QuinStreet × Cloudflare
Talk to Cloudflare →
Executive Brief · Net-New Platform Expansion

The Cloudflare you're not using yet — on the contract you already hold.

QuinStreet already runs its CDN, WAF, DDoS, Bot Management, Images and DNS on Cloudflare. These eight net-new capabilities — AI, API Shield, R2, Magic Transit, Email Security and Zero Trust — fold onto the same network and the same commercial agreement. Fewer vendors, one control plane, audit-ready logging for a data- and AI-driven performance-marketing business.

Already on your Cloudflare contract (Q-500031)
CDN + Argo App Security (WAF) Core + Advanced Advanced DDoS Bot Management Load Balancing Managed DNS Images Workers

Why these, and why now

QuinStreet (NASDAQ: QNST) runs one of the web's largest "Research and Compare" performance-marketing marketplaces — matching online consumers to financial-services and home-services providers. Clients featured on its own site include Wells Fargo, Barclays, Esurance and LoanDepot. That business is API-heavy, PII-collecting and increasingly AI-driven — exactly where the eight net-new Cloudflare products below apply. Every one of them runs on the same network already serving images.quinstreet.com and can land under the existing agreement rather than a new vendor.

Sources: quinstreet.com homepage meta + client logos; Cloudflare quote Q-500031 (9/24/2025); DNS/header recon 2026-07-07.

From point tools to one network

Functions running outside Cloudflare today — collapsed onto the network QuinStreet already pays for. Items marked * are per account-team input, not public recon.
add net-new → one platform
Cloudflareedge · today
WP Enginecorporate web
Mimecastemail security
GCP · AWScloud origins
Lumenorigin network
Ungoverned AILLM calls
NetskopeSSE / SASE*
Cloudflare one network · one bill · one control plane
Expand on the agreement you already hold

Eight net-new plays — plus a consolidation win

Plays 1–8 are net-new: none are in QuinStreet's current Cloudflare contract (Q-500031), and each maps to something QuinStreet runs today. Play 9 folds an acquisition already on Cloudflare into that same contract.
01

AI Gateway + Workers AI + Vectorize

Govern the AI behind the match

QuinStreet's edge is matching the right consumer to the right offer. AI Gateway puts a governed front door on every LLM call — caching, rate-limiting, spend caps and full request logging. Workers AI runs inference at the edge; Vectorize + AutoRAG do retrieval over QuinStreet's own data.

  • One pane of glass + logs across any model provider
  • Cache & rate-limit to cut token spend
  • Retrieval on first-party data via R2 + Vectorize
02

API Shield

↳ extends App Security Advanced

A lead marketplace is a mesh of APIs — real-time lead delivery, partner integrations, ping/post. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline at the edge, on top of the WAF QuinStreet already licenses.

  • Automatic API discovery + schema validation
  • mTLS & JWT validation; block BOLA / abuse
  • Protect ping/post lead-delivery endpoints
03

Advanced Rate Limiting

Lead-gen integrity & anti-fraud

High-value comparison forms invite scraping, fake-lead injection and credential abuse. Advanced Rate Limiting counts on any request attribute — session, JSON body field, API token — to throttle abuse without touching real consumers. Activatable on QuinStreet's existing App Security Advanced entitlement.

  • Rate on headers, cookies, or JSON body fields
  • Protect quote/apply forms from fake-lead bots
  • Pairs with Bot Management already in contract
04

Page Shield

Client-side protection for PII forms

QuinStreet's comparison pages collect financial PII inside the browser — the exact target for Magecart and rogue third-party scripts. Page Shield monitors every client-side script and connection, alerting on unexpected data exfiltration — a control examiners in financial verticals expect.

  • Inventory + monitor all client-side scripts
  • Detect script tampering & data skimming
  • Supports PCI DSS 4.0 client-side requirements
05

R2 — egress-free storage

Egress-free origin for Cloudflare assets

QuinStreet already delivers images from Cloudflare while its web tier runs on Google Cloud — every asset pulled across a cloud boundary is a recurring egress charge. R2 charges $0 egress, making it the natural origin for the Images already on Cloudflare, plus data exports feeding the AI stack.

  • Zero egress fees; S3-compatible API
  • On-network origin for Images & AI Gateway
  • Web tier identified on Google Cloud (WP Engine)
06

Magic Transit

Network-layer DDoS for the origin

The corporate origin resolves onto Lumen (Level 3) IP space, protected at L7 by Cloudflare but not at the network layer. Magic Transit extends Cloudflare's DDoS mitigation to whole IP ranges via BGP — covering data-center and origin infrastructure, not just HTTP.

  • Identified: apex A 173.226.108.136 (Lumen)
  • L3/L4 DDoS mitigation for owned IP space*
  • Owned prefixes are an account-team discovery item
07

Cloudflare Email Security

↳ replaces Mimecast

QuinStreet's mail routes through Mimecast for gateway security today. Cloudflare Email Security delivers pre-delivery phishing, BEC and malware defense on the same platform as the rest of the stack — one vendor, one set of logs, no separate mail-security appliance.

  • Identified: MX us-smtp-inbound-*.mimecast.com
  • Anti-phishing / BEC / brand-impersonation defense
  • Integrates with Microsoft 365 (SPF: outlook.com)
08

Cloudflare One — consolidate your SSE

↳ displaces Netskope (SWG · CASB · DLP · ZTNA)*

QuinStreet runs Netskope for SSE today.* Cloudflare One collapses SWG, DNS filtering, CASB, DLP and ZTNA onto the same network already in front of QuinStreet — one agent, one policy engine, keyed off the existing Okta SSO, with unified logs for FTC/FCC/CFPB audit. Includes Shadow-AI controls — discover and DLP GenAI use — on the platform you already own.

  • Displaces a standalone SSE vendor — one control plane, fewer bills
  • Access (ZTNA) + Gateway (SWG/DNS/CASB/DLP) via Okta SSO
  • Shadow-AI: govern ChatGPT/Gemini data exposure inline
  • Also secures self-hosted AI apps & MCP servers — coverage SSE lacks
  • Netskope is *per account-team input
09

Fold HomeBuddy into your Enterprise contract

M&A consolidation · already on Cloudflare

QuinStreet acquired HomeBuddy to scale Home Services (a record segment approaching a ~$0.5B annual run-rate). HomeBuddy already runs on Cloudflare — but on its own zone. Consolidate homebuddy.com (and future acquisitions) under QuinStreet's Enterprise agreement (Q-500031): one contract, one control plane, unified billing, and QuinStreet's enterprise WAF, Bot Management, Advanced DDoS and App Security Advanced policy applied to the acquired brand — faster synergy capture with no new vendor.

  • Identified: homebuddy.com → Cloudflare (cf-ray; NS rick/sydney.ns.cloudflare.com)
  • Acquisition per Q3 FY2026 earnings (~$105M cash, goodwill +$137M)
  • Apply enterprise WAF / Bot / DDoS / Advanced policy to the acquired brand
  • Every future acquisition folds onto the same commitment & discounts

Expansion roadmap

Land the entitlements QuinStreet already owns first, then build the AI + storage layer, then consolidate network & security spend.
0–3 months

Activate on the current contract

  • Advanced Rate Limiting on quote/apply forms
  • Page Shield on PII-collecting comparison pages
  • API Shield discovery on lead-delivery APIs
  • Extend existing CDN/WAF to the WP Engine-fronted quinstreet.com properties
  • Consolidate HomeBuddy's Cloudflare zone under the Enterprise contract
3–9 months

Build the AI + storage layer

  • AI Gateway in front of every LLM call
  • Workers AI + Vectorize for match/RAG
  • Stand up R2; move egress-heavy origins off S3
  • Point Images & data exports at R2
9–24 months

Consolidate network & security

  • Email Security — retire Mimecast
  • Cloudflare One (Access + Gateway) on Okta SSO
  • Magic Transit for origin IP protection
  • One control plane + unified logging for audit

Expansion snapshot

Current-state functions are evidence-based; nothing here is assumed. "On Cloudflare" items marked net-new are outside the current contract.
FunctionTodayHow it was identifiedOn Cloudflare
Image / asset delivery Cloudflare on CF images.quinstreet.com → cdn.cloudflare.net Already on Cloudflare
Corporate web WP Engine (WordPress) x-powered-by: WP Engine; apex on Lumen Extend existing CDN / WAF
AI traffic control Ungoverned LLM calls "Performance Drives Digital" match model AI Gateway + Workers AI net-new
API protection WAF rules (App Sec Advanced) Lead marketplace is API-driven API Shield net-new
Client-side / forms Unmonitored JS on PII forms Financial comparison forms observed Page Shield net-new
Origin storage / egress Cross-cloud (GCP web tier) www → 35.225.243.26 (Google Cloud); NS awsdns-* R2 (egress-free) net-new
Email security Mimecast MX us-smtp-inbound-*.mimecast.com Email Security net-new
Network DDoS Lumen origin, no L3 mitigation apex A 173.226.108.136 (Lumen) Magic Transit net-new
SSE / secure access Netskope* *per account-team (not public recon) Cloudflare One net-new
Acquired brands (M&A) HomeBuddy — own Cloudflare zone homebuddy.com → Cloudflare (cf-ray; ns.cloudflare.com) Fold into Enterprise contract

How we know — observed on quinstreet.com

No assumptions: every current-state vendor below was identified from public DNS records, HTTP response headers, and the live quinstreet.com page on 2026-07-07 — except items marked *, which are per account-team input, not public recon.
Cloudflare images.quinstreet.com → cdn.cloudflare.net WP Engine x-powered-by header Google Cloud www → 35.225.243.26 Mimecast MX records Okta SPF include Microsoft 365 SPF outlook.com Salesforce SPF include AWS Route 53 awsdns nameservers Lumen apex origin network Netskope SSE — *per account-team
LIVE Checking the Cloudflare edge serving this page…