SASE / Zero Trust / network services
Cloudflare One
Cloudflare sources provide evidence of any-to-any WAN connectivity, the Magic WAN Connector and Cloudflare One's integrated SASE positioning.
Netify profile
Cloudflare One in depth
Platform and architecture
Cloudflare One delivers SASE from the same anycast edge that runs Cloudflare's CDN: 330+ cities, every service in every location, with traffic attracted to the nearest PoP and policy applied there. Connectivity options include the WARP agent, Magic WAN for site tunnels and Cloudflare Network Interconnect. There are no Cloudflare branch appliances; Magic WAN partners and standard IPsec/GRE handle site onboarding.
Security and SASE capability
Gateway (SWG), Access (ZTNA), CASB, DLP, email security and browser isolation compose the SSE layer, tightly integrated with Cloudflare's DDoS and application security heritage. Access is notably easy to adopt app by app. Depth in enterprise DLP and CASB trails the specialist leaders, while network-adjacent security (DDoS, WAF, bot management) is far beyond what SASE rivals carry.
Service, support and channel
Self-serve to enterprise sales motions, with UK partners growing; managed offers exist though carrier-style wrap is thinner than for appliance vendors. Deployment is fast and developer-friendly with excellent documentation. Enterprise support runs 24x7 with named contacts on larger contracts.
Commercials and the Netify verdict
Per-user Zero Trust plans with transparent public entry pricing and contract pricing at enterprise; Magic WAN priced separately. The Netify verdict: shortlist Cloudflare One when you already trust Cloudflare for performance or security, when fast app-by-app ZTNA adoption appeals, or when global edge reach per pound matters. Heavy CASB/DLP programmes and appliance-led branch estates fit other platforms better.
Questions
Cloudflare One: common buyer questions
Can Cloudflare One replace my VPN quickly?
Yes, that is its strongest entry point: Cloudflare Access publishes internal apps behind zero trust authentication app by app, often within days, without re-architecting the network first. Full SASE adoption can then proceed incrementally.
How do sites connect without Cloudflare appliances?
Magic WAN terminates standard IPsec or GRE tunnels from existing routers, SD-WAN edges or firewalls, and Cloudflare Network Interconnect offers private peering. Cloudflare partners with SD-WAN vendors rather than shipping edges.
Is Cloudflare One enterprise-ready for compliance-heavy estates?
Certifications and regional controls have matured substantially, and the edge offers strong data localisation suites. Deep DLP and CASB programmes should still benchmark against Netskope and Zscaler before committing.
Key differentiators
- Cloudflare global edge network provides one of the largest PoP footprints in the category for SASE traffic.
- Strong Zero Trust and SWG capability inheritance from the wider Cloudflare security platform.
- Magic WAN Connector provides simplified branch connectivity into the Cloudflare One platform.
Best fit for
- Buyers already using Cloudflare for DDoS protection, CDN or Zero Trust who want to extend into WAN.
- Organisations prioritising global PoP coverage and edge performance for SaaS access.
- Mid-market buyers attracted to Cloudflare One pricing transparency for Zero Trust user tiers.
Watch-outs
- SD-WAN capabilities (path selection, QoS, packet loss remediation) have limited public evidence compared to SD-WAN-first vendors.
- Less mature for very large branch estates with complex underlay requirements.
- Managed and co-managed service models are partner-led; this is primarily a self-service platform.
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Partner / integrated | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Partial | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Partial | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Partial | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Partial | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Partial | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Partial | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Partial | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Partial | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Unknown | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Yes | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Yes | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Partial | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Partial | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Yes | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Yes | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Yes | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based enterprise pricing; some Zero Trust user tiers public, Magic WAN enterprise requires quote.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.