PATTERN Cited by 1 source
Default-on security upgrade at no additional cost
Shape
A product-strategy pattern where an infrastructure provider ships a security capability as a universal, default-enabled platform behaviour — automatically applied to all customers regardless of tier, with no configuration required and no premium pricing. Security improvements layer onto the platform like OS patches rather than feature-gated add-ons.
The pattern has three load-bearing commitments:
- Default-on — the protection is active for all customers from day one of availability; no customer switches to flip, no CLI flags, no "enterprise edition upgrade."
- No additional cost — priced into the base platform across all plans, from free tier upward. Security is not a differentiator between paid tiers.
- Platform-side effort — the provider absorbs all the engineering cost of making the upgrade safe to deploy universally (backward compatibility, gradual rollout, monitoring, rollback paths).
Cloudflare is the canonical wiki instance; the posture explicitly frames security-by-default as a property of the Internet, not a property of premium Cloudflare tiers.
(Source: sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security)
Cloudflare's canonical three-instance arc
2014 — Free Universal SSL
Context: HTTPS adoption in 2014 was ~30 % of top-1M sites, gated by TLS cert cost (~$50-200/year/cert) and operational complexity (manual issuance, manual renewal, mis-configured chains).
Move: Cloudflare launches Universal SSL — free TLS certificates automatically issued and renewed for every site on the free plan, every site on paid plans, no customer action required.
Consequence: HTTPS became the default for any site proxied through Cloudflare; dramatic step-function increase in overall web HTTPS adoption percentage across the industry. Let's Encrypt (separate project, 2016) subsequently generalised the model; Cloudflare was earlier.
2022 — Post-quantum encryption for all
Context: PQ hybrid KEM (X25519Kyber768Draft00 → eventually X25519MLKEM768) becoming implementable in TLS 1.3 client libraries; historically deployed as an experiment or enterprise opt-in.
Move: Cloudflare enables PQ encryption by default for all websites and APIs proxied through its edge. No customer action required; any PQ-capable client connecting to any Cloudflare-fronted origin gets PQ-protected session keys.
Consequence: >65 % of human traffic to Cloudflare is currently post-quantum encrypted (source) — a massive chunk of overall web traffic made HNDL-resistant without any customer migration work.
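The "any PQ-capable client gets PQ-protected session keys" property depends on what the client offers in its ClientHello supported_groups extension, so the defender-side way to measure PQ readiness of a client population (the metric behind the traffic percentage above) is to inspect that extension. The following is an added example, not Cloudflare's code or tooling: it builds a few constructed ClientHello messages, parses supported_groups, and tallies the share of clients offering a hybrid PQ group. The codepoints for X25519MLKEM768 (0x11EC) and the earlier draft X25519Kyber768Draft00 (0x6399) are the IANA / draft values as I know them; the sample hellos are constructed, not captured traffic.

```python
"""Measure hybrid post-quantum key-exchange offers in TLS ClientHellos.

Added example, not Cloudflare's code. The ClientHello messages below are
constructed in-process, so the script runs offline.
"""
from __future__ import annotations
import struct

# TLS supported_groups codepoints (assumption: IANA / draft values at time of writing).
X25519 = 0x001D
SECP256R1 = 0x0017
X25519_KYBER768_DRAFT00 = 0x6399   # pre-standard hybrid, now retired by most clients
X25519_MLKEM768 = 0x11EC           # standard hybrid used in current TLS 1.3 deployments
PQ_HYBRID_GROUPS = {
    X25519_KYBER768_DRAFT00: "X25519Kyber768Draft00",
    X25519_MLKEM768: "X25519MLKEM768",
}
EXT_SUPPORTED_GROUPS = 0x000A
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(groups: list[int]) -> bytes:
    """Build a minimal ClientHello handshake message offering `groups`.

    Constructed test input only: zeroed random, one cipher suite, and a
    supported_versions extension placed before supported_groups so the
    parser has to skip an unrelated extension.
    """
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    sg_data = struct.pack("!H", len(group_list)) + group_list
    sg_ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg_data)) + sg_data
    sv_data = b"\x02\x03\x04"                      # one version: TLS 1.3 (0x0304)
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data
    exts = sv_ext + sg_ext
    body = (
        b"\x03\x03"                                 # legacy_version = TLS 1.2
        + bytes(32)                                 # random (zeroed in the sample)
        + b"\x00"                                   # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 + length


def supported_groups(msg: bytes) -> list[int]:
    """Return the supported_groups codepoints from a ClientHello handshake message.

    `msg` is the handshake message (4-byte handshake header included), i.e. the
    payload after the 5-byte TLS record header has been stripped.
    """
    try:
        if len(msg) < 4 or msg[0] != 0x01:
            raise ValueError("not a ClientHello handshake message")
        length = int.from_bytes(msg[1:4], "big")
        body = msg[4:4 + length]
        if len(body) != length:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                 # legacy_version + random
        pos += 1 + body[pos]                         # legacy_session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2 + cs_len                            # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos >= len(body):
            return []                                # hello carries no extensions
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions length exceeds message")
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if len(data) != elen:
                raise ValueError("truncated extension")
            if etype == EXT_SUPPORTED_GROUPS:
                (n,) = struct.unpack_from("!H", data, 0)
                return [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
        return []
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


def classify(groups: list[int]) -> dict:
    """Summarise a client's key-exchange offer: is any hybrid PQ group present, and which?"""
    hybrids = [PQ_HYBRID_GROUPS[g] for g in groups if g in PQ_HYBRID_GROUPS]
    return {"pq_capable": bool(hybrids), "hybrids": hybrids,
            "first_offer": groups[0] if groups else None}


def pq_share(hellos: list[bytes]) -> float:
    """Fraction of ClientHellos that offer at least one hybrid PQ group."""
    if not hellos:
        return 0.0
    capable = sum(1 for h in hellos if classify(supported_groups(h))["pq_capable"])
    return capable / len(hellos)


# Constructed sample population: a current browser, a legacy client, a draft-era client.
SAMPLE_HELLOS = [
    build_client_hello([X25519_MLKEM768, X25519, SECP256R1]),
    build_client_hello([X25519, SECP256R1]),
    build_client_hello([X25519_KYBER768_DRAFT00, X25519]),
]

if __name__ == "__main__":
    for hello in SAMPLE_HELLOS:
        print(classify(supported_groups(hello)))
    print(f"PQ-capable share: {pq_share(SAMPLE_HELLOS):.0%}")
```

Run against real traffic, `supported_groups` would be fed the handshake message from a pcap or a TLS-terminating proxy's handshake log; the point of the tally is that a client which never offers a hybrid group cannot get PQ-protected session keys no matter what the server side enables by default, which is why the traffic percentage above tracks client upgrades rather than any customer action.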
2029 (targeted) — Full post-quantum security
Context: 2026 Q-Day reassessment accelerates the migration timeline; authentication becomes the dominant threat.
Move: Cloudflare publishes roadmap targeting full PQ security (encryption + authentication) across entire product suite by 2029, continuing the same default-on / no-cost posture:
For Cloudflare customers, with respect to our services, you do not need to take any mitigating action. We are following the latest advancements in quantum computing closely and taking proactive steps to protect your data. As we have done in the past, we will turn on post-quantum security by default, with no switches to flip.
Privacy and security are table stakes for the Internet. That's why every post-quantum upgrade we build will continue to be available to all customers, on every plan, at no additional cost. Making post-quantum security the default is the only way to protect the Internet at scale. (Source: sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security)
Closing framing: "Free TLS helped encrypt the web. Free post-quantum cryptography will help secure it for what comes next."
Why the pattern works for the provider
- Network effects: the larger the provider's share of the relevant substrate (HTTPS proxy requests, CDN traffic, DNS resolution), the more the default-on upgrade moves an ecosystem-wide metric. Universal SSL single-handedly shifted the web-HTTPS-percentage curve; PQ encryption shifted the web-PQ-percentage curve the same way.
- Competitive moat through posture, not features: premium competitors historically charged for security features; Cloudflare's posture systematically reframes security as a baseline, making feature-gated-security an anti-pattern. Competitors are forced to follow (Let's Encrypt, free TLS at other CDNs) or accept the market positioning gap.
- Customer stickiness through hidden complexity: customers stop being aware of the crypto-agility plumbing. Migrating away from Cloudflare would require rebuilding that plumbing; the invisibility of the capability is the lock-in.
Why the pattern is viable for this provider
The pattern has prerequisites that don't hold universally:
- Large homogeneous customer base — one upgrade reaches millions of deployments simultaneously. Infrastructure providers (CDNs, cloud-identity services, DNS) fit; niche vertical products typically don't.
- Edge / proxy architecture — the provider can deploy the upgrade server-side without client coordination. On-premise software doesn't fit; behind-customer-firewall deployments don't fit.
- Centralised operational capability — provider can execute gradual rollout, detect failures, roll back regionally. Federated / peer-to-peer systems cannot.
- Economic model absorbing the cost — provider's revenue scales with overall traffic, not with feature-gating. Freemium SaaS fits; per-feature-licensing models don't.
Related Cloudflare instances not in the 2014/2022/2029 arc
- DDoS protection — Magic Transit / the edge autonomous-mitigation stack is default-on across tiers; the 2025 7.3 Tbps attack was mitigated without human intervention or customer opt-in.
- Automatic HTTPS Rewrites / HSTS defaults — the subsidiary upgrade path that made "just enable Universal SSL" actually produce HTTPS behaviour end-to-end.
- Bot management signals — verification of bot identity via Web Bot Auth piped through the same edge stack at no marginal customer cost.
Contrast with alternative postures
- Feature-gated security — premium tiers get more security primitives (classic enterprise-cloud posture). Produces a market for security-tier add-ons but leaves the free-tier Internet less protected; gives competitors room to underbid.
- Paid security product line — security as a separate SKU (e.g. security vendors selling bolt-on WAF to applications). Optimises for per-customer revenue, not ecosystem-wide uptake.
- Compliance-driven only — ship security upgrades only when regulators mandate them. Passive posture; ecosystem-wide improvements happen only at regulator pace.
- Opt-in-by-default — technically available but off by default for safety / backward-compatibility reasons. Usual fate: low adoption, because most customers don't know the capability exists or that they need to enable it.
Seen in
- sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security — canonical wiki instance. Explicit articulation of the pattern across three Cloudflare milestones (2014 Universal SSL → 2022 PQ-for-all → 2029 fully PQ). "Making post-quantum security the default is the only way to protect the Internet at scale." Strategic coupling of security-as-default with no-additional-cost-for-any-plan.
Related
- companies/cloudflare — canonical provider of the pattern; this is a consistent Cloudflare recurring shape.
- concepts/post-quantum-cryptography — the 2022 + 2029 instances of the pattern.
- concepts/defense-in-depth — the broader security-posture framing this pattern sits within.