Telecommunications
AI application delivery, unified API security, network DDoS protection, Zero Trust for 100K+ workforces, and edge compute for converged platforms.
The problem
Operators lack a unified platform for edge inference across multiple AI providers. Centralized GPU clusters add latency for subscriber-facing AI applications. AI costs are growing at 35%+ CAGR (IDC) without visibility into per-provider spending. Each AI provider requires separate integration, monitoring, and governance. Agentic AI workflows require persistent state management unavailable in traditional serverless environments.
How Cloudflare solves it
Workers AI runs 50+ open-source models on serverless GPUs across 330+ cities, enabling edge inference without centralized GPU clusters. AI Gateway provides a single control plane across OpenAI, Anthropic, and Google with caching (up to 90% latency reduction for repeated queries), rate limiting, dynamic routing, and cost observability. The Agents SDK enables autonomous AI agents with persistent conversation state via Durable Objects for multi-step customer issue resolution workflows.
Products
Workers AI, AI Gateway, Agents SDK, Workers, Durable Objects, Vectorize, D1
Customer KPIs
AI inference cost reduction through caching and provider optimization; Reduction in AI application deployment time (minutes, not weeks); Subscriber self-service resolution rate improvement; AI provider cost visibility and budget adherence; Edge inference latency vs. centralized GPU alternatives
The problem
Legacy signature-based WAF rules miss zero-day exploits targeting subscriber APIs and portals. Static DDoS thresholds cause false positives during traffic spikes from device launches and live events. Operators lack threat intelligence specific to telecom infrastructure (SS7, SIM-swap, BGP hijacking). Manual threat mitigation cannot scale against automated, AI-powered attack tools.
How Cloudflare solves it
Bot Management uses supervised ML trained on billions of daily requests to assign bot scores (1-99) for granular policy enforcement. WAF Attack Score identifies zero-day patterns before signatures exist. Adaptive DDoS Protection learns operator traffic patterns and auto-adjusts thresholds. JA3/JA4 TLS fingerprinting identifies malicious clients by SSL/TLS signatures. Cloudforce One delivers 70% unique IOCs from 1T+ daily request telemetry.
Products
Bot Management, WAF (Attack Score, Managed Rules), Adaptive DDoS Protection, Cloudforce One, JA3/JA4 Fingerprinting
Customer KPIs
Reduction in credential stuffing and account takeover attempts; Zero-day detection time improvement (signature-less); False positive rate reduction through ML scoring; Unique threat IOCs consumed per quarter; Automated vs. manual threat mitigation ratio
The problem
Operators manage 50-100+ point security vendors with fragmented visibility. Shadow APIs proliferate as digital services expand rapidly. GSMA Open Gateway endpoints require positive security models that legacy WAFs cannot enforce. DDoS attacks cause unplanned downtime for subscriber-facing services. Bot-driven credential stuffing targets account portals and device upgrade flows.
How Cloudflare solves it
WAF deploys managed rulesets (Cloudflare Managed, OWASP Core, Exposed Credentials Check) with single-click protection. API Shield discovers all endpoints including shadow APIs using ML, validates against OpenAPI schemas, enforces JWT auth, and applies per-endpoint rate limiting. DDoS Protection provides unmetered L3/4 and L7 mitigation with autonomous detection. HTHK deployed this combination, eliminating unplanned downtime and discovering shadow APIs with zero-downtime migration.
Products
WAF, API Shield, Bot Management, DDoS Protection, Rate Limiting, Turnstile
Customer KPIs
90% reduction in malicious traffic and costs; Shadow API discovery (target: 100% catalogued); Unplanned downtime eliminated from DDoS; Security vendor consolidation (50-100+ to platform); Time to protect new API endpoints; FCC and UK TSA compliance
The problem
On-premise DDoS scrubbing appliances from Arbor (Netscout) and Radware have finite capacity limits that hyper-volumetric attacks exceed. Standard DDoS rulesets cannot protect proprietary UDP-based protocols used in VoIP, video streaming, and gaming. BGP route management between operators and DDoS mitigation providers is manual and slow. DNS infrastructure is vulnerable to fully randomized query floods.
How Cloudflare solves it
Magic Transit accepts packets for telco IP prefixes, inspects for attacks, and forwards clean traffic via anycast GRE/IPsec or CNI. Advanced TCP Protection uses stateful inspection for randomized ACK floods. Advanced DNS Protection mitigates randomized DNS attacks. Programmable Flow Protection (March 2026) deploys custom eBPF logic for proprietary telco protocols. BGP peering over Direct CNI enables automated route exchange. 500 Tbps network capacity exceeds any scrubbing center.
Products
Magic Transit, Network Firewall, Advanced TCP Protection, Advanced DNS Protection, Programmable Flow Protection, CNI, BYOIP
Customer KPIs
DDoS capacity (500 Tbps vs. on-premise limits); Sub-second autonomous attack detection; On-premise scrubbing appliances decommissioned; Network uptime for VoIP/video/gaming; Custom protocol protection via Programmable Flow
The problem
VPN concentrators create single points of failure and performance bottlenecks for distributed workforces. Broad network access from VPN connections enables lateral movement after compromise, as demonstrated by Salt Typhoon. 200+ SaaS vendor relationships create shadow IT and data leakage risk. AI tool adoption (ChatGPT, Copilot) by employees creates new data exfiltration vectors. FCC CPNI rules require strict controls on customer proprietary network information.
How Cloudflare solves it
Access (ZTNA) verifies identity, device posture, and context before granting least-privileged access to BSS/OSS, network management, and CRM. Secure Web Gateway blocks malicious domains and enforces acceptable use. Browser Isolation sandboxes AI tool access to prevent data leakage. CASB discovers shadow SaaS across 200+ vendor relationships. DLP scans for subscriber PII and network configuration data. Email Security blocks AI-enhanced phishing targeting operations staff. Enforced at 330+ cities, not centralized gateways.
Products
Cloudflare Access (ZTNA), Secure Web Gateway, WARP, Browser Isolation, CASB, DLP, Email Security, DEX, Device Posture
Customer KPIs
VPN concentrators retired; Contractor onboarding time reduction; Shadow SaaS discovered and governed; DLP incidents detected and blocked; Access latency improvement vs. VPN; CPNI compliance
The problem
Subscriber portals, device upgrade flows, and loyalty platforms serve tens of millions of concurrent users with traffic spikes during device launches and promotions. Origin infrastructure cannot handle peak loads without expensive over-provisioning. High page load times directly impact subscriber satisfaction and digital self-service adoption rates. Distributed subscriber bases across large geographies require edge delivery.
How Cloudflare solves it
CDN caches content across 330+ cities for fast page renders. Argo Smart Routing optimizes paths around congestion. Load Balancing provides multi-origin failover with health checks. Waiting Room manages device launch and promotional traffic peaks. Embedded cache program places CDN hardware inside operator networks at aggregation points. TELUS achieved 65% page load reduction and saved C$11.8M over 3 years. HTHK achieved substantial origin offload and page load improvements.
Products
CDN, Argo Smart Routing, Load Balancing, Waiting Room, DNS, SSL/TLS, Cloudflare for SaaS
Customer KPIs
Page load time reduction (TELUS: 65%); Origin offload (target: 80%+); Peak event availability (device launches); Digital self-service completion rate; CDN egress cost reduction; Vendor consolidation savings (TELUS: C$11.8M/3yr)
The problem
Centralized cloud infrastructure adds latency for real-time subscriber interactions and IoT device coordination. Building and managing edge compute infrastructure at scale requires significant capital and operational investment. Each converged service (wireless, FWA, fiber, IoT) requires different provisioning and state management. GSMA Open Gateway API exposure requires both compute and security at the edge.
How Cloudflare solves it
Workers runs application logic at 330+ locations for geographic personalization, A/B testing, eligibility checks, and token validation. Durable Objects provide consistent state management for session handling, IoT device coordination, and converged billing counters. D1 provides edge SQL for subscriber profiles and device inventory. R2 stores firmware images, config files, and subscriber media with zero egress. Workers for Platforms enables multi-tenant developer platforms for GSMA Open Gateway partners.
Products
Workers, Durable Objects, D1, R2, Workers for Platforms, Queues, Workflows
Customer KPIs
Edge compute latency vs. centralized cloud; Developer infrastructure management time saved; Converged service features deployed per quarter; API monetization revenue (Open Gateway); IoT operations at the edge; Zero egress on firmware distribution via R2