Cloudflare has achieved something remarkable: it has made post-quantum cryptography the default for the majority of its global TLS traffic, covering over six million internet-facing domains, without requiring customers to do anything. As of early 2026, more than 60 percent of TLS connections terminating at Cloudflare's global network use hybrid X25519 + ML-KEM-768 key exchange, making Cloudflare the operator of the world's largest deployed PQC-protected network by connection volume.

The mechanism is straightforward. Cloudflare's edge infrastructure negotiates hybrid ML-KEM with any client that supports it — Chrome 124 and later, Firefox, and modern versions of Safari all do — while falling back gracefully to classical X25519 for older clients. This means that for any organization with its DNS and TLS termination running through Cloudflare, post-quantum protection on the client-to-edge leg of every HTTPS connection is already active. Zero configuration required.

Cloudflare's Zero Trust and SASE offerings extend this protection further. Cloudflare Access, Gateway, and WARP (the enterprise VPN replacement) all support hybrid PQC tunnels, meaning enterprise employees accessing internal applications through Cloudflare's network are protected against harvest-now, decrypt-later (HNDL) attacks on their session traffic. Cloudflare claims to be the first vendor to deliver a complete SASE stack with end-to-end PQC support — a significant milestone for enterprises replacing legacy VPN infrastructure.

For the edge-to-origin leg (Cloudflare to the customer's own servers), Cloudflare supports PQC via its Argo Smart Routing and Tunnels products when the origin server supports ML-KEM. This requires updating origin-side TLS configuration, which Cloudflare provides documentation and tooling to support.

The company also publishes detailed cryptographic telemetry showing cipher suite distribution across its network, giving security researchers and enterprise customers visibility into real-world PQC adoption rates at scale.
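The hybrid-first negotiation with classical fallback described above can be modelled as follows. This is an added example, not Cloudflare's code: it parses the supported_groups extension of a TLS ClientHello and applies an assumed server preference order. `SERVER_PREFERENCE`, the function names and the sample ClientHello are constructed for illustration, and key_share handling and HelloRetryRequest are left out.

```python
import struct

X25519 = 0x001D
X25519MLKEM768 = 0x11EC  # IANA TLS group codepoint for hybrid X25519 + ML-KEM-768
SERVER_PREFERENCE = [X25519MLKEM768, X25519]  # assumed policy: hybrid first, classical fallback

def offered_groups(hello: bytes) -> list:
    """Extract supported_groups (extension 10) from a ClientHello handshake message."""
    try:
        if hello[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
        pos = 2 + 32                                          # legacy_version + random
        pos += 1 + body[pos]                                  # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:                                 # walk the extension list
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 10:
                count = int.from_bytes(body[pos:pos + 2], "big") // 2
                return list(struct.unpack_from(f"!{count}H", body, pos + 2))
            pos += ext_len
        return []
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def negotiate(hello: bytes):
    """Pick the first server-preferred group the client offers; None if no overlap."""
    offered = set(offered_groups(hello))
    return next((g for g in SERVER_PREFERENCE if g in offered), None)

def sample_hello(groups) -> bytes:
    """Constructed ClientHello (not a capture) whose only extension is supported_groups."""
    glist = b"".join(g.to_bytes(2, "big") for g in groups)
    ext = struct.pack("!HHH", 10, len(glist) + 2, len(glist)) + glist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    # 0x0017 is secp256r1; the "legacy" client offers no post-quantum group.
    for name, groups in [("modern", [X25519MLKEM768, X25519]), ("legacy", [X25519, 0x0017])]:
        print(name, hex(negotiate(sample_hello(groups))))
```

A client that offers neither group yields `None`, the case in which a real server would abort the handshake for lack of a common group.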