
Cloudflare has released its 2026 Threat Intelligence Report, outlining how cyberattacks are changing as nation-state actors and criminal groups move from “breaking in” to “logging in.” Drawing on data from its global network and Cloudforce One research team, the security firm says attackers are now focused on abusing legitimate access rather than simply crashing systems.
The report examines the 230 billion threats Cloudflare blocks on average each day and describes what it calls a rewiring of modern cyberattacks. Instead of relying only on brute-force disruption, attackers are using AI tools, large-scale botnets, and identity compromise to gain persistent access inside networks.
Cloudforce One analyzed trillions of network signals over the past year, along with threat actor tactics, techniques, and procedures. The findings point to AI systems being used to map networks in real time, develop exploits, and generate convincing deepfakes.
In one case, the researchers tracked a threat actor using AI to locate high-value data inside SaaS environments. That campaign led to the compromise of hundreds of corporate tenants in what Cloudflare describes as one of the most impactful supply chain attacks observed.
The report also details activity linked to Chinese state-sponsored groups, including Salt Typhoon and Linen Typhoon. These actors have narrowed their focus toward North American telecommunications, government entities, and IT services.
Rather than wide espionage campaigns, the activity centers on persistent pre-positioning inside critical infrastructure, essentially placing code within rival networks to enable future operations.
Identity abuse is another theme, with the report saying that North Korean operatives are using AI-generated deepfakes and fraudulent identification documents to bypass hiring processes. According to the findings, these operatives are embedded in Western corporate payrolls and mask their location through US-based laptop farms.
Cloudflare vs. DDoS
The report cites record-breaking DDoS attacks reaching 31.4Tbps and notes that large botnets such as Aisuru now operate at levels once associated with nation-states. Response windows are now too small for manual intervention, so autonomous defenses are required.
Matthew Prince, co-founder and CEO of Cloudflare, said: “Hackers thrive on the gaps left by fragmented, stale threat intelligence. At Cloudflare, we’ve built the largest and most comprehensive global sensor network that gives us a front-row seat to threats invisible to everyone else. By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate.”
Blake Darché, head of threat intelligence at Cloudforce One, added: “Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organizations must shift from a reactive posture to one fueled by real-time, actionable intelligence. This report is a North Star for understanding the scale of attacks, and how threat actor aggression and techniques are shifting. The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”
The overall conclusion of the report seems to be that identity verification, continuous monitoring, and automation are becoming central to cybersecurity strategy as attackers increasingly rely on valid credentials instead of brute force.
