Post by Sharon Goldberg
Product at Cloudflare | CS professor at Boston University | Founder of BastionZero (acquired by Cloudflare)
NEW: Cloudflare One becomes the first SASE to support modern post-quantum encryption across the platform. From IPsec to MASQUE, we’re using hybrid ML-KEM to stop "Harvest Now, Decrypt Later" attacks on enterprise network traffic.

What’s new? Cloudflare IPsec now supports hybrid ML-KEM to protect site-to-site and WAN traffic:

🔌 Cloudflare One Appliance, our plug-and-play branch connector, has been upgraded via a simple software update (version 2026.2.0).
🛡️ Cloudflare IPsec supports the new IETF draft-ietf-ipsecme-ikev2-mlkem in closed beta. We'll be validating interoperability with other vendors' branch connectors as they add support for this new draft. Customers: reach out if there's a specific vendor you'd like us to get started on!

What's not new? Post-quantum encryption across the rest of the SASE platform:

🚇 Cloudflare Tunnel, our server-agent based off-ramp, has used TLS 1.3 with hybrid ML-KEM since 2022.
🎭 Cloudflare One Client (aka WARP, our end-user device client) has used MASQUE with hybrid ML-KEM since late 2025.
⛩️ Cloudflare Gateway, our secure web gateway, has supported TLS 1.3 with hybrid ML-KEM since early 2025.
🌐 Clientless Cloudflare One has supported TLS 1.3 with hybrid ML-KEM since early 2025.

Definitely not a science experiment any more! In fact, more than 60% of the browser-generated traffic to Cloudflare's network uses post-quantum encryption today. 🧪💥