Modernizing apps for strategic growth
When and how to rehost, replatform, or refactor
For technology leaders, the question isn’t whether to modernize their applications. You already know it’s worthwhile, and you’re likely in the midst of modernizing right now. But it’s not always a straightforward endeavor. Modernization efforts stumble without a clear strategy. The real challenge is choosing a path that strengthens security, accelerates business agility, and delivers lasting value.
There’s no time to lose. According to the 2026 Cloudflare App Innovation Report, organizations that modernize their applications effectively see significant cost savings, operational efficiency, and stronger customer loyalty, while also spending less on remediating preventable security incidents.
Three forces are driving application modernization:
1. AI requires agility. AI-driven systems thrive on agile, secure, data-rich infrastructure. According to our latest app innovation report, companies that modernize their applications are three times more likely to see a clear ROI on AI. In fact, 93% of leaders say that updating their software was the single most important factor in boosting their AI capabilities.
2. Evolving threats demand security by design. Sophisticated adversaries exploit the slightest weaknesses in legacy systems. While aligning security and app development teams can be challenging, modernization enables you to embed security features and compensating controls across applications and infrastructure, with unified visibility and deep observability.
3. Users expect instant, seamless experiences. Customers and employees demand applications that are fast, personalized, and always on. Organizations unable to deliver secure, resilient, and high-performing digital experiences risk losing both trust and market share.
Despite these pressures, only 13% of senior enterprise leaders say their application modernization efforts are ahead of schedule. Blame it on the rapid pace of technological change, especially around AI and multicloud adoption, which also exposes the limits of legacy architectures. These older hardware and software systems often persist because they support mission-critical functions. Yet they typically rely on outdated code, lack vendor support, and miss modern security controls. Maintaining those older systems means carrying forward a minefield of unpatched vulnerabilities, unsupported dependencies, and undiscovered attack paths.
For business leaders, application modernization is more than a technical upgrade. It’s a growth and strategic defense initiative.
Beginning with the right questions
Choosing the best application modernization strategy is a highly complex and time-sensitive decision that often involves assessing critical business factors, such as speed, cost, risk, and long-term value. Doing so ensures that the chosen approach aligns with both immediate operational needs and strategic objectives for sustainable growth.
Essential but highly individual decisions must quickly be made along three main areas:
Timeline: How quickly do you need to modernize critical applications and infrastructure? Are there compliance deadlines or known vulnerabilities that demand immediate action?
Budget: What resources can you allocate to application modernization versus routine operations and committed programs? Which areas align with overarching business goals?
Team capabilities: Does your team possess the necessary skills to implement and secure modern architectures? Will you need to hire, train, or partner with external expertise?
Though their paths may differ, organizations that are successful with modernization often share one element: They have decisive leadership.
Successful organizations empower small teams to act swiftly rather than getting mired in consensus-building. Cloudflare research shows that 66% of organizations surveyed state that they have a streamlined decision-making process, regardless of the size of the team.
Nearly all leaders also recognize they need to allocate dedicated budget line items for continuous application modernization, not just crisis response. According to Cloudflare research, almost 90% of all organizations anticipate an increase to their application modernization budget.
Moreover, success requires embedding security from the start. A "security by design" approach frees technical teams to focus on the big picture rather than day-to-day troubleshooting. The payoff is immediate. Organizations that embrace security by design waste fewer resources on remediating security weakness and firefighting security incidents. Instead, they can apply their teams to innovating and achieving operational excellence.
Evaluating three approaches to app modernization
With key questions answered, you can evaluate the technological options for application modernization: rehosting, replatforming, or refactoring. No one size fits all, and the approaches are complementary. Organizations often implement multiple processes at different times, tailored to their specific needs.
Rehost: Lift and shift
This approach is straightforward: It involves directly moving workloads and applications from on-premises environments to the cloud without changing code. It’s primarily used to exit legacy data centers where speed of change overrides optimization. Rehosting makes sense when urgent contracts end, you have a small team, or you need immediate relief from aging on-premises infrastructure. But it should be seen as a stepping stone to more comprehensive modernization.
There are multiple benefits from a security standpoint. Primarily, you're slamming shut the window of vulnerability from outdated infrastructures. You may see quick cost savings that can be redirected to security initiatives, and you'll see immediate wins, making the boardroom happy.
However, with this approach, technical problems can follow you. Outdated authentication mechanisms, encryption protocols, and unpatched holes all get a free ride to the new environment. You're moving known — and perhaps unknown — risks and issues to a new location without addressing their root causes.
Replatform: Lift and reshape
Replatforming involves making selective upgrades while preserving core logic. You're making targeted improvements without a complete rebuild. This approach is ideal when you’re seeking an efficient way to modernize applications and infrastructure across multicloud and hybrid environments. It's particularly valuable when specific security pain points need to be addressed immediately, but business-critical logic must remain intact.
Legacy application replatforming offers more security value than rehosting, as it allows you to address vulnerabilities during the migration. You can modernize authentication, implement better encryption, and integrate modern security tooling without rewriting entire applications. The core application logic remains monolithic, though, limiting your agility for feature development and restricting your ability to address systemic security issues.
Refactor: Redesign for the cloud
Refactoring means rebuilding applications entirely with modern architectures. You're redesigning from scratch with security baked in from day one. Refactoring is essential for mission-critical, high-growth, high-change applications, especially those handling sensitive data or with a high likelihood of being targeted by sophisticated attacks.
This approach offers significant security benefits because it allows CISOs to implement modern security tools from the ground up. Defense-in-depth, secure-by-design, and zero trust principles become foundational rather than retrofitted.
On the other hand, the journey is expensive, with long timelines and higher implementation risks. New codebases can also introduce new vulnerabilities if not properly secured during development.
Advances in AI-assisted code modernization can help. You can greatly reduce the time and complexity involved in application refactoring, enable dynamic language translation, and convert legacy code directly into your optimized language of choice. At the same time, you can automatically identify and fix deprecated libraries and security weaknesses during migration.
Taking a hybrid approach
Most organizations don't choose just one path for all their applications. They mix approaches based on application risk profiles and business criticality, which is actually the most pragmatic security strategy. Consider these scenarios:
1. Rehost your HR system: It's stable and handles sensitive data. Moving it to a more secure cloud infrastructure provides immediate risk reduction with cost benefits.
2. Replatform your customer portal: Remove performance bottlenecks by replatforming to cloud infrastructure. This strategy integrates modern authentication, encryption, and API security controls to protect customer data without a complete redesign.
3. Refactor your core product: This application is your innovation engine and primary target for attack. Invest in complete modernization with security-first architecture to protect intellectual property and customer trust.
The advantage of this hybrid approach is balance. You achieve speed where needed, optimize security controls where practical, and invest in transformation where it matters most.
Preparing for challenges in application modernization
No matter which application modernization strategies you employ, prepare for some challenges along the way. For example:
Consistency: Bringing together disparate applications onto a unified platform and ensuring consistent security, performance, and compliance across all apps can be difficult.
Cost: Modernizing an entire application landscape is often expensive, especially for organizations managing hundreds or thousands of applications.
Vendor management: Vendor management is also a big concern in app modernization. Many organizations rely on multiple technology vendors for different parts of their software landscape, making modernization more complicated.
Regulations: Companies that operate globally face challenges in adhering to data sovereignty policies, diverse industry and locally enforced standards, as well as established and emerging sector-specific or national regulatory requirements.
These challenges are real, but they shouldn’t keep you from driving forward. Choosing the right approach (or approaches) for your organization, and then building in sufficient time and resources, can help you address these challenges and achieve your goals.
Prioritizing application modernization
With mounting pressure to improve agility, security, and user experiences, application modernization is a survival imperative. It is foundational to growth and resilience. Conversely, the cost of inaction includes mounting technical debt, missed opportunities, and rising spend.
There is no single best strategy for everyone. The most successful modernization projects align technical choices with clear business objectives and security imperatives.
Cloudflare can help your organization accelerate your application modernization journey — whether you are rehosting, replatforming, refactoring, or employing a hybrid approach. With app development, app delivery, security, and observability capabilities built into a single platform, Cloudflare enables your teams to efficiently bring your software into the present and prepare for the future.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Discover the latest application modernization trends and the strategies that industry leaders have in common in the 2026 Cloudflare App Innovation Report.
Author
James Todd — @jamesctodd
Field CTO, Cloudflare
Key takeaways
After reading this article, you will be able to understand:
How to strategically plan application modernization initiatives
The difference between key app modernization strategies
Common roadblocks to app modernization