
Cloudflare Threat Report: Key Findings of the Report


The cyber threat landscape continues to change rapidly, and the digital infrastructure of businesses is becoming increasingly complex. Cloud services, SaaS platforms, remote work, and active use of artificial intelligence open up new opportunities for business development but also create new cybersecurity risks. That’s why it’s important for companies to understand how modern attacks are evolving and what factors will define cyber risks in the coming years.

According to Cloudflare experts, the company’s global network withstands more than 230 billion cyber threats daily. Because that network processes over 20% of the world’s internet traffic, its researchers are in a unique position to analyze global attack signals and track changes in cybercriminal tactics in real time.

Based on this telemetry, the Cloudforce One analyst team prepared the Cloudflare Threat Report 2026 study. The report summarizes trillions of network signals, observations of cybercriminal group activities, and key trends that will influence the cybersecurity of organizations in the near future.

Below we review the key findings of the Cloudflare Threat Report 2026 and Cloudflare experts’ recommendations on strengthening organizations’ cyber defenses.

FINDINGS

Key Trends of 2026

1. AI is automating high-velocity attacker operations

The primary metric for risk in 2026 is the Measure of Effectiveness — the ratio of attacker effort to operational outcome. The accessibility of generative AI significantly lowers the barrier to entry for highly effective operations, moving the industry beyond technically elegant code to “offense by the system.” By leveraging a victim’s own cloud, software as a service (SaaS), and AI infrastructure to fund and scale missions, adversaries are achieving a level of frictionless scale that traditional risk models fail to capture.

2. State-sponsored pre-positioning is compromising critical infrastructure resilience

Chinese threat actors, notably Salt Typhoon and Linen Typhoon, are prioritizing North American telecommunications, government, and IT services for persistent pre-positioning. This strategic targeting suggests a deliberate shift toward preparing for future disruptive events over immediate espionage. By embedding footholds within core infrastructure, adversaries are eroding the foundational resilience of essential public and private sector services, anchoring their presence for long-term geopolitical leverage.

3. Over-privileged SaaS integrations are expanding the blast radius of attacks

The security of corporate data is now defined by third-party integrations rather than the traditional network perimeter. In 2026, a single over-privileged SaaS-to-SaaS connection can be weaponized via AI to trigger surgical, multi-tenant breaches across entire ecosystems simultaneously. This structural vulnerability turns the “connective tissue” of modern enterprises into a primary vehicle for widespread and automated operational disruption.

4. Adversaries are subverting service ecosystems to mask attacks

Threat actors are weaponizing legitimate cloud ecosystems (SaaS, IaaS, and PaaS) to camouflage malicious actions within benign enterprise operations. In 2026, the use of trusted platforms for encrypted command delivery has matured into a standardized obfuscation layer within broader, multi-stage hybrid infrastructures. This democratization of scalable, high-bandwidth cloud resources allows even low-tier actors to execute sophisticated attacks that bypass traditional egress filtering.

5. Deepfake personas are embedding adversarial operatives within Western payrolls

The industrialization of fraudulent identities now allows state-sponsored operatives to embed themselves directly into Western payrolls. These actors leverage deepfake profiles and remote laptop farms to maintain a residency illusion that evades geolocation and identity controls. This infiltration turns the remote workforce into an attack vector, placing malicious insiders within the organization’s most trusted administrative and financial systems.

6. Token theft is neutralizing multi-factor authentication

Adversaries are neutralizing standard multi-factor authentication (MFA) by transitioning from “attacking the box” to “attacking the session.” Using infostealers like LummaC2, attackers actively harvest live session tokens to capture already-authenticated states and bypass perimeter controls. This shift has turned ransomware into a simple login event, where attackers exploit fragmented identity estates to move laterally without triggering the credential alerts once relied upon for detection.

7. Relay blind spots are enabling internal brand spoofing

Attackers are exploiting a critical blind spot where mail servers fail to reverify a sender’s identity after a message passes through a third-party gateway. Because the traffic arrives from a “trusted” relay, the system incorrectly treats external spoofed messages as internal or safe. This allows phishing-as-a-service bots to bypass standard protection and deliver high-trust brand impersonations directly to user inboxes by abusing fragmented mail authentication.
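The relay blind spot above can be closed by honouring the gateway’s own verdict on the original sender rather than the reputation of the hop. The following added example (not Cloudflare’s or the report’s code) classifies constructed messages; the gateway hostname and internal domain are assumptions.

```python
"""Re-verify the original sender of mail that arrives via a trusted gateway.
Added example with constructed headers; the relay hostname and internal domain
are assumptions. The gateway's own Authentication-Results verdict decides."""
import re
from email import message_from_string

TRUSTED_RELAY_HOST = "gateway.example-secgw.net"  # assumed third-party gateway
INTERNAL_DOMAINS = {"corp.example"}               # assumed own mail domain(s)

def _from_domain(msg) -> str:
    """Domain of the RFC 5322 From: header, lower-cased ('' if absent)."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""

def _relay_verdict(msg) -> dict:
    """spf/dkim/dmarc results from the Authentication-Results header the relay stamped."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() == TRUSTED_RELAY_HOST:
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    return {}

def classify(raw_message: str) -> str:
    """Return 'external', 'internal' or 'spoofed-internal' for a raw message."""
    msg = message_from_string(raw_message)
    if _from_domain(msg) not in INTERNAL_DOMAINS:
        return "external"
    via_relay = any(TRUSTED_RELAY_HOST in r for r in msg.get_all("Received", []))
    if not via_relay:
        return "internal"  # assumption: direct submissions were authenticated upstream
    # The blind spot: the hop is trusted, but only the relay's verdict on the
    # *original* sender says whether an internal-looking From: may be trusted.
    if _relay_verdict(msg).get("dmarc") == "pass":
        return "internal"
    return "spoofed-internal"

# Constructed sample messages (not from the report).
SPOOFED = (
    "Received: from mx.attacker.example by gateway.example-secgw.net\n"
    "Authentication-Results: gateway.example-secgw.net; spf=fail smtp.mailfrom=corp.example;"
    " dkim=none; dmarc=fail header.from=corp.example\n"
    "From: CEO <ceo@corp.example>\nTo: finance@corp.example\nSubject: Urgent wire\n\nPay now.\n"
)
LEGIT = SPOOFED.replace("spf=fail", "spf=pass").replace("dmarc=fail", "dmarc=pass")
EXTERNAL = SPOOFED.replace("ceo@corp.example", "news@vendor.example")
```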

8. Hyper-volumetric strikes are exhausting infrastructure capacity

Hyper-volumetric distributed denial-of-service (DDoS) attacks, fueled by massive botnets like Aisuru, have established a record-breaking 31.4 Tbps baseline that physically exhausts most organizations’ network capacity. These autonomous strikes peak in seconds, effectively closing the window for human intervention and placing an extreme resource tax on local infrastructure.

EXPERT RECOMMENDATIONS

Roadmap for Strategic Cyber Resilience

The key findings in this report signal that the 2026 threat landscape is defined by the weaponization of identity, the industrialization of SaaS supply chain vulnerabilities, and the emergence of hyper-volumetric, autonomous DDoS strikes that outpace human intervention.

To thrive in this environment, organizations must pivot from reactive, infrastructure-centric defense to a proactive, identity-centric resilience model. The following recommendations provide a high-level roadmap for neutralizing these emerging force multipliers and securing the modern, AI-integrated enterprise.

1. Focus AI security efforts on securing workforce AI usage

Prioritize securing how employees interact with LLMs to prevent AI-assisted navigation by attackers. Implement strict data loss prevention (DLP) for AI prompts and deploy browser-isolated environments for generative AI tools to ensure corporate keys to the kingdom aren’t inadvertently leaked into model training sets or captured by infostealers.

2. Transition from MFA to identity-first zero trust

Since infostealers like LummaC2 now harvest session tokens to bypass MFA, organizations must move beyond simple one-time codes. Implement phishing-resistant MFA (FIDO2 / passkeys) and continuous monitoring that invalidates sessions instantly if impossible travel or suspicious device fingerprints (like mouse-jiggling software) are detected.
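The continuous-monitoring part of this recommendation can be expressed as a check over session-usage events: a live token that is replayed from an implausible distance or from a different device is revoked. This is an added illustration with constructed events, not code from Cloudflare or the report; the speed threshold, coordinates and fingerprint values are assumptions.

```python
"""Session-token monitoring: revoke a live session when its use implies token
theft. Added example with constructed events; the speed threshold, coordinates
and device fingerprints are assumptions, not values from the report."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner => impossible travel

@dataclass
class SessionEvent:
    token_id: str     # identifier of the authenticated session token
    ts: float         # seconds since epoch
    lat: float
    lon: float
    device_fp: str    # browser/device fingerprint bound to the session at login

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def sessions_to_revoke(events: list) -> dict:
    """Map token_id -> reason for every session whose consecutive uses are suspicious."""
    by_token: dict = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_token.setdefault(ev.token_id, []).append(ev)
    revoked = {}
    for token_id, evs in by_token.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur.device_fp != prev.device_fp:
                revoked[token_id] = "device fingerprint changed mid-session"
                break
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts) / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                revoked[token_id] = f"impossible travel: {km:.0f} km in {hours:.2f} h"
                break
    return revoked

# Constructed events: sess-A replayed across continents, sess-C from a new device, sess-B benign.
EVENTS = [
    SessionEvent("sess-A", 0, 50.45, 30.52, "fp-laptop-1"),
    SessionEvent("sess-A", 600, 43.65, -79.38, "fp-laptop-1"),
    SessionEvent("sess-B", 0, 50.45, 30.52, "fp-laptop-2"),
    SessionEvent("sess-B", 1800, 50.46, 30.53, "fp-laptop-2"),
    SessionEvent("sess-C", 0, 50.45, 30.52, "fp-laptop-3"),
    SessionEvent("sess-C", 120, 50.45, 30.52, "fp-unknown-9"),
]
```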

3. Harden the SaaS-to-SaaS connective tissue

The GRUB1 campaign proves that a single compromise of a trusted integration can create a dangerous ripple effect. Conduct an immediate audit of all SaaS API permissions. Apply the principle of least privilege to integrations, specifically looking for over-privileged read / write tokens in tools like Salesforce, Slack, and GitHub that could allow an attacker to pivot between clouds.

4. Implement human-in-the-loop verification for remote hiring

To counter the industrialized North Korean insider threat, move away from purely digital onboarding. Use zero trust biometric verification for all remote video interviews and enforce strict hardware-based geofencing. Corporate laptops should be cryptographically paired to the user’s physical location to neutralize “laptop farm” facilitators.

5. Adopt autonomous, hyper-volumetric DDoS defenses

With the Aisuru botnet pushing attacks to a 31.4 Tbps new baseline, the window for human intervention has closed. Organizations must shift to automated, edge-based mitigation that can respond in seconds. Legacy scrubbing center models are no longer sufficient for attacks that peak and conclude within 10 minutes.

6. Isolate peripheral infrastructure to contain exposure

To establish a robust defensive posture, organizations must implement a strategic shift in how they manage IaaS and SaaS dependencies. Specifically, subsidiary and supporting services should operate independently, utilizing dedicated domain names, unique IP addresses, and, where feasible, distinct autonomous system numbers (ASNs).

7. Eliminate email blind spots with AI-first security

PhaaS bots can rapidly bombard organizations with emails leveraging polymorphic tactics that bypass legacy secure email gateways. Organizations must adopt AI-first email security capable of interpreting these shifting variables and adapting to both incoming and lateral threats. By utilizing signals beyond the email inbox, these systems can better identify and neutralize internal compromised accounts in real time.

CONTACT US

What companies should do now

Modern cybersecurity should focus not only on the network perimeter but also, more importantly, on identities, accesses, and interactions between services, as these elements are increasingly becoming the primary target of attacks. It is important for organizations to strengthen control over integrations between SaaS platforms, implement a principle of least privilege, and ensure continuous monitoring of suspicious activity.

At the same time, effective protection requires not only technologies but also access to quality cyber intelligence and expert support. The Cloudforce One solution combines global threat visibility with practical expertise: from threat analytics and monitoring to incident response and digital forensics.

The combination of threat analytics, continuous monitoring, and rapid response enables organizations to detect attacks faster, minimize their impact, and enhance their overall level of cyber resilience. In today’s digital environment, such a comprehensive approach becomes a crucial factor for effective business protection.

If you are interested in how to turn insights from this research into concrete steps to enhance the cyber resilience of your organization, contact our specialists. We will help assess current risks and select solutions that match your business processes.

iIT Distribution, the official distributor of Cloudflare, provides distribution and promotion of its solutions within Ukraine.
