The Hardest Part of Cloudflare Is the First Week

Tags: cloudflare, security, credit-unions, open-source, wild-garden, seed-kit

Three weeks ago I had never deployed anything on Cloudflare. Today I have 15 production applications running on their platform. Security dashboards. Fleet management systems. Telemetry pipelines that stream data from a Onewheel and a heart rate monitor. An AI classification engine that can tell you where sensitive data lives on a file server nobody’s looked at in years.

My total monthly infrastructure cost for all 15 of them is under ten dollars.

I’m not writing this to brag. I’m writing this because two things happened on the same day that changed how I think about what I do for a living.

What Happened

I’m a security architect. I work with regulated institutions — credit unions, healthcare organizations, financial services companies. The kind of places where an examiner shows up once a year and asks hard questions about where member data lives and who has access to it.

I’ve watched regulated financial institutions spend months evaluating vendors for data classification. They need to know where sensitive data — Social Security numbers, account numbers, financial records — lives across their file shares and databases. Simple question. Reasonable requirement.

Every vendor says some version of the same thing: we don’t do on-prem anymore.

Some have said it in writing. Others try proof-of-value engagements that fail in real environments. The closest options run six figures a year for tools that mostly just report what they find. Most don’t even pretend to try.

These companies aren’t stupid. They moved to cloud-only because their classification engines run on AI models that need cloud infrastructure to operate, and supporting on-prem deployments costs three to five times more than cloud. Their investors want SaaS recurring revenue, not field engineering headaches. The business math doesn’t work for them.

But here’s the problem: core banking systems at these institutions are on-premises. File shares are on-premises. SQL databases are on-premises. And the regulators are going to ask where the sensitive data is on those systems regardless of what vendors think about their own business models.

Four thousand two hundred credit unions in the United States have this exact same problem. So do community banks, hospitals, and municipalities. Every single one of them.

What I Built

The morning I read the latest vendor rejection, I started building. Not because I had a grand plan. Because I was frustrated on behalf of every institution getting this answer, and I knew the architecture to solve it already existed — I’d been building on it for three weeks.

Here’s what the solution looks like:

A lightweight agent sits on a server inside the institution’s network. It connects outbound through a Cloudflare Tunnel — TLS 1.3 encrypted, no inbound firewall ports needed, no VPN, no appliance. The agent scans file shares, reads SQL database schemas, runs pattern matching to identify sensitive data. When it finds something ambiguous, it sends an anonymized sample through the tunnel to an AI classification engine for contextual analysis.

The raw data never leaves the credit union’s network. Only metadata and redacted samples transit the tunnel. Classification results come back as tags, not data. The results land in a database on Cloudflare’s edge, and the output is an examiner-ready report that maps directly to the compliance frameworks the regulator uses.
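As an added example (not code from the wild-garden repository, whose scanning modules the post says are still to come), here is the on-prem half of that design in Python: structural pattern matching on a file's text, local tagging where a match is unambiguous, and for ambiguous matches a redacted, digit-free sample that is the only thing handed to the classifier. The patterns, the keyword classifier standing in for the remote edge engine, and the two sample files are all assumptions constructed for this illustration.

```python
"""
Added example, not the project's code: on-prem scanner core that emits
metadata and redacted samples only, never the raw matched values.
"""
import re
from dataclasses import dataclass, field, asdict

# Structural patterns (assumed for this example).
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "PAN": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),   # 13-16 digits, optional separators
    "NUMERIC_ID": re.compile(r"\b\d{8,12}\b"),         # bare digit run: always ambiguous
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits only (separators stripped)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Replace every digit so a sample keeps its context words but no values."""
    return re.sub(r"\d", "#", text)


@dataclass
class Finding:
    path: str
    line_no: int
    pattern: str
    status: str                     # "confident" (tagged locally) or "ambiguous"
    sample: str                     # redacted line; never the raw match
    tags: list = field(default_factory=list)


def classify_sample(sample: str) -> list:
    """Stand-in for the edge classifier (assumption: a keyword model).
    In the described design this call is what crosses the tunnel; its
    input is already redacted, so only context words travel."""
    s = sample.lower()
    if "account" in s or "member" in s:
        return ["FIN:ACCOUNT_NUMBER"]
    if "invoice" in s or "total" in s:
        return ["NON_SENSITIVE:REFERENCE"]
    return ["REVIEW"]


def scan_text(path: str, text: str) -> list:
    """Scan one file's text; return Finding objects carrying no raw values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        taken = []  # spans already claimed by an earlier pattern on this line
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if any(m.start() < e and m.end() > s for s, e in taken):
                    continue
                taken.append((m.start(), m.end()))
                f = Finding(path, line_no, name, "ambiguous", redact(line))
                if name == "SSN":
                    f.status, f.tags = "confident", ["PII:SSN"]
                elif name == "PAN" and luhn_ok(m.group()):
                    f.status, f.tags = "confident", ["PCI:PAN"]
                else:
                    f.tags = classify_sample(f.sample)   # only redacted text leaves
                findings.append(f)
    return findings


def tunnel_payload(findings: list) -> dict:
    """The message that would transit the tunnel: metadata and redacted samples."""
    return {"findings": [asdict(f) for f in findings]}


def payload_is_redacted(payload: dict) -> bool:
    """Guard before sending: no digit may survive in any sample."""
    return not any(any(c.isdigit() for c in f["sample"]) for f in payload["findings"])


# Constructed sample files standing in for an on-prem share (not real data).
SAMPLE_FILES = {
    "//fs01/hr/onboarding.txt": "Name: J. Doe\nSSN: 123-45-6789\nStart: 2021-03-01\n",
    "//fs01/finance/ledger.txt": (
        "Card on file 4111 1111 1111 1111 for member account 9876543210\n"
        "Invoice total 1234567890123\n"
    ),
}


def run() -> dict:
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    payload = tunnel_payload(findings)
    assert payload_is_redacted(payload)
    return payload


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

The two-tier decision is the point: a structurally valid SSN or a Luhn-valid card number is tagged on the box and nothing about it leaves; a 13-digit run that fails Luhn, or a bare 10-digit run next to the word "account", is the ambiguous case, and what the classifier sees is "Invoice total #############", not the number. The `payload_is_redacted` guard is the check worth keeping in any real agent, because it fails closed if a new pattern ever leaks a value into a sample.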

Total infrastructure cost: under two hundred dollars per engagement. The Cloudflare services that power this — Workers for compute, D1 for the database, R2 for storage, Tunnel for connectivity — cost pennies at this scale.

The same categories of capability — edge compute, encrypted tunneling, AI-assisted analysis, compliance reporting — that enterprises spend millions building internally. For pennies.

The Onboarding Cliff

Here’s the thing nobody tells you about Cloudflare: the platform is extraordinary, but the first week is a wall.

Understanding how Workers actually execute. Figuring out the difference between D1 and KV and R2 and when to use which. Getting Tunnels configured. Wrapping your head around Durable Objects. Learning wrangler and the deployment model. Setting up Zero Trust policies. Connecting Gateway for DNS and HTTP visibility.

That first week I was lost more than I was productive. By week two I was dangerous. By week three I had fifteen production applications and the architecture for a product that no enterprise vendor will build because it doesn’t fit their business model.

The onboarding cliff is the moat. Not for Cloudflare — for everyone who gets past it. Because once you’re on the other side, you can build things in hours that would take months on traditional infrastructure. And the people who haven’t gotten past it can’t compete with you on cost, speed, or architectural flexibility.

Why I’m Giving It Away

I could keep this architecture proprietary. Package it as a product. Sell licenses. Do the startup thing.

I thought about it for about thirty seconds. Then I imagined myself in a boardroom on the fourth meeting of the day, answering to investors about growth metrics, and I knew that wasn’t the play.

Here’s the play: I’m open-sourcing everything. The seed kit. The agent framework. The tunnel configuration. The Workers orchestration layer. The classification engine. The reporting templates. All of it. MIT license. Clone it, fork it, build on it. Free.

Why? Because the code was never the value.

The value is twenty years of security architecture experience that knows what to build, why, and how to make the output survive a regulatory examination. The value is knowing that Nutanix file shares use DFS referrals that break most Linux-based scanners, and designing around it. The value is understanding that an examiner who sees a clean report with zero findings trusts it less than a report that shows what was wrong and how it got fixed.

The code is the door. I’m offering it so you can open it. What you need me for is everything that happens after you walk through.

Every person who downloads the seed kit and gets stuck in week two is a future client. Every person who succeeds and tells their credit union league about it is a referral. Every institution that deploys it and needs it to be examiner-ready calls me. The open playbook doesn’t kill the business — it creates the market.

A corporation would buy this to kill it. I’m releasing it to grow it. They protect scarcity. I’m creating abundance and monetizing the expertise layer on top. They can’t acquire what I gave away. And they can’t replicate the twenty years of security architecture knowledge that makes the framework actually work for a regulated institution.

The Bigger Thing

There’s something I’ve been circling for a while that clicked today.

When a credit union runs its traffic through Cloudflare, the traffic pattern becomes the accountability record. Every DNS query. Every access decision. Every file touched, every system reached, every AI tool used. Not because someone is watching — because the architecture makes it observable by default.

Credit unions are member-owned cooperatives. The members have a right to know how their data is being handled. The traffic record is the digital equivalent of the published annual financial statement. Transparency isn’t surveillance when the people generating the data are the people who own the institution.

I’m building an opt-in network called the Wild Garden. Institutions that want to build reputation through verified behavior instead of marketing budgets. One config flag. Off by default. On by choice. Your Cloudflare traffic becomes your accountability dashboard. Other members’ AI agents find you based on shared values and verified patterns — not algorithms optimizing for engagement.

Nobody pays to join. Nobody pays for placement. The code is open. The trust is in the transparency.

If that sounds like how a credit union already works — member-owned, not shareholder-owned, transparent by charter — that’s because it is. I’m just applying the same philosophy to technology infrastructure.

The Seed Kit

The repo is live: https://github.com/NorthwoodsSentinel/wild-garden

Right now it’s the README and the license. The code is coming. The scanning modules are coming. The governance framework for the founding cohort is coming.

If you work at a credit union, a municipality, a school district, a nonprofit — or if you’re just someone who wants to learn Cloudflare with a real project to build on — this is for you.

I offer the door so you can open it.


Rob Chuvala is a security architect at AE Business Solutions and the founder of Northwoods Sentinel LLC, based in Madison, Wisconsin.