Just Eat Takeaway

Just Eat Takeaway consolidates security defenses and eliminates costly downtime, saving millions with Cloudflare

Just Eat Takeaway is about empowering convenience. A leading online delivery service that operates seven brands across 17 countries, Just Eat Takeaway connects over 61 million consumers worldwide with 300,000+ partner restaurants, services, and retailers.

To provide exceptional customer experiences, delivering efficiency, choice, and value is Just Eat Takeaway’s core mission. The company is focused on consolidating tech platforms to streamline delivery logistics and accelerate customer services, while expanding beyond food and beverage delivery to electronics, groceries, and popular day-to-day conveniences.

“Customers come to us because we offer them all the choice they need,” says Neal Potter, Just Eat Takeaway’s Head of Security Operations. “But also we offer great value — the logistics network that underpins our services makes sure consumers get what they've ordered, and they get it on time.”

Eliminating platform outages and malicious bot traffic to protect revenue, reliability, and user trust

Processing over 700 million customer transactions per year, Just Eat Takeaway required a secure digital foundation that guaranteed uptime, protected services under heavy load, and supported rapid change. As the company scaled, however, their third-party service provider mismanaged recurring outages that stretched internal teams and undermined platform trust.

“It was time for a reliable partner,” says Potter. “Every platform outage the provider caused cost us money.”

Exacerbating the company’s performance and availability issues, unauthorized bots targeted courier scheduling workflows, overwhelming their logistics infrastructure, and degrading the work experience for legitimate users. Attackers also launched regular DDoS events and countless exploit attempts, many powered by AI-driven scanning tools.

“Our biggest application security concern is the rapidly evolving threat environment,” Potter explains. “Our attackers can now use AI to scan for chinks in our armour at scale. That’s a very serious issue — every hour of outage on our platforms costs us millions.”

To manage their growing attack surface and enforce consistent global security policies, Just Eat Takeaway needed a partner that could help them enhance reliability and reduce platform complexity while securing their public web infrastructure with a single, comprehensive networking and security solution.

“Because uptime, platform resilience, and protecting customer data are paramount, we partnered with Cloudflare,” says Potter. “They're the industry leader and have a fantastic reputation in the space. It has proven to be the right move.”

Creating a secure, high-performance digital foundation with Cloudflare Application Security and Performance Solutions

Cloudflare provided Just Eat Takeaway with the global coverage and functionality to update and stabilize their global platform in their connectivity cloud — a composable global network-powered ecosystem consolidating performance, networking, security, and application development.

Just Eat Takeaway migrated from the old provider to Cloudflare application security and performance solutions in parallel with a new initiative to automate WAF configuration and global CI/CD and deployment pipelines with infrastructure-as-code (IaC).

“Moving to infrastructure-as-code at the same time as our WAF migration, we had a skill barrier to jump,” says Potter. “Partnering with Cloudflare was the key to our success. It gave us access to the right people and helped us acquire the skills we needed. That laid the groundwork for where we are today.”

Just Eat Takeaway completed the entire migration in under two months. Using Cloudflare’s Web Application Firewall (WAF), cloud-native security on the 335-city, 125-country Cloudflare network, and the 405 Tbps capacity of Cloudflare’s DDoS Protection, Just Eat Takeaway absorbs and mitigates attacks on the network edge without straining performance or exhausting team resources.

“When we first moved to Cloudflare, all eyes were on availability, but the solution effortlessly blocks hundreds of DDoS attacks alongside hundreds of thousands of exploit attempts per year,” says Potter. “It is like magic. It just happens. We don't need to give it much thought at all.”

Further streamlining the security of their public web assets, Just Eat Takeaway built Terraform pipelines to augment the Cloudflare-managed and OWASP WAF rulesets that block zero-day vulnerabilities, top-10 attack techniques, stolen and leaked credentials, and the extraction of sensitive data.

“Cloudflare’s rules are really good — they offer a zero-touch approach to keeping pace with evolving threats and exploit attempts,” says Potter. “But using Cloudflare to create and deploy custom rules as code and manage them at scale across our estate is also hugely valuable.”

Reducing unwanted bot traffic to ensure fair scheduling practices

Rounding out their public application security with Cloudflare Bot Management as part of a multi-technology effort, Just Eat Takeaway blocked another major drain on finances, performance, and internal resources — couriers turning to unauthorized, automated platforms to monopolize prime delivery shifts.

“Our courier scheduling applications were receiving upwards of 90% bot traffic as people used shift grabbers to game the system. These created far higher system loads than human traffic,” says Potter. “Working alongside the other technologies we implemented, Cloudflare reduced that to negligible levels overnight, cutting our costs and administrative overheads and leveling the playing field for the individuals that don't resort to automated techniques.”

Just Eat Takeaway has also seen significant success using Bot Management to secure web properties against credential stuffing, content scraping, inventory hoarding, AI-powered vulnerability scans, and other emergent threats. Using a combination of methods that include JA3 and JA4 fingerprinting, machine learning, and behavioral analysis, the company has achieved new levels of threat protection without complex configurations or high maintenance overheads.

“Our previous provider was not particularly good at mitigating vulnerability scans or other bot-based attacks, especially at the scale today’s AI allows,” says Potter, “While the easy-to-implement Cloudflare solution seems less complex on the surface, deep analytics and Cloudflare threat intelligence under the hood protect us, even if we don’t know exactly how it works.”

Reducing operational overheads and platform complexity with Terraform integration and no-touch security automation

According to Potter, re-establishing availability with Cloudflare had a profound effect on Just Eat Takeaway’s bottom line.

“By protecting our availability, Cloudflare also safeguards our profitability. It's as simple as that. Every outage we had cost us millions — Cloudflare helped us put an end to that.”

Besides increasing availability and enhancing Just Eat Takeaway’s security posture, switching to Cloudflare has simplified security management. Eliminating manual intervention and switching to automated deployment workflows, the company has reduced operational complexity and costs while enhancing speed, consistency, and flexibility. Cloudflare Terraform integration also facilitates better collaboration, version control, and disaster recovery capabilities.

“Cloudflare’s infrastructure-as-code compatibility has been really beneficial,” says Potter. “It has allowed us to scale our approach to deploying rules across our entire infrastructure, and given us a robust, repeatable, and versioned CI/CD pipeline that ensures we have the flexibility to quickly revert incorrect configurations.”

Compounding the company’s gains, Cloudflare’s WAF, DDoS protection, and bot management operate primarily as hands-off defenses, freeing security engineers from the constant firefighting of the past to focus on new strategic business challenges. Cloudflare has also lightened the workloads of Just Eat Takeaway’s security teams by simplifying previously burdensome tasks like rule deployment, false-positive tuning, and exploit defense.

“If we were still responding manually to threats, each DDoS incident would cost us several hours,” Potter says. “Now we can put that time to better use somewhere else, like developing our internal SOC.”

An ongoing partnership to enhance platform observability and improve the developer experience with Cloudflare automation and AI tools

Just Eat Takeaway aims to further streamline operations and extract more value from the Cloudflare platform.

“We’re keen to look into using Cloudflare Log Explorer,” says Potter. “Exporting logs into a SIEM or observability platform is very expensive because of the volume. Accessing the data natively with the Cloudflare API and exposing it to other tools could save us a lot of money.”

He also sees a growing opportunity to leverage AI and Cloudflare automation to make operations even more efficient for Just Eat Takeaway’s developers and engineers.

“I want to ensure that our team has a good experience managing the code and managing Cloudflare,” he says. “Advances in AI will enable more consistent experiences for our engineers and a more consistent application of our policies.”

Potter also sees continued potential in the company’s relationship with Cloudflare, especially around emerging security features and roadmap alignment.

“Our partnership works because Cloudflare is transparent,” he adds. “We can talk to the people building the product. That kind of access gives us a real say in how we solve problems and approach what comes next.”