EAP CF1 Capstone — Participant Brief
Choose one scenario · Present in 15 minutes
STUDENT · DO NOT SHARE
InCloud Partner Academy · Experience Acceleration Program
Cloudflare One Capstone Exercise
You've completed the EAP training modules on Remote Access Modernisation and DNS Filtering for Web Protection. It's time to put that learning into a technical role play. Choose one scenario, design the solution, and walk the room through it in 15 minutes. This is a technical exercise only — no commercial framing required.
3 scenario options · 15 min present + Q&A · 3 deliverables · You pick the products
Your Mission
You are the lead pre-sales technical consultant on a Cloudflare partner team. The customer has agreed to a discovery workshop. Your job is to walk out with a technical design and a phased migration story that stand up to scrutiny. Keep it technical: this is a design exercise, not a sales pitch.
What You Choose
  • One of three scenarios. Pick the one that stretches you most, not the one you already know.
    • Option 1: Remote access / VPN replacement for a regulated customer
    • Option 2: Web filtering and SWG rollout for a hybrid workforce
    • Option 3: Bring your own real customer engagement (minimum 3 CF1 products)
  • Which Cloudflare One products to propose. This is the whole point of the exercise.
    • We will not tell you which products to use
    • Pick from the full CF1 portfolio based on the scenario requirements
    • Be ready to justify why each product is in (or out of) your proposal
What You Produce
  • A High Level Design (HLD). One architecture diagram showing users, CF edge, identity, private apps, and policy enforcement points.
  • A migration plan. Phased rollout with week by week milestones and a named owner per phase.
  • A presentation deck. 5 to 8 slides max. You present to the room in 15 minutes (10 pitch, 5 Q&A).
💡 The Point of This Exercise
This is not a product knowledge quiz. It's a simulation of the first real technical conversation you'll have with a customer after they agree to explore Cloudflare One. The trainers will evaluate whether your solution actually solves the customer's problem, whether your design is coherent, and whether you can defend your choices under questioning. Have fun with it.
Pick Your Scenario
Three Options — Choose One
Scenario Option 1 of 3 · Remote Access Modernisation
Remote Access Modernisation — VPN Exit & Contractor Onboarding
⏱ Individual prep · 15 min presentation
A regulated enterprise needs to exit a legacy VPN appliance that has become a security liability and an operational bottleneck — before a planned acquisition doubles their user count.
Customer Scenario
Regulated Enterprise, Mid Market
  • Industry: Regulated (finance, healthcare, legal)
  • Profile: Mid market, multi office
  • Regulator: Industry regulator with audit authority
  • Users: 420 (growing to ~900 post acquisition)

The customer runs two legacy VPN concentrators at its primary HQ. The main appliance is 6 years old, out of vendor support, and has failed over twice in the last quarter. Remote employees and contractors all connect through these boxes to reach internal applications, including a web-based line-of-business application, an on-prem SharePoint farm, a Windows jump host used to access production databases, and a GitLab server for the engineering team.

The firm is closing an acquisition in 90 days that will add ~480 users across two additional offices. The acquired company has its own VPN and no appetite for merging into the customer's existing appliance. The CISO has told the board she will not extend the current VPN to the acquired entity. She wants a Zero Trust model for both populations before integration.

Separately, the compliance team is unhappy. Contractors (roughly 60 people, mostly engineers engaged through a staffing partner) get the same network level access as full time staff once they are on VPN. There is no per application access control and no per user audit trail for sessions. The auditors flagged this in the last review and expect a remediation plan in writing within 60 days.

The IT team is small. 9 engineers including 2 dedicated to end user compute. They cannot absorb a large hardware project. They want something they can stand up in weeks, not a 12 month programme.

🔥 What's Actually Broken
The pain points the customer will drill you on
Flat Network Risk
Once on VPN, any user (employee or contractor) can reach any subnet. One compromised credential equals lateral movement to everything.
No Audit Trail
Industry auditors flagged: no per user, per application session log. Compliance remediation required in 60 days.
Appliance End of Life
Primary VPN is out of support and has failed over twice in the last quarter. Not an option to keep.
Acquisition in 90 Days
480 new users joining soon. Cannot be added to existing appliance. Must be ready before integration.
Contractor Over Access
60 contractors have full network VPN access. Compliance wants per app access, posture checks, time bound policies.
Non HTTP Protocols
Jump host access uses RDP. Engineering team uses SSH into GitLab runners. Solution must handle both, not just web apps.
📋 Customer Requirements
What must be true at the end of the engagement
  • Per application access for all internal apps: web LOB application, SharePoint farm, Windows jump host (RDP), GitLab (HTTPS and SSH).
  • Identity based policy integrated with the existing IdP (Azure AD), including MFA enforcement at the access layer, not just at the device level.
  • Separate access tiers for full time employees vs third party contractors. Contractors must never reach beyond their assigned applications.
  • Device health and posture must influence access decisions (managed vs unmanaged; disk encrypted; OS up to date).
  • Full session audit trail. Who accessed what, from where, on what device. Exportable for compliance audit.
  • Outbound only connection from data centre to the cloud service. No new inbound firewall rules, no public exposure of internal apps.
  • Scales to ~900 users within 6 months without adding appliances or HA complexity.
  • VPN decommission path. A written plan showing how the old appliance is retired, in phases, with rollback at each stage.
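The requirements above describe one access decision with several inputs: identity tier, MFA at the access layer, device posture, a time-bound contractor scope, and an audit record for every attempt. The following is an added illustration of that decision logic in Python. It is not Cloudflare code and does not choose a product; the users, devices, applications, addresses and dates are constructed sample data, and the check ordering is one reasonable choice, not a standard.

```python
"""Model of the access decision the Option 1 requirements describe.

Added illustration only: this is not Cloudflare code and does not pick a
product. It shows the inputs a per-application policy has to consume
(identity tier, MFA at the access layer, device posture, time-bound
contractor scope) and the audit record every decision should emit.
Users, devices and applications below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional
import json


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    os_current: bool

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.os_current


@dataclass(frozen=True)
class Identity:
    email: str
    tier: str                                   # "employee" or "contractor"
    mfa: bool                                   # MFA satisfied at the access layer
    apps: FrozenSet[str] = frozenset()          # contractor scope; unused for employees
    engagement_ends: Optional[date] = None      # contractors only


@dataclass(frozen=True)
class App:
    name: str
    protocol: str                               # "https", "rdp" or "ssh"
    tiers: FrozenSet[str]                       # tiers that may ever reach it
    require_healthy_device: bool = False


def evaluate(user: Identity, device: Device, app: App, src_ip: str, today: date) -> dict:
    """Return the audit record for one access attempt: who, what, from where,
    on which device, and the decision with its reason. Broad denials (MFA,
    tier) are checked before narrower ones (scope, posture)."""
    def record(decision: str, reason: str) -> dict:
        return {"user": user.email, "tier": user.tier, "app": app.name,
                "protocol": app.protocol, "src_ip": src_ip,
                "device_managed": device.managed, "decision": decision,
                "reason": reason}

    if not user.mfa:
        return record("deny", "mfa_not_satisfied")
    if user.tier not in app.tiers:
        return record("deny", "tier_not_permitted")
    if user.tier == "contractor":
        if user.engagement_ends is None or today > user.engagement_ends:
            return record("deny", "engagement_expired")
        if app.name not in user.apps:
            return record("deny", "outside_contractor_scope")
    if app.require_healthy_device and not device.healthy():
        return record("deny", "posture_failed")
    return record("allow", "policy_matched")


# Constructed sample data mirroring the brief's application list.
APPS = {
    "lob": App("lob", "https", frozenset({"employee", "contractor"})),
    "sharepoint": App("sharepoint", "https", frozenset({"employee"})),
    "jump-host": App("jump-host", "rdp", frozenset({"employee"}), True),
    "gitlab-https": App("gitlab-https", "https", frozenset({"employee", "contractor"})),
    "gitlab-ssh": App("gitlab-ssh", "ssh", frozenset({"employee", "contractor"}), True),
}
MANAGED = Device(managed=True, disk_encrypted=True, os_current=True)
BYOD = Device(managed=False, disk_encrypted=False, os_current=True)
ALICE = Identity("alice@corp.example", "employee", mfa=True)
BOB = Identity("bob@staffing.example", "contractor", mfa=True,
               apps=frozenset({"lob", "gitlab-ssh"}),
               engagement_ends=date(2025, 12, 31))


def run_scenarios() -> list:
    """The cases the customer will drill on, each tagged with a case name."""
    cases = [
        ("employee_sharepoint", ALICE, MANAGED, "sharepoint", "203.0.113.10", date(2025, 6, 1)),
        ("employee_rdp_byod", ALICE, BYOD, "jump-host", "203.0.113.10", date(2025, 6, 1)),
        ("contractor_gitlab_ssh", BOB, MANAGED, "gitlab-ssh", "198.51.100.7", date(2025, 6, 1)),
        ("contractor_rdp", BOB, MANAGED, "jump-host", "198.51.100.7", date(2025, 6, 1)),
        ("contractor_gitlab_https", BOB, MANAGED, "gitlab-https", "198.51.100.7", date(2025, 6, 1)),
        ("contractor_expired", BOB, MANAGED, "lob", "198.51.100.7", date(2026, 1, 15)),
    ]
    return [dict(case=name, **evaluate(user, dev, APPS[app], ip, day))
            for name, user, dev, app, ip, day in cases]


def reasons(records: list) -> dict:
    return {r["case"]: r["reason"] for r in records}


def export_audit(records: list) -> str:
    """JSON Lines, one decision per line: the exportable trail the auditors asked for."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(export_audit(run_scenarios()))
```

Running the script prints one JSON line per attempt; the contractor cases show that a denial reason distinguishes "never allowed for this tier" (the RDP jump host) from "allowed for contractors but not in this contractor's scope" (GitLab over HTTPS) and from "engagement ended", which is the granularity the compliance team asked for in the remediation plan.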
📦 What You Present (15 Minutes Total)
1 · High Level Design · 1 diagram and 5 callouts
One architecture drawing showing: users (employee and contractor tiers), identity provider, the CF edge, how private apps are reached, and where policy and posture are enforced. Five short callouts naming each component and its role. Hand drawn or whiteboard photo is acceptable.
2 · Phased Migration Plan · table, one page
Weekly rows covering pilot, rollout, VPN decommission, and acquisition onboarding. Each row: week number, action, owner, exit criteria. Must land before the 90 day acquisition deadline.
3 · Pitch Deck · 5 to 8 slides, 10 min delivery
Suggested slide flow: title, problem recap, proposed architecture, migration timeline, Q&A. No more than 8 slides, no slide with more than 5 bullets.
Scenario Option 2 of 3 · DNS Filtering & Web Protection
DNS Filtering for Web Protection — Web Threats & AUP for a Hybrid Workforce
⏱ Individual prep · 15 min presentation
A multi site enterprise is being hit repeatedly by malware delivered through compromised websites and malicious downloads, and has no visibility or control over what their hybrid workforce browses from home or on the road.
Customer Scenario
Multi-Site Enterprise with Frontline & Office Workforce
  • Industry: Sector-agnostic (retail / logistics / manufacturing / healthcare)
  • Profile: Multi-site, mid-market
  • Footprint: 6 sites
  • Users: 1,100 (office) + 350 (shared frontline kiosks)

The customer runs a legacy on-prem web proxy at its primary data centre. Every office site backhauls internet through that data centre over MPLS. Hybrid staff (about 55% of the office workforce) VPN in from home to get filtered internet, which makes Zoom calls stutter, Teams hang, and generates a steady stream of helpdesk tickets.

In the last 4 months the SOC has investigated three incidents where finance and operations staff browsed to compromised websites and downloaded malicious content. One incident reached the accounting server before EDR caught it. The CFO signed off on two weekends of incident response billing and has made it clear he will not do it a third time.

The proxy only sees HTTP/S traffic. It does nothing about DNS-level threats such as C2 beacons, DNS tunnelling, and fast flux domains. The current DNS setup is split: on-prem AD DNS forwards to an ISP resolver with no filtering. The SOC has no DNS log visibility at all.
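To make that visibility gap concrete, here is an added example (not Cloudflare code) of what a SOC can do once resolver logs exist. It runs three simple heuristics over constructed sample log lines: tunnelling-shaped query names, fixed-interval beaconing, and fast-flux-style churn of A answers. The log format, hostnames, addresses and thresholds are all assumptions made for the example; a real resolver log carries more fields (TTL, response code) that would tighten each check.

```python
"""Triage of resolver logs for the DNS-layer threats the proxy cannot see.

Added example, not Cloudflare code. It runs three heuristics over
constructed sample log lines: tunnelling-shaped query names, fixed-interval
beaconing, and fast-flux-style churn of A answers. Log format, hostnames,
addresses and thresholds are all illustrative assumptions.
"""
import json
import math
import statistics
from collections import defaultdict

# Constructed sample, one query per line: "<epoch> <client> <qname> <qtype> <answer>"
SAMPLE_LOG = """\
1717200000 10.1.4.21 www.example.com A 93.184.216.34
1717200005 10.1.4.21 q7x2m9k4p1v8b3n6c5z0wj.tun.example.net TXT -
1717200006 10.1.4.21 a1s2d3f4g5h6j7k8l9z0xc.tun.example.net TXT -
1717200007 10.1.4.21 p0o9i8u7y6t5r4e3w2q1mn.tun.example.net TXT -
1717200008 10.1.4.21 z1x2c3v4b5n6m7a8s9d0fg.tun.example.net TXT -
1717200009 10.1.4.21 l0k9j8h7g6f5d4s3a2p1oi.tun.example.net TXT -
1717200010 10.1.4.21 m3n4b5v6c7x8z9a0s1d2fh.tun.example.net TXT -
1717200300 10.1.4.21 www.example.com A 93.184.216.34
1717200000 10.1.7.33 cdn-update.example.org A 198.51.100.20
1717200060 10.1.7.33 cdn-update.example.org A 198.51.100.20
1717200120 10.1.7.33 cdn-update.example.org A 198.51.100.20
1717200180 10.1.7.33 cdn-update.example.org A 198.51.100.20
1717200240 10.1.7.33 cdn-update.example.org A 198.51.100.20
1717200300 10.1.7.33 cdn-update.example.org A 198.51.100.20
1717200950 10.1.7.33 www.example.com A 93.184.216.34
1717200100 10.1.9.5 login-secure.example.info A 203.0.113.11
1717200130 10.1.9.5 login-secure.example.info A 203.0.113.57
1717200400 10.1.9.5 login-secure.example.info A 198.51.100.200
1717200405 10.1.9.5 login-secure.example.info A 192.0.2.99
1717201000 10.1.9.5 login-secure.example.info A 203.0.113.8
"""


def parse(log_text: str) -> list:
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer = line.split()
        rows.append({"ts": int(ts), "client": client,
                     "qname": qname.lower().rstrip("."),
                     "qtype": qtype, "answer": answer})
    return rows


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded payloads in labels score high."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def apex(qname: str) -> str:
    # Assumption: registered domain = last two labels (no public suffix list here).
    return ".".join(qname.split(".")[-2:])


def find_tunnelling(rows: list, min_unique: int = 5, min_label_len: int = 16,
                    min_entropy: float = 3.0) -> list:
    """Many distinct, long, high-entropy subdomains under one apex from one
    client is the shape of data being encoded into query names."""
    names = defaultdict(set)
    for r in rows:
        names[(r["client"], apex(r["qname"]))].add(r["qname"])
    hits = []
    for key, qnames in names.items():
        if len(qnames) < min_unique:
            continue
        labels = [q.split(".")[0] for q in qnames]
        if (statistics.mean([len(l) for l in labels]) >= min_label_len
                and statistics.mean([shannon_entropy(l) for l in labels]) >= min_entropy):
            hits.append(key)
    return sorted(hits)


def find_beaconing(rows: list, min_queries: int = 5, max_cv: float = 0.15) -> list:
    """Repeated lookups of one name at near-constant intervals (low coefficient
    of variation of the gaps) are characteristic of C2 check-ins."""
    times = defaultdict(list)
    for r in rows:
        times[(r["client"], r["qname"])].append(r["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(key)
    return sorted(hits)


def find_fast_flux(rows: list, min_distinct: int = 4) -> list:
    """One name answered with many different addresses within the window."""
    answers = defaultdict(set)
    for r in rows:
        if r["qtype"] == "A" and r["answer"] != "-":
            answers[r["qname"]].add(r["answer"])
    return sorted(q for q, a in answers.items() if len(a) >= min_distinct)


def triage(log_text: str = SAMPLE_LOG) -> dict:
    rows = parse(log_text)
    return {"tunnelling": find_tunnelling(rows),
            "beaconing": find_beaconing(rows),
            "fast_flux": find_fast_flux(rows)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Each heuristic needs something the HTTP proxy never records: the full query name (tunnelling), query timing per client (beaconing), and the answers returned (fast flux). That is the argument for putting a logging, filtering resolver in front of every user, on and off network, before tuning any of these thresholds against real traffic.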

There is no written Acceptable Use Policy enforcement. HR has a policy document, but IT has nothing that actually blocks adult content, gambling, or personal cloud storage. HR flagged two internal cases last quarter of inappropriate browsing that went undetected for weeks because no one was looking.

The CIO wants a single web security story for every user, on every network, on every device, including the frontline kiosks, which today sit on a dedicated VLAN with no filtering at all. The board wants the project live within one quarter.

🔥 What's Actually Broken
The pain points the customer will drill you on
Hybrid Backhaul Latency
Remote workers VPN home, then on prem proxy, then internet. Zoom and Teams hairpin adds 200 to 400ms. Daily helpdesk tickets.
No DNS Layer Defence
Proxy sees only HTTP/S. C2 beacons, DNS tunnelling, and fast flux malware domains pass through unchecked.
Malware Incidents
3 incidents in 4 months, each starting with a compromised website or a malicious download. One reached a server. CFO will not fund a fourth cleanup.
AUP Not Enforced
HR has a policy; IT has no control. Adult, gambling, personal cloud storage all open. Recent HR cases went undetected.
Frontline Kiosks Unfiltered
350 shared devices on a kiosk VLAN with zero web filtering. Should be locked to a vendor allow list.
No Unified Visibility
Proxy logs are siloed, home workers invisible, DNS events not collected at all. SOC cannot investigate web threats end to end.
📋 Customer Requirements
What must be true at the end of the engagement
  • DNS layer filtering covering malware, C2, and cryptomining, applied to every user, on network and off network, without backhaul.
  • Web and URL filtering over HTTPS with content categories for AUP: adult, gambling, personal cloud storage, uncategorised high risk.
  • TLS inspection for HTTPS traffic, with a do-not-inspect list for certificate-pinned apps (banking, healthcare portals, Zoom, Teams).
  • File type and upload controls to prevent exfiltration of office documents to personal cloud storage over web.
  • Isolation for risky or uncategorised browsing. Finance and operations users should be able to open questionable links without the endpoint rendering them.
  • Frontline kiosk policy. A stricter location based policy (vendor allow list only) for the 350 kiosks.
  • Elimination of the proxy backhaul. Hybrid workers must get policy enforcement from wherever they are, not via VPN.
  • Unified log and analytics. SOC needs a single place to investigate DNS and HTTP events, with retention that meets internal audit.
  • Governance model. Named owners for DNS threat policy vs AUP policy, defined review cadence, documented exception process.
  • Phased rollout. One quarter to full deployment, including a log only pilot before enforcement.
📦 What You Present (15 Minutes Total)
1 · High Level Design · 1 diagram and 5 callouts
One architecture drawing showing: user populations (office, hybrid, frontline kiosks), how each reaches the internet, where policy is evaluated, where logs land, and how TLS inspection fits. Name each component and what it enforces.
2 · Phased Rollout Plan · table, one page
Weekly rows across one quarter. Must include: log only pilot, IT team block mode, broader workforce, kiosks, proxy decommission. Each row: week, action, owner, exit criteria. Call out HR and Legal sign off gate explicitly.
3 · Pitch Deck · 5 to 8 slides, 10 min delivery
Suggested flow: title, threat recap (the 3 incidents), proposed architecture, rollout phases and governance, Q&A. Max 8 slides, max 5 bullets per slide.
Scenario Option 3 of 3 · Bring Your Own
Your Live Customer, Anonymised
⏱ Individual prep · 15 min presentation
Take a real customer you are working on right now, anonymise them, and build the same deliverables as Options 1 and 2. Your proposal should use at least three Cloudflare One products, with a clear reason for each.
Why This Option Exists
Practise on an engagement you actually care about
Option 3 can be the most rewarding of the three, because whatever you produce here is a useful first draft for a real conversation later. The trade off is that you need to define the scenario yourself. Pick it if you have a customer in mind whose pain you already understand. Otherwise, Option 1 or 2 will give you more to work with.
✍️ What You Must Define First
Before you design anything, jot these down
  • The anonymised customer profile. Industry, region, size, regulatory context. No real names, no real logos, no account identifying detail. A reasonable pseudonym is fine.
  • The actual business problem. Stated as the customer would state it, not as a Cloudflare feature list. "We have three VPN appliances out of support" is a problem. "We need Cloudflare Access" is not.
  • Three to five concrete pain points. The ones your champion would nod at if you read them out loud.
  • A hard constraint or two. Something real that shapes the design. Identity provider, regulator, existing investment that cannot be thrown away, a deadline.
  • A success criterion. One sentence on what "done" looks like for this customer.
Option 3 Guidelines
  • Aim for at least three Cloudflare One products in your proposal. It keeps the story interesting and pushes you beyond a single feature.
  • Be ready to share why each product made the cut. The fun part is defending your thinking in Q&A.
  • Keep the customer fully anonymous. No real names, no real logos, nothing that would identify them to anyone in the room.
  • Skip padding. If you're adding a product just to hit the count, swap it for one you genuinely believe in.
  • Public information (industry reports, published case studies) is welcome as colour. Anything shared with you in confidence stays out.
📦 What You Present (15 Minutes Total)
0 · Scenario Brief · 1 page, before anything else
The scenario itself: anonymised customer, problem, pains, success criterion. Same shape as Option 1 and Option 2. This is what you would have been handed if this scenario were pre written.
1 · High Level Design · 1 diagram and 5 callouts
One architecture drawing. Every CF1 product you proposed must appear on the diagram with a clear role. Nothing floating.
2 · Migration or Rollout Plan · table, one page
Phases with week level granularity, owners, exit criteria. Realistic against your stated scenario.
3 · Pitch Deck · 5 to 8 slides, 10 min delivery
Same structure as Options 1 and 2: scenario, architecture, plan, Q&A. Be ready for the "why three products and not two?" question.