Today upgrade.com runs two CDNs (Akamai + AWS CloudFront), Akamai Bot Manager, and AWS-hosted origins with no dedicated edge WAF in the path. Cloudflare collapses edge, bot, API, DDoS, DNS and Zero Trust onto a single network — fewer vendors, one control plane, and audit-ready logging for an IPO-track lender.
Upgrade raised a $165M Series G in Oct 2025 at a reported ~$7.3B valuation and is publicly targeting an IPO in ~12–18 months. The company has delivered $40B+ in credit to 7M+ customers and now spans personal loans, Upgrade Card/OneCard, Rewards Checking, auto and home-improvement lending, plus Flex Pay (the travel BNPL business it acquired as Uplift for $100M in 2023).
That trajectory raises the bar on three things Cloudflare directly addresses: security posture & fraud controls across a fast-growing API and login surface, uptime and performance for many consumer-facing brands, and vendor/cost discipline + unified audit logging that IPO diligence rewards.
Sources: Reuters, CNBC, Bloomberg (Oct 16, 2025); Crowdfund Insider (Aug 2025); Upgrade press releases (2023–2025).
Upgrade pays for two content-delivery networks. Cloudflare serves the whole footprint from one global anycast edge in front of the existing AWS origin — one CDN bill, one cache, one set of logs.
For a lender, bots mean application fraud, credential stuffing and synthetic-identity attacks on loan, card and BNPL flows. Cloudflare's ML bot scoring runs inline on the same edge as the WAF — one policy, one log.
Recon shows requests hitting an AWS ALB → Istio/Envoy → Next.js origin with no dedicated WAF observed at the edge. Cloudflare adds managed WAF rulesets and always-on L3–L7 DDoS in front of every property.
Upgrade's web and mobile apps are API-driven — lending decisions, accounts, Flex Pay checkout, dealer & partner integrations. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline.
Move authoritative DNS onto the fastest network on the internet, with DNSSEC and one-click control of the same WAF/CDN/bot policies — no separate console from where security is managed.
Consumer credit + BNPL = a prime ATO and synthetic-identity target. Cloudflare scores logins for leaked credentials and automated abuse before they hit Upgrade's origin — folded into the same WAF/bot policy.
Upgrade is an engineering- and AI-forward shop across SF, Phoenix, a Montreal tech center, Atlanta & Irvine. Cloudflare One delivers ZTNA (Access), SWG, DNS filtering, CASB and DLP — one agent, one policy, one audit log.
As an AWS shop serving static assets and media through CloudFront, object-storage egress is a recurring tax. R2 charges $0 egress — an ideal origin for the consolidated CDN and any AI/retrieval workloads.
| Function | Today | How it was identified | On Cloudflare |
|---|---|---|---|
| CDN — marketing site | Akamai identified | www → upg-www.edgekey.net | Cloudflare CDN |
| CDN — static assets | AWS CloudFront identified | static → *.cloudfront.net | Cloudflare CDN (one edge) |
| Bot management | Akamai Bot Manager identified | _abck & bm_sz cookies | Cloudflare Bot Management |
| WAF / DDoS | None observed at edge | awselb/2.0 → istio-envoy origin | Cloudflare WAF + DDoS |
| API protection | App-tier only | Next.js + Istio/Envoy headers | API Shield |
| Authoritative DNS | AWS Route 53 | ns-*.awsdns-* nameservers | Cloudflare DNS |
| Origin / compute | AWS (ALB · EC2 · EKS/Istio) | awselb; Amazon Technologies ASN | Stays on AWS — fronted by Cloudflare |
| Object storage / media | AWS (S3 / CloudFront) | cloudfront.net asset origin | R2 (egress-free) |
| Transactional email | SendGrid | mail → *.sendgrid.net | Keep — add Email Security (inbound) |
| Remote access / SSE | VPN / SSE *per account-team | Not publicly observable | Cloudflare One (ZTNA) |