The hardest part of running a company like Eastman right now probably isn't deciding whether to invest in AI, automation, or the next generation of specialty materials. It's something quieter than that: knowing, decision by decision, which parts of the business are allowed to move faster and absorb more risk, and which parts can’t afford that luxury.
Get that judgment wrong in one direction, and the business moves too cautiously to keep up with where the market is headed. Get it wrong in the other direction, and eventually something breaks that can't be fixed after the fact. Most companies don't notice they've drifted toward one side until it costs them something.
Every large company has to decide which bets can be wrong for a while, and which ones can't be wrong even once. Eastman is running three real experiments right now, and each one puts that exact question to the test.
Molecular recycling only works if Eastman keeps pushing into unproven territory: expanding capacity, questioning old assumptions about what plastic waste is worth, doing it now that some of the government support the bet once counted on is less certain than it was. That is squarely "keep moving and find out" territory.
But plenty of what makes that bet valuable can't afford that same room for error. A batch of material with only a few hours to prove it's good before it becomes unusable. A shipment that leaves the plant carrying a certificate promising it already passed every check. A brand relationship that only holds if the recycled material really is what Eastman says it is, every single time. None of that gets a second attempt.
Climbing away from commodity chemicals toward specialty products tells the same story from another angle. The reason customers pay more for Eastman's materials instead of someone else's is trust built over years, not just chemistry. Trust like that is patient capital: easy to spend quickly, slow to rebuild. Keeping brands paying full price for it only works if what Eastman shows a customer today still matches what happens at the plant tomorrow, without gaps.
Some parts of a business can move fast and recover from a mistake. Other parts can't. The companies that navigate that tension well over the next decade won't be the ones who pick a side, caution or speed, and apply it everywhere. They'll be the ones who can push hard where the cost of being wrong is recoverable, and get things exactly right where it isn't, without ever confusing which is which.
That's a harder discipline than it sounds. The instinct under pressure is to pick one mode and use it on everything. Fast everywhere feels like momentum, until something expensive breaks. Careful everywhere feels responsible, until a competitor moves past while the checklist is still being worked through.
Here's a pattern I've watched repeat, account after account, across companies that have nothing else in common: the mistake almost never happens where everyone's watching. The most scrutiny tends to go to the newest, highest-profile bet, the thing with a name and a budget and executive attention, precisely because it's new and everyone's watching it.
Meanwhile the oldest, least visible systems, the ones nobody remembers investing in, sit quietly in the background because nothing about them asks for attention. And it's usually the old, unwatched thing that turns out to be the one that couldn't afford to be wrong.
Knowing which parts of the business can take risk and which can't is already hard. Despite what popular marketing says, AI makes it harder, not easier. It's tempting to treat AI as one more tool that makes everything faster, uniformly. But speed without a clear sense of where it's safe to be fast is just a more efficient way to make mistakes.
The organizations getting real value out of AI right now aren't the ones running it everywhere at once. They're the ones being deliberate about where they let it move loose and where they don't, and building enough underneath that distinction to make it hold up under pressure, not just on a good day.
Right now, more of Eastman's foundation is being asked to carry both kinds of weight at once than at any point in its history: the speed of new bets, and the precision the oldest and most sensitive parts of the business have always required, including, often, the parts nobody's looked at closely in years.
That's really where Cloudflare's role starts to make sense. Not another tool bolted onto the business, but the layer that makes it possible to draw that line cleanly, and keep drawing it correctly even in the parts of the business that stopped getting attention a long time ago. One place to decide what's allowed to move fast. One place to make sure what can't afford to be wrong, isn't, whether it's a new initiative everyone's watching or an old system nobody's thought about since it was built. Not a constraint on speed. The thing that makes speed anywhere safe to have at all.
None of this is a claim that anyone knows exactly how much of the next decade will be shaped by AI, or how permanent any of it turns out to be. Nobody does yet. But that uncertainty is exactly why the parts of Eastman that can't afford to be wrong deserve more attention now, not less, and why the parts that can move fast deserve the room to actually do it.
That's the conversation worth having, whenever it's useful.
Built Differently, Ready for What Nobody Saw Coming
For decades, security companies treated the Internet as something enterprises had to defend themselves from.
They protected infrastructure and applications by stacking boxes, appliances, gateways, and inspection tools around them.
The assumption was simple.
→Build the infrastructure first.
→Layer security on top of it after.
→Traffic has to reach the edge of that infrastructure before anything even looks at it.
→Which means the attacker is already close by the time anything gets stopped.
Cloudflare asked a different question: what if the Internet itself could be that security layer?
That question is the origin story.
And it is the reason the company matters more than ever.
The story starts in 2004 with Project Honey Pot.
The founders wanted to understand where email spam actually came from, so they built a way for website owners to plant traps for spammers and malicious bots. Over five years, thousands of websites across 185 countries joined.
The data grew quickly.
But customers kept asking for something more useful. Do not just tell us where the bad traffic is coming from. Stop it.
That is the turn in the story.
This did not begin as another security vendor trying to sell a better box.
It began with a different belief about where security should live.
→Not layered on top of the infrastructure.
→Not bolted onto the network.
→Not after the threat has already reached the customer.
→Security should live in the path of the interaction itself.
Roughly a quarter of the world’s Internet traffic runs through this network today. It’s built to sit within 50 milliseconds of nearly every connected person on Earth, running out of more than 337 cities in over 125 countries — with AI inference alone running from over 210 of those locations, offering access to more than 350 different models, and 80% of the top 50 generative AI companies use Cloudflare.
Which means wherever your users are, wherever your employees are, wherever your AI agents are operating, none of them are ever far from this network.
But the numbers are not the real story. The architecture is.
Lee Holloway didn’t build just another standard proxy.
He built something else entirely: a global reverse proxy layer where the same software runs on every machine, in every location, at the same time.
The physical equipment was not exotic. It was commodity x86 servers in colocation facilities around the world. The radical part was what the software made possible.
Lee did not just write code that moves traffic from one place to another. He wrote the code that lets a request get received, understood, and decided on — then blocked, challenged, routed, cached, accelerated, or passed safely through. All inside the same flow of handling that request.
That is the important part. A request does not need to bounce from one security tool to another, then to another routing layer, then to another performance product before a decision gets made. It gets evaluated as it moves through the network path it is already taking.
The software looks at what the request is, where it came from, what it is trying to reach, whether it matches customer policy, whether it looks automated or malicious, whether it should be served from cache, and where it should go next.
That is what makes the architecture different. The network is not just carrying traffic. It is understanding traffic.
And because the same software runs everywhere, the same kind of decision can happen close to the user, close to the application, and before the request reaches the customer’s infrastructure. For a customer, that is not a technical detail. That is the difference between managing five tools that each see part of the problem, and having one system that sees all of it, at the moment it matters.
That is why so many use cases can run from the same foundation. Not because every product was bolted on later. Because the original architecture already put this company in the right place: directly in the path of the interaction, with the ability to understand and act on a request before it reaches something important.
Once you understand that, the rest makes more sense. Zero Trust makes sense because it already sits between users and applications. API security makes sense because it already sits between API traffic and the services behind it. Bot management makes sense because it sees automated traffic before it reaches the customer. AI security makes sense because it sits in the path between agents, models, tools, APIs, and data. This is why it can support so many use cases without feeling like a pile of separate products.
The original bet was never just to build a faster website service. The bet was to put intelligence in the path of Internet traffic, make it fast enough that customers would actually use it, and make it global enough that location stopped being the limiting factor.
That is easy to say now. It was brutally hard to build. It required high-performance networking code so security would not slow everything down. It required the ability to push policy changes across the world quickly. It required keeping every location aligned. It required making every location capable of handling every customer. And it required walking away from the business model most networking companies were built on: selling expensive hardware appliances.
That conviction is exactly what a customer is buying into today — not just a product, but a company that bet its entire business on being architected right, instead of selling more boxes.
The bet was simple. If you own the network path, you do not need to sell boxes.
That bet now matters more than ever. Because the enterprise problem has changed. For a long time, the question was: how do we protect the application? That question is no longer enough. Now the question is: how do we protect every interaction before it reaches something important?
That is the AI problem. AI agents do not behave like traditional software. Traditional software usually runs in known places, follows known workflows, and talks to known endpoints.
AI agents behave differently. They make decisions. They call APIs. They retrieve data. They use tools. They talk to models. They may trigger actions across applications. They may interact with other agents.
That creates a very different security challenge. It is not enough to ask whether an application is protected.
Enterprises now have to ask:
→Who is making the request?
→What are they asking for?
→What data is involved?
→What tool is being used?
→What action is about to happen?
→Should it be allowed?
→Should it be blocked?
→Should it be logged?
→Should a human approve it first?
That is why this origin story matters.
AI does not need another security product sitting beside the action. It needs control at the point of interaction. That is what this architecture was built to do.
The punchline is not that a better security company got built. The punchline is that the old security model got rejected entirely. It did not assume the Internet was something to hide from. It assumed the Internet itself could become the place where security, performance, routing, and application logic happen.
That is why the same architecture now applies to websites, applications, APIs, employees, bots, and AI agents.
This was not built for AI.
It was built for the world AI creates.