Founded in 1994, and publicly listed since 2019, EQT is a global investment company headquartered in Stockholm, Sweden. With over €100 billion in assets under management, EQT’s business lines cover private equity, venture capital, infrastructure, real estate, and other sectors.
EQT’s investment strategy combines sector-specific expertise (e.g. healthcare, technology, services) with thematic focuses on macro challenges, which today include climate and nature, health and wellbeing, inclusion and equality, and urbanization. Over the past five years, EQT has continued its strong historic performance — its portfolio companies grew revenue by 17%, EBITDA by 18%, and employee count by 7% on average annually. In particular, its private equity business is one of the largest in the world, ranking third in Private Equity International’s PEI 300 in 2023 based on capital raised over the past five years.
In 2022, EQT grew its Asian presence by acquiring Baring Private Equity Asia (BPEA). As a result of the expansion, EQT now operates in countries representing 80% of the global GDP across Europe, North America, and Asia Pacific.
In addition to expanding its global and regional presence, over the past few years, EQT completed a major cloud migration and rapidly scaled its workforce. The combined changes and growth raised the stakes for its central IT and security team, which is responsible for both protecting its employees and investors and supporting security for its portfolio companies.
To prepare for its expansion, in 2017, EQT began migrating all of its on-prem infrastructure and applications to a 100% multi-cloud architecture. To aid in scaling its broader digital transformation goals, EQT began to explore cloud-based security vendors.
More recently, with the 2022 BPEA EQT merger, the company’s global headcount jumped from roughly 800 employees to more than 1800. In response, EQT has focused on scaling protections for EQT workers and strengthening cybersecurity across its new portfolio companies. EQT also continues to grow as a public company, increasing investor attention and regulatory scrutiny.
“The cloud migration and global expansion compelled us to reimagine our technology stack and strengthen our security posture,” says João Pedro Gonçalves, EQT’s Global Chief Information Security Officer. “We wanted to bring on cloud-native security like Cloudflare that could support us on a global scale into the future.”
EQT’s first challenge is a common starting point for Cloudflare customers: protecting its public websites with a Web Application Firewall (WAF). Gonçalves was aware of Cloudflare’s strong reputation in this area and, in fact, had direct positive experiences setting up Cloudflare in prior companies and for his personal use.
“Cloudflare was the first solution we turned to. We set it up, and it worked wonderfully,” he says. “As engineers, we like the fact that we could just sign up and start using and testing the service without the weeks of negotiation we have experienced with other vendors.”
The ease of the initial WAF rollout motivated EQT to displace its incumbent vendor for DNS record management with Cloudflare.
“We weren’t looking for a new DNS management solution,” says Kristian Petersen, EQT Group SRE Team Lead. “But we quickly recognized that we could reduce our operational complexity with Cloudflare. By putting everything in Cloudflare's connectivity cloud, we streamlined service management and improved our security by limiting the potential for human error.”
Today, Cloudflare manages 5 primary and 70 secondary domains for EQT, improves the performance of those websites with caching and dynamic content delivery via a CDN, and protects them from threats like DDoS attacks.
“Cloudflare WAF, DDoS, and DNS Management are more robust, reliable, easier to use, and throw fewer false positives than any solution I have experienced,” says Petersen. “Because of that, we depend more and more on Cloudflare.”
Impressed by its early results, EQT continues to expand its use of Cloudflare applications. To transform the user experience and improve application security across its operations in China, EQT adopted the newly introduced Cloudflare China Zero Trust/WARP solution. This provides EQT users behind the Great Firewall with protection and performant, reliable network access consistent with the rest of the company’s global workforce — all on the Cloudflare platform.
EQT also leveraged the Cloudflare Developer Platform, specifically Workers, to manage caching and dynamic content delivery and further improve the performance of its public websites. In addition to providing performance benefits, the Workers configuration allows EQT to completely isolate its public websites from its cloud-hosted applications, protecting critical internal systems from potential threats.
EQT’s cloud migration in 2017 set in motion efforts to reimagine how employees accessed internal resources.
Previously, EQT relied on traditional tools like Microsoft’s on-premises Active Directory to set access policies for its on-prem apps. Complicating matters, for a brief period after its cloud migration, EQT relied on a mix of its own custom proxies and an on-premises VPN, which were, according to Petersen, “a lot of pain to maintain” and “not always secure.”
At the same time, EQT was focusing on building its own internal applications to drive business growth, and in turn, hiring more developers who needed safe, streamlined access. One of EQT's major internal projects is Motherbrain, a proprietary AI language model for identifying and analyzing investment opportunities.
“The custom solutions we developed were fine when we had one or two local applications to protect,” says Petersen. “But we soon had over 20 proprietary web applications that were used every day for important work by a growing number of users. When Cloudflare showed us its portfolio of Zero Trust security services, it was exactly what we needed.”
Today, EQT protects access to all self-hosted applications for all employees and contractors using Cloudflare Access, a Zero Trust Network Access (ZTNA) service. Using a secure access service edge (SASE) and security service edge (SSE) approach, Cloudflare authenticates a request to an application only after verifying a user’s identity – in this case, based on integration with EQT’s identity provider, Okta.
EQT’s security teams value that they can strengthen security with default-deny, least-privilege policies that are consistent with Zero Trust best practices, while still streamlining the experience for their employees.
“The experience for end users is very smooth, and using a centralized service like Cloudflare to manage application access policies makes it easier for our IT and security teams,” says Gonçalves. “Plus, we now have visibility into who is using each of our services, which helps us improve our security holistically.”
EQT has also been able to automate the vast majority of the policy configuration process via Cloudflare integration with Terraform, the infrastructure-as-code tool. Before Cloudflare, changing or creating application access policies could take up to a full week; now the process takes five minutes.
“The time saved is a radical shift for us and allows our teams to focus on more strategic efforts,” says Gonçalves.
EQT’s positive experiences with Cloudflare have encouraged the company to continue growing the partnership. The manageability, ease of implementation, user-friendly interface, and extensive functionality of the Cloudflare platform have led the company to reconsider its attitude toward consolidation. The unified Cloudflare ecosystem, with its core Application Services — WAF, DDoS Protection, and DNS and Bot Management solutions — alongside the Cloudflare Developer Platform and Cloudflare Zero Trust SASE/SSE network security, has become the foundation of EQT’s connectivity cloud.
“We have always taken a best-of-breed approach to our IT and security stack,” says Gonçalves. “We are not afraid of killing security services that don’t work, but, with everything Cloudflare offers and the positive experiences we’ve had, we keep increasing our adoption of a unified solution. That's a very positive sign for the future.”
Reduced security policy implementation time from one week to five minutes using Cloudflare/Terraform automation
Simplified complex WAF and DNS Management and minimized administrative errors with unified core application services
Enhanced visibility into user authentication and service usage, improving application security for 2100 Access users
Centralized user authentication under WARP and Access to improve security and simplify the user onboarding process
Improved web performance and isolated public web content from internal cloud services with Workers