SheerID × Cloudflare Value Plays Map

DNS recon → what runs where

SheerID's marketing/dev/resource/shop subdomains already resolve to Cloudflare edge IPs. But their production verification stack — where the money, the fraud, and the egress live — runs on AWS EKS in us-east-1 + AWS Global Accelerator. That's the expansion wedge.

sheerid.comCloudflare ✅

developer.sheerid.comCloudflare ✅

resource-hub.sheerid.comCloudflare ✅

shop.sheerid.comCloudflare ✅

verify.sheerid.comAWS EKS ❌

auth.sheerid.comAWS EKS ❌

services.sheerid.comAWS Global Accel ❌

DNS NS for sheerid.comCloudflare ✅

DNS NS for sheerid.netAWS Route 53 ❌

MX (email)Google Workspace

Signals from TXT records

Domain TXT records reveal active vendor relationships — each one is a value-play signal.

Anthropic domain verification

They're a Claude customer → AI Gateway play (Play #5)

SpyCloud domain verification

Already paying for credential abuse intel → Bot Management play (Play #2)

Sendgrid + DMARC reject + Postmark

Mature email posture, BEC layer fits → Email Security play (Play #10)

Atlassian + Miro + Rippling + Zendesk

SaaS sprawl in distributed workforce → CF One play (Play #11)

13 value plays — quantified and prioritized

Score = ($ Impact × Probability) ÷ Effort. Higher score = pursue first.

🥇

R2 for verification artifact storage

Score 10.0

S3-compatible, zero-egress storage for ID images, edu credentials, military DD-214s, healthcare licenses. Drop-in for boto3/aws-sdk. Demo site already deployed.

R2 $50-150K ARR Impact: 4 · Prob: 5 · Effort: 2 Meeting scheduled

🥇

Bot Management on the verification API

Score 10.0

ML bot detection on verify.sheerid.com. SpyCloud TXT record proves they already pay for credential abuse intel. Bot Mgmt at the edge gives the same signal earlier, with lower latency.

Bot Management $75-150K ARR Impact: 4 · Prob: 5 · Effort: 2 SpyCloud signal

🥇

Turnstile on verification UX flows

Score 10.0

Privacy-first CAPTCHA replacement. Drop-in JS tag. Reduces friction for legitimate students / military / educators / healthcare workers — conversion-lift narrative for SheerID's brand customers.

Turnstile $25-50K ARR Impact: 2 · Prob: 5 · Effort: 1 Free widget + Enterprise support

API Shield on verify.sheerid.com

Score 6.0

Schema validation, rate-limiting, sequence detection, abuse prevention. Stops malformed-payload attacks and protects API schema from scraping. Natural sequence after Bot Mgmt lands.

API Shield $50-100K ARR Impact: 3 · Prob: 4 · Effort: 2

Email Security layered behind Google Workspace

Score 4.5

Cloudflare Email Security via Google Workspace API — no MX cutover. Catches BEC and credential phishing aimed at exec inboxes that Google misses.

Email Security $40-80K ARR Impact: 3 · Prob: 3 · Effort: 2

Workers AI + AI Gateway + Vectorize

Score 4.0

Anthropic TXT record confirms they're a Claude customer. AI Gateway gives observability + caching + rate-limiting across self-hosted ML and provider APIs. Workers AI for edge inference.

Workers AI AI Gateway Vectorize $100-250K ARR Impact: 4 · Prob: 3 · Effort: 3

Zaraz (third-party → first-party tags)

Score 4.0

Moves Marketo, Sendgrid, analytics tags server-side. Better privacy posture, faster pages, GDPR/CCPA narrative.

Zaraz $15-30K ARR Impact: 1 · Prob: 4 · Effort: 1

Cloudflare Pages (marketing/dev portal hosting)

Score 4.0

Site already runs through Cloudflare proxy but likely sourced from Webflow/WP. Pages with git-driven deploys is the modern shape.

Pages $10-25K ARR Impact: 1 · Prob: 4 · Effort: 1

Data Localization Suite (regional residency)

Score 3.0

Pin verification artifacts to EU/NA/APAC at the edge. GDPR (EU), CCPA (CA), regional residency by configuration.

DLS $50-100K ARR Impact: 2 · Prob: 3 · Effort: 2

Hyperdrive (accelerate AWS DB from edge)

Score 3.0

Caches + pools connections to RDS/Aurora in us-east-1. Unblocks edge Workers serving verification globally without cold round-trips.

Hyperdrive $30-75K ARR Impact: 2 · Prob: 3 · Effort: 2

Workers for Platforms (multi-tenant per brand)

Score 2.0

Per-brand-customer dispatch namespaces. Lets SheerID offer "edge-deployed custom verification logic" as a brand-customer upsell. Architecture conversation; long cycle.

Workers for Platforms $75-200K ARR Impact: 4 · Prob: 2 · Effort: 4

Magic Transit + Spectrum (L3/L4 DDoS)

Score 2.0

Network-layer protection for AWS EKS in us-east-1. Replaces AWS Shield Advanced. Defensive play — pull-trigger when DDoS comes up.

Magic Transit Spectrum $100-150K ARR Impact: 3 · Prob: 2 · Effort: 3

Cloudflare One (Zero Trust suite)

Score 2.0

SWG + ZTNA + CASB + Email Security + Browser Isolation. Distributed workforce with SaaS sprawl (Atlassian/Miro/Rippling/Zendesk per TXT records). Different buyer, different timeline.

Cloudflare One $100-200K ARR Impact: 3 · Prob: 2 · Effort: 3

Persona	Plays they care about
CTO / VP Engineering	R2, Workers AI, Workers for Platforms, Hyperdrive
Head of Platform / SRE	R2, Magic Transit, API Shield, Bot Mgmt
Head of Trust & Safety / Fraud	Bot Mgmt, Turnstile, API Shield
CISO / Head of Security	Email Security, CF One, Bot Mgmt, DLS
VP Product	Turnstile (UX), Workers for Platforms (brand-customer differentiation)
CFO / VP Finance	R2 (cost reduction), CF One (consolidation), aggregate TCO

SheerID × Cloudflare Value Plays

DNS recon → what runs where

Signals from TXT records

13 value plays — quantified and prioritized

R2 for verification artifact storage

Bot Management on the verification API

Turnstile on verification UX flows

API Shield on verify.sheerid.com

Email Security layered behind Google Workspace

Workers AI + AI Gateway + Vectorize

Zaraz (third-party → first-party tags)

Cloudflare Pages (marketing/dev portal hosting)

Data Localization Suite (regional residency)

Hyperdrive (accelerate AWS DB from edge)

Workers for Platforms (multi-tenant per brand)

Magic Transit + Spectrum (L3/L4 DDoS)

Cloudflare One (Zero Trust suite)

90-day execution plan

Stakeholder × play matrix