Oportun × Cloudflare
Executive Brief · Vendor Consolidation

One network for Oportun’s edge, security, media, storage & AI.

Cloudflare already sits in front of oportun.com. Fold the media, video, storage and AI tools you run today onto that same network — fewer vendors, fewer bills, one control plane, and audit-ready logging for a regulated lender.

From vendor sprawl to one network

Identified on oportun.com today, plus the SSE incumbent (*per account-team). The right-hand side is where it can all live.
7 vendors → 1 network

  • Cloudflare: edge · today
  • Cloudinary: image delivery
  • Vimeo: video
  • AWS CloudFront: CDN
  • Microsoft / Azure: storage*
  • Branch WAN: retail / SD-WAN
  • Zscaler: SSE / ZTNA*

Cloudflare: one network · one bill · one control plane
Goal: cut annual vendor spend 50%+

Eight consolidation plays

Each maps to something Oportun is running today — or is already marketing.
01

Magic WAN for retail stores

Retail + branch + contact center

Connect every Oportun store, office and contact center over tunnel-based WAN — no per-site MPLS or SD-WAN appliances — with security applied at the edge.

  • IPsec/GRE tunnels; no customer IP space required
  • Built-in on-ramp to Zero Trust (Access & Gateway)
  • They already hold an IPv6 /36; IPv4 /24 is a discovery item
02

Cloudflare Images

↳ replaces Cloudinary

Same URL-based resize, crop and format-shifting — delivered from the very CDN already serving oportun.com. One bill instead of a separate media SaaS.

  • Identified: res.cloudinary.com in their CSP
  • Per-image / per-delivery pricing, no egress surprises
  • Auto AVIF/WebP for faster store & web pages
03

Cloudflare Stream

↳ replaces Vimeo

Encode, host and deliver financial-education and marketing video natively on Cloudflare — no per-seat Vimeo plan, no third-party player domain.

  • Identified: player.vimeo.com + i.vimeocdn.com
  • Adaptive streaming + signed URLs for gated content
  • Storage + delivery + player billed as one usage line
04

R2 — egress-free storage

↳ offloads Microsoft / Azure storage

For a Microsoft shop, object-storage egress is a recurring tax. R2 charges $0 egress — ideal for media origins, backups and data exports feeding the web and AI stack.

  • S3-compatible API; zero egress fees
  • Natural origin for Images, Stream & AI Gateway
  • Microsoft platform per account-team input
05

API Protection

↳ Cloudflare API Shield

Oportun’s web and mobile apps run on APIs — lending decisions, accounts, partner integrations. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline at the edge.

  • Automatic API discovery + schema validation
  • mTLS & JWT validation; block BOLA / abuse
  • Stop credential stuffing & scraping before origin
06

Mobile App Security

↳ secure the mobile lending app

Issue per-app credentials to Oportun’s mobile app so only the genuine app can call your APIs — backed by bot, automation and account-takeover defenses tuned for consumer finance.

  • API Shield mobile SDK → mTLS client attestation
  • Bot Management blocks emulators & scripted abuse
  • Account-takeover & fraud signals at login
07

AI Gateway + MCP — govern the AI Oportun already markets

Cost control · compliance · safe agent access

Oportun positions itself around “A.I.-driven” lending. AI Gateway puts a governed front door on every LLM call — caching, rate-limiting, spend caps, and full request logging that a regulated lender needs for audit. MCP lets internal systems be exposed to AI agents safely, behind Cloudflare Access.

  • One pane of glass + logs across any model provider
  • Cache & rate-limit to cut token spend
  • MCP servers fronted by Zero Trust — no open data paths
  • Pairs with R2 + Vectorize for retrieval on your own data
08

Cloudflare One — consolidate your SSE / retire Zscaler

↳ replaces Zscaler (ZIA + ZPA)

Collapse Secure Web Gateway, DNS filtering, CASB, DLP and ZTNA onto Cloudflare One — one agent, one policy engine, on the same network already in front of oportun.com. No separate SSE vendor, no per-module licensing, and a single set of logs for examiners.

  • SWG + DNS filtering + CASB + DLP under one policy
  • Access (ZTNA) replaces Zscaler Private Access for app access
  • Runs on the same edge as your WAN, API & web security
  • Integrates with Microsoft Entra ID for SSO & device posture

Consolidation roadmap

A staged path — land quick wins first, expand into security & network, then displace the big SSE spend.
First 6 months

Land & quick wins

  • Cloudinary → Cloudflare Images
  • Vimeo → Cloudflare Stream
  • Stand up R2; move egress-heavy origins off Azure
  • API Shield discovery + schema on top APIs
  • Optimize existing Cloudflare CDN / WAF
By 12 months

Expand & secure

  • Magic WAN pilot across retail stores + contact center
  • Mobile App Security (mobile SDK mTLS + Bot Mgmt)
  • AI Gateway in front of LLM calls; first MCP servers
  • Zero Trust (Access) for key internal apps
  • Retire AWS CloudFront → single CDN
Within 2 years

Consolidate & displace

  • Full Cloudflare One — retire Zscaler (SWG/CASB/DLP/ZTNA)
  • Magic WAN org-wide; decommission legacy SD-WAN / MPLS
  • One control plane + unified logging for audit
  • AI governance + retrieval on R2/Vectorize at scale
  • Single vendor relationship & commercial agreement

Consolidation snapshot

Current-state vendors are evidence-based; nothing here is assumed.
| Function | Today | How it was identified | On Cloudflare |
| --- | --- | --- | --- |
| Image delivery | Cloudinary | Identified: res.cloudinary.com in CSP | Cloudflare Images |
| Video | Vimeo | Identified: player.vimeo.com / i.vimeocdn.com | Cloudflare Stream |
| Object storage | Microsoft / Azure | Account-team input (MSFT shop) | R2 (egress-free) |
| Branch & store WAN | Existing WAN / SD-WAN | Retail footprint observed | Magic WAN + Zero Trust |
| AI traffic control | Ungoverned LLM calls | “A.I.-driven” positioning | AI Gateway + MCP |
| API protection | App proxies / manual rules | Web + mobile apps are API-driven | API Shield |
| Mobile app security | In-app / 3rd-party SDKs | Consumer mobile lending app | API Shield mobile SDK + Bot Mgmt |
| SSE / Zero Trust | Zscaler (ZIA + ZPA) | Account-team input | Cloudflare One |
| CDN / edge | Cloudflare + AWS CloudFront | server: cloudflare; cloudfront.net | Consolidate on Cloudflare |

How we know — observed on oportun.com

No assumptions: every current-state vendor below was identified from public DNS, HTTP headers, and the live oportun.com Content-Security-Policy.

  • Cloudflare: already fronting the site
  • Cloudinary: res.cloudinary.com
  • Vimeo: player.vimeo.com
  • Microsoft / Entra ID: login.microsoftonline.com
  • AWS CloudFront: img CDN
  • WP Engine: WordPress
  • Retail locations: branch footprint