QuinStreet already runs its CDN, WAF, DDoS, Bot Management, Images and DNS on Cloudflare. These nine net-new capabilities — AI, AI crawler control, API Shield, R2, Magic Transit, Email Security and Zero Trust — fold onto the same network and the same commercial agreement. Fewer vendors, one control plane, audit-ready logging for a data- and AI-driven performance-marketing business.
Nine net-new capabilities + a conservative ~$90K–$130K/yr consolidation upside — all on the contract you already hold.
QuinStreet (NASDAQ: QNST) runs one of the web's largest "Research and Compare" performance-marketing marketplaces — matching online consumers to financial-services and home-services providers. Clients featured on its own site include Wells Fargo, Barclays, Esurance and LoanDepot. That business is API-heavy, PII-collecting and increasingly AI-driven — exactly where the nine net-new Cloudflare products below apply. Every one of them runs on the same network already serving images.quinstreet.com and can land under the existing agreement rather than a new vendor.
QuinStreet's "AI" isn't one project — it spans building, running, governing and defending against AI, each with a different owner and timeline. Here's where Cloudflare fits each, so the conversation can zero in on the one or two that are live today rather than assume.
QuinStreet's model depends on ranking "Research and Compare" content and converting the traffic. Answer engines (ChatGPT, Google AI Overviews, Perplexity) that scrape that content and answer for the consumer erode the funnel. AI Crawl Control shows which AI bots hit the content and lets QuinStreet allow, block or enforce robots.txt per crawler — free on every Cloudflare plan, no new SKU.
QuinStreet already delivers images from Cloudflare while its web tier runs on Google Cloud — every asset pulled across a cloud boundary is a recurring egress charge. R2 charges $0 egress, making it the natural origin for the Images already on Cloudflare, plus data exports feeding the AI stack.
QuinStreet bills clients on lead and call quality, so fake-lead injection and bot traffic hit the P&L directly. Advanced Rate Limiting throttles abuse on any request attribute — session, JSON body field, API token — while Turnstile (privacy-first, no CAPTCHA friction) blocks automated submissions before they become billable junk leads. Both activate on entitlements QuinStreet already holds.
A lead marketplace is a mesh of APIs — real-time lead delivery, partner integrations, ping/post. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline at the edge, on top of the WAF QuinStreet already licenses.
QuinStreet's comparison pages collect financial PII inside the browser — the exact target for Magecart and rogue third-party scripts. Page Shield monitors every client-side script and connection, alerting on unexpected data exfiltration — a control examiners in financial verticals expect.
The corporate origin resolves onto Lumen (Level 3) IP space, protected at L7 by Cloudflare but not at the network layer. Magic Transit extends Cloudflare's DDoS mitigation to whole IP ranges via BGP — covering data-center and origin infrastructure, not just HTTP.
QuinStreet's mail routes through Mimecast for gateway security today. Cloudflare Email Security delivers pre-delivery phishing, BEC and malware defense on the same platform as the rest of the stack — one vendor, one set of logs, no separate mail-security appliance.
QuinStreet runs Netskope for SSE today.* Cloudflare One collapses SWG, DNS filtering, CASB, DLP and ZTNA onto the same network already in front of QuinStreet — one agent, one policy engine, keyed off the existing Okta SSO, with unified logs for FTC/FCC/CFPB audit. Includes Shadow-AI controls — discover and DLP GenAI use — on the platform you already own.
QuinStreet acquired HomeBuddy to scale Home Services (a record segment approaching a ~$0.5B annual run-rate). HomeBuddy already runs on Cloudflare — but on its own zone. Consolidate homebuddy.com (and future acquisitions) under QuinStreet's Enterprise agreement (Q-500031): one contract, one control plane, unified billing, and QuinStreet's enterprise WAF, Bot Management, Advanced DDoS and App Security Advanced policy applied to the acquired brand — faster synergy capture with no new vendor.
| Function | Today | How it was identified | On Cloudflare |
|---|---|---|---|
| Image / asset delivery | Cloudflare on CF | images.quinstreet.com → cdn.cloudflare.net | Already on Cloudflare |
| Corporate web | WP Engine (WordPress) | x-powered-by: WP Engine; apex on Lumen | Extend existing CDN / WAF |
| AI traffic control | Ungoverned LLM calls | "Performance Drives Digital" match model | AI Gateway + Workers AI net-new |
| AI crawler / content access | Unmanaged AI crawler access | Content-driven "Research & Compare" traffic model | AI Crawl Control net-new |
| API protection | WAF rules (App Sec Advanced) | Lead marketplace is API-driven | API Shield net-new |
| Client-side / forms | Unmonitored JS on PII forms | Financial comparison forms observed | Page Shield net-new |
| Origin storage / egress | Cross-cloud (GCP web tier) | www → 35.225.243.26 (Google Cloud); NS awsdns-* | R2 (egress-free) net-new |
| Email security | Mimecast | MX us-smtp-inbound-*.mimecast.com | Email Security net-new |
| Network DDoS | Lumen origin, no L3 mitigation | apex A 173.226.108.136 (Lumen) | Magic Transit net-new |
| SSE / secure access | Netskope* | *per account-team (not public recon) | Cloudflare One net-new |
| Acquired brands (M&A) | HomeBuddy — own Cloudflare zone | homebuddy.com → Cloudflare (cf-ray; ns.cloudflare.com) | Fold into Enterprise contract |
| Incumbent consolidated | Evidence | Conservative per-seat | Annualized @ 1,041 |
|---|---|---|---|
| Netskope — SSE / SASE | *per account-team | $20–$25 / user / mo | ~$250K–$312K |
| Mimecast — email security | Observed (MX records) | $40 / user / yr | ~$41.6K |
| Gross incumbent spend addressable | ~$291K–$354K |