Customer Talk Track

Single-page flow, top to bottom.

Opening

"Thanks for the time today. I know we're here primarily to talk about your VPN problems, and we're going to get there."

"But before we dive into the VPN side, I want to take a couple minutes to show you what Cloudflare is as a whole."

"It's going to make the Zero Trust conversation make a lot more sense, because where we fit in your environment isn't always obvious if you only know us from one product."

"Cool with that?"

Wait for them to nod. Don't move on until they agree.

What Cloudflare is

/vpn-vs-zerotrust · Tab 1 is already showing the platform diagram

"Look at the shape of this picture."

"On the left side are the people and devices you need to protect. Employees, contractors, the laptops they use, the offices they work from."

"On the right side is what they're trying to reach. Your apps, your servers, your networks."

"Everything in the middle is us. One network sitting in between, doing the work for both sides."

"And the reason that network is worth taking seriously. We've been doing this since 2009. We started by solving DDoS attacks at internet scale."

"Today we sit in front of about 20 percent of all web traffic on the internet."

"Last quarter we mitigated a record-breaking DDoS attack at 31 terabits per second, and we did it using 6 percent of our total capacity."

"I mention that not to brag. I mention it because that same network is what your Zero Trust traffic will ride on. Security and performance aren't bolted on after the fact. They're built into the same plumbing."

Now they have the platform picture in their head. You can pivot to their actual problems.

"Now that you have the picture of what we are, let me address the three things you brought up last time, one by one."

Problem 1 · Remote developers hitting cloud apps across the globe

The concern: "Our developers in India connect to AWS East. The traffic still has to cross the globe. How does Cloudflare actually solve that?"

Still on /vpn-vs-zerotrust · click the "Do the math · Latency" tab

"This is exactly your scenario right here on this page."

"You're right that the bits still have to cross the ocean. Mumbai to Virginia is about 180 milliseconds one way no matter who you use. We can't break the speed of light."

"What we change is everything else that happens along the way."

"Instead of the public internet, your traffic rides our private backbone between cities. Think highway versus surface streets."

"Instead of rebuilding the connection on every request, it stays open. No setup tax."

"Instead of bouncing through a security box in Virginia, the security check happens at the Cloudflare data center nearest your developer in Mumbai."

"The number we typically see is around 145 to 210 milliseconds on Cloudflare versus 280 to 490 milliseconds on a traditional VPN."

"Not zero. Cut in half. Honest math."

If they're still skeptical: Offer to set up a real test from one of their remote devs to a Cloudflare PoP versus their current VPN. The numbers are the numbers. We can prove it.

Problem 2 · VPN bottlenecks, drops, and contractor access

The concern: "Our VPN is at capacity. Bottlenecks. Daily connection drops. And our consultants can't install our security client. It's a problem for employees AND third parties."

Click the "What VPN costs you" tab on /vpn-vs-zerotrust

"What you're describing isn't a vendor problem. It's a design problem."

"Every employee, every contractor, every device, every request, all funneling through one box. On Monday morning when everyone signs in, the box can't keep up."

"With Cloudflare there is no box. Your people connect to the nearest of our 330 locations around the world, not a central concentrator. The load never piles up in one place."

"That solves the bottleneck and the drops."

"Now for your contractors, the ones who can't install your client."

Open /contractor-flow in a new tab

"This is the contractor scenario animated. Watch the right side of the screen."

"The contractor doesn't install anything. They open a URL in any browser. They log in with their own identity, whatever you allow. Google, Microsoft, even a one-time code over email."

"They're in. Scoped to just the one app you allowed them to reach."

"Nothing on their machine. Nothing for you to manage. Nothing that breaks when their laptop updates."

"And if you want to lock it down further, we can render the app inside a browser running on our infrastructure, so they see and click but nothing actually downloads to their device."

The line worth landing: "Your employees get the fast in-the-background experience. Your contractors get the no-install experience. Same security policy hits both, written one time."

Problem 3 · Server onboarding and RDP/SSH access

The concern: "How do I actually onboard my EC2 instances? And can I secure RDP and SSH servers through Cloudflare?"

Open /onboarding in a new tab

"Let me walk you through this properly, because there are three ways to onboard your server side, depending on what you're connecting."

"One. A single server or VM. Like an EC2 instance running an internal app. You install a small piece of software on the box called cloudflared. Three commands, five minutes. The server calls out to Cloudflare and holds the connection open. Nothing ever comes in from the internet. No public IP. No firewall hole. No port forwarded. From the outside, that server looks like it doesn't exist."

"Two. A whole VPC or subnet. When you've got a bunch of servers and you don't want to install something on every one. You install one connector on one server and tell it 'I speak for this whole network.' Every server behind it is reachable, without ever touching the others. This is the move for legacy stuff you can't modify."

"Three. A whole data center or cloud region. Network-level integration. Same idea but at the network edge. Tunnel from your router, or a literal direct cable between your network and ours."

Open /browser-ssh-rdp in a new tab

"And for your RDP and SSH question specifically. Yes, fully supported."

"This is what an admin actually sees. They open a URL in their browser. They get a full RDP session into your Windows server, or a full SSH session into your Linux server. Both running inside the browser. Nothing installed on their machine."

"Watch the right side. Every command, every click, every paste, all of it logged in real time. If you ever need to answer an audit question about who did what when, the answer is in there."

"We control access at the identity layer, not the network layer. So instead of 'this user is on the VPN therefore can reach the whole subnet,' it's 'this user is authenticated for THIS server, on THIS port, for THIS time window.'"

If he asks about the difference between CDN and Zero Trust: click the "CDN vs Zero Trust" tab on /vpn-vs-zerotrust. Two pipelines side by side. Public side is "anyone can show up, we filter the bad stuff." Zero Trust side is "no public door, identity verified first." Same network, two jobs.

Close and next steps

"So that's the three things you brought up, addressed one by one."

"One. Latency for remote developers. Cut roughly in half by riding our private backbone instead of the public internet."

"Two. Bottlenecks and contractors. No central box, and your third parties can be in within minutes without installing anything."

"Three. Server onboarding and RDP/SSH. Three patterns, all outbound-only, full audit trail on the privileged access."

"What I'd suggest as the next step is I put together a short architecture document specific to your environment. The PHI flow through Cloudflare for the HIPAA piece, plus a specific recommendation on each of the three problems we just walked. Can I get back to you within a week?"

"In the meantime I'll loop in our account team on the Enterprise conversation and the BAA process, so by the time you're ready you're not waiting on paperwork."

"What questions do you have for me right now?"