Post-Quantum, Deepfakes & Agile SASE: Cloudflare One's Biggest Week

Hello everyone and welcome to this week in net. We're back for another March edition and for another topical episode. Last week we had a chat about Claware new 2026 threat report and now we have an addition related to our sassy blog takeover. So it's full of announcements related to sassy secure access service edge. I'm your host Jean based in Lisbon Portugal as usual in the caller Lisbon office library. And before we go into this conversation, why not do a run through of our blog because other than SAS related blogs, we also had many other cool blogs that we should mention. Just to pick a few, AI security for apps is now generally available. So in this case providing a security layer to discover and protect AI powered applications regardless of the model or hosting provider. It's what is this about? We are also making AI discovery free for all plans to help teams find and secure shadow AI deployments. Uh always relevant these days. Also slashing agent co tok to token costs by 98%. It's another blog. It's all about how Clothler now returns RFC 9457 compliance structure markdown and JSON error payloads to AI agents. So it's replacing heavyweight HTML pages which machine readable instructions. This reduce um token usage by over 98% brittle parsing into efficient control flow. Really important these days of course active defense another blog post introducing a stateful vulnerability scatter for APIs called new web and API vulnerability scanner helps teams proactively find logic flaws. So another announcement on the front of hardware. If you like hardware let's just give one piece of news. In this case, it's all about Clothther partnering with Nvidia uh regarding Neotron tree super which is launched now with Cther and of course it's across now our developer platform in this case is all about having more parameters 100 billion total parameters. It's all about making models more efficient or better really. If you like developer developments per se, um we've been shipping as crazy in terms of new features, new stuff just dropping not only on agents SDK. We spoke about uh code mode in previous episodes, but also workflows integration. There's workers related novelties. For example, workers are no longer limited to 1,000 sub requests per invocation. There's many things you should look at. So for that check our blog and also uh our change log. And now without further ado, here's my conversation with Waressa Weaver, senior product manager, but also Yumna Muazam, a senior product market manager. They were the ones responsible for the SAS blog takeover. Hello and welcome. Thanks for having us. Can you explain why not Waressa? Where are you based? I think you're both based in same place, right? Yeah, I'm Vanessa. I am based in Texas. Me too. I'm in Texas. Yeah, a little north of Vanessa in Dallas here. And for those who don't know, what can we explain about having a sassy takeover week specifically, what is this week about and how it came to be? So, um you know in this year we have been really focused on our sassy platform. We want to make sure that everyone is aware that we have a very agile platform that is very composable and uh programmable for everyone. It fits organizations needs. And we also wanted to make sure we're addressing uh what companies are talking about right now, what is front of mind for them. And so we spent a lot of time coming up with our these blogs that are addressing real needs of our, you know, CISOs, CIOS. And that's what you're going to see as we dive deeper into these blogs is all their security needs, all their front of mind needs like simplicity, governance, um, being met, um, and us just going deep into our platform and trying to enhance all the features that we have. Yeah. And I also want to add to that, we also thought it was extremely important for us to showcase some of our partners and our network and talk about how they are using our Sassy platform to really help their clients modernize their Sassy architecture. And um a lot of what we learned there, you know, was was extremely eyeopening and so it was really great to be able to showcase those stories as well. I remember uh doing this show early on with John Graham He was our co at the time and editor and chief of the blog and he was mentioning all of these names sassy siso like siso different um names for different things. Do you still feel sometimes overwhelmed on the abbreviations that are around with so many names? Honestly, it's just the nor like on it's just it's just the way that the way that we we speak. Um so many I think so many of these abbreviations are just like second nature to us at this point. we don't even like really think about like you know the I guess the more spelt out terms of like what's behind these acronyms and abbreviations but ultimately you know the story behind each of them are essentially what like makes the work that we do here so important also curious about and you wrote a blog post about the blog takeover specifically what is agile sassy what can we say there for example that's one of the the principles as well right you want to answer from a GTM perspective. Yumna. Yeah. So, agile sassy, it's another term that we're using to just describe how our platform is so composable where it makes it can fit the organization's needs rather than having a rigid collection of tools that are not speaking to each other. And we see that in the market a lot of times with acquisitions going on with a lot of you know companies end up doing is just bringing in different tools and saying oh now we have a complete platform versus making sure the tools are actually speaking to each other making sure those connections um uh and visibility and logs are transferable with each other. And so that's what our platform does really well. And then it's also you know um that's one part of it. We're also talking about easy to use. We're also talking about it being programmable also how the journey starts. Every organization is different. Maybe they want to start with clientless access versus having a device client installed on every device. And so we provide all these options to make it very easy for organizations to start where it's needed and secure the most risky stuff first. So if you have a lot of third party contractors or you have a lot of partners that you're working with with um it might be easier to use our clientless access option to start off versus having device clients installed on everything. And so, you know, just having that flexibility, having that easy to use platform is what we are what we call agile plat agile sassy. What do you think, Vanessa? Anything else you want to add here? Um, I think the only other thing that I would add to that is probably just sort of like double clicking on the composable and programmable programmable piece. Um, and really talking about how Cloudflare 1 is natively built on top of Cloudflare's global network, right? So, you don't have like sometimes when we look at like more legacy sassy vendors, um, things are just bolted on uh, via through acquisition, you know, or something different. And so you don't really get the advantages that we see or that our cloud for one customers will see with um the cloud for one platform being built on top of the global network that we already have that exists and spans over 300 cities. Um so that I think that's that's one piece that I would uh add there. The global network part is a really interesting um part too because it does reduce a lot of latency in our platform and does help bring um those connections faster and those that security faster and so because we are everywhere we can provide you with better performance as well. Makes sense. Actually, there are so the week was spread out. It was not only a week, it spread out in terms of days over a week in this case. And we had and you were mentioning a bit of that this blog post called the truly programmable sassy platform. Uh very specific one in terms of what programmality programility actually means building the most programmable SAS platform. So there's a lot there. what is that specifically trying to to achieve and in this situation? Yeah, so you guys spoke a little bit about how some of our competitors are a lot more rigid in what they offer and like I just said, Cloudflare one runs on the same network as the rest of our Cloudflare offerings, including the developer platform, right? So what that means is that each of our services are all running on the same levels. they're all running on the same servers. And so we kind of, you know, we get the advantage of being able to quickly call into any of our products that are within various um sectors of what we offer at Cloudflare. So essentially what we talk about when we're saying program uh programmability or composability is that we know every customer has a different need um as far as their security architecture and the products that they're going to be deploying. And what Cloudflare 1 offers is the ability to customize that um our offering to fit what it is that you need at your company within that time. Right? So for example when we start to think about um our customers we want to enable them to actually extend policy decisions with like custom logic in real time. So instead of some of the predefined actions like if you see this I want you to block or if you see that I want you to allow or a log you can actually dynamically inject certain actions into those policies. So for example, if the if we have a gateway um policy match, instead of just being limited to those specific actions, you can invoke a Cloudflare worker directly and that will run your code at the edge in real time with full access to the request content. So we've seen some customers use this in very unique ways. um for example building out a worker to just identify if a device has been inactive for a spe a specified amount of time and if so revoking the registration and requiring the user to reoff and this was done because the way that we currently have um this tool set up it's done on like a per app basis and for this particular customer the per like the per app way is not the way they wanted to actually invoke this they cared about a time limit right so instead of having to submit the feature request, wait for it to get prioritized and actually developed and implemented. They were able to easily go in, build a worker and um and use that programmability in order to be able to quickly get the fix that they needed. Absolutely. There's a few examples in the blog specifically as well, right? Yeah, definitely. And the blog actually uh goes a little bit more into um how you'll see us like really deepen that integration and and make it more native. So, we want to get to a point to where you can actually create these custom actions directly in the Cloudflare gateway policy builder versus having to go out um directly to the worker side and and build there. Makes sense. Early on, even before that, we we had a a blog post uh that connects something that really close to heart in terms of Cloudflare, which is um postquantum encryption, but in this case uh to Cloudflare one to SAS offering. Yeah, this is something that we're really excited about. Um, we are the first world's first sassy platform to ship modern standards um compliant postquantum encryption. While the rest of the industry is starting to talk about quantum uh quantum readiness, we're delivering it in GA today. So, something interesting that's happening these days is attackers are using something called harvest now decrypt later. They're starting to steal information and then just sitting on it even though it's encrypted waiting for um um waiting for computers to um you know powerful quantum computers to become available so they can then crack that information and that's where um other um security organizations like NIST have set a deadline of 2030 um or something for every organization to address this kind of threat. We um did that right now. We are delivering this um in GA where we are saying that we have implemented you know hybrid ML key K chem or KM uh which provides quantum safe protection without sacrificing any security. And so this isn't just a feature. We provide full um access across cloudfare IPSec cloudfare one appliance and our security gateway. And um we're you know it's part of our easytouse story. It's part of our story of how we want this our organization to be ahead of threats um that other that we are seeing come into the market. Absolutely. Uh and postquantum is really one of those things that has been uh really important for CER since uh a few years now. And uh it's definitely u scary to think that encryption could be broke even with older data. So quite important to to see in a more sassy uh corporate perspective as well. Right. Where should we go next in terms of uh blogs? Anything we want to highlight more? Want to get into some of the um addressing identity? So maybe mind the gap. Yeah, let's do that. Um, that's actually a great title. Mind the gap. New tools for continuous enforcement from boot to login. Very British. Mind [laughter] the gap. Veressa, do you want to um Yeah. Um, okay. So, line the gap. I I think like one of the really like a good call out um when we were building the narrative for the Sassy blog takeover is we didn't want to just create a blog for every new feature or every new capability that we had. We really wanted to put together a story and a solution for our readers, right? And so what you see in this blog is what we're addressing from our Cloudflare one client side, but then also Cloudflare access. And um so we have two different features that this blog is is essentially addressing. And the first one is all around when you have a new employee or um and you know they receive their device in the mail and it's like until they actually set things up um they're not really being protected right because the client isn't necessarily installed. Um, and so you kind of have this like black box or black space or a gap essentially uh where anything could happen and you could you you're totally unaware to it. And the the other piece of this is it can also happen when um a session expires and the user has either just forgotten to read off or they have intentionally chosen to not read off and you know kind of bypass that restriction. And so what this offers is a new way for us to actually close that gap so that you no longer lose the visibility and your security posture remains intact until the local machine allows it. So, it's us using the firewall to come in and to block the access to the internet in order um to in order to ensure that the person who is behind the keyboard, you know, isn't doing anything malicious or sometimes even unintentionally but could be could actually be risky and eliminating that risk across the board. So, that's that's from the the Cloudflare one client side. But then we also sort of get into uh what are we doing for Cloudflare access? And so the second portion of this blog talks about closing the loop on um you know when we when we do have our your your own you you have something signed up for through like your primary security anchor whether it be OCTA or Google. um you know it may require MF MFA at the initial login but what we actually really need to do is create this secondary route of trust. So Cloudflare one um and Cloudflare access is now offering independent MFA. So it's essentially a secondary way for us to ensure that um whoever it is that is logging in um actually should be logging in. And so we can do this through a few different ways. um it could be either through biometrics, it could be a timebased, one-time uh password or even a security key. And so um this really gives the administrators the flexibility to determine how users have to um authenticate and also how often it needs to be done. So, these are, you know, two really good ways that we're helping to close this gap that um you probably don't really even think about uh because how often does it actually happen or how you know how often does it occur but um these are two of the most risky gaps that that we have um identified in the access world. It's really interesting uh even in the fact that uh we I did an episode about the the threat our threat report and definitely the ways that attackers are using to explore even multiffactor authentication is quite scary in a sense. So having many options and protections in place definitely uh it's important uh in this situation right? Yeah, definitely. And I think even that that threat report uh could probably bring us to maybe our next blog, EMA, where we talk about a partnership with name tag. Um so maybe we want to hop over to that one. Yeah, that's a good idea. That was another um blog that we, you know, where we're addressing um access and how we're improving um or addressing AIdriven fraud these days as well as deep um deep fake. Um yes, that's one. That's the one. um it with with you know AIdriven frauds we're seeing a massive rise in ghost employee operations as well as sophisticated lab laptop forms and so we're seeing a lot of attackers using AI to pass video interviews and fabricate IDs. So um what you know what we wanted to do was um make sure that we are addressing these these gaps in security. Um while zero trust is great at verifying device as well as credentials this is a new threat that we want to address um where we want to make sure that the person holding the device is is not a fraud right um and it's not AI driven um and so what we did was we partnered with name tag um where it's we're directly integrating um uh with cloudfare um uh workforce verification And so with name tags um deep fake defense engine within our access policies, organizations can now require a quick selfie as well as a government ID scan to make sure the person that's using the device is an actual person and not just um an AI or ghost employee trying to get into the system. And so um this this ensures that uh the right person and a real person is actually um getting into the system and is another deep layer of um you know making sure zero trust works for you and our platform is addressing the latest threads that are out there. Yeah, there many details in the blog in terms of the how it works even images and the layer defense specifically also uh highlighted here. Um, it's a cool one for sure. Anything we want to say more uh in terms of uh other blogs? We had so many blogs last week. Not all the blogs are related to to the SA SAS takeover, but um many are. Where should we go next? Um what was our last one? Uh what about the user risk scoring war or adaptive access? Oh, adaptive access. Yeah, let's do adaptive access. Which one is that? It's stop it's like stop breaching. Stop reacting to breaches. Yeah, stop. Yeah. Stop reacting to breaches and start preventing them. I was there. You know, we should have g they all have one uh tag that's alike. We should have given you that link. Um so then you wouldn't have had to at least dig through so many different ones. That's true. There's many last week, but here it is. Stop reacting. Stop reacting to breaches and start preventing them with user risk scoring. What is this about? So, um, user risk scoring is a a really critical feature. It's almost impossible to kind of be everywhere at all times, right? To build these policies that are going to block everything. And um, what user risk scoring does is provide you with a a more continuous view and a continuous scan of like what your users are actually doing uh, on the network. And so with user risk scoring, we are able to set up um very like kind of lightweight policies around specific detectors or triggers um and and then essentially take action based off of if a user's risk score hits that certain level, right? So um instead of having a more binary approach, it allows you to be a little bit more dynamic. And so for example, you may say um you know, you may have policies that are actually built around um various DLP detections, but user risk score allows you to say if someone hits 15 DLP detections, you know, within this certain amount of time, then they should no longer be able to access these specific tools or they should, you know, they we can kind of switch that up, right? And so um a lot of what we've done in the user risk waring was was essentially that. But what we did um and what we announced for our Sassy takeover is that we now uh we now have adaptive access. So instead of just saying, "Hey, let me know if Yuna hits 15 uh DLP detections," it's like if this person does hit 15 DLP detections, then I now want to label them as a medium risk. And if you are medium risk, then you cannot access these specific sets of applications. So it really takes it from a more um you know, just kind of visibility into like actually putting things into action. And so you're able to take these risk scores and now quickly and easily apply them into your existing access policies to you know as a as an additional piece of um data that we go and calibrate on before we make a decision on if someone is allowed to access said application. And additionally um isn't we all we we also are allowing third party signals from crowd strike or sentinel one to come into um and work with these access policies right Vanessa? Yeah. Yeah that's correct. So you can, you know, you can take some more endpoint um triggers, right? So maybe there's some device posture um insights and we can actually take those um use them along with with other um telemetry that we have uh with within our Cloudflare one network, put those together and then make decisions based on it. What is this about then? The data security vision for in Cloudflare 1. What is this about? Yeah. So, um sort of like I said earlier, we we really wanted to make sure that we were telling like full narratives and and giving you um a singular solution, right? And so, uh the from the endpoint to the prompt uh unified data security vision is is also just that. So this this blog talks about a couple of different areas across call for one where we are implementing new data security um features and capabilities. And so when you start to think about it, uh, you know, when you hear data security, you think DLP, you know, you think about CASBY, but you may not necessarily think about browserbased RDP, right? But with browserbased RDP, we want to make sure that we are continuing to like actually secure that um that entryway for you know we have a lot of like contractors and partners and and various um customers who actually kind of on-ramp through there because they can't necessarily um download like the call for one client into their device. And so with uh browserbased RDP what we just announced is actually being able to uh apply clipboard controls. So with these controls we are giving administrators the ability to enable various copy paste workflows for users um and then enforce granular controls over um the context of of which right so essentially being able to look at if the user um if is accessing a customer support portal uh which may contain like some sensitive customer information then you know we may allow them to copy and paste into the session. However, we might block copy and pasting out of the session, right? Just because we want to prevent that data from leaking onto a endpoint device that is actually being unmanaged um via the company. So, that's like one really good way that that we're doing that. Um, another key feature that we talk about here is AP AI visibility in um into Microsoft 365 copilot. So, in Q3 of last year, we had our AI week where we did a ton of new functionality around generative AI protection. And um you know, this was this uh this supported us actually going in and be able to apply DLP content and instant categorization to prompts and um and attachments from uh a group of generative AI providers. Uh and at the same time it also allowed us to enable similar protections through CASBY um in a more retroactive way, right? So being able to go through and scan all the prompts that have been sent um and then notify administrators on what we found after the fact. And so one of the things that we did uh via the Sassy takeover this year is actually going in and adding a new generative AI provider for that functionality within CASB. And so now you're able to do those same types of um scannings through Microsoft 365 Copilot. So I'm sure a lot of our customers are going to be extremely uh happy if they're, you know, kind of in a Microsoft uh a Microsoft house um within their company. And so they now uh are getting this this AI visibility that they once weren't not getting. Um and last year um when Oranessa mentioned that we did a couple of uh integrations with CASBY. Now um we're doing AI integrations with Chad GBT cloud Gemini and Copilot. So it's a it's a broad range of the most popular platforms that we're covering with our API integrations uh with CASBY which is very exciting. Makes sense. So, um, well, I think one of one of the things that I like actually enjoyed, I probably enjoyed this the most out of, uh, you know, all the things that I did with leading the Sassy takeover from, uh, the the product side for this year was being able to work hands-on with our partner network and learn from them about um, you know, the various situations that they challenges that they come across. Ross when they're helping our customers on board to cloud for one and uh the the the two people the two people that I talked with at both adapture and tact were some of literally the most favorite conversations that I've had. It's just great to hear um partners from our network be so stoked not only about what we are building but like what we have already built and what we're offering. And so this blog um you know kind of has has a couple quotes here and there where they talk about how the work that they were doing with some of the more legacy sassy vendors would take them 18 months and coming to Cloudflare 1 and deploying some of our products like Cloudflare Access uh and they actually see this decrease in where they're able to deploy it within four to six weeks and so um I think this is a fantastic like just look into what our partners see every day. Um, and you know, not only talking to like at Adapture, I spoke with Greg O' Conor who leads their strategic partnerships. Um, but then I also got to speak with a lot of their solutions architects and like the people who are literally, you know, have their boots on the ground and are actually working with um, our customers alike. And so this is a a really good um, blog into seeing what is their experience like and what are they most excited about. Um, and I think like from Kyle at Tech Tech, he talked a lot about programability. And so we talked about that blog and um, it's just really cool to see that we have people, customers and partners who have challenges and the way that Cloudflare One is structured, they're able to like quickly go in and um, and and build a solution that works just for them. You know, Kyle was able to do that for some of his clients as well. really interesting to see especially with people using more and more and companies using more and more AI having safeguards having many perspectives uh regarding public LLMs is quite important to see specifically as well right yeah most definitely um I think Greg even spoke about just um you know speed was always really important for people uh you know the longer your migration project is that's literally more money coming out just to like you know fund that. Um, so speed has always been important, but really with the way that um the way that generative AI and AI as a whole is just kind of like kind of taking over um instance speed has become just the number one uh priority for a lot of our partners and our customers. And so our AI security suite is a really good way for them to um be able to access and to control that. Uh I think we we like to say we are the fast path uh to AI. Um and so you know we have some stories and about how we offer that as well. Makes sense. Uh there's many blog posts uh in including on that regard uh the building security overview dashboard. There's there's another one I want I I saw recently. Let me see if I can fetch it. It's uh yeah here it's this one. Beyond the blanks late how caller accelerates your zero trust journey. It's also related uh right? Yeah. Um so this blog is is more of a internal tool but the good thing is that you know our customers they get to they get to reap the benefits of it. So um when it comes to like actually onboarding and deploying a new product or solution uh you know you really start from blank slate uh there's there's there are no there's no templates there's no right way to do something right and so um what our SE team at Cloudflare 1 has done they've put together just that they've put together some of the best practices and naturally not every company is the same and so you know we don't make assumptions uh but foundationally uh we want to make sure that customers are coming in and with this um they're coming in and we're able to quickly take them to to step one, right? From from that bank blank slate to step one. So, um, what that project does is, um, there are like some Terraform templates that we're able to apply to your, uh, into your tenant or into your account to get you going so that you're able to kind of come in and then customize therefore where it makes most sense for you. And I also noticed this one felt maybe is interesting uh about evolving CLER threat intelligence platform actionable scalable and ETL uh less uh also interesting one in terms of capabilities uh in terms of uh observability threat intelligence platform specifically uh related to our claw first one team that also did the threat intelligence uh blog right? Yeah, this one is on our apps side, not Cloudflare one, so I can't really speak in great detail about it. Of course. Oh, well, uh I think we're uh we have a good summary. And of course, for those that want to learn more and see more, they should see our blog and the many blog posts that we have. We'll share the link direct link for the more sassy related blogs here. anything we we want want to add specifically on what should people take from this week specifically? Yeah. Uh so you know at CloudFare we're always trying to address the needs of our customers and so what we found that uh right now the main use cases that people are worried about you know is one modernizing remote access. they are always thinking about how to implement zero trust into their environment and making sure they do it in in a way that's easy securing the risky parts first. And so we have a lot of blogs around modernizing remote access. Then we have another thing is fishing protection. Um making sure our email security product and platform is addressing those needs. And we have a very um AI powered thread platform that is addressing the latest threats that are out there which we're seeing AI threats being being very growing a lot in numbers and making it easier to penetrate into the system uh very easily and so our platform addresses and grows with those AI powered defenses that we have. Then we have our outfare um coffee shop networking as well as our DNS filtering use cases where you know the idea of just working from an office is so it's not it's not common anymore people are working from anywhere everywhere making it just easier to do their work and um but in a secure manner without reducing productivity and then the la I I saved the one that's trending the most to the last AI adoption. So as you guys were mentioning that Vanessa was mentioning spat to AI adoption is a big use case. Everyone's been talking about it. Um, everyone wants to address AI related threats e even if it's in fishing, it's in access. It's in, you know, just amount how a workforce is using AI generally. And then we're now even seeing AI agents being used all the time and agentic workflows and so we are looking at AI in a wholesome in a very comprehensive manner and trying to address all of those needs. And this is just from a sassy side. If you look at our appsack platform, our developer platform, we're doing other things to address AI security needs as well for external facing LLMs or making it easier for developers to use AI in their workflows as well with our de developer platform. So we are addressing this very comprehensively across across cloudfare in general is and then we do offer a very fast path to [music] safe AI adoption and so the idea is not to address not to slow down work and not adopt AI just because you're scared of the security risk but do it in a fast way with the sassy platform that you already have. It's interesting to see the ecosystem at work. You you can see deployments in other areas that are not zero trust actually helping than the zero trust platform and the other way around as well. So you can see the ecosystem building on the ecosystem in terms of capabilities in terms of leveraging AI without being too much scared of the risks that are around. Quite interesting to see for sure. Have a great week and rest after all of these blogs that are coming out. So have a good rest. Yeah, this was just the starting of the year. So I'm really excited to see how much more we do, you know, and how many more things are coming. So keep an eye out on our CloudFare blogs to see everything else we're doing. Yeah, definitely. And that's a wrap. It's done.