Cloudflare Empire: Internet Firewalls, Global Network Power, and the Rise of Its Founders
Matthew Prince’s basic makeup is an unusual combination of law, computing, entrepreneurship, and local resource networks. He was born in Salt Lake City and grew up in Park City, Utah. Publicly verifiable materials show that both of his parents were entrepreneurs: his father worked as a journalist, stockbroker, and restaurateur, while his mother ran gift stores. Prince has also said that growing up, he saw how hard entrepreneurship could be. His family was deeply involved in Park City’s business and civic development, which matters because it means he did not come from a purely technical background; he grew up around commerce, local influence networks, and the practical mechanics of building things in the real world.
His earliest formative influence was not just coding, but the connection between technology, rules, and institutions.
Public sources indicate that he wrote his first program at age seven, and that his mother took him to university computer science classes. He later studied English and computer science at Trinity, earned a JD from the University of Chicago, and completed an MBA at Harvard Business School. That path helps explain why Cloudflare has always sounded different from a typical security startup: Prince was trained to think across narrative, law, business, and technology at the same time.
His working life also veered away from traditional law almost immediately.
The University of Chicago Law School notes that he essentially never built a conventional paid legal career. He quickly moved into a tech startup, then taught technology law as an adjunct, and then co-founded Unspam Technologies. In other words, he entered the eventual Cloudflare domain through anti-spam, online abuse, and Internet governance problems, not through enterprise security sales or a classic engineering ladder.
Michelle Zatlyn represents the complementary founder archetype: small-city upbringing, professional middle-class family, strong operating discipline, and no original cybersecurity pedigree.
She was born in 1979 and grew up in Prince Albert, Saskatchewan. On her own site, she states that she and her sisters were raised by a father who was a lawyer and a mother who was a teacher. As a teenager, she worked in her father’s law office and also served as a counselor at a camp for children with special needs. That background matters because it suggests early exposure to rules, responsibility, organization, and care work rather than elite Silicon Valley capital or deep technical subculture.
Her education and early career explain why she became the founder who turned Cloudflare into an organization instead of just a technical idea.
She studied chemistry and business at McGill, later earned an MBA from Harvard, and official or semi-official profiles consistently place her at Google, Toshiba, and early startup environments before Cloudflare. The Computer History Museum profile says she helped launch two successful startups before co-founding Cloudflare. She has also said that she did not originally know Internet security, but wanted to build something meaningful and mission-driven. In practice, that made her the founder who could translate mission into hiring, operations, fundraising, and institutional execution.
Lee Holloway was the most “technical-core” founder, and also the least publicly documented.
What can be confirmed is that he came out of UC Santa Cruz’s computing world, worked with Prince during the anti-spam years, and became Cloudflare’s third co-founder, core architect, and early engineering leader. Cloudflare’s 2019 founders’ letter described him as the genius who architected the platform and recruited and led the early technical team. His childhood, family background, exact birthplace, and whether he completed a specific degree remain publicly limited / not confirmable.
Cloudflare’s intellectual origin was not “a CDN startup,” but Project Honey Pot.
In 2004, Prince and Holloway built a system to answer a simple question: where does spam come from? That became Project Honey Pot, a community-driven threat tracking system. Cloudflare’s official history says it grew into a network used by thousands of websites across more than 185 countries, and users kept asking for the same next step: don’t just track the bad actors, stop them. That user demand is the real origin story of Cloudflare.
The company itself emerged when a school project met a real user need and a working prototype.
In 2009, while Prince was at Harvard Business School, he met Michelle Zatlyn. They began discussing how to turn Project Honey Pot into a larger service. The first business-plan label was “Project Web Wall,” but a friend suggested that if it was effectively a firewall in the cloud, it should be called Cloudflare. Lee built the first working prototype. In April 2009, the company won the Harvard Business School business plan competition; in November 2009, it closed its Series A with Venrock and Pelion. Private beta began in June 2010 for the Project Honey Pot community, and Cloudflare officially launched at TechCrunch Disrupt on September 27, 2010.
Cloudflare’s earliest decisive choice was to make security and performance broadly accessible, not just an elite enterprise product.
Its S-1 explicitly states that the free self-serve plan was a core strategic choice. Free users were not only a potential conversion funnel; they created scale, brand distribution, talent attraction, and a live “sensor network” that improved the products. This is why Cloudflare’s growth logic differed from many traditional enterprise security companies: it used free access and self-serve onboarding to build network scale first, and then climbed into higher-value enterprise contracts later.
The company’s history can be understood in five broad phases.
First came the 2004–2009 Project Honey Pot / Unspam phase, centered on tracking abuse. Second came the 2009–2013 phase, when proxying, CDN, WAF, and DDoS protection became the core product. Third came the 2014–2019 expansion and IPO-preparation period, when Cloudflare matured from a beloved website tool into a global infrastructure platform. Fourth came the 2020–2023 phase of Zero Trust, Cloudflare One, Radar, and the developer platform. Fifth came the 2024–2026 AI era, where Cloudflare began positioning itself not only as a protector of websites but as a control and monetization layer between content owners, AI crawlers, and AI applications.
Its most important hard asset is the network itself, not any single product.
According to Cloudflare’s current network materials, the company operates in 337 cities across 125+ countries, interconnects with 13,000+ networks, and has reached 500 Tbps of capacity. Just as importantly, it emphasizes that every service runs in every data center. That architectural choice is central to its moat: it lets Cloudflare launch new products on top of the same global fabric instead of building separate stacks for each category.
Around that network, Cloudflare has built both revenue assets and influence assets.
The revenue assets include reverse proxying, CDN, WAF, DDoS, DNS, Zero Trust, Cloudflare One, Workers, 1.1.1.1, Turnstile, email security, observability, and AI tooling. The influence assets include Project Galileo, the Athenian Project, Cloudflare for Campaigns, Project Fair Shot, and Cloudflare Radar. Some of these are directly monetized, while others primarily build public trust, policy influence, and reputational capital in government, civil society, developer, and media circles.
Its capital network shows that investors understood early that Cloudflare was more than a niche security vendor.
The confirmed financing path includes Series A from Venrock and Pelion, Series B led by NEA, later disclosure around Union Square Ventures and Greenspring, the 2015 strategic round backed by Fidelity, CapitalG, Microsoft, Baidu, and Qualcomm, followed by a $150 million late private round in 2019. That mix of top-tier venture firms and strategic technology investors positioned Cloudflare as a potential infrastructure-layer company well before its IPO.
Founder control remains real, not symbolic.
Cloudflare’s dual-class structure preserved strong founder power after the IPO. As of March 31, 2025, the proxy statement shows Matthew Prince with about 41.7% of total voting power and Michelle Zatlyn with about 10.5%, for a combined voting block of roughly 52.2%. This means Cloudflare is public, but still decisively founder-controlled.
The business model is best described as “free or low-friction entry creates scale and data; enterprise platform expansion creates durable revenue.”
Cloudflare’s 10-K states that free users matter because they generate scale, brand awareness, product feedback, and product testing in real-world environments. Paying users split broadly into pay-as-you-go and contracted enterprise customers. The company’s model is not to sell one large isolated product, but to land customers onto the network and then expand the relationship across many services over time.
Its commercial evolution has been very clear: website-layer security, then enterprise networking, then developer platform, then AI infrastructure and AI-content control.
The 2019 S-1 still framed the company in terms of security, performance, and reliability for Internet properties. Cloudflare One moved it into Zero Trust and enterprise networking. Workers moved it into application execution. AI Crawl Control, pay per crawl, and the Replicate deal show that Cloudflare now wants to sit between publishers and AI bots while also powering AI application deployment itself. That is a much higher and more strategic position in the Internet stack.
Recent financial and operating scale confirm that this is no longer merely a fast-growing startup.
Fiscal 2025 revenue reached $2.1679 billion, up about 30% year over year. Q1 2026 revenue reached $639.8 million, up 34%, and cash, cash equivalents, and available-for-sale securities totaled about $4.164 billion. Investor materials also state that as of March 31, 2026, 42% of the Fortune 500 were paying customers and Cloudflare had 4,400+ large customers. It still posts GAAP operating losses, but the scale, balance-sheet strength, and market reach now place it in a very different category from its early years.
The most important strategic decisions were architectural and positional, not cosmetic.
First, Cloudflare democratized security and performance instead of reserving them for large enterprises. Second, it committed to the idea that every service should run in every data center. Third, it evolved from being “a website protection company” into a developer and enterprise network platform. Fourth, in the AI era, it began trying to reshape the economics of crawling and content access, not just defend against abuse.
Its most successful achievement is not any one product launch, but becoming embedded in the default pathways of the Internet.
Cloudflare’s current network spans 337 cities and 13,000+ interconnections, and the company says roughly one-fifth of the web or HTTP traffic touches its network. In 2025, TIME recognized Cloudflare as one of the world’s most influential companies because of its role in protecting U.S. election infrastructure, while Forrester recognized it as a leader in edge development platforms in 2026. That combination of scale, public-interest significance, and platform credibility explains why Cloudflare now matters far beyond the security sector alone.
The founders’ current positions are also very clear.
Matthew Prince is the company’s external strategist, public voice, and capital-markets leader. Michelle Zatlyn is the founder who institutionalized the company and now serves, according to the 2025 proxy, as President and Co-Chair rather than retaining the older COO title. Lee Holloway remains the foundational technical architect in the company’s historical memory; Cloudflare even used “Project Holloway” as its IPO codename. Their roles were never identical—they formed a deep complement of direction, organization, and architecture.
Cloudflare’s deepest controversy has always revolved around a single unresolved question: how much responsibility should an infrastructure company bear for content and behavior on the Internet.
The company terminated service for The Daily Stormer in 2017, for 8chan in 2019, and for Kiwi Farms in 2022, even while repeatedly stressing that it was uncomfortable acting as a content arbiter. This has created criticism from multiple sides: some say it acts too slowly; others say it should not act at all. The deeper issue is that once a company becomes essential to Internet delivery, “neutrality” stops being abstract and becomes a form of public power.
A second major problem is concentration risk.
Cloudflare has published unusually transparent post-mortems for major incidents: the July 2019 WAF rule outage, the June 2022 routing/configuration outage, the June 2025 service outage, and the significant incidents in November and December 2025. The transparency is notable, but it also highlights a structural truth: because so much of the Internet depends on Cloudflare, its internal mistakes can become Internet-wide events.
A third area of criticism is copyright and intermediary liability.
In November 2025, the Tokyo District Court ordered Cloudflare to pay ¥500 million to four major Japanese publishers in a manga piracy case. The significance is not only the money; it is the court’s willingness to treat Cloudflare’s conduct as aiding infringement. That directly challenges Cloudflare’s long-standing self-conception as a neutral infrastructure intermediary. The longer-term appellate and cross-jurisdiction consequences remain open.
A fourth pressure point is organizational restructuring in the AI era.
On May 7, 2026, Prince and Zatlyn publicly announced that Cloudflare would cut more than 1,100 jobs globally, explicitly framing the move not as a performance purge or simple cost-cutting exercise, but as a rearchitecture of the company for the “agentic AI era.” Supporters will read that as decisive founder-led adaptation; critics will see it as the use of AI strategy to justify large-scale labor contraction. Either way, it is now part of Cloudflare’s real current story.
Open questions and limits.
Lee Holloway’s childhood, family background, exact birthplace, and degree completion remain publicly limited. The exact year of his formal departure from Cloudflare is described as either 2015 or 2016 in different sources. Michelle’s title is still outdated in some third-party profiles, but the 2025 proxy should be treated as authoritative. Some early financing disclosures are also not perfectly consistent across media coverage and later corporate summaries, so the safest reading is that early round naming and disclosure timing were not fully uniform.