Cloudflare recently released the Cloudflare One stack, an open-source library of agent skills that gives AI agents the knowledge to plan, deploy, manage, and migrate Zero Trust environments without requiring practitioners to learn the full product suite first. The skills ship as two lightweight files that any agent can load: cloudflare-one for product guidance and cloudflare-one-migration for vendor-to-vendor translation, with explicit migration logic for moving from Zscaler and Palo Alto Networks. AJ Gerstenhaber and Abe Carryl from Cloudflare write:
"Teams are already using agents to write code, triage alerts, and automate workflows. On their own, agents are not trained on the nuances of an organization's specific network topology or vendor configurations."
The migration capability is the most immediately valuable part for security teams. Ask an agent to migrate your Zscaler Private Access applications to Cloudflare Access, and the skill knows how to map Zscaler application definitions to Cloudflare equivalents, transform user groups and policies, create the resources via the Cloudflare API, and generate a summary of what was migrated versus what needs manual review. The migration logic is the same logic used in Cloudflare's Descaler and Deskope programs, which have moved enterprise customers from Zscaler and Netskope to Cloudflare in hours rather than months. The stack makes that capability available to any customer or partner without scheduling an engagement.
Each skill file contains structured knowledge, decision trees, and tool definitions that agents load automatically when the context matches. The cloudflare-one skill covers the full lifecycle: VPN replacement with Cloudflare Access, user and network security with Gateway, connectivity through Tunnel, Mesh, and WAN, troubleshooting with the Digital Experience Monitoring (DEX) toolkit, and automated rule recommendations based on traffic observed in a live account. Ask an agent to replace your VPN infrastructure and the skill inventories existing applications, maps each to the appropriate Cloudflare primitive, generates a deployment sequence that minimizes disruption during cutover, and produces a configuration summary for team review before any changes are applied.
When paired with the Cloudflare code mode MCP server, the skills gain a typed interface to the Cloudflare API. Agents can query live account configurations, inspect policies, and make changes through curated workflows rather than ad-hoc API calls. Authentication credentials stay out of the model context because the MCP server handles them separately.
The practical question is whether security teams are ready to let agents touch Zero Trust configurations. The stack is designed with a review-before-apply pattern: agents propose changes and generate summaries, but practitioners review and approve before anything is committed. As one security practitioner noted on X:
"Not replacing the security team, but compressing the route from intent to configured policy. The enterprise question is whether every generated change has approval, diff, owner, and rollback attached."
Review-before-apply is the right boundary for security infrastructure, where a misconfigured Gateway policy or an incorrect Access application mapping could expose internal services or lock out users.
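An added example, not part of the original article or of Cloudflare's skills: a small Python gate that refuses an agent-proposed change unless the four attachments named in the quote above (approval, diff, owner, rollback) are present. The `ProposedChange` record, the resource label and the policy field names are hypothetical and do not reflect the Cloudflare API.

```python
import difflib
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProposedChange:           # hypothetical record, not a Cloudflare type
    resource: str
    current: dict               # configuration read from the live account
    proposed: dict              # configuration the agent wants to apply
    proposed_by: str
    owner: str = ""
    approved_by: str = ""
    rollback: Optional[dict] = None   # snapshot to restore if the change misbehaves

def render_diff(change):
    """Unified diff of the two configurations, for the human reviewer."""
    old = json.dumps(change.current, indent=2, sort_keys=True).splitlines()
    new = json.dumps(change.proposed, indent=2, sort_keys=True).splitlines()
    return "\n".join(difflib.unified_diff(old, new, "current", "proposed", lineterm=""))

def gate(change):
    """Return (ok, reasons, diff); ok is True only when nothing is missing."""
    diff = render_diff(change)
    reasons = []
    if not diff:
        reasons.append("empty diff: nothing to review")
    if not change.owner:
        reasons.append("no owner")
    if not change.approved_by:
        reasons.append("no approval")
    elif change.approved_by == change.proposed_by:
        reasons.append("self-approval: approver is the proposer")
    if change.rollback != change.current:
        reasons.append("rollback snapshot missing or stale")
    return (not reasons, reasons, diff)

# Constructed sample input; field names are illustrative only.
CURRENT = {"name": "wiki", "allow_groups": ["engineering"], "session_hours": 8}
PROPOSED = {"name": "wiki", "allow_groups": ["engineering", "everyone"], "session_hours": 8}

if __name__ == "__main__":
    draft = ProposedChange("access-app/wiki", CURRENT, PROPOSED, proposed_by="agent")
    ok, reasons, diff = gate(draft)
    print(diff)
    print("apply" if ok else "blocked: " + "; ".join(reasons))
```

The diff in the sample makes the risky part visible to the reviewer: the proposed policy widens `allow_groups`, which is the kind of mapping error the paragraph above warns about.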
For Cloudflare's partner network, the stack functions as packaged expertise. Partners running Cloudflare One deployments for their customers can use the skills to deploy faster, troubleshoot with greater accuracy, and reduce the hours spent on vendor-to-vendor translation work that was previously manual and error-prone.
The Cloudflare One stack is available now on GitHub. New skills for additional migration sources and advanced troubleshooting workflows are in development.