McKinsey
& Company
AI innovation | citizen development | Zero Trust platform

AI innovation depends on a secure application publishing model

This decision is not only about CDN and WAF renewal. It is about how the Firm enables citizen development with Zero Trust, compliance, and governance built in.

Problem statement

The Firm's application model is changing faster than its security model

1
AI is increasing application creation

More Firm members can now build useful applications with AI assistants, even without deep engineering support.

2
Legacy security creates friction

Perimeter-based controls, manual approvals, and network-dependent access patterns slow down launch and adoption.

3
Fragmentation weakens control

Multiple platforms and inconsistent onboarding paths create uneven protection, governance, and lifecycle management.

The challenge is to let application creation accelerate without allowing risk, inconsistency, and control gaps to accelerate with it.

User requirements

What builders need and what Cloud Network platform must provide

What app builders need
  • A secure Firm-managed environment to build and deploy applications.
  • A shareable URL with CDN and WAF protection included by default.
  • Authentication and Zero Trust access without bespoke setup.
  • A workflow that does not require platform engineering expertise.
What platform must ensure
  • Security and compliance that scale with AI-enabled development.
  • Clear ownership, governance, and lifecycle controls.
  • Consistent standards across application onboarding and publishing.
  • A strategic platform that supports the Firm's long-term innovation agenda.
Strategic proposal

What a standardized Cloud Network platform would enable

1
Standard platform

Standardize CDN, WAF, DNS productization, and Access-led publishing on a single Cloud Network platform to simplify operations and policy enforcement.

2
Secure onboarding

Bundle URL creation, protection, authentication, and policy into one guided workflow.

3
Governance model

Use the same platform to enforce ownership, policy inheritance, observability, and lifecycle controls.

4
Immediate action

Expand Cloudflare Access capacity now so platform growth is not constrained by the access layer.

Expected impact

What this enables strategically for the Firm

Lead in AI innovation

Give builders a secure runway for citizen development and AI-enabled application development.

Strengthen trust and compliance

Apply Zero Trust, auditability, and policy consistency by default.

Improve governance and lifecycle

Create stronger ownership, observability, and retirement discipline across application portfolios.

Faster time to publish

More self-serve, less ticketing, fewer manual reviews.

Better platform economics

Less duplication and stronger platform leverage as consolidation progresses.

Products clients and colleagues trust

Security is embedded from the start rather than added later.

Current state

Today's platform landscape is fragmented across vendors and operating models

The current state distributes application delivery, security, and access controls across multiple vendors, which increases complexity and makes standardization harder.

Akamai
Cloudflare
AWS / Azure CDN/WAF
Palo Alto
F5
Primary use today
mckinsey.com, Wave, solutions, external DNS
Platform McKinsey, API Gateway, GM&S, Lilliv3
Lilli, SHaPE
On-prem locations and users for VPN
On-prem apps, sunset planned
Global caching
Yes
Yes
Yes
No
No
DDoS / bot / crawler
Yes
Yes
No
No
No
WAF
Yes
Yes
Yes
No
Yes
User remote access
No
No
No
Yes
No
User egress / DLP
No
No
No
Yes
No
Operational integration
Yes
Yes
No
Yes
Yes
Vendor context

Each vendor remains valuable, but not for the same strategic role

Akamai
  • Strong incumbent for enterprise-grade CDN and WAF needs.
  • Best retained where product-specific requirements justify it.
  • Valuable for continuity, but less aligned to self-serve platform automation.
Cloudflare
  • Best fit for a modern, developer-friendly, Zero Trust-led publishing platform.
  • Strongest candidate for Cloud Network Platform standardization across publishing and protection.
  • Most aligned to the Firm's target operating model for AI-enabled app delivery.
Palo Alto
  • Critical in complementary security domains such as egress and office protection.
  • Important retained capability, but not the primary center of gravity for app publishing.
  • Best positioned as complementary rather than central to the target journey.
Evaluation outcome

Cloud Network platform evaluation indicates Cloudflare is the most complete fit against the target requirements

Capability
Akamai
Cloudflare
Palo Alto
Global content caching
Yes
Yes
No
DDoS, bot, crawler protection
Yes
Yes
No
Publish app to clients and McKinsey
Yes
Yes
Re-architecture required
WAF
Yes
Yes
No
Remote access
Yes
Yes
Yes
Egress controls / DLP
Re-architecture required
Re-architecture required
Yes
Developer / automation readiness
Low
High
Low
Enterprise readiness
High
Medium, improving
High

Cloudflare appears to align most closely to the target state: secure app publishing, Zero Trust delivery, and platform automation.

Palo Alto remains important in complementary domains such as office, egress, and non-publishing controls.

Akamai remains credible where product-specific needs persist, but appears less aligned to the self-serve Cloud Network platform direction.

Investment evidence

Significant Cloudflare investment already underpins secure publishing at scale

1
man-year invested
~400
apps on Zero Trust
$100K
annual savings from runner migration
Live
Citizen Development in production
~1 man-year of engineering effort already sunk

Cloudflare is fully embedded in the Tech Ecosystem operating model, with the Zero Trust control plane built and running.

Not a greenfield decision

The question is not whether to adopt Cloudflare — it is whether to continue investing in a platform where the foundation already exists.

$100K saved annually

Cloudflare Zero Trust enabled the move from AWS/self-hosted runners to GitHub-hosted runners, eliminating associated infrastructure costs across the Tech Ecosystem.

Firm priority delivered — Citizen Development at Firm scale

Deployer PaaS, built on this Cloudflare Zero Trust foundation, has already onboarded close to 400 applications. Secure, self-serve publishing is a live, production-grade Firm capability today — not a future aspiration.

Commercial lens

Renewal timing clarifies when platform decisions must be sequenced

Akamai
Sep 2028
Renewal due for incumbent CDN and WAF estate.
Cloudflare
Sep 2026
Renewal due for existing Cloudflare scope.
Implication
Now
Strategic decision should be made in 2026, using the Cloudflare renewal as the target.

The business case should not rely only on near-term savings. The stronger case is that consolidation reduces duplicated operating models, improves platform leverage, and supports the Firm's strategy to scale AI-enabled application delivery securely.

Leadership decision

Decision requested

Approve

Begin RFX process to converge/consolidate our AI-enabled secure network publishing using standardized CDN & WAF platform, to simplify operations and improve commercial terms.

1 / 11