Cloudflare says cutting off customers like 8chan is an IPO ‘risk factor’

Networking and web security giant Cloudflare says the recent 8chan controversy may be an ongoing “risk factor” for its business on the back of its upcoming initial public offering.

The San Francisco-based company and former Battlefield finalist, which filed its IPO paperwork with the U.S. Securities and Exchange Commission on Thursday, earlier this month took the rare step of pulling the plug on one of its customers, 8chan, an anonymous message board linked to recent domestic terrorist attacks in El Paso, Texas and Dayton, Ohio, which killed 31 people. The site is also linked to the shootings in New Zealand, which killed 50 people.

8chan became the second customer to have its service cut off by Cloudflare in the aftermath of the attacks. The first and other time Cloudflare booted one of its customers was neo-Nazi website The Daily Stormer in 2017, after it claimed the networking giant was secretly supportive of the website.

Cloudflare, which provides web security and denial-of-service protection for websites, recognizes those customer cut-offs as a risk factor for investors buying shares in the company’s common stock.

“Activities of our paying and free customers or the content of their websites and other Internet properties could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and other third parties,” the filing said. “Even if we comply with legal obligations to remove or disable customer content, we may maintain relationships with customers that others find hostile, offensive, or inappropriate.”

Cloudflare had long taken a stance of not policing who it provides service to, citing freedom of speech. In a 2015 interview with ZDNet, chief executive Matthew Prince said he didn’t ever want to be in a position where he was making “moral judgments on what’s good and bad,” and would instead defer to the courts.

“If a final court order comes down and says we can’t do something… governments have tanks and guns,” he said.

But since Prince changed his stance on both The Daily Stormer and 8chan, the company recognized it “experienced significant negative publicity” in the aftermath.

“We are aware of some potential customers that have indicated their decision to not subscribe to our products was impacted, at least in part, by the actions of certain of our paying and free customers,” said the filing. “We may also experience other adverse political, business and reputational consequences with prospective and current customers, employees, suppliers, and others related to the activities of our paying and free customers, especially if such hostile, offensive, or inappropriate use is high profile.”

Cloudflare has also come under fire in recent months for allegedly supplying web protection services to sites that promote and support terrorism, including al-Shabaab and the Taliban, both of which are covered under U.S. Treasury sanctions.

In response, the company said it tries “to be neutral,” but wouldn’t comment specifically on the matter.

Cloudflare files for initial public offering

After much speculation and no small amount of controversy, Cloudflare, one of the companies that ensures that websites run smoothly on the internet, has filed for its initial public offering.

The company, which made its debut on TechCrunch’s Battlefield stage back in 2010, has put a placeholder value of the offering at $100 million, but it will likely be worth billions when it finally trades on the market.

Cloudflare is one of a clutch of businesses whose job it is to make web sites run better, faster and with little to no downtime.

Recently the company has been at the center of political debates around some of the customers and company it keeps, including social media networks like 8chan and racist media companies like the Daily Stormer.

Indeed, the company went so far as to cite 8chan as a risk factor in its public offering documents.

As far as money goes, Cloudflare is — like other early-stage technology companies — losing money. But it’s not losing that much money, and its growth is impressive.

As the company notes in its filing with the Securities and Exchange Commission:

We have experienced significant growth, with our revenue increasing from $84.8 million in 2016 to $134.9 million in 2017 and to $192.7 million in 2018, increases of 59% and 43%, respectively. As we continue to invest in our business, we have incurred net losses of $17.3 million, $10.7 million, and $87.2 million for 2016, 2017, and 2018, respectively. For the six months ended June 30, 2018 and 2019, our revenue increased from $87.1 million to $129.2 million, an increase of 48%, and we incurred net losses of $32.5 million and $36.8 million, respectively.

Cloudflare sits at the intersection of government policy and private company operations and its potential risk factors include a discussion about what that could mean for its business.

The company isn’t the first network infrastructure service provider to hit the market. That distinction belongs to Fastly, whose shares likely have not performed as well as investors would have liked.

Screen Shot 2019 08 15 at 10.10.17 AM

Cloudflare has raised roughly $332 million to date from investors, including Franklin Templeton Investments, Fidelity, Union Square Ventures, New Enterprise Associates, Pelion Venture Partners and Venrock. Business Insider reported that the company’s last investment gave Cloudflare a valuation of $3.2 billion.

The company will trade on the New York Stock Exchange under the ticker symbol “NET.” Underwriters on the company’s public offering include Goldman Sachs, Morgan Stanley, JP Morgan, Jefferies, Wells Fargo Securities and RBC Capital Markets.

Apple expands its bug bounty, increases maximum payout to $1M

Apple is finally giving security researchers something they’ve wanted for years: a macOS bug bounty.

The technology giant said Thursday it will roll out the bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, almost exactly three years after it debuted its bug bounty program for iOS.

The idea is simple: you find a vulnerability, you disclose it to Apple, they fix it — and in return you get a cash payout. These programs are wildly popular in the tech industry as it helps to fund security researchers in exchange for serious security flaws that could otherwise be used by malicious actors, and also helps fill the void of bug finders selling their vulnerabilities to exploit brokers, and on the black market, who might abuse the flaws to conduct surveillance.

But Apple had dragged its feet on rolling out a bug bounty to its range of computers. Some security researchers had flat-out refused to report security flaws to Apple in absence of a bug bounty.

At the Black Hat conference in Las Vegas, head of security engineering and architecture Ivan Krstić announced the program to run alongside its existing iOS bug bounty.

Patrick Wardle, a security expert and principle security researcher at Jamf, said the move was a “no brainer.”

Wardle has found several major security vulnerabilities and dropped zero-days — details of flaws published without allowing the companies a chance to fix — citing the lack of a macOS bug bounty. He has long criticized Apple for not having a bug bounty, accusing the company of leaving a void open for security researchers to sell their flaws to exploit brokers who often use the vulnerabilities for nefarious reasons.

“Granted, they hired many incredible talented researchers and security professionals — but still never really had a transparent mutually beneficial relationship with external independent researchers,” said Wardle.

“Sure this is a win for Apple, but ultimately this a huge win for Apple’s end users,” he added.

Apple said it will open its bug bounty program to all researchers and increase the size of the bounty from the current maximum of $200,000 per exploit to $1 million for a zero-click, full chain kernel code execution attack with persistence — in other words, if an attacker can gain complete control of a phone without any user interaction and simply by knowing a target’s phone number.

Apple also said that any researcher who finds a vulnerability in pre-release builds that’s reported before general release will qualify for up to 50% bonus on top of the category of vulnerability they discover.

The bug bounty programs will be available to all security researchers beginning later this year.

The company also confirmed a Forbes report, published earlier this week, saying it will give a number of “dev” iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program. These devices are special devices that give the hackers greater access to the underlying software and operating system to help them find vulnerabilities typically locked away from other security researchers — such as secure shell.

Apple said that it hopes expanding its bug bounty program will encourage more researchers to privately disclose security flaws, which will help to increase the protection of its customers.

Read more:
Apple restricts ads and third-party trackers in iPhone apps for kids
New book looks inside Apple’s legal fight with the FBI
Apple has pushed a silent Mac update to remove hidden Zoom web server
Many popular iPhone apps secretly record your screen without asking
Apple rebukes Australia’s ‘dangerously ambiguous’ anti-encryption bill
Apple Card will make credit card fraud a lot more difficult

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a date breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague since turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years passed we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.

Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature

An industry group of internet service providers has branded Firefox browser maker Mozilla an “internet villain” for supporting a DNS security standard.

The U.K.’s Internet Services Providers’ Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to “bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K.”

Mozilla said late last year it was planning to test DNS-over-HTTPS to a small number of users.

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead.

DNS-over-HTTPS also improves performance, making DNS queries — and the overall browsing experience — faster.

But the ISPA doesn’t think DNS-over-HTTPS is compatible with the U.K.’s current website blocking regime.

Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material or if they are deemed to contain terrorist material or child abuse imagery. In encrypting DNS queries, it’s claimed that it will make it more difficult for internet providers to filter their subscribers’ internet access.

The ISPA isn’t alone. U.K. spy agency GCHQ and the Internet Watch Foundation, which maintains the U.K.’s internet blocklist, have criticized the move to roll out encrypted DNS features to the browser.

But the ISPA’s nomination quickly drew ire from the security community. Amid a backlash on social media, the ISPA doubled down on its position. “Bringing in DNS-over-HTTPS by default would be harmful for online safety, cybersecurity and consumer choice,” but said it encourages “further debate.”

When reached, a Mozilla spokesperson did not immediately comment.

Mozilla isn’t the first to roll out DNS-over-HTTPS. Last year Cloudflare released a mobile version of its 1.1.1.1 privacy-focused DNS service to include DNS-over-HTTPS. Months earlier Google-owned Jigsaw released its censorship-busting app Infra, which aimed to prevent DNS manipulation.

Mozilla has yet to set a date for the full release of DNS-over-HTTPS in Firefox.

Newly public CrowdStrike wants to become the Salesforce of cybersecurity

Like many good ideas, CrowdStrike, a seller of subscription-based software that protects companies from breaches, began as a few notes scribbled on a napkin in a hotel lobby.

The idea was to leverage new technology to create an endpoint protection platform powered by artificial intelligence that would blow incumbent solutions out of the water. McAfee, Palo Alto Networks and Symantec, long-time leaders in the space, had been too slow to embrace new technologies and companies were suffering, the CrowdStrike founding team surmised.

Co-founders George Kurtz and Dmitri Alperovitch, a pair of former McAfee executives, weren’t strangers to legacy cybersecurity tools. McAfee had for years been a dominant player in endpoint protection and antivirus. At least, until the emergence of cloud computing.

Since 2012, CrowdStrike’s Falcon Endpoint Protection platform has been pushing those incumbents into a new era of endpoint protection. By helping enterprises across the globe battle increasingly complex attack scenarios more efficiently, CrowdStrike, as well as other fast-growing cybersecurity upstarts, has redefined company security standards much like Salesforce redefined how companies communicate with customers.

“I think we had the foresight that [CrowdStrike] was going to be a foundational element for security,” CrowdStrike chief executive officer George Kurtz told TechCrunch this morning. The full conversation can be read further below.

CrowdStrike co-founder and CEO George Kurtz.

Have I Been Pwned is looking for a new owner

Troy Hunt has revealed he’s looking for an acquirer for the breach notification service he set up more than five years ago — aka: Have I Been Pwned.

In a blog post discussing the future of the service, Hunt details how traffic to the site has exploded since January when he uploaded a massive 773M record list of breached emails and passwords that could be used for automated unauthorized logins (aka credential stuffing).

“The extra attention HIBP started getting in Jan never returned to 2018 levels, it just kept growing and growing,” he writes, saying he realized he was getting close to burn out trying to manage the service solo. Hence his decision to seek an acquirer.

HIBP has ridden a wave of growing concern about data breaches and Internet security, with Hunt taking the decision to accept a commercial sponsorship via a partnership with password manager firm 1Password last year.

Its growing profile has also led the service finding favor with governments wanting to monitor their own domains.

Sketching what he hopes to achieve with more resources behind HIBP, Troy writes: “Imagine a future where I’m able to source and process much more data, proactively reach out to impacted organisations, guide them through the process of handling the incident, ensure impacted individuals like you and me better understand our exposure (and what to do about it) and ultimately, reduce the impact of data breaches on organisations and consumers alike. And it goes much further than that too because there’s a lot more that can be done post-breach, especially to tackle attacks such as the huge rate of credential stuffing we’re seeing these days. I’m really happy with what HIBP has been able to do to date, but I’ve only scratched the surface of potential with it so far.”

At this stage Hunt says he’s met with KPMG’s M&A division to discuss the process of finding a new owner. Although he also says he intends to remain personally involved in the service.

“In meeting with the M&A folks, it quickly became apparent how much support I really needed,” he writes. “The most significant thing that comes to mind is that I’d never really taken the time just to step back and look at what HIBP actually does. That might sound odd, but as it’s grown organically over the years and I’ve built it out in response to a combination of what I think it should do and where the demand is, I’ve not taken the time to step back and look at the whole thing holistically. Nor have I taken enough time to look at what it could do… but there’s so much potential to do so much more and I really needed the support of people that specialise in finding the value in a business to help me see that.”

Hunt’s blog includes a list of “commitments for the future of HIBP” — including that he remains a part of it, and that “freely available consumer searches should remain freely available”. (Albeit ‘should’ is not the same as ‘will’.)

Other items on his wish list are more capabilities for the service; reaching a larger audience; playing a bigger role in changing consumer; greater support for organizations to use HIBP; and “more disclosure — and more data”.

“There’s a whole heap of organisations out there that don’t know they’ve been breached simply because I haven’t had the bandwidth to deal with it all,” he notes on the latter — a sentence that should send a chill up spines everywhere. 

There’s no named acquirer in the frame as yet, although Hunt sounds like he has a short-list — writing that there’s “a solid selection [of potential acquirer organizations] that are at the front of my mind” and “also a bunch that I have enormous respect for but are less well-equipped to help me achieve this”.

He also says he considered but dismissed taking VC to scale the service into a company himself — as it would inevitably amp up his responsibilities when he’s looking for a way to spread the load.

“As the process plays out, I’ll be working with KPMG to more clearly identify which organisations fit into the first category,” he goes on. “As I’m sure you can imagine, there are some very serious discussions to be had: where HIBP would fit into the organisation, how they’d help me achieve those bullet-pointed objectives above and frankly, whether it’s the right place for such a valuable service to go. There are also some major personal considerations for me including who I’d feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing. I’ll be honest – it’s equal parts daunting and exciting.”

A couple of commenters on the blog post ask Hunt whether he’s considered/approached Mozilla as a potential owner — and in a reply to one he writes: “Being a party that’s already dependent on HIBP, I reached out to them in advance of this blog post and have spoken with them. I can’t go into more detail than that just now, but certainly their use of the service is enormously important to me.”

Security startup Bugcrowd on crowdsourcing bug bounties: ‘Cybersecurity is a people problem’

For a cybersecurity company, Bugcrowd relies much more on people than it does on technology.

For as long as humans are writing software, developers and programmers are going to make mistakes, said Casey Ellis, the company’s founder and chief technology officer in an interview TechCrunch from his San Francisco headquarters.

“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem,” he said. And when humans made coding mistakes that turn into bugs or vulnerabilities that be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.

Founded in 2011, Bugcrowd is one of the largest bug bounty and vulnerability disclosure companies on the internet today. The company relies on bug finders, hackers, and security researchers to find and privately report security flaws that could damage systems or putting user data at risk.

Bugcrowd acts as an intermediary by passing the bug to the companies to get fixed — potentially helping them to dodge a future security headache like a leak or a breach — in return for payout to the finder.

The greater the vulnerability, the higher the payout.

“The space we’re in is brokering conversations between different groups of people that don’t necessarily have a good history of getting along but desperately need to talk to each other,” said Ellis.

Three ‘new rules’ worth considering for the internet

In a recent commentary, Facebook’s Mark Zuckerberg argues for new internet regulation starting in four areas: harmful content, election integrity, privacy and data portability. He also advocates that government and regulators “need a more active role” in this process. This call to action should be welcome news as the importance of the internet to nearly all aspects of people’s daily lives seems indisputable. However, Zuckerberg’s new rules could be expanded, as part of the follow-on discussion he calls for, to include several other necessary areas: security-by-design, net worthiness and updated internet business models.

Security-by-design should be an equal priority with functionality for network connected devices, systems and services which comprise the Internet of Things (IoT). One estimate suggests that the number of connected devices will reach 125 billion by 2030, and will increase 50% annually in the next 15 years. Each component on the IoT represents a possible insecurity and point of entry into the system. The Department of Homeland Security has developed strategic principles for securing the IoT. The first principle is to “incorporate security at the design phase.” This seems highly prudent and very timely, given the anticipated growth of the internet.

Ensuring net worthiness — that is, that our internet systems meet appropriate and up to date standards — seems another essential issue, one that might be addressed under Zuckerberg’s call for enhanced privacy. Today’s internet is a hodge-podge of different generations of digital equipment, unclear standards for what constitutes internet privacy and growing awareness of the likely scenarios that could threaten networks and user’s personal information.

Recent cyber incidents and concerns have illustrated these shortfalls. One need only look at the Office of Personnel Management (OPM) hack that exposed the private information of more than 22 million government civilian employees to see how older methods for storing information, lack of network monitoring tools and insecure network credentials resulted in a massive data theft. Many networks, including some supporting government systems and hospitals, are still running Windows XP software from the early 2000s. One estimate is that 5.5% of the 1.5 billion devices running Microsoft Windows are running XP, which is now “well past its end-of-life.” In 2016, a distributed denial of service attack against the web security firm Dyn exposed critical vulnerabilities in the IoT that may also need to be addressed.

Updated business models may also be required to address internet vulnerabilities. The internet has its roots as an information-sharing platform. Over time, a vast array of information and services have been made available to internet users through companies such as Twitter, Google and Facebook. And these services have been made available for modest and, in some cases, no cost to the user.

Regulation is necessary, but normally occurs only once potential for harm becomes apparent.

This means that these companies are expending their own resources to collect data and make it available to users. To defray the costs and turn a profit, the companies have taken to selling advertisements and user information. In turn, this means that private information is being shared with third parties.

As the future of the internet unfolds, it might be worth considering what people would be willing to pay for access to traffic cameras to aid commutes, social media information concerning friends or upcoming events, streaming video entertainment and unlimited data on demand. In fact, the data that is available to users has likely been compiled using a mix of publicly available and private data. Failure to revise the current business model will likely only encourage more of the same concerns with internet security and privacy issues. Finding new business models — perhaps even a fee-for-service for some high-end services — that would support a vibrant internet, while allowing companies to be profitable, could be a worthy goal.

Finally, Zuckerberg’s call for government and regulators to have a more active role is imperative, but likely will continue to be a challenge. As seen in attempts at regulating technologies such as transportation safety, offshore oil drilling and drones, such regulation is necessary, but normally occurs only once potential for harm becomes apparent. The recent accidents involving the Boeing 737 Max 8 aircraft could be seen as one example of the importance of such government regulation and oversight.

Zuckerberg’s call to action suggests a pathway to move toward a new and improved internet. Of course, as Zuckerberg also highlights, his four areas would only be a start, and a broader discussion should be had as well. Incorporating security-by-design, net worthiness and updated business models could be part of this follow-on discussion.

Fastly, the content delivery network, files for an IPO

Fastly, the content delivery network that’s raised $219 million in financing from investors (according to Crunchbase), is ready for its close up in the public markets.

The eight-year-old company is one of several businesses that improve the download time and delivery of different websites to internet browsers and it has just filed for an IPO.

Media companies like The New York Times use Fastly to cache their homepages, media and articles on Fastly’s servers so that when somebody wants to browse the Times online, Fastly’s servers can send it directly to the browser. In some cases, Fastly serves up to 90 percent of browser requests.

E-commerce companies like Stripe and Ticketmaster are also big users of the service. They appreciate Fastly because its network of servers enable faster load times — sometimes as quickly as 20 or 30 milliseconds, according to the company.

The company raised its last round of financing roughly nine months ago, a $40 million investment that Fastly said would be the last before a public offering.

True to its word, the company is hoping public markets have the appetite to feast on yet another “unicorn” business.

While Fastly lacks the sizzle of companies like Zoom, Pinterest or Lyft, its technology enables a huge portion of the activities in which consumers engage online, and it could be a bellwether for competitors like Cloudflare, which recently raised $150 million and was also exploring a public listing.

The company’s public filing has a placeholder amount of $100 million, but given the amount of funding the company has received, it’s far more likely to seek closer to $1 billion when it finally prices its shares.

Fastly reported revenue of roughly $145 million in 2018, compared to $105 million in 2017, and its losses declined year on year to $29 million, down from $31 million in the year-ago period. So its losses are shrinking, its revenue is growing (albeit slowly) and its cost of revenues are rising from $46 million to around $65 million over the same period.

That’s not a great number for the company, but it’s offset by the amount of money that the company’s getting from its customers. Fastly breaks out that number in its dollar-based net expansion rate figure, which grew 132 percent in 2018.

It’s an encouraging number, but as the company notes in its prospectus, it’s got an increasing number of challenges from new and legacy vendors in the content delivery network space.

The market for cloud computing platforms, particularly enterprise-grade products, “is highly fragmented, competitive and constantly evolving,” the company said in its prospectus. “With the introduction of new technologies and market entrants, we expect that the competitive environment in which we compete will remain intense going forward. Legacy CDNs, such as Akamai, Limelight, EdgeCast (part of Verizon Digital Media), Level3, and Imperva, and small business-focused CDNs, such as Cloudflare, InStart, StackPath, and Section.io, offer products that compete with ours. We also compete with cloud providers who are starting to offer compute functionality at the edge like Amazon’s CloudFront, AWS Lambda, and Google Cloud Platform.”