Cloudflare Overview for Vodacom

Securing Africa's Digital Future — App Security, Cloudflare One (SASE), Network Services & Developer Platform
Ozzie Khawaja
Senior Partner Solutions Engineer, Sub-Saharan Africa · okhawaja@cloudflare.com
AGENDA

Today's Agenda

Six focused areas covering Vodacom's security and platform needs across 7 markets.

SECTION 01
Vodacom in Africa
OpCo footprint · regional threat landscape · digital transformation across 7 markets.
SECTION 02
Threat Landscape
DDoS · ransomware · API attacks · phishing · Africa threat stats · POPIA compliance.
SECTION 03
Application Services
WAF · DDoS Protection · Bot Management · API Security · CDN & Performance.
SECTION 04
Cloudflare One
SASE · Access (ZTNA) · Gateway (SWG) · CASB · DLP · Email Security.
SECTION 05
Network Services
Magic Transit · Cloudflare Network Firewall · BGP Anycast · CNI at JINX.
SECTION 06
Developer Platform
Workers · Pages · Workers AI · R2 · D1 · KV · Durable Objects.
VODACOM IN AFRICA

Vodacom Group — Operating Companies in Africa

7 OpCos across sub-Saharan Africa · 97M+ combined subscribers · unique per-market regulation.

JOHANNESBURG · HQ
South Africa
Headquarters, JSE-listed. POPIA-regulated home market.
DAR ES SALAAM
Tanzania
OpCo · DSE-listed operating company.
MAPUTO
Mozambique
OpCo serving the Mozambique market.
MASERU
Lesotho
OpCo serving the Lesotho market.
KINSHASA
DR Congo
OpCo serving the DRC market.
Group footprint: 130M+ customers across Africa · business services in 32+ countries · majority-owned by Vodafone Group.
THREAT LANDSCAPE

The Current Threat Landscape

Africa is one of the fastest-growing targets for cybercrime — financial services and telcos most at risk.

234B
threats blocked daily by Cloudflare (Q1 2026) — phishing, DDoS, bots and exploits combined.
1,178%
surge in DDoS attacks in sub-Saharan Africa in 2023 — telcos and financial services first.
57%
of all web traffic is automated — malicious bots hit VodaPay and M-Pesa portals.
400%
year-on-year API attack growth — exposed APIs are critical attack vectors.
91%
of cyberattacks begin with a phishing email — BEC targets finance executives.
R10M
POPIA maximum fine plus criminal liability for data breaches in South Africa.
KEY CHALLENGES

Key Challenges for Vodacom — and How Cloudflare Solves Them

From digital transformation to multi-market compliance — the technical challenges Cloudflare solves.

CHALLENGE
Expanding Attack Surface
VodaPay, M-Pesa and partner APIs expose new vectors. Fix: unified WAF, API Shield and DDoS from one control plane.
CHALLENGE
Mobile-First Networks
Millions on variable mobile links. Fix: HTTP/3 + QUIC, Argo Smart Routing and 14+ Africa PoPs for sub-20ms gains.
CHALLENGE
Distributed Workforce
Staff across 7 OpCos need secure access. Fix: Cloudflare One replaces slow VPN with identity-aware Zero Trust.
CHALLENGE
Data Sovereignty / POPIA
SA personal data must be protected. Fix: CASB + DLP with POPIA detection and R2 jurisdiction controls.
CHALLENGE
Core IP Infrastructure
Telco IP is a direct DDoS target. Fix: Magic Transit with BGP Anycast and direct CNI at JINX.
ABOUT CLOUDFLARE

One of the World’s Largest Networks

A connectivity cloud that sits within 50ms of every person on earth — security, performance and reliability in one platform.

335+
cities · 100+ countries
500 Tbps
network capacity
~13,000
networks peered
8.4T
DNS queries / day
20%+
of all websites
ABOUT CLOUDFLARE

Cloudflare in Africa — 14+ PoPs Serving Vodacom OpCos

14+ Points of Presence across sub-Saharan Africa — low latency to every Vodacom OpCo market.

SOUTH AFRICA
Johannesburg & Cape Town
Serving SA HQ. JINX-peered, CNI available.
TANZANIA
Dar es Salaam
Serving the Tanzania OpCo.
MOZAMBIQUE
Maputo
Serving the Mozambique OpCo.
ETHIOPIA
Addis Ababa
Serving the Ethiopia OpCo.
EAST AFRICA
Nairobi & Kampala
East Africa hub coverage.
Single control plane for all 7 OpCos — traffic stays in-region for POPIA data-sovereignty compliance.
3
Section 03
Application Services
Protect and accelerate every web property, API and application — from DDoS to bots to app vulnerabilities.
APPLICATION SERVICES

Web Application Firewall (WAF)

Protect VodaPay, customer portals and APIs from OWASP Top 10, zero-days and custom threats.

FEATURE 01
Managed Rulesets
ALWAYS CURRENT
Cloudflare-maintained rules for OWASP Top 10, known CVEs and emerging threats — updated in real time. During Log4Shell, rules shipped within 6 hours of disclosure.
FEATURE 02
Custom Rules Engine
1,000+ FIELDS
Precise rules in Wireshark-like syntax: match HTTP method, headers, body, URI, IP, ASN, country, bot score, JA3. Manage via API and Terraform.
FEATURE 03
WAF Attack Score (ML)
DETECTS ZERO-DAYS
ML scores every request 0-99 for SQLi, XSS and RCE — catching zero-day patterns before signatures exist. Trained on Cloudflare's global traffic.
APPLICATION SERVICES

DDoS Protection

Unmetered, always-on protection absorbing attacks of any size — critical for a major telco and fintech target.

FEATURE 01
Unmetered & Always-On
500 TBPS CAPACITY
Absorbs DDoS of any size at no extra cost. Sub-3-second L7 time-to-mitigate. Protects web apps (L7) and IP infrastructure (L3/L4) via Magic Transit.
FEATURE 02
Adaptive DDoS Protection
SELF-LEARNING
Learns your traffic baseline over 2 weeks and auto-creates mitigation rules on deviation — no manual tuning, no support ticket.
FEATURE 03
Advanced Analytics
SIEM-READY
Real-time attack analytics plus GraphQL API for SIEM. Full visibility into vectors, source ASNs, packet details and mitigations.
APPLICATION SERVICES

Bot Management

Stop credential stuffing on VodaPay, scraping and fake accounts — without impacting genuine users.

FEATURE 01
ML Bot Scoring
1,000+ SIGNALS
Every request gets a Bot Score (1-99) from IP reputation, JA3/JA4, browser behaviour, timing and header ordering — refreshed every 24 hours.
FEATURE 02
Turnstile
NO CAPTCHA FRICTION
Invisible JS challenges distinguish real browsers from headless bots. Device fingerprinting detects Puppeteer and Selenium — zero user friction.
FEATURE 03
Verified Bots & Analytics
GOOD-BOT ALLOWLIST
Allowlist verified bots (Google, Bing, monitoring) while blocking scrapers. Full analytics on automated vs human traffic over time.
APPLICATION SERVICES

API Security

Discover, validate and protect every API endpoint — including shadow APIs in VodaPay and partner integrations.

FEATURE 01
API Discovery
ZERO CONFIG
Automatically catalogs every endpoint from traffic — including undocumented shadow APIs and deprecated versions. No code changes or agents.
FEATURE 02
Schema Validation
POSITIVE SECURITY
Validates requests against OpenAPI/GraphQL schema, blocking unexpected params or methods before your backend — stops BOLA and mass assignment.
FEATURE 03
Sequence Analytics
PER-ENDPOINT LIMITS
Detects abuse via multi-request sequence analysis. Per-endpoint rate limiting protects high-value operations like payments.
APPLICATION SERVICES

CDN & Performance

Faster experiences across all 7 markets — on mobile-first networks, performance is security.

FEATURE 01
Argo Smart Routing
30%+ FASTER
Routes each request via the fastest real-time internet path, avoiding congestion — critical for variable African mobile networks.
FEATURE 02
Edge Cache + Rules
95% ORIGIN OFFLOAD
Cache static and dynamic content at 330+ locations. Tiered caching cuts origin load up to 95%. Real-time purge via API.
FEATURE 03
HTTP/3 & QUIC
MOBILE-OPTIMISED
Full HTTP/3 reduces latency on lossy mobile networks. 0-RTT resumption cuts load times 15-30% vs HTTP/2 on 4G/LTE.
4
Section 04
Cloudflare One
The world's first SASE platform on a single global network — replacing VPN, SWG, CASB, DLP, email gateway and SD-WAN.
CLOUDFLARE ONE

SASE Architecture — One Unified Service

Connect all employees, branches and data centres through one secure network.

ZERO TRUST
Access (ZTNA)
Identity-aware access to every internal app — no network-level trust.
DNS + HTTP/S
Gateway (SWG)
DNS filtering and full web inspection for every user, every OpCo.
CLOUD APP SECURITY
CASB
Discover sanctioned and shadow SaaS; find misconfigurations.
DATA PROTECTION
DLP
POPIA-aligned detection of SA IDs, cards and credentials.
RBI
Browser Isolation
Render risky pages remotely — zero code reaches the endpoint.
ANTI-PHISH / BEC
Email Security
Stop phishing and BEC via API — no MX changes required.
+ Magic WAN (SD-WAN): GRE/IPSec, BGP and MPLS replacement for branch connectivity.
CLOUDFLARE ONE

Cloudflare Access — Zero Trust Network Access

Replace VPN with identity-aware access for every internal app — no network trust, full session audit.

FEATURE 01
Identity-Aware Proxy
PER-REQUEST AUTH
Every request authenticates against your IdP (Azure AD, Okta, Google, SAML) before reaching the app. Never trust, always verify.
FEATURE 02
Clientless Access
SESSION RECORDING
Reach internal web apps from any browser — no VPN. SSH, RDP and kubectl via WARP. Full session recording and keystroke logging for POPIA.
FEATURE 03
Cloudflare Tunnel
NO OPEN PORTS
Expose apps without opening inbound ports. Outbound-only tunnel, no public IP. Deploy on-prem or any cloud in minutes.
CLOUDFLARE ONE

Cloudflare Gateway — Secure Web Gateway

Inspect, filter and log all web traffic from every user across all 7 OpCos — DNS, HTTP and HTTPS.

FEATURE 01
DNS Filtering
8.4T QUERIES/DAY
Blocks malicious domains using intelligence from 8.4T daily DNS queries. Category, domain or risk-score policies deploy instantly — no agent.
FEATURE 02
HTTPS Inspection
80+ CATEGORIES
Full TLS decryption without performance penalty. URL filtering, malware scanning, DLP and category blocking on all encrypted traffic.
FEATURE 03
Split Tunnelling / WARP
CROSS-PLATFORM
WARP client routes corporate traffic through Gateway. Split tunnelling reduces latency for personal browsing. MDM-deployable everywhere.
CLOUDFLARE ONE

Cloud Access Security Broker (CASB)

Discover every SaaS app employees use — sanctioned or not — and enforce policy across your cloud footprint.

FEATURE 01
Agentless Discovery
30-MIN DEPLOY
Connects to M365, Google, Salesforce, Slack and GitHub via OAuth. Finds users, permissions, files and misconfigurations — no traffic proxying.
FEATURE 02
Shadow IT Detection
PER-USER VISIBILITY
Cross-references Gateway logs with CASB data to find unauthorised SaaS. Risk-scores each app across 20+ factors, per user and per OpCo.
FEATURE 03
Misconfig & DLP Alerts
POPIA-ALIGNED
Flags public files, disabled MFA, overprivileged OAuth and excess admins. DLP flags SA IDs and cards stored in cloud apps.
CLOUDFLARE ONE

Data Loss Prevention (DLP)

Prevent sensitive data leaving the organisation — SA IDs, cards, PII — aligned with POPIA.

FEATURE 01
Predefined & Custom
40+ DETECTORS
Built-in detectors for SA IDs, cards, passports, financial and medical data and credentials. Aligned to POPIA, GDPR and PCI-DSS. Custom regex.
FEATURE 02
Exact Data Match
ZERO FALSE POSITIVES
Upload encrypted lists of specific values — employee IDs, account numbers, MSISDNs. Byte-for-byte matching catches genuine exfiltration.
FEATURE 03
OCR
IMAGE LEAK PREVENTION
Detects sensitive data inside images and scans — catching exfiltration via screenshot uploads to WhatsApp Web, Slack or Drive.
CLOUDFLARE ONE

Email Security

Stop phishing and BEC before the inbox — API-deployed, no MX or mail-routing changes.

FEATURE 01
AI Behavioural Detection
NO SIGNATURES
Behavioural AI on metadata, sender relationships and communication graphs detects novel phishing, BEC and vendor compromise — unseen attacks.
FEATURE 02
API Deployment
30-MIN DEPLOY
Integrates with M365 and Google via API — no MX, DNS or mail-routing changes. Retroactively scans historical mailbox email.
FEATURE 03
Retraction & Isolation
POST-DELIVERY
Removes malicious email already delivered to any mailbox. Malicious links rewritten to open in Browser Isolation with a warning.
5
Section 05
Network Services
Protect and optimise Vodacom's core IP infrastructure — Magic Transit for DDoS and Network Firewall for L3/L4 policy.
NETWORK SERVICES

Magic Transit

Protect Vodacom's IP space from volumetric DDoS — BGP Anycast attracts attack traffic for inline scrubbing.

FEATURE 01
BGP Anycast Mitigation
CNI AT JINX
Advertise IP prefixes via BGP; all inbound routes through the 500 Tbps network for line-rate scrubbing. Clean traffic returns via GRE/IPSec.
FEATURE 02
Always-On or On-Demand
FLEXIBLE
Choose always-on (all traffic through Cloudflare) or on-demand (auto-triggered on attack detection) to match cost and security posture.
FEATURE 03
Unmetered + IP Firewall
SINGLE CONTRACT
Unlimited DDoS mitigation with no per-Gbps cost. Combine with Network Firewall ACLs — L3/L4/L7 protection in one service.
NETWORK SERVICES

Cloudflare Network Firewall

Global stateful firewall at the edge — enforce network policy without hardware capacity constraints.

FEATURE 01
Stateful at Global Scale
NO CAPACITY LIMITS
Stateful policies enforced across all 330+ PoPs simultaneously. Filter by IP, port and protocol at terabit scale with no bottleneck.
FEATURE 02
Wireshark-like Syntax
GITOPS-READY
Expressive rule language familiar to network engineers. CIDR, port ranges, protocol flags and boolean logic via dashboard, API or Terraform.
FEATURE 03
Real-Time Logging
SIEM INTEGRATION
Every allowed and denied flow logged with packet metadata. Logpush to Splunk, Sentinel or S3; query in real time via GraphQL.
6
Section 06
Developer Platform
Build and deploy at the edge — closer to users, with zero cold starts, AI inference and serverless storage.
DEVELOPER PLATFORM

Cloudflare Workers & Pages

Serverless compute at the edge — run Vodacom digital services within 50ms of every customer across Africa.

FEATURE 01
V8 Isolates
ZERO COLD STARTS
JS, TypeScript and Wasm run within 50ms of every user across 330+ locations. Isolates start in <1ms — no cold starts, no provisioning.
FEATURE 02
Workers AI
40+ MODELS
On-edge AI inference without GPU cloud round-trips. Llama 3, Mistral, Whisper and Stable Diffusion. Pay per inference — no GPU.
FEATURE 03
Pages
GIT CI/CD
Deploy static and full-stack apps from GitHub/GitLab with CI/CD. Preview environments per PR. Edge-rendered pages with Workers backends.
DEVELOPER PLATFORM

R2 Object Storage, D1 Database & KV Store

Serverless storage at the edge — zero egress fees, data residency controls and globally distributed state.

FEATURE 01
R2 Object Storage
NO EGRESS FEES
S3-compatible object storage with zero egress fees. Jurisdiction controls enforce POPIA residency — data stays in South Africa.
FEATURE 02
D1 Serverless SQLite
NEAR-ZERO READS
SQLite at the edge with automatic read replicas near your users. Standard SQL — no ORM or new query language required.
FEATURE 03
KV Store
SUB-10MS GLOBAL
Eventually-consistent KV across 330+ nodes. Sub-10ms reads, 100M+ req/day — ideal for VodaPay session and config state.
SUMMARY

Why Cloudflare for Vodacom

One platform, one control plane — securing and connecting all 7 OpCos across sub-Saharan Africa.

PROTECT & ACCELERATE
Application Services
ML WAF blocks zero-days; unmetered DDoS; Bot Mgmt stops stuffing on VodaPay/M-Pesa; API Shield finds shadow APIs; +30% via HTTP/3 + Argo.
ZERO TRUST
Cloudflare One (SASE)
Replace VPN across 7 OpCos with Access; Gateway DNS on 8.4T queries/day; CASB shadow-IT; DLP with SA-ID for POPIA; API Email Security.
IP PROTECTION
Network Services
Magic Transit + BGP Anycast; direct CNI at JINX; global L3/L4 firewall; unmetered DDoS — no per-Gbps cost.
BUILD AT THE EDGE
Developer Platform
Workers + Pages within 50ms of customers; Workers AI without GPU cost; R2 jurisdiction controls; D1 + KV global replication.
SUMMARY

What Makes Cloudflare Different

The network advantage — security AND performance from a single platform for all 7 OpCos.

NO ADDED LATENCY
One Global Network
335+ cities, ~13,000 networks. Every service runs on the same infrastructure — security and performance co-located at every PoP.
NETWORK EFFECT
Intelligence Advantage
20%+ of all websites globally. A threat on one customer is blocked for all within seconds. 8.4T DNS queries/day feed Africa intel.
ONE DASHBOARD
Single Control Plane
One console for WAF, DDoS, Bot, Access, Gateway, CASB, DLP, Email, Magic Transit and Workers. One API, one Terraform provider.
CONSOLIDATION
Total Cost of Ownership
Replace 10+ point solutions. Unmetered DDoS means no surprise bills. Workers replaces cloud functions; R2 eliminates egress fees.
COMPLIANCE & TRUST

Regulatory & Compliance Frameworks

One of the industry's most comprehensive compliance portfolios — supporting Vodacom across all 7 OpCo markets.

AUDITED
Security Standards
ISO 27001, SOC 2 Type II, PCI DSS Level 1, ISO 27701, ISO 27018.
AUTHORIZED
Government & Cloud
FedRAMP, StateRAMP, IRAP, DoD IL2, CSA STAR Level 2.
COMPLIANT
Privacy & Data
GDPR, HIPAA, CCPA, EU-US Data Privacy Framework, EU SCCs.
REGIONAL
Africa & SA Specific
POPIA-aligned, jurisdiction controls, ECOWAS-aligned, AfricaCERT, regional BGP control.
Full documentation, third-party audit reports and certifications at cloudflare.com/trust-hub.
USE CASES

African Success Stories — Telco & Financial Services

Representative outcomes from Cloudflare deployments across African telco, fintech and financial services.

SUBSCRIBER PORTAL
Pan-African Telco
Unmetered DDoS across 6 countries; ML WAF blocked zero-days; Bot Mgmt stopped 94% of wallet credential stuffing; 43 shadow APIs secured; 99.99% uptime.
FINTECH API
East African Payments
API Shield schema validation on all payment endpoints; per-endpoint limits on 50M+ daily txns; Workers fraud pre-screen at JHB; 94% fewer ATO attempts.
ZERO TRUST
SA Financial Services
Access replaced VPN for 8,000 staff in 5 countries; Gateway DNS via MDM in 48h; CASB found 1,200+ public files; DLP SA-ID; VPN gone in 90 days.
PARTNER ENABLEMENT

The Vodacom Technical Champion Journey

Certification alone isn't enough — a champion is someone Cloudflare trusts in front of a customer, creating pipeline independently.

1
Identify & Map
Find the right SA for the opportunity and align to a Vodacom customer use case across Enterprise, Public Sector and SME.
2
Enable with Purpose
Targeted Cloudflare University training — not broad certification — plus a full-access Enterprise trial tenant and demo lab.
3
Shadow Cloudflare
Watch how Cloudflare PSEs run customer calls, demos and architecture reviews before presenting solo.
4
Stand & Deliver
Present Cloudflare to Vodacom customers independently, using battle cards, positioning and co-branded proposals.
5
Co-Sell & Lead
Joint engagements with MDF support; then Vodacom leads while Cloudflare coaches from behind — the purpose is pipeline.
SUMMARY

Cloudflare for Telecommunications

WHAT WE PROTECT
Telco + FinTech Use Cases
Digital portals
WAF + Bot Management protect VodaPay — stopping credential stuffing at scale.
Workforce
Cloudflare One secures 7 OpCos, replacing legacy VPN with Zero Trust.
IP infrastructure
Magic Transit + BGP Anycast absorb unlimited volumetric DDoS.
Compliance
DLP, CASB and R2 jurisdiction controls enforce POPIA everywhere.
WHY IT WINS
Key Technical Differentiators
CNI at JINX
Private high-bandwidth connectivity at the Johannesburg Internet Exchange.
One control plane
Per-OpCo policy isolation from a single dashboard and API.
Magic WAN
BGP, SD-WAN and MPLS replacement for branch connectivity.
Edge AI + SOC
Workers AI fraud inference in-region; Logpush to Splunk, Sentinel, Chronicle.
NEXT STEPS

Your Technical Champion Journey Starts Now

Register every opportunity in the Cloudflare Partner Portal as Technical Contact — it protects your deal and unlocks support.

1
Technical Workshop
Weeks 1-2: deep-dive with a Cloudflare PSE — architecture review, use-case mapping and PoC scoping.
2
Enable & Certify
Month 1: complete Cloudflare University modules, earn accreditation and qualify for the AMPED incentive.
3
CF One Test Drive
Month 1-2: run a Cloudflare One Test Drive Workshop with a priority customer before a full PoC.
4
Co-Sell & Scale
Month 2+: joint engagements with MDF support and deal registration protecting every opportunity.
Cloudflare · Vodacom South Africa

Thank You.

We look forward to building this partnership — and to seeing the Vodacom SA team become certified Cloudflare Technical Champions.
Demo WalkthroughTechnical Q&Aokhawaja@cloudflare.com
PPowerPoint (.pptx)Pixel-perfect, editable in PowerPoint & Keynote
Slides render as high-res images — nothing reflows. Animated slides show a single frame.