ChatGPT
Perplexity
Claude
We have implemented Cloudflare for businesses across the UK, UAE, and Saudi Arabia. We have also inherited Cloudflare setups built by other partners - and what we find inside those accounts tells us everything about how those partners work. Misconfigured WAF rules that were never tuned. DNS TTLs set to 24 hours. No failover. No documentation. A Cloudflare dashboard that only the previous partner can interpret. And a client paying a monthly retainer for the privilege.
Choosing the wrong Cloudflare implementation partner does not announce itself at the start. It announces itself when Cloudflare has an outage, or when you try to leave, or when the partner’s lead engineer moves on and the institutional knowledge vanishes with them.
This is our honest view on what to look for - and what to run from.
What is a Cloudflare implementation partner?
A Cloudflare implementation partner deploys, configures, and manages Cloudflare on your behalf. The scope varies: some partners do the initial setup and walk away, others manage the account ongoing - monitoring, WAF rule updates, DDoS tuning, incident response.
What that ongoing management actually looks like in practice is the question most buyers never ask clearly enough. Managing Cloudflare is not clicking through a dashboard once a month. It is watching your traffic patterns, adjusting rules when attack vectors shift, maintaining a failover path for when Cloudflare itself fails, and being reachable when something goes wrong at 2am. Most partners do the first two. Almost none do the last two.
What the partner tiers actually mean - and what they hide
Cloudflare has a formal partner programme with tiers: ASDP (Authorized Service Delivery Partner) at the top, then PowerUP MSP partners, then agency and channel partners, then independents.
The tier tells you one thing: whether the partner has passed Cloudflare’s accreditation process. It tells you nothing about whether they will act in your interest.
ASDP partners have gone through a technical validation process covering deployment capability. They have certified engineers and a direct escalation path to Cloudflare. Sounds impressive. Here is the catch: an ASDP earns revenue from your Cloudflare subscription. Every product you add, every renewal you sign, puts margin in their pocket. That is the incentive structure underneath the badge. When an ASDP recommends expanding your Cloudflare footprint, you should ask whether that recommendation would look the same if they earned nothing from the outcome.
PowerUP and MSP partners resell and manage Cloudflare under Cloudflare’s broader programme. Same structural conflict, slightly less rigorous technical validation at entry.
Agency and channel partners typically treat Cloudflare as one product among dozens. Technical depth is inconsistent. Some have strong Cloudflare engineers. Most do not.
Independents have no commercial relationship with Cloudflare. No reseller margin, no renewal commission, no partnership revenue to protect. When an independent recommends something, the recommendation has no financial motive behind it. That independence is exactly why we have chosen not to pursue ASDP or MSP status ourselves - it would compromise the one thing that makes our advice worth having.
The conflict of interest the industry does not talk about
Any partner earning Cloudflare renewal margin will not proactively tell you to add a secondary CDN as a failover layer. They will not build you an exit-friendly architecture. They will not suggest reducing your Cloudflare spend even when it makes sense. Their business model runs directly against those conversations.
We have those conversations with every client, because we have nothing to lose by having them. If Cloudflare is the right tool for a use case, we implement it. If a different configuration would serve the client better, we say so. We do not earn a different amount either way.
That is not a minor distinction. Over a multi-year managed services engagement, the compounding effect of a partner whose interests are misaligned with yours can be significant - not through deliberate bad faith, but through a thousand small decisions where the path of least resistance also happens to be the path that benefits the partner.
Ask any prospective partner directly: do you earn revenue from Cloudflare renewals? If yes, that is not automatically disqualifying - but it should be a lens through which you evaluate every recommendation they make.
What the November 2025 Cloudflare outage revealed
On 18 November 2025, a permission change in one of Cloudflare’s internal database systems corrupted the feature file used by Cloudflare’s Bot Management system. The result: ChatGPT, X (formerly Twitter), Spotify, Shopify, Canva, Dropbox, and Coinbase all went dark or severely degraded for up to six hours. Cloudflare’s stock lost roughly $1.8 billion in market cap that day. A second outage on 5 December 2025 took down 28% of Cloudflare’s HTTP traffic for 25 minutes. A third in February 2026 disrupted Uber Eats and Bet365.
Cloudflare carries approximately 20% of global web traffic. When it fails, the impact is systemic.
Every Cloudflare customer whose implementation partner had no failover plan went down and stayed down. ChatGPT users stared at error pages. Shopify merchants could not process orders. Spotify returned silence. The companies behind those platforms had no choice but to wait - wait for Cloudflare’s engineering team to diagnose the issue, wait for the fix to propagate, wait for the network to stabilise. Nearly six hours of that waiting.
Our clients were back online within four minutes of the incident starting.
Not because we got lucky. Because we had built automated DNS failover into every deployment - a system that detects Cloudflare-specific errors, confirms the issue against Cloudflare’s own status page, verifies the origin server is healthy, and switches DNS to bypass Cloudflare entirely, all without a human having to wake up and make a decision at 11am on a Tuesday. By the time most people realised Cloudflare was down, our clients’ users had already been quietly rerouted to origin and were getting on with their day.
That architecture requires deliberate planning at deployment time. It is not something you retrofit during an active outage. And it is not something a partner with a financial incentive to keep you fully committed to Cloudflare is likely to suggest proactively.
We wrote up exactly how the automation works and what happened minute-by-minute on 18 November 2025 - if you want the technical detail of the detection logic, the DNS switch sequence, and the trade-offs involved.
If your current Cloudflare implementation partner has not had this conversation with you, that is the most important question on this list.
9 questions to ask any Cloudflare implementation partner
We use these questions when we audit existing Cloudflare setups. Most inherited accounts fail at least four of them.
1. Do you earn revenue from Cloudflare renewals or product sales?
The most important question and the one least likely to appear on a vendor’s website. Know the incentive structure before you trust the recommendations that come from it.
2. What is your backup strategy if Cloudflare experiences a major outage?
This is the question that reveals whether a partner thinks about your resilience or just your Cloudflare configuration. Our answer: automated DNS failover, secondary CDN on hot standby, sub-five-minute recovery. If the answer you receive is silence, a vague process description, or “we would escalate to Cloudflare” - you have your answer.
3. Have any of your clients experienced downtime during a Cloudflare-wide outage?
Ask this about November 2025 specifically. A partner with proper failover architecture can answer this directly. Our clients did not go down. We are comfortable saying that plainly.
4. Will our implementation make it easy or hard to reduce Cloudflare dependency in future?
A partner who designs for your flexibility structures DNS for fast switching, keeps TTLs low, documents rules in version control, and does not build configurations that only they can interpret. A partner who designs for retention does the opposite. Ask to see how they structure DNS records and firewall rule documentation.
5. Do you hand over full account access and documentation at the end of the engagement?
We hand over everything: full super-administrator access, documented WAF rules, firewall logic, DNS architecture notes, runbooks for common incident scenarios. Some partners structure accounts in ways that make self-management difficult after they leave. That is not an accident.
6. What happens to our account if a key engineer leaves your team?
The answer should reference documented processes, shared access, team-based knowledge rather than individual expertise. We maintain runbooks for every client account specifically so that account health is never dependent on a single person being available.
7. Can you work alongside our existing security stack, or do you expect to replace it?
The best Cloudflare implementation complements what you already have rather than demanding to replace it. When a partner insists on consolidating everything onto Cloudflare, ask whether that serves your architecture or their margin.
8. What do you do when Cloudflare is not the right tool for a specific problem?
We have told clients not to use Cloudflare features where a better-fit solution existed. We can name specific cases. A partner commercially tied to Cloudflare will struggle to give you an honest answer here.
9. How do you tune WAF rules over time as attack patterns change?
Initial configuration is not management. Real management is watching your traffic logs, identifying false positives, tightening rules when new attack vectors emerge, and adjusting rate limiting thresholds as your legitimate traffic patterns shift. Ask how often they review WAF rules actively and what triggers a review between scheduled check-ins.
How we build Cloudflare implementations
Every Cloudflare deployment we deliver is built on the same principles, regardless of client size.
DNS TTLs are set low - 60 seconds on records that matter - so that a failover switch propagates within a minute rather than a day. Firewall and WAF rules are documented outside the Cloudflare dashboard, in version control, so that the logic is readable by the client and portable if the relationship ends. A secondary CDN sits on standby with health-check-driven automated failover - not a manual runbook that requires someone to act under pressure, but an automated system that switches before most users notice anything is wrong.
We do not structure client accounts in ways that create dependency on us. Clients have full administrative access from day one. The documentation we produce is written so the client team could act on it independently if they needed to.
For businesses in Saudi Arabia and the Gulf operating under NCA and PDPL requirements, this architecture supports data residency compliance cleanly because the controls are separated from the CDN layer rather than embedded in it.
Cloudflare is a powerful tool. We use it extensively. We also believe that using it well means building around it intelligently - not treating it as an unquestioned single source of truth for your entire edge.
The bottom line on partner tiers
The tier matters less than the incentive structure. An ASDP with Cloudflare renewal margin has structural reasons to keep you dependent. An independent partner with deep technical capability and no commercial relationship with Cloudflare does not.
We are not an ASDP. We chose that deliberately. The independence is the point.
Work with a Cloudflare team that is not on Cloudflare’s payroll
Tasrie IT Services implements and manages Cloudflare for businesses across the UK, UAE, and Saudi Arabia. We do not earn Cloudflare renewal commission. Every recommendation we make is based on what your infrastructure needs, not what our margin prefers.
Our Cloudflare managed services include WAF configuration, DDoS protection tuning, Zero Trust implementation, automated failover architecture, and ongoing rule management. Our clients did not go down in November 2025. That is the standard we hold ourselves to.
If you want an independent review of your current Cloudflare setup - whether it is properly configured, whether you have a viable failover path, and whether your current partner is working in your interest - our Cloudflare professional services team can give you a straight answer.
For businesses with NCA or PDPL requirements, our Cloudflare managed services for Saudi Arabia covers the compliance layer alongside the implementation.