QuinStreet × Cloudflare
Talk to Cloudflare →
Executive Brief · Net-New Platform Expansion

The Cloudflare you're not using yet — on the contract you already hold.

QuinStreet already runs its CDN, WAF, DDoS, Bot Management, Images and DNS on Cloudflare. These nine net-new capabilities — AI, AI crawler control, API Shield, R2, Magic Transit, Email Security and Zero Trust — fold onto the same network and the same commercial agreement. Fewer vendors, one control plane, audit-ready logging for a data- and AI-driven performance-marketing business.

Nine net-new capabilities + a conservative ~$90K–$130K/yr consolidation upside — all on the contract you already hold.

Already on your Cloudflare contract (Q-500031)
CDN + Argo App Security (WAF) Core + Advanced Advanced DDoS Bot Management Load Balancing Managed DNS Images Workers
$346.1M
Q3 FY26 revenue · +28% YoY
$29.6M
Adj. EBITDA · +53% YoY
~$0.5B
Home Services segment annual run-rate (record)
1,041
employees — the seat basis for consolidation ROI
Sources: QuinStreet Q3 FY2026 results, reported 5/7/2026 (quarter ended 3/31/2026); headcount ~1,041 per account team (latest), superseding the FY2025 10-K count of 938 — confirm before quoting.

Why these, and why now

QuinStreet (NASDAQ: QNST) runs one of the web's largest "Research and Compare" performance-marketing marketplaces — matching online consumers to financial-services and home-services providers. Clients featured on its own site include Wells Fargo, Barclays, Esurance and LoanDepot. That business is API-heavy, PII-collecting and increasingly AI-driven — exactly where the nine net-new Cloudflare products below apply. Every one of them runs on the same network already serving images.quinstreet.com and can land under the existing agreement rather than a new vendor.

Sources: quinstreet.com homepage meta + client logos; Cloudflare quote Q-500031 (9/24/2025); DNS/header recon 2026-07-07.

From point tools to one network

Functions running outside Cloudflare today — collapsed onto the network QuinStreet already pays for. Items marked * are per account-team input, not public recon.
add net-new → one platform
Cloudflareedge · today
WP Enginecorporate web
Mimecastemail security
GCP · AWScloud origins
Lumenorigin network
Ungoverned AILLM calls
NetskopeSSE / SASE*
Cloudflare one network · one bill · one control plane
Expand on the agreement you already hold
The consolidation payoff
~$90K–$130K / year
Conservative net run-rate savings from folding Netskope SSE + Mimecast onto the contract QuinStreet already holds — before unquantified GCP→R2 egress upside. See the math →
Seat basis
1,041 employees
latest · per account team

Ten ways to expand — grouped by outcome

Nine are net-new (none in QuinStreet's current contract, Q-500031); the tenth folds an acquisition already on Cloudflare into that same contract. Grouped by what they do for the business.
Grow

AI & data

Turn QuinStreet's match model and owned content into an advantage.
01

The AI conversation — four separate fronts

A discovery map to open the AI discussion

QuinStreet's "AI" isn't one project — it spans building, running, governing and defending against AI, each with a different owner and timeline. Here's where Cloudflare fits each, so the conversation can zero in on the one or two that are live today rather than assume.

  • Build AI appsAI Gateway caches, rate-limits, spend-caps and logs every model-provider call. Discovery: do you run first-party LLM features today?
  • Run inference at the edgeWorkers AI + Vectorize / AutoRAG for the match model and retrieval over first-party data.
  • Govern employee AI use — discover & DLP ChatGPT / Gemini exposure. → Shadow-AI in Cloudflare One (play 09).
  • Defend your content from AI — see, control and monetize answer-engine crawlers. → AI Crawl Control (play 02).
02

AI Crawl Control

Defend — and monetize — content vs AI answer engines

QuinStreet's model depends on ranking "Research and Compare" content and converting the traffic. Answer engines (ChatGPT, Google AI Overviews, Perplexity) that scrape that content and answer for the consumer erode the funnel. AI Crawl Control shows which AI bots hit the content and lets QuinStreet allow, block or enforce robots.txt per crawler — free on every Cloudflare plan, no new SKU.

  • See / allow / block individual AI crawlers; enforce robots.txt
  • Free on all plans — Bot Management (already in contract) adds bot-score enforcement
  • Pay-per-crawl (private beta) to monetize AI access to comparison content
  • AI Labyrinth traps crawlers that ignore your directives
03

R2 — egress-free storage

Egress-free origin for the AI + Images layer

QuinStreet already delivers images from Cloudflare while its web tier runs on Google Cloud — every asset pulled across a cloud boundary is a recurring egress charge. R2 charges $0 egress, making it the natural origin for the Images already on Cloudflare, plus data exports feeding the AI stack.

  • Zero egress fees; S3-compatible API
  • On-network origin for Images & AI Gateway
  • Web tier identified on Google Cloud (WP Engine)
Protect

revenue & PII

Defend lead quality, APIs, PII forms and the origin network.
04

Advanced Rate Limiting + Turnstile

Lead Integrity — protect revenue, not just infra

QuinStreet bills clients on lead and call quality, so fake-lead injection and bot traffic hit the P&L directly. Advanced Rate Limiting throttles abuse on any request attribute — session, JSON body field, API token — while Turnstile (privacy-first, no CAPTCHA friction) blocks automated submissions before they become billable junk leads. Both activate on entitlements QuinStreet already holds.

  • Rate-limit on headers, cookies, or JSON body fields
  • Turnstile on quote/apply forms — kill fake-lead bots, keep real consumers
  • Bundles with Bot Management already in contract into one revenue-integrity layer
05

API Shield

↳ extends App Security Advanced

A lead marketplace is a mesh of APIs — real-time lead delivery, partner integrations, ping/post. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline at the edge, on top of the WAF QuinStreet already licenses.

  • Automatic API discovery + schema validation
  • mTLS & JWT validation; block BOLA / abuse
  • Protect ping/post lead-delivery endpoints
  • Discovery: any native mobile apps or partner-consumed APIs? → extend with mTLS / app attestation.
06

Page Shield

Client-side protection for PII forms

QuinStreet's comparison pages collect financial PII inside the browser — the exact target for Magecart and rogue third-party scripts. Page Shield monitors every client-side script and connection, alerting on unexpected data exfiltration — a control examiners in financial verticals expect.

  • Inventory + monitor all client-side scripts
  • Detect script tampering & data skimming
  • Supports PCI DSS 4.0 client-side requirements
07

Magic Transit

Network-layer DDoS for the origin

The corporate origin resolves onto Lumen (Level 3) IP space, protected at L7 by Cloudflare but not at the network layer. Magic Transit extends Cloudflare's DDoS mitigation to whole IP ranges via BGP — covering data-center and origin infrastructure, not just HTTP.

  • Identified: apex A 173.226.108.136 (Lumen)
  • L3/L4 DDoS mitigation for owned IP space*
  • Owned prefixes are an account-team discovery item
Consolidate

vendors & cost

Collapse standalone tools onto the contract already in place.
08

Cloudflare Email Security

↳ replaces Mimecast

QuinStreet's mail routes through Mimecast for gateway security today. Cloudflare Email Security delivers pre-delivery phishing, BEC and malware defense on the same platform as the rest of the stack — one vendor, one set of logs, no separate mail-security appliance.

  • Identified: MX us-smtp-inbound-*.mimecast.com
  • Anti-phishing / BEC / brand-impersonation defense
  • Integrates with Microsoft 365 (SPF: outlook.com)
09

Cloudflare One — consolidate your SSE

↳ displaces Netskope (SWG · CASB · DLP · ZTNA)*

QuinStreet runs Netskope for SSE today.* Cloudflare One collapses SWG, DNS filtering, CASB, DLP and ZTNA onto the same network already in front of QuinStreet — one agent, one policy engine, keyed off the existing Okta SSO, with unified logs for FTC/FCC/CFPB audit. Includes Shadow-AI controls — discover and DLP GenAI use — on the platform you already own.

  • Displaces a standalone SSE vendor — one control plane, fewer bills
  • Access (ZTNA) + Gateway (SWG/DNS/CASB/DLP) via Okta SSO
  • Shadow-AI: govern ChatGPT/Gemini data exposure inline
  • Also secures self-hosted AI apps & MCP servers — coverage SSE lacks
  • Netskope is *per account-team input
10

Fold HomeBuddy into your Enterprise contract

M&A consolidation · already on Cloudflare

QuinStreet acquired HomeBuddy to scale Home Services (a record segment approaching a ~$0.5B annual run-rate). HomeBuddy already runs on Cloudflare — but on its own zone. Consolidate homebuddy.com (and future acquisitions) under QuinStreet's Enterprise agreement (Q-500031): one contract, one control plane, unified billing, and QuinStreet's enterprise WAF, Bot Management, Advanced DDoS and App Security Advanced policy applied to the acquired brand — faster synergy capture with no new vendor.

  • Identified: homebuddy.com → Cloudflare (cf-ray; NS rick/sydney.ns.cloudflare.com)
  • Acquisition per Q3 FY2026 earnings (~$105M cash, goodwill +$137M)
  • Apply enterprise WAF / Bot / DDoS / Advanced policy to the acquired brand
  • Every future acquisition folds onto the same commitment & discounts

Expansion roadmap

Land the entitlements QuinStreet already owns first, then build the AI + storage layer, then consolidate network & security spend.
0–3 months

Activate on the current contract

  • Advanced Rate Limiting + Turnstile on quote/apply forms
  • AI Crawl Control over "Research & Compare" content (free, all plans)
  • Page Shield on PII-collecting comparison pages
  • API Shield discovery on lead-delivery APIs
  • Extend existing CDN/WAF to the WP Engine-fronted quinstreet.com properties
  • Consolidate HomeBuddy's Cloudflare zone under the Enterprise contract
3–9 months

Build the AI + storage layer

  • AI Gateway in front of every LLM call
  • Workers AI + Vectorize for match/RAG
  • Stand up R2; move egress-heavy origins off S3
  • Point Images & data exports at R2
9–24 months

Consolidate network & security

  • Email Security — retire Mimecast
  • Cloudflare One (Access + Gateway) on Okta SSO
  • Magic Transit for origin IP protection
  • One control plane + unified logging for audit

How we know — evidence observed on quinstreet.com

No assumptions: every current-state function below was identified from public DNS records, HTTP response headers, and the live quinstreet.com page on 2026-07-07 — except items marked *, which are per account-team input, not public recon. "On Cloudflare" items marked net-new are outside the current contract.
FunctionTodayHow it was identifiedOn Cloudflare
Image / asset delivery Cloudflare on CF images.quinstreet.com → cdn.cloudflare.net Already on Cloudflare
Corporate web WP Engine (WordPress) x-powered-by: WP Engine; apex on Lumen Extend existing CDN / WAF
AI traffic control Ungoverned LLM calls "Performance Drives Digital" match model AI Gateway + Workers AI net-new
AI crawler / content access Unmanaged AI crawler access Content-driven "Research & Compare" traffic model AI Crawl Control net-new
API protection WAF rules (App Sec Advanced) Lead marketplace is API-driven API Shield net-new
Client-side / forms Unmonitored JS on PII forms Financial comparison forms observed Page Shield net-new
Origin storage / egress Cross-cloud (GCP web tier) www → 35.225.243.26 (Google Cloud); NS awsdns-* R2 (egress-free) net-new
Email security Mimecast MX us-smtp-inbound-*.mimecast.com Email Security net-new
Network DDoS Lumen origin, no L3 mitigation apex A 173.226.108.136 (Lumen) Magic Transit net-new
SSE / secure access Netskope* *per account-team (not public recon) Cloudflare One net-new
Acquired brands (M&A) HomeBuddy — own Cloudflare zone homebuddy.com → Cloudflare (cf-ray; ns.cloudflare.com) Fold into Enterprise contract
Cloudflare images.quinstreet.com → cdn.cloudflare.net WP Engine x-powered-by header Google Cloud www → 35.225.243.26 Mimecast MX records Okta SPF include Microsoft 365 SPF outlook.com Salesforce SPF include AWS Route 53 awsdns nameservers Lumen apex origin network Netskope SSE — *per account-team
LIVE Checking the Cloudflare edge serving this page…

The consolidation math — conservative

A deliberately conservative, seat-based estimate built on QuinStreet's public headcount and the low end of third-party pricing benchmarks. Incumbent costs are intentionally not inflated.
Conservative net run-rate savings
$90K–$130K / year
from folding Netskope SSE + Mimecast onto the Cloudflare contract QuinStreet already holds — before unquantified GCP→R2 egress upside.
Seat basis
1,041 employees
latest · per account team
Incumbent consolidatedEvidenceConservative per-seatAnnualized @ 1,041
Netskope — SSE / SASE *per account-team $20–$25 / user / mo ~$250K–$312K
Mimecast — email security Observed (MX records) $40 / user / yr ~$41.6K
Gross incumbent spend addressable ~$291K–$354K
How the net number is derived: Vendr's published head-to-head puts Cloudflare SSE at $25–$50/user/mo vs Netskope $40–$75 (~30% lower TCO). Applying only that ~30% efficiency to the SSE line and folding Mimecast into Cloudflare Email Security yields the conservative $90K–$130K/yr net. GCP→R2 egress elimination is real (web tier observed on Google Cloud) but not quantified — no traffic-volume data, so it is excluded rather than estimated.

Caveats — no exaggeration: Per-seat figures are third-party benchmark estimates (Vendr marketplace, Feb 2026), not QuinStreet's actual contracts, and use the low end of published ranges. Netskope is account-team input (*), not observed via recon. Headcount is a seat proxy; the 1,041 figure is the latest per the account team (superseding the FY2025 10-K count of 938). Confirm actual contracts and licensed seat counts with QuinStreet before quoting.