A Connectivity Cloud · For Hard Questions, Tough Challenges
Exponent runs 30+ offices, 950+ consultants, and an ISO 27001-certified evidence chain across five continents — currently stitched together with Zscaler, Fastly, Proofpoint, Cisco IronPort, and a legacy VPN appliance. Cloudflare's Connectivity Cloud collapses that into a single programmable platform.
A 30+ office footprint we're built to secure
Every one of these sites is a Cloudflare data center too. We don't add a hop — we are the hop.
Current State · The Stack You Already Own
Recon from your public DNS, security disclosures, and the published Zscaler footprint. None of this is a guess — and none of it has to stay.
j.sni.global.fastly.net. Single-vendor lock for marketing + investors traffic.
pphosted.com. Layered with Cisco IronPort (iphmx.com in SPF). Two vendors for one inbox.
spf.iphmx.com. Redundant with Proofpoint — paying twice for the same outcome.
vpn.exponent.com → 12.47.62.20. AT&T address space — on-prem appliance still in the path for forensic consultants.
The hidden cost isn't licensing. It's five sets of policies, five audit trails, five renewal calendars, five vendor SE teams, and five places a misconfiguration can lose attorney-client privilege.
Interactive · Modeled at 1,500 seats
SSE pricing is opaque on purpose. Here's a transparent 3-year TCO model using public benchmarks from Gartner, public-sector contracts, and Cloudflare One Enterprise list — toggle the assumption you want defended in your renewal meeting.
Your inputs
Defaults sized for Exponent's footprint.
≈ 950 consultants + 550 corporate staff
Public-sector ZIA + ZPA Business bundle, mid-range.
CF One Enterprise bundle (Gateway + Access + CASB + DLP + RBI).
Legacy VPN HW + maintenance + 1 FTE of operational toil.
Retire Cisco IronPort, fold into Cloudflare Email Security.
Estimated 3-Year Savings · Conservative · ZIA+ZPA mid-range
Plus what's not in this number: free DDoS protection, unmetered Pages + Workers, R2 with zero egress fees, Magic WAN at 30 offices, Cloudflare Stream for client deposition video — all on the same Enterprise contract.
Source notes: Zscaler unit price from Gartner Peer Insights ($6.50-$13.50 ZIA+ZPA range, public-sector contracts via SAM.gov). Cloudflare One Enterprise list from cloudflare.com/plans/zero-trust-services. VPN retirement based on typical mid-size enterprise on-prem ZTNA appliance + 0.5 FTE. Update with your actual contract numbers before walking this into a renewal meeting.
Live · Workers AI + Vectorize
Try a semantic search over Exponent's public case studies and alerts. Type how a client would describe their problem — not the keywords on your site. If a 200ms edge inference can RAG your public corpus, imagine it on your privileged case files, running inside your network perimeter with zero data egress.
@cf/baai/bge-base-en-v1.5 · @cf/meta/llama-3.1-8b-instruct
This demo uses a tag-vector approximation in the browser. The production pattern is identical — but runs on Workers AI + Vectorize, all inside Cloudflare's data-sovereign EU and US regions, with full audit trail in AI Gateway. No data leaves the perimeter. Zero OpenAI roundtrips.
For your CIO + CISO + Information Security team
Five solution areas. One platform. Built for a 30-office, ISO 27001-certified consulting firm where downtime breaks attorney-client privilege.
Zero Trust · The Lead Play
Today, a forensic consultant in your Hong Kong office hitting a client SaaS goes: laptop → Zscaler ZIA → ZPA → SaaS — three hops, two consoles, opaque traffic in a SOC 2 audit. Cloudflare One collapses that to one identity-aware proxy on the world's most peered network, with DLP that understands the difference between "litigation hold material" and "lab Slack."
For Exponent specifically
Replace Zscaler ZIA+ZPA at 1,500 seats with Cloudflare One Enterprise. Apply granular DLP policies to matter-numbered SharePoint sites — block AI prompt exfil of privileged work product to ChatGPT, Claude, or Gemini. Browser Isolation for risky expert-witness research (the dark side of materials science forums). All audit-trailed to ISO 27001 and NIST SP 800-171 controls you already attest to.
App Security & Performance
www.exponent.com is on Fastly today. Consolidate edge, WAF, bot, and DDoS into a single contract with global anycast at 330+ cities. investors.exponent.com is already on Cloudflare (via Q4 Inc.) — extend that footprint across every property.
For Exponent specifically
Protect www.exponent.com, careers.exponent.com, and the alerts + case-studies verticals on one WAF. Bot Management blocks AI scrapers harvesting your public expertise content for competitor training data.
Network as a Service
Today: vpn.exponent.com → 12.47.62.20 — an AT&T-fronted box that's the only path home for consultants in Basel, Edinburgh, Shanghai. Replace with Magic WAN: every office becomes a Cloudflare PoP, every laptop a WARP endpoint, all under one routing fabric.
For Exponent specifically
Connect Menlo Park, Bowie, Natick, Basel, London, Shanghai, Singapore as one virtual fabric. Retire the on-prem VPN appliance entirely. Forensic engineers in the Natick or Phoenix testing labs get the same latency to lab instruments whether on-site or remote.
AI Security & Performance
Exponent sells AI consulting — battery thermal AI, autonomous driving AI, healthcare AI risk. Run your own AI on infrastructure that meets the bar you set for clients: AI Gateway audit trail, Firewall for AI for PII / privileged content leakage, Workers AI for private inference inside your perimeter.
For Exponent specifically
Internal RAG over 50+ years of case files without sending a byte to OpenAI. AI Audit catches every consultant prompt that contains a matter number or client name before it leaves your perimeter. Block AI scrapers training on your published expertise.
Email Security + Developer Platform
Expert witnesses get spear-phished daily — opposing counsel, "court clerks," fake retainer requests. Cloudflare Email Security (formerly Area 1) sits in front of M365 and catches the targeted, low-volume social-engineering attacks Proofpoint + IronPort miss. Plus everything else on the platform — Workers, Pages, R2, D1 — so when Information Resources needs a custom client portal, intake form, or deposition exhibit viewer, it ships in days, not quarters.
For Exponent specifically
Retire Proofpoint + Cisco IronPort. Stream secure deposition video to client counsel without Vimeo licensing. Workers + R2 host expert-witness exhibit repositories with per-matter access control. Free DDoS-protected Pages for every conference microsite Exponent's marketing team has to spin up.
Where to start · No big-bang migration
Cloudflare One runs in parallel with Zscaler during cutover — no big-bang, no rip-and-replace, no forklift. You decommission Zscaler on your renewal date, not ours.
Step 01
Stand up Cloudflare One tenant. Deploy WARP to 50 IT + Security pilot users in Menlo Park. Mirror Zscaler ZIA traffic for shadow comparison — no user impact, full visibility.
Step 02
Migrate top 25 internal apps (SharePoint, file shares, lab instrumentation, expert-witness portals) from ZPA to Cloudflare Access. Cut over vpn.exponent.com to WARP Connector. Decommission the on-prem VPN box.
Step 03
All 1,500 seats on Cloudflare One. DLP policies live for matter-numbered data. Browser Isolation for high-risk research. Cisco IronPort retired. Trigger the Zscaler non-renewal letter.
No-regret order: CF Email Sec (monitor) → WARP pilot → Access for top apps → VPN retired → full Zscaler cutover at renewal.
End-to-end Mapping
Each tile maps a current vendor or capability to a Cloudflare equivalent — sized to a 1,500-seat, 30-office, ISO 27001 environment. The Replaces, Augments, and Net-new badges are based only on what we actually detected on your public infrastructure.
One SSE platform for all 1,500 seats: Gateway (SWG), Access (ZTNA), CASB, DLP, Browser Isolation, Tenant Control.
Move www.exponent.com off j.sni.global.fastly.net. Free DDoS, unmetered, 330+ cities.
Drop-in MX in front of M365. Detects targeted BEC + spear-phish the legacy gateways consistently miss.
12.47.62.20 is an AT&T-fronted on-prem box. Retire entirely. Identity-aware proxy with full posture checks.
Keep Route 53 if you want, or consolidate. Cloudflare DNS is the world's fastest authoritative resolver, free at any scale.
Native Entra ID SCIM. CASB scans M365 / SharePoint / OneDrive for misconfig + data exposure. No new IdP.
Every office a Cloudflare PoP. Single routing fabric. DDoS-protected origin IPs for any colocated infrastructure (Natick, Phoenix labs).
Internal RAG over 50+ years of case files. AI Gateway logs every prompt. Firewall for AI blocks privileged data exfil.
Client portals, intake forms, deposition exhibit viewers — ship in days. R2 with zero egress for case file archives, replacing S3.
Business Case · For the CIO Memo
Each number cites its source so it survives a CFO read.
Year-1 SSE savings
Conservative scenario: 1,500 seats × ($9 − $7) × 12. Aggressive (ZIA+ZPA+ZDX): 4-6× this. From the calculator above, your scenario.
Vendor consolidation
Zscaler, Fastly, Proofpoint, Cisco IronPort, on-prem VPN → one Cloudflare Enterprise contract. One console, one audit trail, one renewal cycle.
to 95% of internet users
330+ Cloudflare cities. Your Hong Kong consultant gets the same SaaS latency as your Menlo Park partner. Per Cloudflare's published Radar measurements.
Next Step
60-90 minute workshop with your Information Security + Information Resources teams. We'll plug Exponent's actual Zscaler contract into the calculator, map the 5 pillars to your ISO 27001 control set, and sketch the Week-1 WARP pilot.
Your Cloudflare contact
I cover scientific & engineering consulting accounts. I've already done the public-DNS recon — bring me your Zscaler renewal date and I'll bring you the migration plan.