Pacsun is a leading specialty retailer offering a cross section of emerging brands and trending fashion through the lens of youth culture. Throughout the contemporary, streetwear and active lifestyle markets, Pacsun partners with the best brands to offer curated collections, rare and exclusive products, and creative collaborations on every level. Founded in 1980, Newport, CA. Curated in Los Angeles.
Pacsun’s successes with hype retail and Gen Z fashion left the company with a unique but very serious dilemma. Due to their viral drop marketing strategy — limited edition online releases of high-demand merchandise — Pacsun’s online sales events were as irresistible to automated bots and online profiteers as they were to genuine customers. Frequent attacks on their website and inventory during their drops left IT and security teams struggling to keep the site online.
“Every time we had a hype sale, we set up a war room,” explains Sarwat Siddiqi, Pacsun’s Senior Cyber Security Engineer. “Six to eight times a year, before each drop, we would wait with our security vendor on call, afraid our site would soon stop responding due to malicious traffic. Sometimes it would go down in the first 10 minutes of a sale.”
The instability was eroding consumer confidence in the Pacsun brand and their events. In addition to incapacitating their servers, inventory hoarding bots caused problems by locking stock items and making them unavailable for purchase. Bot-driven purchases of limited-quantity items for resale also left stocks severely depleted once the site was back online. Unable either to buy products or access the site, frustrated shoppers abandoned their carts, resulting in millions of dollars of lost revenue.
The company’s previous security and CDN vendor, a long-established industry presence and early entrant into the content delivery space, was powerless to address it at scale — even with specialized third-party assistance.
“It became obvious our primary CDN security provider didn't have adequate tools to deal with the high levels and sophistication of distributed bot activity,” says Scott Forrest, Pacsun’s Chief Information Security Officer. “Even if they could catch 80% of the problem traffic, we still had to deal with the most dangerous 20% percent manually. We needed to get it under control.”
Based on recommendations from their payment services partner and other vendors, Pacsun opted to migrate off their legacy CDN and security provider and move onto Cloudflare.
“We saw the obvious benefits of moving over,” says Forrest. “When a specialized third-party bot management vendor told us they preferred to run their services on Cloudflare Workers, it became clear how far ahead of the curve Cloudflare was.”
After translating the custom rules from their existing solution, Pacsun began the migration to Cloudflare. They moved more than 95% of their traffic to the Cloudflare Global Network, switching on the Cloudflare Web Application Firewall (WAF), Secure DNS, and DDoS protection. From day one, Cloudflare performed flawlessly.
“Switching to Cloudflare, our system was 27% faster overnight,” says Forrest. “It improved our performance right off the bat — cache rates jumped immediately and things just started flowing.”
“That was when we knew we made the right call,” adds Siddiqi. “The cutover to Cloudflare was so smooth. The UI was much simpler too — using Cloudflare rather than our legacy tool, I no longer felt like I was working in an early 2000s data center.”
Since the implementation, Pacsun has seen even greater user experience gains by enabling Rocket Loader, the Cloudflare utility that asynchronously accelerates website rendering by prioritizing visual elements before scripts. Cloudflare DDoS protection also helped the company detect a bandwidth spike caused by a partner accidentally uploading a 4k image for their mobile pages rather than a 600-pixel version.
Pacsun appreciates their performance improvements under Cloudflare, but bot management is where they see the greatest results.
“Before Cloudflare, bot mitigation was a painfully manual process. We had to wait for the bad traffic, investigate its causes, and figure out how to build a rule to stop it,” says Forrest. “Cloudflare, with machine learning technology behind it, is always on — it does the work unassisted. That comforts us.”
Siddiqi estimates that now Cloudflare stops all but 1% of attacks before they reach the website. At Pacsun’s lowest point, within the first 10 minutes of a sale, 90% of all traffic on the site was bots that had snuck by their defenses.
“Since Cloudflare, I get to enjoy my breakfast instead of fighting to keep the site up. The bots still come, but it’s almost a non-event,” he says. “I actually get to focus on the things I should focus on — monitoring our partners, working with the ERP staff to check for duplicate or fraudulent email addresses, and general tasks that make the site run better.”
“Now," adds Forrest, "Instead of going to the office at 5:30 am to prepare the war room, we schedule a call with our partners 30 minutes before the sale starts. We cut the call short once we realize nothing bad is going to happen. Even though new security challenges always pop up, we haven’t had an ‘Oh my god, we’re on fire!’ moment since we have been with Cloudflare.”
Along their journey, the Pacsun security team has formed strong relationships within Cloudflare, building trust and relying on their Cloudflare Customer Success team to keep them informed of new features and help them achieve their goals. Cloudflare has supported their implementation, monitored key sales events, and helped streamline communications with their payment partners.
“Cloudflare have been absolute champions at preventing potential problems, increasing our efficiency, and making our journey over the last year highly successful on every front,” says Forrest. “There isn't anything we wanted to accomplish since we made the switch that we haven’t managed.”
27% increase in system performance on day one from improved cache rates
99% of harmful bot traffic stopped at the network edge
Averted millions of dollars in lost revenue from bot-related site outages during critical sales events
95% of all network traffic secured
“Switching to Cloudflare, our system was 27% faster overnight. We improved our performance right off the bat — cache rates jumped immediately and things just started flowing.”
Scott Forrest
Chief Information Security Officer
“The cutover to Cloudflare was so smooth. The UI is much simpler too — using Cloudflare rather than our legacy tool, I no longer felt like I was working in an early 2000s data center.”
Sarwat Siddiqi
Senior Cyber Security Engineer