That "hours rather than months" claim Cloudflare makes about migrating from Zscaler to its Zero Trust platform isn't marketing hype - it's now a downloadable skill file any agent can load. Cloudflare released the Cloudflare One stack: two files that package the migration and deployment expertise their team built over tens of thousands of customer-facing hours.
Two Skill Files That Replace Months of Discovery
The stack ships as cloudflare-one and cloudflare-one-migration. These are plain skill files agents load automatically when the context matches. No custom integration, no vendor lock-in. You can use them standalone, layer your own context on top, or build tooling around them. The cloudflare-one-migration file contains handpicked logic for migrating from Zscaler, Palo Alto Networks, and Netskope - the same logic that powered Cloudflare's Descaler and Deskope programs.
Each file bundles structured knowledge, decision trees, and tool definitions. For example, ask an agent to replace your VPN with Cloudflare Tunnel or Cloudflare Mesh, and the skill knows how to inventory existing VPN applications, map each to the right Cloudflare primitive (self-hosted Access app, Tunnel-connected service, or Mesh-connected network segment), generate a recommended deployment sequence that minimizes cutover disruption, and produce a configuration summary for your team to review before changes are made.
How the Migration Logic Works: Enterprise Playbook, No Engagement Required
The migration skill doesn't just offer generic advice. It maps Zscaler application definitions to Cloudflare Access application definitions, transforms Zscaler user groups and policies into Cloudflare Access policies, then uses the Cloudflare API to create equivalent resources in your account. A summary tells you what was migrated and what needs manual review. Cloudflare's Descaler and Deskope programs have already moved enterprise customers through this process in hours. The stack makes that capability available to any customer or partner at any time, without waiting for a scheduled engagement.
Vendor concept translation is a first-class feature. The stack handles remote access and VPN replacement with Cloudflare Access, user/network/device/data security with Cloudflare Gateway, and connectivity with Tunnel, Mesh, and WAN. Network diagram interpretation and generation lets you visualize proposed changes. The troubleshooting and operations toolkit includes Digital Experience Monitoring (DEX) and automated rule recommendations based on live traffic.
Pairing with the MCP Server for Live API Control
Alone, the skill files give agents context. Paired with Cloudflare's code mode MCP server, agents get a typed interface to the Cloudflare API. The MCP server compresses authentication into a single interface, keeping credentials out of model context. Agents can query your live account, inspect configurations, and make changes through curated, Cloudflare-recommended workflows rather than ad-hoc API calls that could misconfigure something.
The stack is available today from the Cloudflare Skills repository. Cloudflare plans to add more migration sources and advanced troubleshooting workflows as they learn how customers and partners actually use these agent-playbooks in production.
Source: Introducing the Cloudflare One stack: agent-powered deployment
Domain: blog.cloudflare.com
Comments load interactively on the live page.