Oportun already runs Cloudflare Enterprise — CDN, WAF, Advanced DDoS, Bot Management, Load Balancing, and Zero Trust are on contract today. The expansion is the other half of Cloudflare: ship AI — MCP & AI Gateway — in 90 days, bank R2 + Images savings by month six, and complete the Zero Trust cutover (plus add Email Security) within two years.
On contract today · Cloudflare Enterprise
The expansion isn't more security — it's the Developer Platform, AI, and storage half of Cloudflare that Oportun hasn't switched on yet.
ROI · Expansion whitespace
Oportun already owns Cloudflare's security suite — CDN, WAF, DDoS, Bot Management, Zero Trust. So this ROI is pure whitespace: storage, images, and retiring a parallel SSE onto the Zero Trust they already license. Modeled for ~2,800 employees; final numbers depend on actual contracts.
3-Year Total Cost Avoidance
Zscaler → Zero Trust · already owned
Oportun already licenses Cloudflare Zero Trust. Finish the cutover from any parallel Zscaler SSE, consolidating on one WARP agent, and retire that line at ~$0 incremental Cloudflare cost. Up to $420K/yr. Zscaler spend is assumed; confirm.
AWS CloudFront/S3 → R2
Statement archives, disclosures, app assets & marketing media off CloudFront. $0 egress on R2, cheaper storage — served from the CDN Oportun already runs. Save $210K/yr.
Cloudinary → Cloudflare Images
All site & app imagery (today res.cloudinary.com/oportun) served + optimized at the same edge that already terminates oportun.com. Save $84K/yr.
| Vendor / workload | Today | Cloudflare | Annual | 3-Year |
|---|---|---|---|---|
| Zscaler SSE — retire (ZT already owned) | $420K | incl. | $420K | $1.26M |
| AWS CloudFront/S3 egress | $300K | $90K | $210K | $630K |
| Cloudinary — images | $120K | $36K | $84K | $252K |
| TOTAL — 3 expansions | $840K | $126K | $714K | $2.14M |
Oportun already runs Cloudflare's security products on an Enterprise contract — these figures cover only the expansion workloads (R2, Images) plus retiring a parallel Zscaler SSE that overlaps the Zero Trust already licensed. Modeled estimates, not committed quotes; the Zscaler line depends on whether it's still in the stack. The account team can produce an NDA-protected per-line TCO within two business days.
New Capabilities · Built on what you already run
Oportun already owns the security suite — so these are the net-new wins: AI, developer platform, and storage, plus deeper use of products (like Bot Management) already on contract.
Oportun already licenses Bot Management — extend it (plus Turnstile) across apply.oportun.com and account flows to stop credential stuffing, synthetic-identity applications, and fraud-ring automation before they hit underwriting — the #1 abuse vector for any digital lender.
Workers AI powers smarter "intelligent savings" nudges in the app, and AutoRAG over the Help Center + financial-education library gives an "Ask Oportun" copilot — bilingual (EN/ES) — without a separate AI platform contract.
Schema validation, mTLS, and abuse-sequence detection on the loan-decisioning APIs and the Pathward / WebBank partner integrations — discovering shadow endpoints before they become a breach.
Replacing Cloudinary with Cloudflare Images + Argo Smart Routing trims render-blocking third-party origins and speeds the mobile-first apply flow — fewer hops, one vendor, better Lighthouse.
Real-time JavaScript supply-chain monitoring on make-a-payment and application pages catches Magecart-class skimmers (the kind used in the British Airways and Ticketmaster attacks) before they touch member financial data.
Move the WordPress marketing tier to Pages/Workers and the statement/disclosure archive to R2 — zero-egress, S3-compatible, served from the same 330+ cities as the rest of Oportun.
Roadmap · Three horizons
Sequenced for fastest value first — net-new AI capability up front, infrastructure savings next, and the big vendor consolidation timed to contract renewals, not forced.
AI quick wins
Put AI Gateway in front of every LLM call Oportun makes (OpenAI, Anthropic, Bedrock) — instant cost analytics, caching, rate limits, and PII redaction. Stand up Enterprise MCP to expose internal tools and the Help Center safely to Claude / ChatGPT and internal agents. Ship an "Ask Oportun" AutoRAG copilot.
Infrastructure savings
Migrate the statement / disclosure archive and new media to R2 — S3-compatible, zero egress, cancelling CloudFront egress on new content. Replace Cloudinary with Cloudflare Images for a faster, mobile-first apply flow.
Vendor consolidation
Oportun already owns Cloudflare Zero Trust — finish migrating off any parallel Zscaler SSE (one WARP agent on every endpoint), then add Cloudflare Email Security in front of Microsoft 365, building on the Cloudflare DMARC already in place.
Sequencing logic: AI Gateway + MCP deliver new capability and cut LLM spend in weeks. R2 + Images bank infrastructure savings at the half-year mark. The email-security and SSE replacements — the largest TCO line — land as their renewals come up, on Oportun's contract calendar, not forced.
Let's build it together
Andrew Geiser leads the Cloudflare account team for Oportun. Let's spend 30 minutes mapping the highest-leverage 30-day quick wins.