I use Cloudflare.

I want to say that before anything else. I use their Argo tunnel. Their reverse proxy. Their DNS. And now authentication. I didn’t decide to build on them — I just kept running into problems and they kept being the answer. In less than five years, Cloudflare became load-bearing for everything I run, including this Substack. I didn’t notice until I looked at it whole.

What Most People Think Cloudflare Is

Ask someone who uses the internet the way most Americans use electricity — constantly and without thinking about it — if they’ve heard of Cloudflare.

A few will squint and say: “Is that the thing with the squares? Where you click all the traffic lights to prove you’re human?” Yes. That’s the one.

That CAPTCHA screen is what most Americans know about a company that sits in front of one in five websites on the entire internet. Cloudflare handles approximately 21% of all global web traffic.1 Banks. Hospitals. Government portals. Payment processors. 375 of the top 1,000 websites by traffic run through their network before they reach you.2

When Cloudflare had a major outage on November 18, 2025, a single misconfigured file crashed proxy servers across three continents. E-commerce, banking, government services — offline simultaneously for nearly four hours across New York, London, and Singapore. The people who couldn’t access their bank accounts that day could not name the company that failed them.3

That gap is not a technology problem. It is not a PR problem. It is not even a Cloudflare problem. If that sounds like a stretch, it won’t by the end.

There’s a scene in Scarface where Tony goes on a rant about needing to exist so others know who the bad guy is. Then he drops the line: “I always tell the truth, even when I lie.”

Tony Montana didn’t take Miami by force first. He made himself necessary first. He absorbed the risk the established players didn’t want to touch. He was cheap, he was useful, and people let him in—into the house, into the kitchen, into the wiring. By the time anyone thought to ask how much of Miami Tony actually owned, the answer was most of it.

Most of you know Tony’s story. This is a story about Cloudflare.

The Refugee Arrives

Matthew Prince and Michelle Zatlyn met at Harvard Business School in 2009. Prince had spent years running Project Honey Pot — a network that tracked how malicious internet traffic moved. Unglamorous work. The internet’s plumbing. But it generated something rare: a real-time map of every botnet, every spam campaign, every bad actor on the web.4

Zatlyn saw it clearly. The data wasn’t just diagnostic. You could stand in front of the traffic. You could be the wall.

They launched in 2010 with a simple offer: change two lines in your DNS settings and point your domain through us. We sit between your site and the entire internet. We absorb DDoS attacks. We cache your content globally. We make you faster. We filter the bots. Free.

However, “Free” didn’t mean charitable. It meant: let us become load-bearing. In exchange, we see your traffic — every request, every IP address, every pattern — flowing through our infrastructure in both directions.

By 2011, 250 million people were passing through Cloudflare’s network monthly.5 The network effect was self-accelerating: more traffic meant better intelligence, better intelligence meant better protection, better protection meant more sites joined. The more sites joined, the more dangerous it became to not be on Cloudflare.

Frank Lopez didn’t invite Tony in because he was naive. He invited him because the price was right. The mistake wasn’t the invitation. The mistake was never asking what Tony was learning while he was inside.

The Quiet Years (2012–2017)

Between 2012 and 2017, Cloudflare scaled from 1% of global web traffic to nearly 10%. Nobody wrote about it.

Not because nothing was happening. Because everything was happening at a layer the press didn’t have a frame for. Tech journalism was consumed by the Cloud Wars — AWS versus Azure versus Google Cloud. Wired, TechCrunch, and The Verge all treated “infrastructure” as synonymous with “storage and compute.” Nobody was watching the connectivity and security layer where Cloudflare was quietly becoming the front door for those very same cloud services. The journalists covered the fight over what was behind the wall. Nobody asked who built the wall.

A New York Times archive search between 2012 and 2016 returns hundreds of pieces on Google’s monopoly, hundreds on Amazon, and almost nothing on Cloudflare’s concentration.

• The rare exception was a 2013 Wired profile headlined "The Most Important Tech Company You've Never Heard Of" — which framed Cloudflare as a scrappy protector of the internet rather than asking the obvious follow-up: what happens when the protector becomes the concentration?

• In February 2014, Cloudflare mitigated a 400 Gigabit-per-second DDoS attack — the largest ever recorded at the time. The BBC and CNET covered it as a hero story. Cloudflare saving the internet. Nobody asked the obvious question sitting right underneath it: what happens if the company that is the only one capable of stopping a 400 Gigabit attack goes down itself?

Matthew Prince actually answered that question unprompted, in a 2014 interview, when he said:

The room heard progress. It was concentration. At the same time, Cloudflare launched Project Galileo6 — free protection for journalists, activists, and human rights organizations. By 2025 it covered thousands of organizations, including U.S. electoral infrastructure.

It was genuinely good work. It also meant many of the people best positioned to question Cloudflare’s power were running on top of it.

The Brookings Institution later noted that Cloudflare’s role in internet infrastructure had “not received enough attention.”7 A think tank had to say out loud what the system itself had made easy to ignore.

The World is Cloudflare’s

• 2014: Universal SSL. Free HTTPS for every site on the network. Cloudflare made encrypted web traffic the default for millions of sites overnight — genuinely good for the internet. It also placed them inside the encryption layer, with visibility into traffic flowing through their nodes in both directions. My own reverse proxy runs through them right now.

• 2017: Cloudflare Workers. Serverless computing at their edge — 330 data centers across 120+ countries. They stopped being a protection layer and became a computing platform. You could now build entire applications running inside their infrastructure. This is the moment Tony stops working for Frank Lopez and goes directly to the Colombians. He is no longer a middleman. He is the operation.

• 2018: 1.1.1.1, a public DNS resolver. DNS is the internet's phone book — every URL you type gets translated before your browser can go anywhere. Cloudflare offered a faster, more private alternative to ISP resolver. Millions switched. Cloudflare was now upstream of the page load, seeing intent before action at planetary scale.

I lived this expansion in miniature. Each problem had a Cloudflare solution. Each solution was better than the alternative. Each one embedded me deeper. Nobody decides to hand Cloudflare the keys. They just keep solving problems until Cloudflare has them.

By 2025, 35% of the Fortune 1,000 were paying Cloudflare customers. The company crossed $2 billion in revenue. The regulatory record showed zero dedicated congressional hearings into their infrastructure concentration. Not one. While the House Judiciary Subcommittee published landmark reports on Amazon, Apple, Facebook, and Google, Cloudflare was not in the document.8

Tony was running Miami. Frank was still hosting parties. The press was covering the parties.

The Nuclear Option

On August 16, 2017, Matthew Prince terminated Cloudflare's service to The Daily Stormer following the violence in Charlottesville9. Then he sent his employees a memo, obtained and published in full by Gizmodo10:

And then, in the line that should have been on the front page of every newspaper in America:

He called his own power arbitrary. He said no one should have it. Voluntarily. In a memo to his own staff.

• In 2019, after El Paso, he terminated 8chan — "a cesspool of hate" that had "proven themselves to be lawless and that lawlessness has caused multiple tragic deaths.11

• In 2022 he terminated Kiwi Farms, citing "an unprecedented emergency and immediate threat to human life."12

Three decisions. Three different justifications. No judicial oversight. No appeals process. No democratic mandate. A private CEO determining whether something existed on the internet — and each time acknowledging afterward that he was uncomfortable with the power but used it because nobody else was positioned to act.

This is not a story about whether those sites deserved to be removed. Most reasonable people would say they did. This is a story about the fact that one man made those calls with no framework, no process, and no accountability and that the same power could, under different leadership or different pressure, point somewhere else entirely.

Matthew Prince said so himself. Repeatedly. In writing. We just were not paying attention.

The CAPTCHA

The CAPTCHA — the checkbox, the fire hydrant grid, the ritual of proving your humanity to a machine — is Cloudflare’s most visible consumer product. The only thing most Americans consciously associate with a company handling one in five of their internet requests.

They are known for the inconvenience. Not the protection. Not the encryption layer. Not the decade-long project of becoming the wall between the hostile open internet and everything we do online. The inconvenience.

In Scarface, Tony’s wife Elvira is beautiful, visible, and entirely decorative relative to the actual operation. She is the face people see when they look at Tony’s empire. The real architecture — the networks, the money flows, the relationships — operates entirely out of frame.

The CAPTCHA is Elvira. The face of the thing, not the thing.

We notice Cloudflare when it asks us to click a bus. We do not notice it absorbing the attack that would have crashed the site before the page loaded. We do not notice the DNS resolution in under 7 milliseconds, the edge cache, the tunnel, the proxy, the authentication layer. We notice the friction. We do not notice the load-bearing.

This is the depth of American engagement with the infrastructure we depend on. We see the face. We live inside the operation. We never examined the architecture.

The Globe

At the end of Scarface, Tony is dead and the mansion is gone, but the globe — THE WORLD IS YOURS — is still spinning.

The world is always available to whoever is willing to do the un-glamorous work of positioning themselves inside it while everyone else watches something else.

Cloudflare did the un-glamorous work. While the press covered the Cloud Wars, they built the wall. While journalists used their free protection, they expanded into the encryption layer. While regulators built frameworks for platforms and ISPs, Cloudflare operated in the space between both categories and technically belonged to neither.

They told us what they were building. They described the centralization. They acknowledged the power. And we heard it—and kept clicking the fire hydrants.

The world is yours when everyone needs to move through you and nobody stops to ask who you are.

Cloudflare understood that in 2010. We are still catching up.

Citations