Applied Systems

Enterprise Contract · Business Services · appliedsystems.com · ~2,800 employees

⚠

DNS Queries Overage

Feb 2026: 2.31B queries = 115.4% of 2B cap. Trending upward.

⚠

Zero Trust Seats at 95.8%

3,258 of 3,400 seats used. Will exceed cap by ~Jun 2026 at current growth rate.

⚠

Magic Transit IP Prefixes at 100%

11 of 11 prefixes advertised. No room for additional prefix onboarding.

📈 Account Overview

Account Score

93.2

Tier A

Monthly Fee

$118.4K

Contract End

Sep 2028

Active Zones

361

360 ENT + 1 Free

Tenure

48 mo

Risk Status

Not at Risk

Contract Details

Plan	Premium A
Segment	Named
Contract Start	2022-03-29
Contract End	2028-09-28
Sales Territory	AMER US NMD CNTL HEART
Last Activity	2026-03-04

Financials

Monthly Fee	$118,399.12
Balance Total	$364,033.16
Balance >90d	-$9,478 (credit)
PayGo Revenue	$0
Variable Billing	No
Predicted Spend	$106,958

Propensity Signals

App Service Mix	Active
Cloudflare One	Active
App Performance	Inactive
App Security	Inactive
Developer Platform	Inactive
Network Services	Inactive

👥 Account Team

Jon Harris

Account Owner (AE)

jharris@cloudflare.com

Michelle Rodriguez

CSM

mrodriguez@cloudflare.com

Pat Blair

pblair@cloudflare.com

Sergio Bentim

CSE

sbentim@cloudflare.com

Nicole Clemens

RAM

nclemens@cloudflare.com

Zach Taylor

BDR

ztaylor@cloudflare.com

📦 Product Portfolio (17 Products)

Advanced Browser Isolation

Advanced DDoS

Advanced Magic Firewall

App Security Advanced

App Security Core

BYO IPs

CDN

Cloudflare Enterprise

Data Localization Suite

Dedicated IPs for CDN Egress

Domains Primary

Domains Secondary

Foundation DNS

Gateway Dedicated Egress IPs

Magic Transit: Always On GRE

Premium Success

Zero Trust Enterprise

📊 Cap Utilization (Current Month)

HTTP Requests

~9.9Bof 18B cap

55%OK

Data Transfer

~54 TBof 76 TB cap

71%Watch

DNS Queries

2.31Bof 2B cap — OVERAGE

115.4%Overage

Zero Trust Seats

3,258of 3,400 cap

95.8%Warning

Magic Transit Ingress

1,536 Mbpsof 2,560 Mbps cap

60%OK

MT IP Prefixes

11of 11 cap

100%At Cap

🌐 CDN Traffic Usage

HTTP Requests (Billions)

Data Transfer (TB)

Threats Blocked (Millions)

Content Mix by Request Type (Avg)

🔎 DNS Usage

DNS Queries (Billions) — Cap: 2B

DNS Records Growth

🔒 Zero Trust

Access Seats Used

3,263

of 3,400

Gateway MAU

27.3K

+60% since Dec

WARP Active Users

3,104

From 11 in Dec!

Access Apps Used

of 13 configured

IDP

Okta

ZT Access — Seat Utilization Trend

WARP Active Users — The Big Rollout

Gateway DNS Filtering MAU

Gateway DNS Queries (Billions)

⚡ Magic Transit

Ingress Bandwidth by Region (Mbps)

Magic Transit Details

Service Type	Always On (GRE)
Ingress Cap	2,560 Mbps
Current Ingress	1,536 Mbps (60%)
IP Prefixes	11 / 11 (100%)
Onboarded Prefixes	11
Leased Prefixes	0
Traffic Split	~92% NA, ~14% EU
Egress	Not applicable (Always On)

🛡 WAF / Firewall

Firewall Blocks by Source (Millions)

Firewall Activity Summary

Source	Action	Monthly Range
Custom Rules	Skip	196M – 370M req
Managed Rules	Skip	25M – 75M req
Managed Rules	Block	375K – 15.5M req
Custom Rules	Block	223K – 5.7M req
L7 DDoS	Block	16K – 7.7M req
BIC	Block	43K – 2.6M req
Rate Limiting	Challenge	17K – 148K req
DLP	Log	100 – 1K req

🎫 Support Tickets

Total (Jan 2025–Mar 2026)

Open

Closed

Avg / Month

3.9

Top Category

WARP (14)

Tickets Created vs Closed per Month

Tickets by Category

Currently Open Ticket

Date	Priority	Category	Subject	Age
2025-12-12	Normal	WARP	Reconnect setting is not being honored on macOS client	94+ days

Recent Tickets (Last 3 Months)

Date	Status	Priority	Category	Subject
2026-03-03	Resolved	Normal	CF1 Client	AWS EKS clusters fail with SSL inspection
2026-02-20	Closed	Urgent	Network Flow	Multiple subnets being shown as withdrawn
2026-02-09	Closed	Normal	Gateway	msn.com certificate error on WARP
2026-01-27	Closed	Urgent	Network	Chicago datacenter is degraded
2026-01-23	Closed	High	CF Tunnel	High CPU with cloudflared + CrowdStrike Falcon Sensor
2026-01-07	Closed	Urgent	AppSec	DDoS protection enabled at zone level unexpectedly
2026-01-02	Closed	High	HTTP Errors	Cloudflare overriding keep-alive value
2025-12-17	Closed	Urgent	SSL/TLS	Ghost TXT records preventing certificate validation
2025-12-17	Closed	High	DNS	Google certificate manager not working on domain

Ticket Themes & Patterns

WARP / Zero Trust (14 tickets)

Connectivity issues, macOS/Windows platform bugs, SSL inspection conflicts. Correlates with Jan 2026 mass rollout.

Network / Magic Transit (7 tickets)

Subnet withdrawal, datacenter degradation, routing issues. Typical for Always On MT deployment.

WAF / AppSec (3 tickets)

Managed rule updates causing false positives (Oct 2025 cluster). Cloudflare-side issues.

💰 Pipeline & Opportunities

Open Pipeline

Opportunity	Type	Stage	ACV
Applied_Dev_NW	Upsell IO	Discovery	$150,000
Renewal 2028	Renew	Expected	$1,420,789

Recent Closed Won

Opportunity	Date	ACV
Renewal 2025	Sep 2025	$92,808
Extension 2024	Dec 2024	$1,263,474
Bots/CDN/API Shield Right Size	Sep 2024	$318,402
BYOIP IO	Apr 2023	$36,460
Magic Transit	Apr 2022	$360,000
ZT / Core / API / DLS	Mar 2022	$457,913

Recent Closed Lost

Opportunity	Type	Date	ACV
M-WAN Growth	Upsell IO	Aug 2025	$0
CloudforceOne TAM	Consulting	Jul 2025	$0
Load Balancing ZT	Upsell IO	Dec 2024	$18,978
MWAN 150 Mbps	Upsell IO	Sep 2024	$78,369
Acquisition (ZT expansion)	Upsell IO	Aug 2024	$26,278
Load Balancing	Upsell IO	Aug 2024	$27,000

CSM Insights

Adoption, Value, Expansion & Risk Analysis for Account Team

📈 Adoption Scorecard

🎉

The Big Story: WARP Rollout Is a Landmark Moment

In January 2026, Applied Systems went from 11 active WARP devices to 3,259 in a single month. This wasn't gradual — it was a coordinated, org-wide deployment. They had ~3,700 users configured for months but only ~10 active. In Jan, they flipped the switch.

Downstream impact: Gateway DNS filtering MAU jumped 63% (16,761 → 27,287). Gateway query volume grew from 2.5B to 3.6B/mo. The platform is working as designed: WARP drives Gateway value.

CDNHigh

9-10B requests/mo consistently. 86% API traffic — deeply integrated into their application architecture. Core infrastructure dependency.

Foundation DNSHigh

1.5-2.3B queries/mo, 22K+ records across 361 zones. Growing ~270 records/month. Already in overage — sign of heavy organic use.

Magic TransitHigh

Always On, 1.5 Gbps steady ingress, 11/11 prefixes advertised. Core infrastructure dependency protecting their entire network 24/7.

WARPHigh (New)

3,100+ MAU since Jan 2026. Desktop-only. 8,295 configured devices but 3,247 active (39% device utilization) — room for further rollout.

Gateway (DNS Filtering)High

27K MAU, 34 DNS rules, 3.6B queries/mo. Massive jump post-WARP rollout. Actively filtering across the workforce.

WAF (AppSec Core/Advanced)High

Heavy rule usage with 28M+ managed blocks in 6 months. However, very high volume of custom skip rules (200-370M req/mo) raises tuning questions.

Bot ManagementModerate

9 rules active (2 block, 1 log, 6-8 skip). Identifies 1.1-1.5B bad requests/mo (~15% of traffic). Skip rules outnumber blocks — may not be fully tuned.

Zero Trust AccessLow-Moderate

95.8% seat utilization (good), but only 5 of 13 apps used (38% app utilization). Low SSO activity (~50 logins/30d vs 3,263 users). Not a primary auth gateway.

Browser Isolation (BISO)Shelfware Risk

3,400 BISO seats purchased, ~0 active usage. 1 BISO app configured in Access. With WARP deployed, the hard part (endpoint deployment) is done. Activation is a config exercise.

DLPNegligible

100-1,000 log events/month. Either not configured or not matching. For an insurance tech company processing policyholder data, this should be a bigger part of their stack.

Data Localization SuiteUnknown

Purchased but no usage metrics available in Lighthouse. Validate in QBR whether actively using DLS or if it's shelfware.

Adoption Maturity by Product

Bot Management: Traffic Classification

💪 Value Received

72M+

Threats Blocked

CDN-layer threats blocked
in last 6 months

8.2B

Bad Bot Requests Identified

~15% of all traffic classified
as unwanted automation

9.0M

L7 DDoS Attacks Blocked

Including 7.7M in Nov 2025
single event

3,100+

Employees Protected by WARP

Deployed in Jan 2026
from near-zero

1.5 Gbps

Always-On DDoS Protection

Magic Transit protecting
11 IP prefixes 24/7

28M+

WAF Managed Rule Blocks

Malicious requests stopped
at the edge in 6 months

3.6B/mo

Gateway DNS Queries Filtered

Workforce DNS traffic
inspected & filtered

QBR Value Statement

In the last 6 months, Cloudflare has protected Applied Systems' infrastructure from 72M+ threats, blocked 9M L7 DDoS attacks, identified 8.2B malicious bot requests, and provided always-on DDoS protection for your core network at 1.5 Gbps. In January 2026, you successfully rolled out WARP to 3,100+ employees, bringing your entire workforce under Cloudflare One protection with DNS filtering processing 3.6B queries per month. Your platform serves 9-10B HTTP requests monthly with 99%+ SSL coverage. Bot Management protects your insurance industry clients by blocking 15% of all traffic identified as unwanted automation.

Threats Blocked Over Time (Millions)

Bad Bot Requests Identified (Billions)

🚀 Expansion Opportunities

Tier 1: Immediate / Organic Growth (Next 90 Days)

Zero Trust Seat Expansion

$26K – $39K ACV

Data: 3,263 configured users / 3,400 cap = 95.8%. Growing ~25 users/month. Will hit cap by ~June 2026. 2,800 employees total. BISO seats (3,400) should increase in tandem.

"You're at 95.8% seat utilization and growing. Let's get ahead of this before it impacts onboarding new employees. A move to 3,800–4,000 seats gives you 18 months of headroom."

Capacity planning conversation, not upsell

DNS Cap Increase

$15K – $30K ACV

Data: Feb 2026 = 2.31B queries vs 2B cap (115.4%). DNS records growing 270/month. DNS-only zones: 177 → 185 in 6 months. Proxied records also growing.

"You're already in overage on DNS queries. Rather than incurring overage charges, let's right-size the cap for your growth. A 3B cap gives you 18 months of runway."

Bundle with $150K open pipeline deal

Magic Transit IP Prefix Expansion

$10K – $20K ACV

Data: 11/11 prefixes at 100%. All onboarded prefixes now advertised. 0 leased prefixes.

"All your allocated prefixes are advertised. If your network team needs to onboard additional prefixes for new infrastructure, we'll need a cap increase."

Raise during network review

Tier 2: Value-Driven Expansion (Next 6 Months)

Browser Isolation Activation

No new sale — Enablement

Data: 3,400 BISO seats purchased, ~0 active usage. WARP deployed to 3,100+ users. Technical prerequisites are met. The hard part (endpoint deployment) is done.

Not revenue expansion — but activating BISO strengthens stickiness, creates a richer security posture, and protects against the seat being cut at 2028 renewal.

CSM: Propose BISO enablement session. Start with high-risk use case: isolate risky web categories or unmanaged device access.

DLP Enablement

Likely upsell required

Data: Negligible DLP activity (100–1,000 log events/mo). Insurance technology company processing sensitive policyholder data. WARP + Gateway infrastructure now deployed.

"You've built the foundation with WARP and Gateway. The next step is protecting sensitive data in transit. Given your industry's regulatory requirements, DLP can help detect and prevent data exfiltration."

Requires understanding their data classification posture

WARP Mobile + Expanded Device Coverage

Included in seat count

Data: 8,295 configured devices, 3,247 active = 39% device utilization. 0 mobile devices. 100% desktop deployment. 5,000+ gap between configured and active.

Ask about mobile device management strategy and field staff access needs

Tier 3: Strategic / New Product (6–12 Months)

Magic WAN

$78K – $150K ACV

Data: 3x closed-lost attempts ($78K Sep 2024, $0 Aug 2025, $70K undated). Active $150K "Applied_Dev_NW" deal in Discovery may include network services.

Risk: This has been tried and rejected multiple times. Don't re-pitch the same way. Understand why it was rejected — pricing? Technical fit? Timing? Competitive?

Investigate closed-lost reasons before re-approaching

Workers / Developer Platform

Greenfield

Data: No Workers/KV/D1/DO usage. workersEntitled: false across all zones. But 86% API traffic + workers.dev subdomain configured. CF1 and App Service Mix propensity active. Active Fly-Fishing trials: Bot Management + Images (since Jun 2025).

Requires understanding their development stack and API-first architecture

Email Security

Greenfield

Data: 2,800 employees, no email security product. Insurance industry = high phishing target.

Only raise if natural conversation about phishing/BEC arises

⚠ Risks & Watch Items

Outstanding Balance: $364K

Total balance is $364K for a customer paying $118K/month. The >90-day balance is a credit (-$9.4K), so no aged receivable issue. But the total suggests recent invoices are unpaid — could be billing dispute, AP processing delays, or contract extension billing catching up. Action: Check with Finance.

Long-Open WARP Ticket (94+ Days)

Dec 12, 2025: "Reconnect setting is not being honored on macOS client" (CUSTESC-59863). Routed to engineering. For a customer that just deployed WARP to 3,100+ users, an unresolved macOS bug is a bad look for Premium Success. Action: CSE Sergio Bentim should be tracking this. Escalate if needed.

Oct 2025 WAF Incident Cluster — Were These Properly Addressed?

Three urgent tickets in Oct 2025 related to Cloudflare-side WAF rule changes breaking their traffic: managed rule update false positives, beta rule blocking despite disabled, ASN misclassification. These were Cloudflare's fault. If not properly post-mortem'd, they erode trust. Action: Verify addressed in QBR or dedicated follow-up.

Multiple Closed Lost Deals + Termination Attempt

Magic WAN (3x lost), Load Balancing (2x lost), ZT expansion (lost), CASB (lost). Plus a termination attempt in Nov 2024 (-$187K) followed by a $161K termination amendment that closed in Dec 2024. Something caused them to want to reduce spend. Understanding what was terminated and why is critical context for future expansion conversations.

Browser Isolation Is Shelfware

3,400 BISO seats purchased, ~0 active usage. If they don't start using BISO before the 2028 renewal, this is the first line item to get cut. This is both a value realization risk and a revenue risk. Action: Enablement session to activate BISO now that WARP is deployed.

Low Access SSO Activity

Only ~50 SSO logins per 30-day period across 3,263 configured users. Access is not a primary authentication gateway. Most users access apps directly or through other SSO flows. If perceived value is lower than cost, it becomes a renewal risk.

Fly-Fishing Trials Not Converting

Active trials since Jun 2025: Bot Management on ivansinsurance.ca (they already own BotMgmt — may be testing new zone) and Images (no visible usage). If stale, these represent disengagement with new products. Action: Check trial status and engagement.

📋 Recommended QBR Agenda

Celebrate the WARP Rollout

Lead with this. Ask about their experience, what drove the decision, and employee feedback. This builds rapport and opens the door to mobile expansion, BISO activation, and DLP conversations.

Review Cap Utilization

Present the DNS overage (115.4%), ZT seat trajectory (95.8% → cap by Jun 2026), and MT prefix usage (100%). Position seat and DNS increases as capacity planning, not upsell.

BISO Enablement Proposal

"You're paying for 3,400 BISO seats. With WARP deployed, activating BISO is now a configuration step. Here's a proposal to start with high-risk category isolation." Prevent shelfware from becoming a renewal cut.

Access App Audit

Walk through the 13 configured apps. Identify the 8 that aren't generating traffic. Are they needed? Can we drive adoption? Understanding this also informs the SSO utilization gap.

Address the Open WARP Ticket

Proactively update on CUSTESC-59863 status (94+ days open, macOS reconnect bug). Shows Premium Success is working and the team is on top of issues.

Explore the $150K Pipeline Deal

Understand customer priorities for the next 12 months. How does the "Applied_Dev_NW" deal map to their needs? Investigate Magic WAN closed-lost history before re-approaching network services.

💡 Priority Actions

🔴

DNS Cap Increase Required

Feb 2026 hit 115.4% of 2B query cap. Queries trending upward with growing record count (+270/mo). Bundle cap increase discussion with the $150K open pipeline deal.

High Priority

🔴

Zero Trust Seat Expansion

95.8% utilization, growing ~25 users/month. Will exceed 3,400 cap by ~June 2026. Proactive seat upsell conversation needed before they hit the wall.

High Priority

🟡

Capitalize on WARP Rollout Success

Massive WARP deployment (0 to 3,100+ users in Jan 2026) is a success story. Opportunity to extend to mobile (currently desktop-only, 8.3K configured devices but only 3.3K active). Use as proof point for deeper CF1 adoption.

Medium Priority

🟡

Drive Access App Adoption

Only 5 of 13 configured Access apps are actively used. CSM-led enablement session could drive adoption of remaining 8 apps and increase overall platform stickiness.

Medium Priority

🟡

Resolve Long-Open WARP Ticket

macOS reconnect setting ticket (CUSTESC-59863) has been open 94+ days. Follow up on engineering resolution status to demonstrate Premium Success value.

Medium Priority

🔵

Explore Developer Platform / Workers

CF1 and App Service Mix propensity signals are active. No Workers/KV/D1 usage today. With 2,800 employees and heavy API traffic (86% of requests), developer platform could be a greenfield opportunity.

Explore

🔵

Email Security Opportunity

2,800 employees with no email security product. Potential new product addition to the existing security stack.

Explore

Applied Systems Account Dashboard · Generated from Cloudflare Lighthouse Insights API · March 16, 2026
Salesforce ID: 001o000000M6KOyAAN · 5 Sub-Accounts · 361 Active Zones