Discovery questions, objection handling, and messaging for the three SHAPE selling motions. Built from the Network Protection GTM Guide (March 2026). Use these before every discovery call.
Arbor / Radware / F5 on-premise customers approaching hardware refresh.
$100K–$1M+
Akamai Prolexic or other cloud scrubbing center customers with capacity and latency concerns.
$100K–$1M+
Dual-vendor protection, compliance-driven resilience, or defense-in-depth strategy.
Land & Expand
"Your hardware handles everyday traffic just fine. But when a modern DDoS attack hits — a 10, 20, or 30+ Tbps flood — your appliance is overwhelmed in seconds. Matching a 7.3 Tbps attack with hardware would require 292 enterprise firewalls at $7.3M+. There's a better way."
Hardware maxes out at 25–100 Gbps. Modern attacks exceed 31 Tbps — 300x the limit. No hardware vendor offers an upgrade path to terabit-scale protection. The ISP link saturates before your appliance ever fires a packet.
On-premise appliances require manual intervention to activate or tune during an attack. Cloudflare detects and mitigates in <3 seconds — automatically, 24/7. You're exposed in the window between attack start and manual activation.
Every 3–5 years your hardware forces a $250K–$500K+ refresh cycle — before power, cooling, or staffing. Cloudflare shifts that to predictable OpEx. Customers report 50% reduction in network maintenance costs.
No hardware to rack, configure, maintain, patch, or replace. Auto-patching from Cloudflare's threat intelligence — derived from 20% of all Internet traffic — means you're protected from zero-days before your hardware vendor even publishes a firmware update.
It's reliable against yesterday's attacks. The threat landscape has fundamentally changed — modern volumetric attacks are 300x your hardware's rated capacity. Your appliance doesn't fail because it's broken. It fails because it was built for a world where the largest attacks measured in gigabits, not terabits. The reliability window is closing.
"Your hardware is excellent at what it was designed for. The problem is the attacks it was designed for no longer represent the threat. Cloudflare stopped a 31.4 Tbps attack in 35 seconds. No hardware can touch that — not because of brand, but because of physics."
Don't push for full replacement. Pivot to the Network Extension / dual-vendor motion. Cloudflare can sit in front of existing hardware as Layer 1, absorbing volumetric attacks at the edge while the hardware handles protocol-level filtering. When the next refresh cycle comes, the conversation is already open.
"We're not asking you to rip anything out. Cloudflare can act as your upstream DDoS layer — stopping terabit-scale attacks before they reach your hardware. Your existing investment stays fully utilized, and you add the capacity you can't get from hardware alone."
Acknowledge the relationship. Don't attack it. Lead with what they can't give you: upstream protection before the ISP link, terabit-scale capacity, and always-on mitigation. Their vendor knows the environment but cannot change the laws of physics on link saturation.
"That relationship matters and we respect it. What Arbor can't solve — and isn't designed to solve — is what happens when the attack saturates your ISP link before your appliance sees a single packet. That's a topology problem, not a vendor problem. Cloudflare solves it upstream."
Reference Melbourne Airport: deployed in under 36 hours with zero disruption. Cloudflare's Professional Services team builds a migration blueprint. Traffic shifts via BGP — your existing infrastructure stays live until you're ready to cut over. Zero disruption is the default, not the exception.
"Melbourne Airport replaced a complex multi-vendor hardware environment with Magic Transit in under 36 hours — during live operations. Our deployment runs in parallel with your existing infrastructure. You cut over on your schedule, not ours."
Melbourne Airport deployed Cloudflare Magic Transit in under 36 hours, replacing a complex multi-vendor hardware environment. Result: 100% uptime, zero DDoS attacks reached infrastructure. The deployment ran in parallel with existing systems — zero disruption to live operations.
"Akamai Prolexic works like a life vest that sinks in deep water. It handles everyday attacks. But it has only ~22 Tbps of capacity. The largest 2025 attack was 31.4 Tbps — 43% beyond Prolexic's limit. When the real attack hits, Prolexic is overwhelmed. And it adds latency during every mitigation event — even the ones it can handle."
The largest attack in history was 31.4 Tbps. Prolexic's entire infrastructure is rated at ~22 Tbps. That attack would have exceeded Prolexic by 43%. Cloudflare stopped it in 35 seconds. There is no version of Prolexic that handles modern hyper-volumetric attacks.
Prolexic routes traffic to centralized scrubbing centers, adding latency during every mitigation event. Cloudflare mitigates inline at 335+ locations worldwide — zero backhaul, zero added latency. Your users never feel the difference.
Cloudflare operates in 11x more locations than Prolexic. In regions where Prolexic has no scrubbing center — particularly APAC and LATAM — traffic must backhaul significant distances. Cloudflare has local mitigation everywhere.
Prolexic requires complex, expensive professional services engagement — often taking weeks and significant PS spend. Cloudflare onboards in days, with a straightforward BGP configuration. Melbourne Airport: fully live in under 36 hours.
The capacity gap is structural, not a version upgrade. Prolexic's architecture is built on centralized scrubbing — which cannot scale to match distributed anycast mitigation. This isn't a feature comparison. It's a fundamental architectural difference.
"Prolexic's architecture is based on routing traffic to ~50 scrubbing centers. Cloudflare mitigates at 335+ locations simultaneously. The largest attack in 2025 was larger than Prolexic's entire network. That's not a Cloudflare marketing claim — that's publicly verified attack data."
Akamai competes hard on SOC and professional services — engage Cloudflare PS early so this is never a gap. Magic Transit is fully managed, with automatic mitigation. For customers who need SOC augmentation, Cloudflare's TAM and managed service options cover it. Don't lead with price — lead with capacity and performance.
"Cloudflare's automated mitigation means your SOC team spends less time firefighting DDoS, not more. We have TAMs, professional services, and managed support options. But the key difference is: our system doesn't need a human to turn it on during an attack — it's already blocking."
Acknowledge the contract. Explore the dual-vendor / Network Extension motion in the meantime — Cloudflare can add upstream protection on top of Prolexic today. When the renewal window opens, you're already in the account with proven value. Coordinate with Jet Ski on SPIFF timing.
"We understand — timing matters. In the meantime, we can add Cloudflare as an upstream layer above Prolexic, providing capacity that Prolexic can't. When your renewal comes up, you'll have real-world data on Cloudflare's performance rather than making a decision blind."
Cloudflare offers a side-by-side evaluation setup before any cutover. Traffic migrates via BGP in a phased approach. Prolexic stays fully active until the moment you're ready to complete the transition. Reference Melbourne Airport: zero disruption, under 36 hours.
"We run Prolexic and Cloudflare side by side during evaluation. You don't cut over until you've validated every aspect of Cloudflare's performance against your specific traffic patterns. The migration blueprint is zero-disruption by design."
In November 2025, Cloudflare autonomously detected and mitigated the largest DDoS attack ever recorded — 31.4 Tbps — in 35 seconds. Zero customer impact. Prolexic's entire rated capacity is ~22 Tbps — this attack would have exceeded it by 43%. No scrubbing center architecture can handle what Cloudflare's anycast network can absorb.
An active SPIFF program and a buyout program for Akamai Prolexic customers are running in Q2 FY26. Coordinate with the Jet Ski team on all active Prolexic renewal opportunities. Jet Ski Specialists are available for all $100K+ deals.
"Smart homeowners use multiple locks — a deadbolt, a security chain, a monitored alarm. If one fails, the others hold. Your network protection works the same way. A single vendor — no matter how good — is a single point of failure. Cloudflare as your second layer doesn't replace what already works. It ensures that when your primary solution is overwhelmed, you don't go down."
If your primary DDoS vendor is overwhelmed or experiences an outage, Cloudflare automatically takes over — Active/Passive or Active/Active configuration. No manual activation. No human required. Your network stays up regardless of what happens to your primary vendor.
Regulators are increasingly requiring documented dual-vendor network resilience. Cloudflare provides the compliance documentation, architecture diagrams, and SLA evidence your auditors need. Stop treating this as a security decision — it's a regulatory obligation.
Cloudflare deploys in front of your existing stack. Your current solution stays fully in place. Active/Passive mode uses Cloudflare as the primary absorbing layer. Active/Active mode load-balances across both. No rip-and-replace. No disruption. No political risk of removing an incumbent.
Average cost of a major DDoS outage: $1M+. Revenue loss per hour: $100K–$540K. Cloudflare's dual-vendor layer costs a fraction of that. One avoided outage pays for years of protection. This is not a cost center decision — it's risk management math.
Every solution has a capacity ceiling and a failure mode. The question isn't whether your current solution is good — it's whether it's sufficient for the worst-case scenario. One vendor, no matter the quality, is a single point of failure for your most critical infrastructure.
"Smart organizations don't rely on a single firewall, a single data center, or a single ISP. Network protection is no different. Cloudflare isn't here to replace your existing solution — it's here to be the layer that catches what falls through."
Cloudflare's anycast architecture means no single data center failure impacts protection — traffic automatically routes to the next nearest of 335+ locations. In Active/Active mode with your incumbent, if Cloudflare experiences any issue, your existing solution carries full load. Neither vendor is a single point of failure.
"In an Active/Active architecture, if Cloudflare has any disruption, your existing solution immediately carries full load — and vice versa. You've eliminated the single point of failure in both directions. That's the definition of resilience."
Acknowledge the simplification goal. Counter with the operational reality of the alternative: a single vendor failure during a major attack is far more complex to manage than a pre-configured failover. Cloudflare reduces operational complexity during an attack — which is the moment that matters most.
"Adding one vendor now is simpler than the operational chaos of explaining to your board why your single-vendor protection failed during your biggest attack of the year. Complexity is the wrong frame — resilience is the right one."
Reframe around risk cost, not product cost. Average downtime event: $1M+. Revenue loss per hour: $100K–$540K. One avoided major attack pays for multiple years of dual-vendor coverage. For regulated industries, add regulatory fine exposure. The math is not close.
"The average cost of a major DDoS outage is over $1M. One event. Cloudflare's dual-vendor coverage is a fraction of that. You're not budgeting for a second vendor — you're budgeting for the insurance that means that $1M event never happens."
Melbourne Airport added Cloudflare as a second protection layer in under 36 hours without disrupting existing services. Defense-in-depth strategy fully implemented overnight — no disruption, no rip-and-replace, full resilience from day one.
During an active attack, Visma activated Magic Transit and restored all services in under 1 hour. Without a second layer, recovery would have depended entirely on the primary vendor's response time — and the attack was already underway.
Inline mitigation at every Cloudflare data center — zero backhaul, zero added latency. Hardware forces you to choose between speed and protection. Prolexic's scrubbing centers add latency during every mitigation event. "Other solutions require traffic to detour to a scrubbing center. Cloudflare mitigates at the edge — your users never feel the difference."
477 Tbps across 335+ cities. No hardware vendor comes close (25–100 Gbps max). No scrubbing center comes close (Prolexic ~22 Tbps). The largest attack ever recorded was 31.4 Tbps — Cloudflare stopped it in 35 seconds. "The largest DDoS attack in history was 31.4 Tbps. Prolexic's entire capacity is 22 Tbps. Your hardware maxes at 100 Gbps. We stopped that attack in 35 seconds. That's the math."
Protection is active 24/7 from day one. Detection and mitigation in <3 seconds. Competitors set up "on-demand" because always-on incurs latency in their architecture. Not ours. "On-demand means you're exposed in the window between attack start and activation. We're already blocking when the attack begins — automatically."
Cloudflare's threat intelligence from 20% of all Internet traffic means we identify and patch new attack vectors before they're publicly known. Hardware firmware updates take months. Cloudflare patches automatically — often before zero-days are disclosed. "Attack vectors evolve weekly. Hardware patches take months. We update our defenses from the signal of 20% of all Internet traffic."
No hardware to rack, configure, maintain, patch, or replace every 5 years. No large SOC team required for manual mitigation. Customers report 50% reduction in network maintenance costs. "One customer reduced network maintenance costs by 50%. Another recovered in under an hour during an active attack. The operational savings alone often justify the investment."