Airlines
Booking engine resilience, multi-jurisdiction compliance, NDC API protection, fare scraping defense, and AI-powered disruption recovery.
The problem
When storms, ATC stops, or system failures hit, millions rebook simultaneously while threat actors target the same infrastructure. Delta's CrowdStrike outage: $500M+ losses, 7,000+ cancelled flights. 89% of DDoS attacks end in <10 minutes — too fast for on-demand scrubbing. Airlines cannot scale origin infrastructure for peak-of-peak scenarios that combine attack + IRROPS traffic.
How Cloudflare solves it
Cloudflare's always-on DDoS absorbs attacks before they reach origin. Waiting Room manages rebooking queues with estimated wait times, preventing origin overload. Load Balancing with health checks provides automatic failover. The combination handles both attack traffic and legitimate IRROPS surges without requiring airline infrastructure to scale for worst-case scenarios.
Products
DDoS Protection (L3/L4/L7), WAF, Waiting Room, Load Balancing, Argo Smart Routing, CDN, DNS, SSL/TLS, Health Checks
Customer KPIs
100% booking engine availability during DDoS + IRROPS; Rebooking wait time reduced via queue management; Origin cost reduction by absorbing 10-100x spikes at edge; Sub-second autonomous mitigation vs. minutes for on-demand; Eliminated revenue loss from downtime during peak disruption
The problem
A NY-London flight generates data subject to TSA, EASA Part-IS, NIS2, UK CAA, GDPR, and PCI DSS simultaneously. TSA mandates 24-hour incident reporting. EASA requires ISMS by Feb 2026. NIS2 imposes 2% turnover penalties. No other industry routinely has a single transaction governed by this many frameworks. British Airways' Magecart attack: GBP 20M GDPR fine from client-side payment page compromise.
How Cloudflare solves it
Data Localization Suite ensures PII is processed in required jurisdictions (Regional Services for EU-only, Geo Key Manager for key sovereignty). Logpush streams to SIEM in near-real-time for TSA reporting. PQC protects in-transit data against quantum decryption. Keyless SSL maintains key sovereignty for PCI DSS. Page Shield detects Magecart-style payment skimming.
Products
Data Localization Suite (Regional Services, Customer Metadata Boundary, Geo Key Manager), Logpush, PQC, SSL/TLS (Keyless SSL), Page Shield, DMARC Management
Customer KPIs
Simultaneous compliance across TSA, EASA Part-IS, NIS2, GDPR, PCI DSS; Near-real-time log delivery for TSA 24-hour reporting; PII processing restricted to required jurisdictions; Audit prep time reduced from weeks to hours; Zero client-side payment exposure via Page Shield; Brand impersonation blocked via DMARC
The problem
Airlines share CUTE/CUPPS terminals where one compromised terminal accesses multiple carriers' systems. MRO vendors connect to maintenance databases. Ground handlers access operational systems via broad VPN tunnels. The SITA breach exposed records across multiple Star Alliance carriers from a single compromise point. Air India reported 4.5M records compromised. Traditional VPNs grant overly broad network access once connected.
How Cloudflare solves it
ZTNA replaces VPN with identity-verified, least-privileged access — MRO vendor reaches only the specific maintenance system, not the network. RBI provides sandboxed access from shared CUTE terminals without airline-managed endpoints. API Shield with mTLS secures GDS, NDC, and alliance partner API connections. Email Security blocks supply chain phishing impersonating known vendors. DLP prevents data flow to unauthorized third-party systems.
Products
Cloudflare Access (ZTNA), Remote Browser Isolation, API Shield (mTLS), Email Security, DLP, Secure Web Gateway, Device Posture, DMARC Management
Customer KPIs
Third-party VPN tunnels replaced with least-privileged ZTNA; Shared CUTE terminal access secured via agentless RBI; Partner APIs authenticated via mTLS; Supply chain phishing blocked; Passenger data exfiltration prevented at third-party boundaries; Reduction in third-party security incidents
The problem
When disruptions hit, call centers are overwhelmed in minutes, hold times stretch to hours, and airport agent lines snake through terminals. No other industry requires autonomous agents to handle millions of simultaneous stateful conversations where each involves real-time inventory, fare recalculation, and regulatory compliance. Traditional infrastructure cannot elastically scale from idle to full disruption capacity.
How Cloudflare solves it
Workers and Agents SDK build rebooking agents across 330+ cities that scale elastically. Durable Objects maintain stateful multi-turn rebooking conversations at the edge. Workers AI provides sub-50ms inference regardless of passenger location. Waiting Room manages the queue. Code Mode executes rebooking scripts instead of thousands of API calls, cutting token costs 99%. R2 stores itinerary data with zero egress.
Products
Workers, Agents SDK, Durable Objects, Workers AI, Waiting Room, R2, D1, Queues, Workflows, Code Mode, AI Gateway
Customer KPIs
Rebooking resolution: hours (call center) to minutes (AI agent); 99% token cost reduction via Code Mode; Millions of simultaneous stateful rebooking conversations; Reduced EU261/DOT compensation payouts; Call center overflow reduced during IRROPS; Passenger NPS improvement during disruption recovery
The problem
Airlines deploy AI across revenue management (pricing data), customer service (PII in itineraries), personalization (loyalty profiles), crew scheduling (employee PII). Each processes data subject to GDPR, PCI DSS. Shadow AI accelerates: revenue analysts paste pricing into ChatGPT, service agents use unapproved chatbots with PNR data, ops staff feed schedules into external tools without understanding data residency implications.
How Cloudflare solves it
AI Gateway provides unified logging, caching, and rate limiting across all inference providers — single pane for every AI interaction. DLP prevents PNR data, passport numbers, payment details from reaching external models. CASB discovers every AI tool employees access. Caching reduces redundant inference calls for common queries. Prompt logging creates GDPR audit trails when AI processes passenger data.
Products
AI Gateway, AI Firewall, DLP, CASB, Cloudflare One, Remote Browser Isolation
Customer KPIs
100% shadow AI visibility; PNR/payment leakage to external AI models reduced to zero; AI inference cost reduction via caching; GDPR audit trail coverage for all AI interactions; Shadow AI discovery time: months to real-time
The problem
Airlines have 25,000-130,000+ employees connecting from locations that change daily. VPN architectures designed for fixed offices fail: they add latency to time-critical operational tools, provide overly broad access, and create single points of failure. CrowdStrike showed VPN-dependent airlines suffered cascading failures from a single agent update. Crew scheduling, flight ops, and dispatch require low-latency, always-available access.
How Cloudflare solves it
Cloudflare Access verifies identity, device posture, and location — works identically whether a pilot is at JFK, Heathrow, or Narita. DEX gives IT real-time visibility into operations tool performance at every airport. SWG filters traffic at the edge without backhaul latency. Device Posture applies different policies for managed corporate devices vs. BYOD crew tablets. Email Security blocks phishing targeting crew and ground staff.
Products
Cloudflare Access (ZTNA), Digital Experience Monitoring (DEX), Secure Web Gateway, WARP Client, Device Posture, PQC, Email Security
Customer KPIs
VPN decommissioned across airports, offices, crew hotels; Operations portal latency reduced (no VPN backhaul); Device posture compliance across managed/BYOD; Operational tool availability during endpoint failures (agentless RBI fallback); IT visibility at every airport via DEX; Phishing credential compromise reduced
The problem
NDC creates greenfield API surface exposed to the internet for the first time. Travel agencies, OTAs, meta-search engines each implement NDC differently. Airlines must secure APIs from partners with weak practices, bots probing undocumented endpoints, and attackers exploiting schema differences between NDC versions. GDS previously shielded this data by being a closed network — that protection is gone.
How Cloudflare solves it
API Shield auto-discovers every endpoint including shadow APIs from rapid development. Schema validation enforces positive security — only requests conforming to the airline's NDC spec pass. Rate limiting prevents any partner from overwhelming capacity. Per-partner mTLS certificates authenticate distribution partners. Sequence detection identifies automated booking at machine speed. Ricochet caching: 7x speedup on airline flight status APIs, applicable to NDC offer responses.
Products
API Shield (Auto-Discovery, Schema Validation), API Gateway (Ricochet Caching), Rate Limiting (Advanced), mTLS, Sequence Rules, WAF
Customer KPIs
100% NDC endpoints discovered including shadow APIs; 7x latency improvement on cacheable offer responses; Unauthorized access blocked via schema validation + mTLS; Automated booking abuse detected via sequence rules; NDC partner onboarding: weeks to days; Origin API costs reduced via edge caching
The problem
Fare scraping: 50-90% of booking traffic is bots querying pricing millions of times daily. Damage is economic — each bot query is a false demand signal that causes revenue management to mis-price inventory. Inventory hoarding holds seats in carts without purchasing. Loyalty programs (SkyMiles, AAdvantage, TrueBlue) are valued in billions — credential stuffing steals points and sells access on dark web. British Airways Magecart: 380K cards stolen, GBP 20M fine.
How Cloudflare solves it
Bot Management uses ML, fingerprinting, and behavioral analysis to identify fare scraping without CAPTCHAs or friction. Turnstile provides invisible challenges preserving conversion. Leaked Credentials Detection checks loyalty logins against compromised databases. Page Shield detects Magecart-style skimming on payment forms. Waiting Room manages flash sale and award release stampedes.
Products
Bot Management, Turnstile, Leaked Credentials Detection, Page Shield, WAF, Rate Limiting, Waiting Room
Customer KPIs
50-90% bot traffic reduction restoring clean revenue management signals; Booking conversion increase from eliminating false demand/inventory hoarding; Loyalty takeover incidents near-zero; Zero payment exposure via Page Shield; Infrastructure cost savings from eliminating bot compute; Revenue management pricing accuracy improved
The problem
Centralized booking architectures route all traffic through a few data centers — a passenger in São Paulo booking Tokyo via a US airline makes multiple trans-oceanic round trips per interaction. 100ms latency increase = 7% conversion loss (Google), compounded across 5-10 booking steps. Airline pricing is uniquely complex: fare rules + taxes vary by origin/destination/nationality/currency. China's Great Firewall degrades performance for external booking engines.
How Cloudflare solves it
Workers executes pricing rules, tax calculations, currency conversion, and offer personalization at the nearest edge location. China Network (JD Cloud partnership) provides in-country performance for Chinese routes. Zaraz replaces 1-3 seconds of client-side marketing tag load time with server-side execution. Argo Smart Routing optimizes dynamic booking paths. R2 stores flight data and media with zero egress fees.
Products
CDN, Argo Smart Routing, Workers, China Network, Zaraz, D1, R2, Pages, Load Balancing
Customer KPIs
Sub-second page load globally (TTFB, LCP); 7% conversion improvement per 100ms reduction; Origin offload via edge pricing/personalization; Chinese route booking improvement via China Network; Tag load time reduction via Zaraz; Zero egress on content via R2