Cloudflare's 2026 Threat Report: Attackers Swap Break-Ins for Log-Ins as AI and Credential Theft Redefine the Threat Landscape
Cloudflare's 2026 Threat Report documents a pivotal shift: attackers now log in rather than break in, using stolen session tokens and AI-assisted credential theft to bypass MFA, as DDoS volumes doubled and nation-state pre-positioning inside critical infrastructure intensifies.
Overview
Cloudflare’s research unit Cloudforce One published the company’s first annual 2026 Threat Intelligence Report on March 3, 2026, synthesizing telemetry from more than 230 billion blocked threats per day across infrastructure that handles roughly 20 percent of global web traffic. The headline conclusion is a structural shift in how adversaries operate: the era of brute-force perimeter attacks is giving way to a model built around authentication bypass, credential reuse, and the camouflage of malicious activity within legitimate enterprise platforms.
The report introduces a new analytical framework — the Measure of Effectiveness (MOE) — which the authors describe as “the ratio of effort to operational outcome.” The framing reflects how modern adversaries think: the goal is not to demonstrate technical prowess but to achieve results at the lowest possible cost.
What We Know
Credential Theft Has Become the Primary Entry Vector
According to the Cloudflare press release, bots now account for 94 percent of login attempts observed on Cloudflare’s network. Of the remaining human-initiated logins, 46 percent involve credentials that were previously exposed in prior breaches. The report attributes 54 percent of 2025 ransomware incidents to infostealer-enabled credential theft as the initial access vector.
The mechanism most responsible for this shift is session token harvesting. Malware families such as LummaC2 extract live authentication tokens from infected machines, granting attackers access to already-authenticated sessions. As the report notes, this technique sidesteps multi-factor authentication entirely — the token proves identity to the target service regardless of how it was obtained.
DDoS Volume More Than Doubled
According to Help Net Security’s analysis of the report, Cloudflare observed 47.1 million DDoS incidents in 2025, more than double the prior year’s total. Network-layer attacks tripled over the same period. The largest single event was a 31.4 Tbps UDP flood launched by the Aisuru botnet in November 2025 — nearly six times the peak recorded in 2024. The report notes that most attacks lasted under 10 minutes, a duration deliberately calibrated to fall below the threshold where a human operator can identify, escalate, and respond before the damage is done.
Email Authentication Infrastructure Remains Deeply Broken
Cloudforce One analyzed 450 million emails and found that 43 percent failed SPF checks, 44 percent lacked valid DKIM signatures, and 46 percent failed DMARC validation. According to the report, phishing-as-a-service operations are now industrialized, exploiting these authentication gaps to conduct high-trust brand impersonation at scale. The researchers tracked $123 million in intercepted business email compromise attempts, averaging approximately $49,225 per attempt.
Nation-State Actors Are Pre-Positioning Inside Critical Infrastructure
The report identifies two Chinese state-sponsored groups — Salt Typhoon and Linen Typhoon — as conducting sustained operations against North American telecommunications carriers and government networks throughout 2025. According to the SiliconANGLE writeup, one technique involves embedding encrypted command-and-control instructions inside Google Calendar event descriptions, using legitimate Google infrastructure to mask the traffic. The goal, the report assesses, is long-term geopolitical pre-positioning rather than immediate data exfiltration.
North Korean operatives are executing a separate but parallel campaign: using AI-generated deepfake profiles and fraudulent identity documents to obtain remote employment at Western technology companies. Once inside corporate systems, they route their salaries through U.S.-based laptop farms to funnel funds back to state entities.
AI Is Lowering the Floor for Sophisticated Attacks
The report describes AI as a capability multiplier for low-skill threat actors. Large language models are being used to automate network reconnaissance, accelerate exploit development, and generate hyper-realistic social engineering content. Cloudforce One’s methodology itself demonstrates this dynamic: the researchers used AI self-analysis to discover CVE-2026-22813 (CVSS 9.4), a vulnerability in their own infrastructure, illustrating both the offensive potential and the defensive applicability of the same tools.
SaaS Integration Attack Surface Continues to Expand
The report’s most operationally significant finding for enterprise security teams may be the scale of the SaaS integration problem. Threat actors are exploiting over-privileged third-party API connections to move laterally across hundreds of corporate tenants in cascading supply chain attacks. The authors describe one unnamed incident as “one of the most impactful supply chain attacks seen” in recent years, triggered by a single compromised SaaS integration.
What We Don’t Know
The report does not identify the specific organizations affected by the supply chain incident it describes, nor does it provide attribution detail beyond nation-state-level assessments for the Chinese and North Korean campaigns. The $123 million figure for BEC attempts reflects Cloudflare’s visibility into email flows it directly processes — the full industry-wide number is almost certainly higher but not quantified here.
Cloudforce One’s methodology relies on Cloudflare’s position as a network intermediary, meaning attacks routed entirely outside its infrastructure would not appear in the data. The 230 billion daily threats figure covers only traffic that passes through Cloudflare’s network, and it is not possible to determine from the report how representative that sample is of the global threat landscape.
Analysis
The core argument of Cloudflare’s report — that attackers are shifting from breaking into systems to logging into them — is consistent with findings from other major threat intelligence publications in recent months. The IBM X-Force 2026 report reached similar conclusions about AI-assisted attacks and credential exploitation. What Cloudflare adds is scale: its vantage point covering a fifth of global web traffic provides statistical weight that most vendors cannot match.
The MOE framework is a useful conceptual addition. It explains why both opportunistic criminal groups and nation-state actors have converged on the same basic playbook: credential theft and session hijacking require less technical sophistication than zero-day exploitation, generate fewer forensic artifacts, and succeed at higher rates. Defenders building their strategies around detecting novel malware or patching vulnerabilities are likely optimizing for the less common attack scenario.
The email authentication findings deserve particular attention. Despite more than a decade of DMARC adoption campaigns, nearly half of analyzed emails still fail basic authentication checks. Phishing-as-a-service platforms are built precisely to exploit this gap, and the 94 percent bot login figure suggests that credential-stuffing operations are already operating at a scale that makes any individual organization’s password hygiene policies insufficient as a sole control.
For security operations teams, the practical takeaway from the report is a recalibration of detection priorities: session token monitoring, infostealer telemetry, and third-party API access audits are now at least as important as traditional perimeter defenses. The Aisuru botnet’s 31.4 Tbps record also underscores that DDoS mitigation capacity must be planned for volumes that were considered implausible even two years ago.