Property	IP / Provider	CF Proxy?	Fortescue Controls It?
fortescue.com	64.239.109.1 — Vercel	⚠ Via Vercel's CF account	✗ No
investors.fortescue.com	Vercel (same infra)	⚠ Via Vercel's CF account	✗ No
zero.fortescue.com	Vercel (same infra)	⚠ Via Vercel's CF account	✗ No
capital.fortescue.com	Vercel (same infra)	⚠ Via Vercel's CF account	✗ No
content.fortescue.com	172.64.x.x — Cloudflare	✓ Via Sitecore's CF account	✗ No
vault.fortescue.com	104.18.x.x — Cloudflare	✓ Via Sitecore's CF account	✗ No

Cloudflare & Australian Cyber Defence

ASD's ACSC Annual Cyber Threat Report 2024–25

Australia's Government technical authority on cyber security

280%

Increase in DDoS incidents in Australia — year on year

ASD's ACSC responded to more than 200 incidents involving DoS or DDoS attacks. The rise of DDoS attacks against Australian organisations has the potential to cause significant disruptions across the Australian economy.

55%

Increase in DDoS attacks globally year on year — Cloudflare threat intelligence

Government Partnership

March 2025: ASD's ACSC co-published official DDoS guidance with Cloudflare Pty Ltd

Malicious website programme: ASD's ACSC uses Cloudflare's API-based abuse reporting to programmatically identify and act on malicious Australian websites

Cloudflare Network Scale

477 Tbps Network capacity
(and growing)

215B Cyber threats blocked
every day

22M+ Peak monthly threats
blocked (AU customers)

10× Increase in WAF &
Firewall events (AU)

Source: ASD's ACSC Annual Cyber Threat Report 2024–25 · cyber.gov.au · Cloudflare threat intelligence (slides provided by Cloudflare AU team)

Traffic Profile — Fortescue.com

Semrush Data — March 2026

121K Visits/month
+14% MoM

450K Page views/month
(3.71 pages/visit)

9:01 Avg session
duration

50% Bounce rate

Geographic distribution

🇦🇺 Australia

52% — 63K visits

🇬🇧 United Kingdom

21% — 26K visits

🇨🇦 Canada

11% — 14K visits

🇺🇸 United States

4% — 4.7K visits

HTTP Request Volume Estimate

Used for Cloudflare quote sizing

450K page views × ~30 sub-requests (Next.js SPA)

≈ 13.5M requests/month — fortescue.com

≈ 30–45M requests/month — all 4 zones combined

Page response sizes (measured)

fortescue.com/en/

~402 KB

investors.fortescue.com/en/

~285 KB

zero.fortescue.com/en/

~182 KB

ℹ For deal desk: Low-to-mid volume enterprise profile. Pricing argument is risk-adjusted value, not traffic cost savings.

Appendix

Vercel vs Cloudflare
DDoS Battlecard

A technical and commercial comparison for sales conversations

Architecture & Detection Model

Vercel

126 PoPs — L3/L4 only

TCP termination and basic volumetric drop. No WAF, no TLS, no L7 inspection at this layer.

↓ private network hop

20 Compute Regions — L7 firewall

TLS terminates here. WAF, challenge, JA3/JA4, DDoS rules all evaluated here — not at the edge. Attack traffic must reach a compute region to be assessed.

⚠ Sophisticated L7 floods reach the compute region before being assessed. No adaptive profiling. No ML scoring. Detection is static fingerprinting only.

Cloudflare Enterprise

330+ PoPs — Full stack at every city

TCP termination, TLS termination, HTTP DDoS managed ruleset, WAF, rate limiting and adaptive DDoS all fire at the ingress PoP. No extra hop required.

Adaptive DDoS — 7-day traffic baseline

Learns Fortescue's traffic profile. Detects deviation by geo, user agent, query string, and ML score. Escalates from Log → Block automatically — no human required.

✓ 477 Tbps network capacity (published). Attack traffic scrubbed closest to the attacker, not at a centralised compute region.

Billing & Availability During an Attack

Vercel — What happens

Attack traffic is billed

Requests served before mitigation kicks in incur Function invocation, Fast Data Transfer, and Edge Request charges. A 100K req/min L7 flood = millions of billable invocations per hour.

Spend limit hit → all 4 sites auto-pause

If Spend Management is configured, all projects return 503 DEPLOYMENT_PAUSED to every visitor. Fortescue effectively DDoS's themselves. Manual per-project recovery required.

Attack Challenge Mode = blanket JS challenge

Only manual defence available. All visitors — investors, media, suppliers — see "Vercel Security Checkpoint." Cannot be scoped to suspicious traffic only.

Alert fires at >100K req / 10 minutes

Notification only — no automated escalation. Fortescue must manually respond during a live attack with no real-time traffic analytics.

Cloudflare Enterprise — What happens

Zero billing for attack traffic

Cloudflare's unmetered DDoS model means attack traffic is absorbed at the network layer with no per-request, per-Gbps, or per-invocation charges. Predictable costs during any attack.

Sites stay online — always

100% uptime SLA. Legitimate traffic continues to be served while attack traffic is blocked. No self-pausing, no 503s for investors.

Managed Challenge — surgical, not nuclear

Challenge can be scoped to suspicious IPs, geos, or user agents. Legitimate investors browsing from known locations are never challenged.

Automated escalation — no human required

Adaptive DDoS moves from Log to Block automatically. Advanced alerts with filtering sent to SIEM/PagerDuty. Full Security Events audit trail available in real time.

Feature Comparison — Vercel vs Cloudflare Enterprise

Capability	Vercel (current state)	Cloudflare Enterprise + Advanced DDoS
L3/L4 DDoS mitigation	⚠ At 126 PoPs. Unpublished capacity limit.	✓ All 330+ cities. 477 Tbps published capacity.
L7 DDoS inspection location	✗ 20 compute regions only (extra hop)	✓ All 330+ PoPs at ingress — no extra hop
Adaptive / ML-based detection	✗ Not available	✓ 7-day traffic profiling, geo/UA/ML scoring
Attack traffic billing	✗ Billed until mitigation activates	✓ Zero — no attack traffic tax ever
Site availability during attack	✗ Risk of self-pause (503) if spend limit hit	✓ 100% uptime SLA — never self-pauses
Post-attack recovery	✗ Manual per-project unpausing	✓ Automatic — no action required
Fortescue visibility	✗ None — no logs, no dashboards	✓ Security Events, Logpush to SIEM, real-time analytics
DDoS sensitivity tuning	✗ Not configurable	✓ Per-rule sensitivity + 10 custom expression overrides
Challenge granularity	⚠ All-or-nothing (Attack Challenge Mode)	✓ Managed Challenge scoped to suspicious traffic only
Vendor transparency	✗ Black-box — no published ruleset or thresholds	✓ Published managed ruleset + public changelog
DDoS uptime SLA	✗ None published	✓ 100% uptime SLA (Enterprise)
Government endorsement (AU)	✗ None	✓ ASD's ACSC co-published DDoS guidance with Cloudflare (Mar 2025)
SASE / Zero Trust expansion	✗ Not available	✓ 50 Interna seats included with Externa package

Sources: Vercel documentation (vercel.com/docs) · Cloudflare documentation (developers.cloudflare.com) · Live infrastructure recon April 2026

Fortescue
L7 DDoS Protection

Customer Profile

Who is Fortescue?

Why Fortescue is a DDoS Target

Current State

Infrastructure Recon Findings

The Vercel DDoS Gap

Recommended Solution

Proposed Architecture

Cloudflare Enterprise + Advanced DDoS

Key Technical Considerations

Business Value

Why Cloudflare — and Why Now

Cloudflare & Australian Cyber Defence

Traffic Profile & Pricing

Traffic Profile — Fortescue.com

Indicative Cost Estimate

Recommended Next Steps

Vercel vs Cloudflare
DDoS Battlecard

Architecture & Detection Model

Billing & Availability During an Attack

Feature Comparison — Vercel vs Cloudflare Enterprise

Cloudflare & Australian Cyber Defence

Vercel vs CloudflareDDoS Battlecard

Architecture & Detection Model

Billing & Availability During an Attack

Feature Comparison — Vercel vs Cloudflare Enterprise

Vercel vs Cloudflare
DDoS Battlecard