In this episode of This Week in NET, host João Tomé is joined by Warnessa Weaver (Senior Product Manager) and Yumna Moazzam (Senior Product Marketing Manager) to break down Cloudflare’s SASE blog takeover week and what it means for enterprise security.
Cloudflare One is evolving into an agile, composable, and programmable SASE platform, built natively on Cloudflare’s global network spanning 300+ cities. The conversation explores how organizations can modernize remote access, secure AI adoption, and replace legacy architectures that often take 18 months to deploy with migrations completed in 4–6 weeks.
The episode covers:
• Post-quantum encryption now in GA for Cloudflare One
• Deepfake defense through a new Nametag partnership
• Adaptive access with user risk scoring and signals from CrowdStrike and SentinelOne
• Programmable gateway policies using Cloudflare Workers
• DLP visibility for Microsoft 365 Copilot, ChatGPT, Gemini and more
• Clipboard controls for browser-based RDP sessions
• Closing the boot-to-login security gap with the Cloudflare One client
• CASB remediation for Microsoft 365 and Google Workspace
The episode also includes a run-through of other recent Cloudflare blog posts, including AI Security for Apps (now GA), slashing agent token costs by 98% with RFC 9457, Nvidia Nemotron 3 Super on Cloudflare, and a new stateful API vulnerability scanner.
Hello everyone and welcome to This Week in NET. We're back for another March edition and for another topical episode.
Last week we had a chat about Cloudflare's new 2026 threat report and now we have an edition related to our SASE blog takeover.
So it's full of announcements related to SASE, Secure Access Service Edge.
I'm your host João Tomé based in Lisbon Portugal as usual in the Cloudflare Lisbon office library and before we go into this conversation why not do a run through of our blog because other than SASE related blogs we also have many other cool blogs that we should mention.
Just to pick a few AI security for apps is now generally available.
So in this case providing a security layer to discover and protect AI powered applications regardless of the model or hosting provider.
It's what is this about.
We are also making AI discovery free for all plans to help teams find and secure shadow AI deployments.
Always relevant these days. Also slashing agent token costs by 98%.
It's another blog. It's all about how Cloudflare now returns RFC 9457-compliant structured Markdown and JSON error payloads to AI agents.
So it's replacing heavyweight HTML pages with machine-readable instructions. This reduces token usage by over 98% brittle parsing into efficient control flow.
Really important these days of course. Active defense another blog post introducing a stateful vulnerability scanner for APIs.
Cloudflare's new web and API vulnerability scanner helps teams proactively find logic flaws.
So another announcement.
On the front of hardware, if you like hardware, let's just give one piece of news.
In this case it's all about Cloudflare partnering with NVIDIA regarding a Nemotron 3 Super which is launched now with Cloudflare and of course it's across now our developer platform.
In this case it's all about having more parameters, 100 billion total parameters.
It's all about making models more efficient, more better.
If you like developments per se, we've been shipping as crazy in terms of new features, new stuff just dropping not only on agents SDK, we spoke about code mode in previous episodes, but also workflows integration.
There's workers related novelties.
For example, workers are no longer limited to 1000 subrequests per invocation.
There's many things you should look at. So for that, check our blog and also our changelog.
And now without further ado, here's my conversation with Warnessa Weaver, senior product manager, but also Yumna Moazzam, a senior product manager.
They were the ones responsible for the SASE blog takeover.
Hello and welcome. Thanks for having us. Can you explain why not Warnessa?
Where are you based? I think you're both based in the same place, right?
Yeah. I'm Warnessa. I am based in Texas. Me too. I'm in Texas. A little north of Warnessa in Dallas here.
And for those who don't know, what can we explain about having a SASE takeover week specifically?
What is this week about and how it came to be?
So, you know, this year we have been really focused on our SASE platform.
We want to make sure that everyone is aware that we have a very agile platform that is very composable and programmable for everyone.
It fits organizations' needs.
And we also wanted to make sure we're addressing what companies are talking about right now, what is front of mind for them.
And so we spent a lot of time coming up with these blogs that are addressing real needs of our, you know, CISOs, CIOs.
And that's what you're going to see as we dive deeper into these blogs is all their security needs, all their front of mind needs like simplicity, governance, being met, and us just going deep into our platform and trying to enhance all the features that we have.
Yeah. And I also want to add to that, we also thought it was extremely important for us to showcase some of our partners and our network and talk about how they are using our SASE platform to really help their clients modernize their SASE architecture.
And a lot of what we learned there, you know, was extremely eye-opening.
And so it was really great to be able to showcase those stories as well.
I remember doing this show early on with John Graham-Cumming.
He was our CDO at the time and editor-in-chief of the blog. And he was mentioning all of these names, SASE, CISO, like CISO, different names for different things.
Do you still feel sometimes overwhelmed on the abbreviations that are around with so many names?
Honestly, it's just the norm. It's just the way that we speak.
I think so many of these abbreviations are just like second nature to us at this point.
We don't even really think about the, I guess, more spelt out terms of what's behind these acronyms and abbreviations.
But ultimately, the story behind each of them are essentially what makes the work that we do here so important.
Also curious about, and you wrote a blog post about the blog takeover specifically.
What is Agile SASE? What can we say there, for example? That's one of the principles as well, right?
You want to answer from a GTM perspective, Yumna?
Yeah, so Agile SASE, it's another term that we're using to just describe how our platform is so composable, where it can fit the organization's needs rather than having a rigid collection of tools that are not speaking to each other.
And we see that in the market a lot of times with acquisitions going on, with a lot of companies end up doing is just bringing in different tools and saying, oh, now we have a complete platform versus making sure the tools are actually speaking to each other, making sure those connections and visibility and logs are transferable with each other.
And so that's what our platform does really well.
And then it's also, you know, that's one part of it. We're also talking about easy to use.
We're also talking about it being programmable.
Also, how the journey starts. Every organization is different. Maybe they want to start with clientless access versus having a device client installed on every device.
And so we provide all these options to make it very easy for organizations to start where it's needed and secure the most risky stuff first.
So if you have a lot of third party contractors or you have a lot of partners that you're working with, it might be easier to use our clientless access option to start off versus having device clients installed on everything.
And so, you know, just having that flexibility, having that easy to use platform is what we are, what we call agile SASE.
What do you think, Warnessa? Anything else you want to add here?
I think the only other thing that I would add to that is probably just sort of like double clicking on the composable and programmable piece.
And really talking about how Cloudflare One is natively built on top of Cloudflare's global network.
Right.
So you don't have like sometimes when we look at like more legacy SASE vendors, things are just bolted on via through acquisition or something different.
And so you don't really get the advantages that we see or that our Cloudflare One customers will see with the Cloudflare One platform being built on top of the global network that we already have that exists and spans over 300 cities.
So I think that's one piece that I would add there.
The global network part is a really interesting part, too, because it does reduce a lot of latency in our platform and does help bring those connections faster and that security faster.
And so because we are everywhere, we can provide you with better performance as well.
Makes sense.
Actually, there are. So the week was spread out. It was not only a week. It spread out in terms of days over a week in this case.
And we had and you were mentioning a bit of that.
This blog post called the truly programmable SASE platform.
A very specific one in terms of what programmability actually means, building the most programmable SASE platform.
So there's a lot there. What is that specifically trying to achieve in this situation?
Yeah. So you spoke a little bit about how some of our competitors are a lot more rigid in what they offer.
And like I just said, Cloudflare One runs on the same network as the rest of our Cloudflare offerings, including the developer platform.
Right. So what that means is that each of our services are all running on the same levels.
They're all running on the same servers. And so we kind of we get the advantage of being able to quickly call into any of our products that are within various sectors of what we offer at Cloudflare.
So essentially what we talk about when we're saying programmability or composability is that we know every customer has a different need as far as their security architecture and the products that they're going to be deploying.
And what Cloudflare One offers is the ability to customize that our offering to fit what it is that you need at your company within that time.
Right. So, for example, we start to think about our customers.
We want to enable them to actually extend policy decisions with like custom logic in real time.
So instead of some of the predefined actions, like if you see this, I want you to block or if you see that I want you to allow or log, you can actually dynamically inject certain actions into those policies.
So, for example, if we have a gateway policy match, instead of just being limited to those specific actions, you can invoke a Cloudflare worker directly and that will run your code at the edge in real time with full access to the request content.
So we've seen some customers use this in very unique ways.
For example, building out a worker to just identify if a device has been inactive for a specified amount of time, and if so, revoking the registration and requiring the user to re-auth.
And this was done because the way that we currently have this tool set up, it's done on like a per app basis.
And for this particular customer, the per app way is not the way they wanted to actually invoke this.
They cared about a time limit.
Right. So instead of having to submit the feature request, wait for it to get prioritized and actually develop and implement it, they were able to easily go in, build a worker and use that programmability in order to be able to quickly get the fix that they needed.
Absolutely. There's a few examples in the blog specifically as well, right?
Yeah, definitely. And the blog actually goes a little bit more into how you'll see us like really deepen that integration and make it more native.
So we want to get to a point to where you can actually create these custom actions directly in the Cloudflare gateway policy builder versus having to go out directly to the worker side and build there.
Makes sense. Early on, even before that, we had a blog post that connects something that is really close to heart in terms of Cloudflare, which is post-quantum encryption.
But in this case, to Cloudflare One, to a SASE offering.
Yeah, this is something that we're really excited about.
We are the world's first SASE platform to ship modern standards compliant post-quantum encryption.
While the rest of the industry is starting to talk about quantum readiness, we're delivering it in GA today.
So something interesting that's happening these days is that hackers are using something called Harvest Now Decrypt Later.
They're starting to steal information and then just sitting on it, even though it's encrypted, waiting for powerful quantum computers to become available so they can then crack that information.
And that's where security organizations like NIST have set a deadline of 2030 or something for every organization to address this kind of threat.
We did that right now.
We are delivering this in GA, where we are saying that we have implemented hybrid ML-KEM, or K-E-M, which provides quantum safe protection without sacrificing any security.
And so this isn't just a feature. We provide full access across Cloudflare IPsec, Cloudflare One Appliance, and our security gateway.
And it's part of our easy-to-use story.
It's part of our story of how we want our organization to be ahead of threats that we're seeing come into the market.
Absolutely.
And post-quantum is really one of those things that has been really important for Cloudflare since a few years now.
And it's definitely scary to think that encryption could be broken, even with older data.
So quite important to see in a more SASE corporate perspective as well, right?
Where should we go next in terms of blogs?
Anything we want to highlight more? Do you want to get into some of the addressing identity?
So maybe Mind the Gap? Yeah, let's do that. That's actually a great title.
Mind the Gap, New Tools for Continuous Enforcement from Boot to Login. Very British.
Mind the Gap. Warnessa, do you want to talk about... Yeah. Yeah. Okay.
So Mind the Gap, I think a good call-out when we were building the narratives for the SASE blog takeover is we didn't want to just create a blog for every new feature or every new capability that we had.
We really wanted to put together a story and a solution for our readers, right?
And so what you see in this blog is what we're addressing from our Cloudflare One client side, but then also Cloudflare Access.
And so we have two different features that this blog is essentially addressing.
And the first one is all around when you have a new employee or they receive their device in the mail and it's like until they actually set things up, they're not really being protected, right?
Because the client isn't necessarily installed.
And so you kind of have this like black box or black space or a gap, essentially, where anything could happen and you're totally unaware to it.
And the other piece of this is it can also happen when a session expires and the user has either just forgotten to re-auth or they have intentionally chosen to not re-auth and kind of bypass that restriction.
And so what this offers is a new way for us to actually close that gap so that you no longer lose the visibility and your security posture remains intact until the local machine allows it.
So it's us using the firewall to come in and to block the access to the Internet in order to ensure that the person who is behind the keyboard, you know, isn't doing anything malicious or sometimes even unintentionally, but could actually be risky and eliminating that risk across the board.
So that's from the Cloudflare One client side.
But then we also sort of get into what are we doing for Cloudflare Access?
And so the second portion of this blog talks about closing the loop on, you know, when we do have your own, you have something signed up for through like your primary security anchor, whether it be Okta or Google, you know, and they require MFA at the initial login.
But what we actually really need to do is create this secondary root of trust.
So Cloudflare One and Cloudflare Access is now offering independent MFA.
So it's essentially a secondary way for us to ensure that whoever it is that is logging in actually should be logging in.
And so we can do this through a few different ways.
It could be either through biometrics. It could be a time-based one-time password or even a security key.
And so this really gives the administrators the flexibility to determine how users have to authenticate and also how often it needs to be done.
So these are, you know, two really good ways that we're hoping to close this gap that you probably don't really even think about because how often does it actually happen or how often does it occur?
But these are two of the most risky gaps that we have identified in the access world.
It's really interesting, even in the fact that I did an episode about our threat report and definitely the ways that attackers are using to explore even multi-factor authentication is quite scary in a sense.
So having many options and protections in place, definitely it's important in this situation, right?
Yeah, definitely.
And I think even that threat report could probably bring us to maybe our next blog, you know, where we talk about a partnership with Nametag.
So maybe we want to hop over to that one?
Yeah, that's a good idea. That was another blog that we, you know, where we're addressing access and how we're improving or addressing AI-driven fraud these days as well as deepfake.
Yes, that's the one. With, you know, AI-driven frauds, we're seeing a massive rise in ghost employee operations as well as sophisticated laptop farms.
And so we're seeing a lot of attackers using AI to pass video interviews and fabricate IDs.
So what, you know, what we wanted to do was make sure that we are addressing these gaps in security.
While Zero Trust is great at verifying device as well as credentials, this is a new threat that we want to address where we want to make sure that the person holding the device is not a fraud, right?
And it's not AI-driven. And so what we did was we partnered with Nametag where we're directly integrating with Cloudflare workforce verification.
And so with Nametag's deepfake defense engine within our access policies, organizations can now require a quick selfie as well as a government ID scan to make sure the person that's using the device is an actual person.
Not just an AI or ghost employee trying to get into the system. And so this ensures that the right person and a real person is actually getting into the system.
And it's another deep layer of, you know, making sure Zero Trust works for you and our platform is addressing the latest threats that are out there.
Yeah, there are many details in the blog in terms of how it works, even images and the layer defense specifically also highlighted here.
It's a cool one for sure.
Anything we want to say more in terms of other blogs? We had so many blogs last week.
Not all the blogs are related to the SASE takeover, but many are. Where should we go next?
What was your last one, Yumna? What about the user risk scoring one on adaptive access?
Oh, adaptive access. Yeah, I was doing adaptive access. Which one is that?
It's like stop breaching. Stop reacting to breaches. Yeah, stop reacting to breaches.
I was there. Yeah. You know, they all have one tag that's alike.
We should have given you that link. So then you wouldn't have had to at least dig through so many different ones.
That's true. There's many last week. But here it is.
Stop reacting to breaches and start preventing them with user risk scoring. What is this about?
So, user risk scoring is a really critical feature. It's almost impossible to kind of be everywhere at all times, right?
To build these policies that are going to block everything.
And what user risk scoring does is provide you with a more continuous view and a continuous scan of what your users are actually doing on the network.
And so, with user risk scoring, we are able to set up very kind of lightweight policies around specific detectors or triggers and then essentially take action based off of if a user's risk score hits that certain level, right?
So, instead of having a more binary approach, it allows you to be a little bit more dynamic.
And so, for example, you may have policies that are actually built around various DLP detections, but user risk score allows you to say, if someone hits 15 DLP detections within this certain amount of time, then they should no longer be able to access these specific tools.
We can kind of switch that up, right? And so, a lot of what we've done in the user risk scoring was essentially that.
But what we did and what we announced for our SASE takeover is that we now have adaptive access.
So, instead of just saying, hey, let me know if Yumna hits 15 DLP detections, it's like, if this person does hit 15 DLP detections, then I now want to label them as a medium risk.
And if you are medium risk, then you cannot access these specific sets of applications.
So, it really takes it from a more, you know, just kind of visibility into like actually putting things into action.
And so, you're able to take these risk scores and now quickly and easily apply them into your existing access policies to, you know, as an additional piece of data that we go and calibrate on before we make a decision on if someone is allowed to access that application.
And additionally, we also are allowing third party signals from CrowdStrike or SentinelOne to come into and work with these access policies, right, Warnessa?
Yeah. Yeah, that's correct. So, you can, you know, you can take some more endpoint triggers, right?
So, maybe there is some device posture insights and we can actually take those, use them along with other telemetry that we have within our Cloudflare One network, put those together and then make decisions based on it.
What is this about then? Data security vision in Cloudflare One, what is this about?
Yeah. So, sort of like I said earlier, we really wanted to make sure that we were telling like full narratives and giving you a singular solution, right?
And so, from the endpoint to the prompt, a unified data security vision is also just that.
So, this blog talks about a couple of different areas across Cloudflare One where we are implementing new data security features and capabilities.
And so, when you start to think about it, you know, when you hear data security, you think to DLP, you know, you think about CASB, but you may not necessarily think about browser-based RDP, right?
But with browser-based RDP, we want to make sure that we are continuing to like actually secure that entryway for, you know, we have a lot of like contractors and partners and various customers who actually kind of on-ramp through there because they can't necessarily download like the Cloudflare One client into their device.
And so, with browser-based RDP, what we just announced is actually being able to apply clipboard controls.
So, with these controls, we are giving administrators the ability to enable various copy-paste workflows for users and then enforce granular controls over the context of which, right?
So, essentially being able to look at if the user is accessing a customer support portal, which may contain like some sensitive customer information, then, you know, we may allow them to copy and paste into the session.
However, we might block copy and pasting out of the session, right, just because we want to prevent that data from leaking onto an endpoint device that is actually being unmanaged via the company.
So, that's like one really good way that we're doing that.
Another key feature that we talk about here is AI visibility into Microsoft 365 Copilot.
So, in Q3 of last year, we had our AI week where we did a ton of new functionality around generative AI protection.
And, you know, this supported us actually going in and be able to apply DLP content and intent categorization to prompts and attachments from a group of generative AI providers.
And at the same time, it also allowed us to enable similar protections through CASB in a more retroactive way, right?
So, being able to go through and scan all the prompts that have been sent and then notify administrators on what we found after the fact.
And so, one of the things that we did via the SASE Takeover this year is actually going in and adding a new generative AI provider for that functionality within CASB.
And so, now you're able to do those same types of scannings through Microsoft 365 Copilot.
So, I'm sure a lot of our customers are going to be extremely happy if they're, you know, kind of in a Microsoft house within their company.
And so, they now are getting this AI visibility that they once were not getting.
And last year, when Warnessa mentioned that we did a couple of integrations with CASB, now we're doing AI integrations with ChatGPT, Claude, Gemini, and Copilot.
So, it's a broad range of the most popular platforms that we're covering with our API integrations with CASB, which is very exciting.
Makes sense.
So, I think one of the things that I like actually enjoyed, I probably enjoyed this the most out of, you know, all the things that I did with leading the SASE Takeover from the product side for this year, was being able to work hands-on with our partner network and learn from them about, you know, the various situations and challenges that they come across when they're helping our customers onboard to Cloudflare One.
And the two people that I talked with at both Adapture and TachTech were some of literally the most favorite conversations that I've had.
It's just great to hear partners from our network be so stoked, not only about what we are building, but like what we have already built and what we're offering.
And so, this blog, you know, kind of has a couple quotes here and there where they talk about how the work that they were doing with some of the more legacy SASE vendors would take them 18 months and coming to Cloudflare One and deploying some of our products like Cloudflare Access.
And they actually see this decrease in where they're able to deploy it within four to six weeks.
And so, I think this is a fantastic, like, just look into what our partners see every day.
And, you know, not only talking to, like, at Adapture, I spoke with Greg O'Connor, who leads their strategic partnerships.
But then I also got to speak with a lot of their solutions architects and, like, the people who are literally, you know, have their boots on the ground and are actually working with our customers alike.
And so, this is a really good blog into seeing what is their experience like and what are they most excited about.
And I think, like, from Kyle at TachTech, he talked a lot about programmability.
And so, we talked about that blog and it's just really cool to see that we have people, customers and partners who have challenges.
And the way that Cloudflare One is structured, they're able to, like, quickly go in and build a solution that works just for them.
You know, Kyle was able to do that for some of his clients as well.
Really interesting to see, especially with the people using more and more and companies using more and more AI, having safeguards, having many perspectives regarding public LLMs is quite important to see specifically as well, right?
Yeah, most definitely. I think Greg even spoke about just, you know, speed was always really important for people.
You know, the longer your migration project is, that's literally more money coming out just to, like, you know, fund that.
So, speed has always been important, but really with the way that generative AI and AI as a whole is just kind of, like, kind of taking over, speed has become just the number one priority for a lot of our partners and our customers.
And so, our AI security suite is a really good way for them to be able to access and to control that.
I think we like to say we are the fast path to AI. And so, you know, we have some stories in about how we offer that as well.
Makes sense.
There's many blog posts, including on that regard, the building security overview dashboard.
There's another one I saw recently. Let me see if I can fetch it.
It's, yeah, here it's this one. Beyond the blank slate, how Cloudflare accelerates your Zero Trust journey.
It's also related, right? Yeah. So, this blog is more of an internal tool, but the good thing is that, you know, our customers, they get to reap the benefits of it.
So, when it comes to, like, actually onboarding and deploying a new product or solution, you know, you really start from blank slate.
There's no templates. There's no right way to do something, right? And so, what our SE team at Cloudflare One has done, they've put together just that.
They've put together some of the best practices.
And naturally, not every company is the same.
And so, you know, we don't make assumptions. But foundationally, we want to make sure that customers are coming in and with this, they're coming in and we're able to quickly take them to step one, right?
From that blank slate to step one.
So, what that project does is there are, like, some Terraform templates that we're able to apply into your tenant or into your account to get you going.
So, that you're able to kind of come in and then customize, therefore, where it makes most sense for you.
And I also noticed this one felt maybe it's interesting about evolving Cloudflare's Threat Intelligence Platform, actionable, scalable, and ETL-less.
Also, an interesting one in terms of capabilities, in terms of observability, Threat Intelligence Platform specifically, related to our Cloudflare One team that also did the Threat Intelligence blog, right?
Yeah, this one is on our AppSec side, not Cloudflare One. So, I can't really speak in great detail about it.
Of course. Well, I think we have a good summary.
And of course, for those that want to learn more and see more, they should see our blog and the many blog posts that we have.
We'll share the direct link for the more SASE-related blogs here.
Anything we want to add specifically on what should people take from this week specifically?
Yeah. So, you know, at Cloudflare, we're always trying to address the needs of our customers.
And so, what we found that right now, the main use cases that people are worried about, you know, is one, modernizing remote access.
They are always thinking about how to implement Zero Trust into their environment and making sure they do it in a way that's easy, securing the risky parts first.
And so, we have a lot of blogs around modernizing remote access, and we have another thing is phishing protection, making sure our email security product and platform is addressing those needs.
And we have a very AI-powered threat platform that is addressing the latest threats that are out there, which we're seeing AI threats being very growing a lot in numbers and making it easier to penetrate into the system very easily.
And so, our platform addresses and grows with those AI-powered defenses that we have.
Then we have our Cloudflare coffee shop networking, as well as our DNS filtering use cases where, you know, the idea of just working from an office is so, it's not common anymore.
People are working from anywhere, everywhere, making it just easier to do their work, but in a secure manner without reducing productivity.
And then, I saved the one that's trending the most to the last, our AI adoption.
So, as you guys were mentioning that, Warnessa was mentioning, it's bad to AI adoption is a big use case.
Everyone's been talking about it. Everyone wants to address AI-related threats, even if it's in phishing, it's in access, it's in, you know, just amount of how a workforce is using AI generally.
And then, we're now even seeing AI agents being used all the time and agentic workflows.
And so, we are looking at AI in a wholesome, in a very comprehensive manner and trying to address all of those needs.
And this is just from a SASE side. If you look at our AppSec platform, our developer platform, we're doing other things to address AI security needs as well for external facing LLMs or making it easier for developers to use AI in their workflows as well with our developer platform.
So, we are addressing this very comprehensively across Cloudflare in general.
And then, we do offer a very fast path to safe AI adoption.
And so, the idea is not to address, not to slow down work and not adopt AI just because you're scared of the security risk, but do it in a fast way with the SASE platform that you already have.
It's interesting to see the ecosystem at work. You can see deployments in other areas that are not Zero Trust actually helping than the Zero Trust platform and the other way around as well.
So, you can see the ecosystem building on the ecosystem in terms of capabilities, in terms of leveraging AI without being too much scared of the risks that are around.
Quite interesting to see for sure. Have a great week and rest after all of these blogs that are coming out.
So, have a good rest.
Yeah, this was just the starting of the year. So, I'm really excited to see how much more we do and how many more things are coming.
So, keep an eye out on our Cloudflare blogs to see everything else we're doing.
Yeah, definitely. And that's a wrap.
It's done. Thank you.