Cloudflare One Stack: AI Agent Skills to Automate SASE Migration, Targeting Zscaler Lock-in
Summary
Key Takeaways
Cloudflare released the Cloudflare One Stack, a set of lightweight skill files (cloudflare-one and cloudflare-one-migration) for AI agents, built on thousands of hours of customer migration expertise. It automates the full lifecycle of Zero Trust evaluation, deployment, and management.
Key capabilities:
- Automatic mapping of existing VPN apps, Zscaler Private Access, or Netskope configs to Cloudflare primitives (Access, Gateway, Tunnel, Mesh).
- Network diagram parsing and generation for team visualization.
- Vendor concept translation between Zscaler, Palo Alto, and Cloudflare.
- Integration with the MCP server for typed API access, enabling agents to query live accounts and execute recommended workflows.
- Reuses migration logic from Cloudflare's Descaler and Deskope programs, which previously moved enterprises in hours.
The stack also includes a Digital Experience Monitoring (DEX) toolkit and automated rule recommendations. Partners can also leverage the stack for faster deployments.
Why It Matters
On the surface, the Cloudflare One Stack is a helpful automation tool, but underneath it is a calculated ecosystem siege against Zscaler, Netskope, and Palo Alto Networks.
Defense & encirclement: By commoditizing migration logic into agent skills, Cloudflare lowers the switching cost for rival customers, directly poaching Zscaler's base. The 'hours not months' narrative is a weapon to break incumbent lock-in.
Hidden lock-in: Once configured via the stack, the entire Zero Trust topology is encoded in Cloudflare API and MCP server dependencies. While the skills are 'agent-agnostic', the typed interface and recommended workflows are Cloudflare-specific. Reverse-migration tooling will never be provided—a new form of vendor lock-in.
Concealed limitations: The migration logic may miss nuanced security policies (e.g., granular SSL inspection, custom DLP rules), forcing users to accept lower security or higher tail latency. The MCP server creates a single point of failure: any Cloudflare outage cripples Zero Trust operations.
PRO Decision
[Vendors (Zscaler, Netskope, Palo Alto Networks)]: Immediately launch counter-agent skill files for reverse migration from Cloudflare, highlighting the engineering shortcomings of Cloudflare One Stack (e.g., missing advanced DLP rules, WAN optimization gaps). Open your APIs to prevent Cloudflare from defining agent workflow standards.
[Enterprises (CIOs/Architects)]: Conduct a zero-trust technical audit of the Cloudflare One Stack: mandate PoC testing of tail latency increase and security policy fidelity after migration. Beware of the single point of failure created by the MCP server; demand an offline fallback. Include data portability clauses in contracts to ensure future reverse export of all policy definitions.
[Investors]: Recognize this as a defensive move reflecting Zscaler's strong customer stickiness. If Zscaler fails to quickly counter, Cloudflare may gain short-term customer wins, but the agent skill approach will likely trigger price wars, compressing margins for all SASE vendors.