Context & History
Secure Access Service Edge (SASE) emerged as a convergence of networking and security functions, delivering cloud-native access control, secure web gateways, and WAN capabilities from a single platform. In February 2026, Cloudflare announced that Cloudflare One had become the first SASE solution to integrate modern, standards-compliant post-quantum (PQ) encryption across its entire stack. This milestone follows years of pressure from standards bodies: NIST's draft IR 8547 proposes deprecating quantum-vulnerable algorithms (RSA, elliptic-curve Diffie-Hellman and ECDSA at the 112-bit security level) by 2030 and disallowing them entirely by 2035. Early deployments of hybrid ML-KEM key exchange in TLS 1.3 showed that PQ key agreement could be introduced without hardware changes, paving the way for a broader rollout into IPsec-based WAN and Zero Trust services. The move addresses three urgent drivers: looming regulatory deadlines, the historic slowness of cryptographic migrations, and the harvest-now, decrypt-later threat, in which traffic recorded today is decrypted once a cryptographically relevant quantum computer exists, which endangers long-lived data now.
Implementation & Best Practices
Deploying Cloudflare One's PQ capabilities follows a clear, phased roadmap. First, assess the current cryptographic posture of your network and identify the traffic flows that still rely on classical RSA or ECDHE key exchange; that inventory is also what auditors will ask for. Second, enable hybrid ML-KEM on the supported Cloudflare One components (Secure Web Gateway, Zero Trust policies, and the IPsec-based WAN) through the platform's UI or API. Third, validate performance and interoperability on a representative subset of sites and devices before full rollout; the ML-KEM-768 key share adds roughly a kilobyte to each direction of the handshake, which matters on lossy or MTU-constrained links. Fourth, establish a monitoring plan that tracks PQ negotiation success rates and fallback to classical algorithms. Finally, schedule periodic reviews to adopt PQ signature schemes such as ML-DSA once certificate chains and client support make them practical for production; hybrid key exchange protects confidentiality, but authentication remains classical until then. Following this sequence reduces risk, ensures compliance, and maintains service continuity.
Hybrid ML‑KEM Key Agreement
Cloudflare One implements hybrid ML-KEM alongside traditional Elliptic-Curve Diffie-Hellman (ECDHE). The hybrid approach runs both key exchanges in the same handshake and mixes both shared secrets into the key schedule, so the session stays secure as long as either algorithm remains unbroken: a future quantum computer would still have to break ML-KEM, and a flaw discovered in ML-KEM itself would still leave ECDHE standing. ML-KEM-768 operations are fast, so the cost is dominated by larger handshake messages (about 1.2 KB for the encapsulation key and 1.1 KB for the ciphertext), and the latency impact is small on most links. No client hardware or firmware changes are required, but the client's TLS or IKE stack must advertise the hybrid group; a client that does not simply negotiates classical ECDHE, which is exactly the fallback the monitoring step is meant to catch. Key takeaway: hybrid ML-KEM provides immediate protection against harvest-now, decrypt-later while preserving compatibility with legacy systems, but it covers key agreement only; certificate-based authentication still relies on classical signatures.
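The exchange described above, as an added example that is not Cloudflare One's code: both sides run X25519 and ML-KEM-768 and feed the two shared secrets (ML-KEM first, the ordering the TLS 1.3 X25519MLKEM768 group uses) into one KDF, so an attacker must break both to recover the session key. It assumes Go 1.24 or later for the standard-library crypto/mlkem package; the HKDF salt and info labels are illustrative, and a real TLS or IKEv2 stack would feed the concatenated secret into its own key schedule instead. The tamper flag flips one ciphertext byte in transit to show what a corrupted or forged ML-KEM ciphertext does.

```go
// Added example: hybrid X25519 + ML-KEM-768 key agreement (Go 1.24+ for crypto/mlkem).
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Key shares in X25519MLKEM768 order: the client sends its ML-KEM encapsulation
// key (1184 B) then its X25519 public key (32 B); the server answers with the
// ML-KEM ciphertext (1088 B) then its own X25519 public key (32 B).
type ClientKeyShare struct{ MLKEMEncapKey, X25519Pub []byte }
type ServerKeyShare struct{ MLKEMCiphertext, X25519Pub []byte }

// combine derives one session key from both secrets (ML-KEM first): HKDF-Extract
// then a single Expand block, written out with HMAC-SHA256. Labels are illustrative.
func combine(mlkemSS, x25519SS []byte) []byte {
	extract := hmac.New(sha256.New, []byte("hybrid-pq-example-salt")) // illustrative salt
	extract.Write(mlkemSS)
	extract.Write(x25519SS)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("session key\x01")) // illustrative info + HKDF block counter
	return expand.Sum(nil)
}

// x25519 completes the classical half against a peer's raw 32-byte public key.
func x25519(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(peer)
}

// clientHello generates both ephemeral key pairs and the key share to send.
func clientHello() (*mlkem.DecapsulationKey768, *ecdh.PrivateKey, ClientKeyShare, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, ClientKeyShare{}, err
	}
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, ClientKeyShare{}, err
	}
	return dk, xk, ClientKeyShare{dk.EncapsulationKey().Bytes(), xk.PublicKey().Bytes()}, nil
}

// serverHello encapsulates to the client's ML-KEM key, runs its own X25519, and
// returns the server's session key plus the share the client needs.
func serverHello(cs ClientKeyShare) ([]byte, ServerKeyShare, error) {
	ek, err := mlkem.NewEncapsulationKey768(cs.MLKEMEncapKey)
	if err != nil {
		return nil, ServerKeyShare{}, err
	}
	mlkemSS, ct := ek.Encapsulate()
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, ServerKeyShare{}, err
	}
	x25519SS, err := x25519(xk, cs.X25519Pub)
	if err != nil {
		return nil, ServerKeyShare{}, err
	}
	return combine(mlkemSS, x25519SS), ServerKeyShare{ct, xk.PublicKey().Bytes()}, nil
}

// clientFinish decapsulates the ciphertext and completes X25519 on the client side.
func clientFinish(dk *mlkem.DecapsulationKey768, xk *ecdh.PrivateKey, ss ServerKeyShare) ([]byte, error) {
	mlkemSS, err := dk.Decapsulate(ss.MLKEMCiphertext)
	if err != nil {
		return nil, err
	}
	x25519SS, err := x25519(xk, ss.X25519Pub)
	if err != nil {
		return nil, err
	}
	return combine(mlkemSS, x25519SS), nil
}

// RunHybridHandshake runs a full exchange. With tamper=true one ciphertext byte is
// flipped in transit; ML-KEM's implicit rejection then yields an unrelated secret
// (no error for a well-formed but wrong ciphertext), so the session keys differ.
func RunHybridHandshake(tamper bool) (clientKey, serverKey []byte, err error) {
	dk, xk, cs, err := clientHello()
	if err != nil {
		return nil, nil, err
	}
	serverKey, ss, err := serverHello(cs)
	if err != nil {
		return nil, nil, err
	}
	if tamper {
		ss.MLKEMCiphertext[0] ^= 0x01
	}
	clientKey, err = clientFinish(dk, xk, ss)
	return clientKey, serverKey, err
}

func main() {
	ck, sk, err := RunHybridHandshake(false)
	fmt.Println("honest exchange, keys match:", err == nil && bytes.Equal(ck, sk))
	ck, sk, err = RunHybridHandshake(true)
	fmt.Println("tampered ciphertext, keys match:", err == nil && bytes.Equal(ck, sk))
}
```

The sizes in the struct comments are why the handshake grows by roughly a kilobyte each way; the compute cost of ML-KEM itself is negligible next to that.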
IPsec Integration
IPsec tunnels now support hybrid ML-KEM within the IKEv2 exchange. The standard mechanism for this is RFC 9370 (multiple key exchanges in IKEv2), which adds the ML-KEM exchange alongside the classical Diffie-Hellman group and carries it in IKE_INTERMEDIATE messages, because ML-KEM's key sizes push the initial IKE_SA_INIT exchange past a typical MTU and that first exchange cannot be fragmented. The upgrade leverages Cloudflare's global Anycast routing to steer tunnel traffic to the nearest data center automatically, preserving high availability. When configuring IPsec, select the Post-Quantum cipher suite in the Cloudflare dashboard and enable fallback to classical suites only for devices that cannot yet negotiate ML-KEM; fallback is a deliberate downgrade path, so keep it visible in monitoring and plan to disable it once no endpoint depends on it. Key takeaway: enable the PQ suite first, then monitor fallback rates to identify legacy endpoints that need attention.
Zero Trust & Secure Web Gateway (SWG)
Zero Trust policies and the SWG inherit the same hybrid ML-KEM settings, so every user-initiated connection, from a laptop on public Wi-Fi to a branch router, benefits from PQ protection. Policies can be scoped by user group or application to introduce PQ encryption gradually where the risk is highest. Key takeaway: prioritize high-value, long-lived data (financial records, health records, intellectual property) for early PQ adoption, since that is the traffic a harvest-now, decrypt-later adversary is storing.
Operational Checklist
- Enable hybrid ML-KEM in the Cloudflare One UI for SWG, Zero Trust, and IPsec.
- Verify from TLS and IKEv2 handshake logs that client devices actually negotiate the hybrid group (for TLS 1.3, X25519MLKEM768) rather than silently falling back.
- Set up alerting for fallback to classical key exchange exceeding 5% of sessions; treat 5% as a starting threshold and tighten it as legacy endpoints are fixed.
- Document all changes in your change-management system and tag the rollout with a dedicated project identifier so PQ-related tickets can be found later.
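A monitor for the checklist's fallback alert, as an added example that is not a Cloudflare tool: it parses key=value handshake records, counts classical fallbacks overall and per source endpoint, raises the 5% alert, and lists the endpoints to chase, worst first. The log format and field names (src, kex) are invented for this example and the sample lines are constructed; Cloudflare One's Logpush datasets use their own field names, so parseLine is the only part to adapt.

```go
// Added example: PQ fallback-rate monitor over a constructed, hypothetical log format.
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleLog is constructed for this example: one handshake per line, "kex" being
// the negotiated key-exchange group. Line 9 is a non-handshake record to skip.
const SampleLog = `ts=2026-02-10T09:00:01Z proto=tls src=10.0.1.5 kex=x25519mlkem768
ts=2026-02-10T09:00:02Z proto=tls src=10.0.1.5 kex=x25519mlkem768
ts=2026-02-10T09:00:03Z proto=tls src=10.0.1.7 kex=x25519mlkem768
ts=2026-02-10T09:00:04Z proto=ipsec src=10.0.2.9 kex=ecp256
ts=2026-02-10T09:00:05Z proto=ipsec src=10.0.2.9 kex=ecp256
ts=2026-02-10T09:00:06Z proto=ipsec src=10.0.3.3 kex=x25519mlkem768
ts=2026-02-10T09:00:07Z proto=tls src=10.0.1.8 kex=x25519
ts=2026-02-10T09:00:08Z proto=tls src=10.0.1.5 kex=x25519mlkem768
ts=2026-02-10T09:00:09Z proto=ipsec src=10.0.3.3 msg="tunnel rekey scheduled"
ts=2026-02-10T09:00:10Z proto=ipsec src=10.0.3.3 kex=x25519mlkem768`

type Handshake struct{ Src, Kex string }

// parseLine extracts the hypothetical src and kex fields; it reports false for
// lines that are not handshake records (no kex), so they are not counted.
func parseLine(line string) (Handshake, bool) {
	var h Handshake
	for _, field := range strings.Fields(line) {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch k {
		case "src":
			h.Src = v
		case "kex":
			h.Kex = v
		}
	}
	return h, h.Src != "" && h.Kex != ""
}

// IsPostQuantum treats any group naming ML-KEM as hybrid PQ; everything else
// (x25519, ecp256, ...) is a classical fallback.
func IsPostQuantum(kex string) bool {
	return strings.Contains(strings.ToLower(kex), "mlkem")
}

type EndpointStats struct {
	Src             string
	Total, Fallback int
}

type Report struct {
	Total, Fallback int
	Alert           bool            // overall fallback fraction exceeded the threshold
	Endpoints       []EndpointStats // endpoints with at least one fallback, worst first
}

// Analyze counts classical fallbacks overall and per source endpoint. threshold is
// a fraction (0.05 is the checklist's 5%).
func Analyze(log string, threshold float64) Report {
	perSrc := map[string]*EndpointStats{}
	var r Report
	for _, line := range strings.Split(log, "\n") {
		h, ok := parseLine(line)
		if !ok {
			continue
		}
		s := perSrc[h.Src]
		if s == nil {
			s = &EndpointStats{Src: h.Src}
			perSrc[h.Src] = s
		}
		r.Total++
		s.Total++
		if !IsPostQuantum(h.Kex) {
			r.Fallback++
			s.Fallback++
		}
	}
	for _, s := range perSrc {
		if s.Fallback > 0 {
			r.Endpoints = append(r.Endpoints, *s)
		}
	}
	sort.Slice(r.Endpoints, func(i, j int) bool {
		a, b := r.Endpoints[i], r.Endpoints[j]
		return a.Fallback > b.Fallback || a.Fallback == b.Fallback && a.Src < b.Src
	})
	r.Alert = r.Total > 0 && float64(r.Fallback)/float64(r.Total) > threshold
	return r
}

func main() {
	r := Analyze(SampleLog, 0.05)
	fmt.Printf("classical fallback %d/%d handshakes, alert=%v\n", r.Fallback, r.Total, r.Alert)
	for _, e := range r.Endpoints {
		fmt.Printf("  %s fell back %d/%d times\n", e.Src, e.Fallback, e.Total)
	}
}
```

Run against the sample, the report flags 10.0.2.9 (two IPsec sessions on ecp256, a branch router that cannot negotiate ML-KEM) ahead of 10.0.1.8; that per-endpoint list, not the aggregate rate, is what turns the alert into a work item.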
For deeper technical background, see the Wikipedia entry on post-quantum cryptography and NIST's post-quantum cryptography standardization project (NIST PQC), which publishes FIPS 203 (ML-KEM) and the migration timeline. By following the roadmap and checklist above, organizations can confidently begin the transition to a quantum-resistant SASE architecture today.