged simultaneously — each requiring a different response. Most organisations, including Cythera's clients, are exposed on all three.

Your People

Employees using ChatGPT, Copilot, and Claude daily — often without IT visibility. Corporate data, customer PII, and source code leaving in prompts.

Shadow AI

Your Applications

Dev teams building AI-powered products calling LLM APIs directly — no control layer, no visibility into cost, data exposure, or provider failures.

API risk

Your AI Agents

Agents reading files, sending emails, querying databases. A single compromised agent can exfiltrate data or execute actions at machine speed.

Agentic risk

The common thread: Traditional perimeter security was not designed for AI. Cloudflare — already deployed at the network layer — addresses all three surfaces from a single platform without adding new vendors or agents.

Three Pillars. One Platform. One Dashboard.

Pillar 1

End-User Protection

Employees using AI tools in the browser

Products: Cloudflare One · Gateway · DLP · Browser Isolation · CASB

Outcome: Shadow AI visibility + data loss prevention

Pillar 2

App & API Security

Applications calling LLM APIs programmatically

Products: AI Gateway · DLP on prompts & responses · Rate limiting · Observability

Outcome: Cost control + resilience + full audit trail

Pillar 3

Agentic & MCP Security

AI agents accessing tools, APIs, and data

Products: MCP Portal (open beta) · AI Gateway · AI Security for Apps · Gateway

Outcome: Zero Trust governance for every agent action

75% of employees use AI tools at work. 60% without IT approval. — Industry surveys, 2024

$10k+ cost from a single runaway agent loop — in minutes, without spend controls

MCP Model Context Protocol — the emerging standard for agent-to-tool connectivity. Governance is lagging adoption.

What Cloudflare Delivers — Pillars 1 & 2

Pillar 1 — End-User Protection

Complete VisibilitySee every AI tool in use — including unapproved shadow AI apps

Data Loss PreventionScan prompts and file uploads for PII, credentials, and IP before they reach any AI provider

Granular PolicyAllow, block, or restrict AI tools by user, group, device, or app — without blocking productivity

Compliance Audit TrailFull conversation logging with user attribution — supports Privacy Act NDB obligations

Pillar 2 — App & API Security

Cost ControlRate limits and budget caps per model, user, or app. Semantic caching cuts repeat API costs by up to 90%.

ResilienceAutomatic failover across 20+ LLM providers — if OpenAI is down, route to Anthropic or Workers AI

Full ObservabilityEvery prompt and response logged — token counts, latency, cost per request, guardrail triggers

DLP on Both DirectionsScan prompts before they reach the LLM and responses before they reach users — no TLS interception hardware

Pillar 3 — Governing AI Agents

The Risk Today

AI agents connected to your systems via MCP can:

Access tools and data beyond their intended scope
Be hijacked by malicious data returned from a tool call (prompt injection)
Connect to unvetted third-party MCP servers
Exfiltrate sensitive data at machine speed, without human review

MCP (Model Context Protocol) is the emerging standard for connecting AI agents to external tools. Adoption is accelerating — governance frameworks are not keeping pace.

What Cloudflare Delivers

Governed Tool Access

MCP Portal (open beta) gives agents a single, identity-enforced gateway to approved tools — only vetted servers are accessible

Shadow MCP Detection

Gateway detects and blocks employees connecting AI clients to unauthorised MCP servers outside the approved portal

Inbound App Protection

WAF-based AI Security scores every inbound prompt for injection risk and PII — protecting public-facing AI applications

Complete Audit Trail

Every tool call and LLM call logged centrally — who did what, when, with which agent. Supports board-level accountability.

AI Security — The Cythera + Cloudflare Story

Cythera's clients are adopting AI rapidly. Cythera's AI Penetration Testing capability identifies AI vulnerabilities — Cloudflare's platform enforces the controls to fix them at runtime.

Cythera Identifies

Prompt injection vulnerabilities in AI applications
Shadow AI usage across the organisation
Uncontrolled LLM API spend and data exposure
Weak agent governance and excessive permissions
Data leakage paths through AI tooling

Cloudflare Enforces

Inline DLP blocking on AI prompts and responses
Gateway policies to allow, block, or restrict AI tools
AI Gateway rate limits and spend caps per application
MCP Portal identity-enforcement on agent tool access
WAF injection scoring on every inbound AI request

227%ROI over 3 years — Forrester TEI, Jan 2026

<6 moPayback period — Forrester TEI, Jan 2026

FreeAI Gateway core features — observability, caching, rate limiting on any Cloudflare plan

Suggested Next Steps

Discovery Workshop — 1 hr

Map Cythera's client base against Cloudflare's product areas — identify the highest-value resell and refer opportunities by vertical and service line.

Joint PoC — 2–4 weeks

Deploy Cloudflare One or AI Gateway in a shared client environment. Measure shadow AI discovery, cost reduction, or agent governance against current baseline.

Partner Enablement

Technical training for Cythera's architects and engineers — Cloudflare One, AI security controls, and API/Terraform-based configuration management.

Contact

Jason Clarke

Senior Solutions Engineer — Western Australia

Cloudflare · jclarke@cloudflare.com

Cloudflare + CytheraSmarter Security, Together