·Mock Discovery · Secure Access Corp

Mock Discovery · Cheat Sheet

Left = the flow with landing lines. Right = landmines and honest deferrals. Bullets are talking points, italic quotes are how to lean in.
Rules Discover before you pitch · Architecture before dashboard · Ask permission before demos · "I don't know" is fine · write it down · Commercial → AE
1
Give them the floor
10-15 min
I'd rather understand what you're dealing with than show you a bunch of stuff that might not matter.
  • Quick intro · you, SE on the account, AE is out, commercial questions get parked
  • Frame · you want to understand their environment first
  • Then shut up and let them talk
What you need to leave the call knowing
  • Users · how many, where, contractor vs employee split
  • Apps they access · web / SSH-RDP / thick-client / SaaS
  • Where apps live · DC / AWS / Azure / hybrid
  • Current access story · VPN / ZTNA / both / vendor names
  • What's not working · in their words, not yours
  • Compliance drivers if any · timing · who else decides
2
Who Cloudflare is + broader platform
5 min
Before I zoom into anything specific, one quick picture that explains why our answer to this looks different than most vendors would pitch.
  • Only after they've talked · not before
  • Company frame · connectivity cloud · 330 data centers · ~95% of internet within 50ms
/network-map Zoom out. Let them see the dots. "The footprint is the product."
/vpn-vs-zerotrust Tab 1 · platform & connectivity. Point at the six hexes. One line each.
  • Zero Trust · what we're mostly here for
  • WAF + DDoS · same footprint blocks bad traffic
  • Workers · run code at all 330 locations
  • R2 · S3-compatible storage, no egress fees
  • AI Security · governance for what people paste into ChatGPT
  • Magic WAN / Transit · MPLS and firewall replacement over time
3
The bottleneck
7-10 min
The reason your VPN's hitting a wall isn't licenses, it's the design.
  • Frame first · VPN = pipe onto your network · ZTNA = broker in the middle, never on your network
  • The bottleneck is architectural · concentrator, DPI hop, trombone routing
  • Cloudflare's model has none of those · anycast lands them at closest data center, private backbone carries it
/vpn-vs-zerotrust Tabs 3, 5, 6 · VPN cost, side by side, latency math. Only Tab 6 if latency is a concern.
/argo Only if they name a specific region-to-region pain. Pick that region, show hop table.
4
Contractors
5-7 min
Contractors is actually two different problems with two different answers, so let me draw the line.
  • Web app (HTTP/HTTPS) → send them a URL, browser opens, SSO, done · no WARP, no install, no admin rights
  • Non-web (SSH, RDP, thick-client, database) → WARP or browser-rendered SSH/RDP
  • Can't install anything at all? → SSH and RDP render inside a Chrome tab · nothing to install
/browser-ssh-rdp The "you don't need to install anything" punchline.
  • Why this isn't just another VPN client · VPN puts you on the network, WARP doesn't · blast radius is one app, not your network
5
Deployment · two halves
5-7 min
There's two halves to rolling this out. Getting users onto Cloudflare, and getting your apps onto Cloudflare. Neither one is a hardware install.
Endpoint side · getting users onto Cloudflare
  • WARP client · push via MDM (Intune, Jamf, Kandji) or user-driven install
  • IdP hookup · Okta / Azure AD / Google Workspace / anything SAML or OIDC
  • Define apps and policies in the Zero Trust dashboard · per-app, not per-network-segment
  • Device posture optional · disk encryption, OS version, EDR agent checks before allowing access
Server side · getting apps onto Cloudflare
  • cloudflared tunnel · small daemon on the server, outbound connection to Cloudflare, zero inbound ports
  • WARP Connector · one install on a subnet gateway, whole subnet reachable
  • Both outbound-only from your side · no firewall changes, no new inbound rules
6
WARP or no-WARP · how to decide
3-5 min
There's one question that decides whether someone needs the client or not.
  • The question · is the app web (HTTP/HTTPS) or something else?
  • Web only → no WARP needed · Cloudflare Access in front · user hits URL, SSO, in
  • Non-web → WARP or browser-rendered path · WARP if they own the device, browser path if they can't install
  • Mixed environment · WARP for employees (fuller experience, device posture), URL-only for contractors and BYOD
  • Same policy engine either way · WARP or no-WARP, the access decision is identical
7
Close
2-3 min
Before I let you go, let me play back what I heard and make sure I'm not walking off with the wrong picture.
  • Play back the top 3 pains they surfaced · in their words
  • Recap what you showed and how each demo maps to a pain
  • Name any "I don't know" items you owe them
  • Propose a specific next step · technical deep-dive, POV, follow-up with AE
  • Get a date before you drop off · "we'll be in touch" is a fail

Landmines & honest answers

The stuff you should not improvise. Lean on these, don't guess.
The "I don't know" line · your safety net
Great question. Rather than guess, let me get you the tested answer and follow up.
Then: write it in the follow-up slot below and actually follow up. This line works for technical AND commercial questions. Sounds confident, not weak · you're framing it as respecting their question, not admitting a gap.
Pricing · contract · procurement
Defer to AE. "That's exactly the piece I want your AE to walk through when they're back."
Specific latency number for their stack
Don't commit. "Let me run a test from a Cloudflare probe in your region to your actual endpoint and get you the measured number."
"Does Zero Trust actually solve latency"
Physics has a floor. ~180ms round trip Mumbai to Virginia. Nobody beats it. What we eliminate · VPN handshake round trips, DPI at the concentrator, trombone routing. Roughly half the total. Not zero. Half.
"Just another VPN client"
VPN puts you on the network. WARP does not. On VPN, anything on the network is reachable. On WARP, you're connected to Cloudflare and stitched to one app at a time. Blast radius is one app, not your network.
"We already have role-based ACLs on our VPN"
ACLs on a VPN are network permissions and they drift. Segments blur, engineers move teams, ACLs don't get updated. Cloudflare is per-app, not per-network-segment. Every session re-verifies. Okta group change = access change on the next request.
"Can we secure SSH and RDP"
Yes. Two paths. WARP on the machine, or browser-rendered SSH/RDP with no client at all. Same policy engine either way.
"How do internal servers get onboarded"
cloudflared tunnel (per-server) or WARP Connector (per-subnet). Both outbound-only. Zero inbound firewall ports opened.
"What if Cloudflare goes down"
Anycast across 330 locations. Any single location issue, traffic reroutes automatically. For deeper resilience specifics · "let me get you our architecture doc rather than improvise."
"What else does Cloudflare do"
Zero Trust · WAF + DDoS · Workers · R2 · AI Security · Magic WAN / Transit. Point, name, move on. Don't demo any of them.
Dashboard "where do I click" question early
Acknowledge and defer. "I'll show you exactly that in a second. Let me finish the architecture picture first."
Competitor comparison · Zscaler, Netskope, Palo Alto
Don't trash them. "Fair question, they're all solving pieces of this. What I'd rather do is describe how we approach it and you tell me where the gap is." Then keep going.
Follow-ups I owe · fill in during the call