AI-powered attacks, identity compromise, and massive DDoS campaigns reshape the global cybersecurity landscape.
Cloudflare, Inc. has released its inaugural Cloudflare 2026 Threat Intelligence Report, revealing how nation-state actors and cybercriminals are fundamentally changing their attack strategies. The report, developed by the Cloudforce One threat research team, analyzes data from Cloudflare’s global network and highlights how attackers are increasingly focusing on identity compromise and credential-based access rather than traditional system breaches.
According to the report, modern cyberattacks are evolving rapidly as threat actors leverage artificial intelligence (AI), large-scale distributed denial-of-service (DDoS) attacks, and advanced social engineering tactics to infiltrate networks. Instead of attempting to break into systems directly, attackers are increasingly attempting to log in using stolen or manipulated credentials, making identity verification and internal security controls more critical than ever.
The findings are based on the analysis of trillions of network signals and threat actor behaviors, including tactics, techniques and procedures (TTPs). Cloudflare reports that its network blocks an average of 230 billion cyber threats every day, providing insight into emerging cybercrime trends and global attack patterns.
Matthew Prince, Co-founder and CEO of Cloudflare, said that cybercriminals often exploit gaps created by fragmented or outdated threat intelligence. He explained that Cloudflare operates one of the world’s largest global sensor networks, allowing the company to identify threats that may otherwise go unnoticed. By sharing this intelligence publicly, Cloudflare aims to strengthen global cybersecurity defenses and make it significantly more difficult and costly for attackers to operate online.
The Cloudflare 2026 Threat Intelligence Report identifies several major trends shaping the global cyber threat landscape. One of the most significant findings is that artificial intelligence is lowering the barrier to entry for cybercrime. Threat actors are increasingly using large language models (LLMs) to map networks, generate exploit code and create highly convincing deepfakes for fraud and social engineering attacks. In one case documented by Cloudforce One, a threat actor used AI to identify the location of high-value data and subsequently compromised hundreds of corporate tenants across multi-tenant SaaS platforms, resulting in one of the most significant supply chain cyberattacks observed.
The report also highlights a shift in the tactics of Chinese state-sponsored threat actors, particularly groups known as Salt Typhoon and Linen Typhoon. These groups have moved away from broad cyber espionage campaigns toward more targeted and persistent operations. Their activities increasingly focus on North American telecommunications companies, government institutions and IT service providers, with attackers planting code within critical infrastructure systems to enable potential future attacks.
Another growing threat identified in the report involves the hijacking of corporate identities. According to Cloudflare, operatives linked to North Korea are using AI-generated deepfakes and fraudulent identity documents to bypass corporate hiring processes. These individuals are able to secure remote employment positions in Western organizations, effectively embedding state-sponsored actors within corporate payroll systems. In many cases, these operations are supported by U.S.-based “laptop farms” that allow attackers to mask their real geographic location and appear as legitimate employees.
The report also warns that DDoS attacks are reaching unprecedented scale and speed, making them increasingly difficult for human teams to manage manually. Large botnets such as Aisuru have evolved into highly sophisticated networks capable of launching attacks at speeds exceeding 31.4 terabits per second, potentially disrupting large portions of internet infrastructure. These attacks now require fully automated and autonomous defense systems to mitigate their impact effectively.
Blake Darché, Head of Threat Intelligence at Cloudforce One, stated that cyber threat actors are continuously evolving their methods to exploit new vulnerabilities and overwhelm security defenses. He emphasized that organizations must move away from purely reactive cybersecurity strategies and instead adopt real-time threat intelligence and proactive security monitoring to stay ahead of attackers.
He added that the Cloudflare report serves as a strategic guide for security teams seeking to understand how cyber threats are evolving and how adversaries are adapting their tactics. According to Darché, organizations that fail to integrate intelligence-driven security strategies risk falling behind in a rapidly escalating cybersecurity arms race.
The Cloudflare 2026 Threat Intelligence Report underscores the growing complexity of the global threat landscape and highlights the importance of AI-driven cybersecurity, identity protection, and automated threat detection systems in protecting modern digital infrastructure.
