Cloudflare One is the first SASE offering modern post-quantum encryption across the full platform

Cloudflare One becomes the first SASE platform to support modern post-quantum encryption across its entire platform, including Secure Web Gateway, Zero Trust, and WAN use cases.

• •Cloudflare One now supports hybrid ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) across all major on-ramps and off-ramps
• •NIST set a 2030 deadline for deprecating RSA and ECC, and "Harvest Now, Decrypt Later" attacks make PQC adoption urgent today
• •Two cryptographic primitives require migration: key agreement (ML-KEM, largely complete) and digital signatures (less urgent, still in progress)
• •Over 60% of human-generated TLS traffic to Cloudflare is already protected with hybrid ML-KEM
• •Cloudflare IPsec now supports hybrid ML-KEM per RFC 9370, replacing the problematic PSK/QKD approach from RFC 8784
• •Cloudflare One Appliance upgrade is generally available in version 2026.2.0; Cloudflare IPsec upgrade is in closed beta