Cloudflare’s 2026 Threat Intelligence Report Reveals Dramatic Shift in Cyberattack Strategies

Cloudflare has released its inaugural 2026 Cloudflare Threat Intelligence Report, revealing a fundamental shift in how nation‑state actors and cybercriminals target organisations. Rather than relying on traditional intrusion techniques, attackers are increasingly exploiting trusted access pathways—leveraging identities, AI tools and high‑speed automation to “log in” instead of “break in.”

Drawing on insights from the Cloudforce One threat research team and analysis of more than 230 billion threats blocked daily, the report uncovers how AI and global-scale botnets are lowering technical barriers and accelerating both criminal and state‑backed operations. According to Cloudflare, emerging attack patterns are reshaping the risk landscape for businesses, governments and critical infrastructure worldwide.

“Hackers thrive on the gaps left by fragmented, stale threat intelligence,” said Matthew Prince, co-founder and CEO of Cloudflare. “By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate.”

“Hackers are no longer breaking in; they’re logging in, and they’re doing it faster and smarter than ever.”

Matthew Prince, Co‑founder & CEO, Cloudflare

The report highlights several trends driving this transformation. Threat actors are now using large language models (LLMs) to accelerate reconnaissance, generate exploits and create realistic deepfakes to bypass identity checks. Cloudflare tracked one case where AI-assisted reconnaissance enabled attackers to infiltrate hundreds of corporate SaaS tenants in a large-scale supply chain attack, one of the most damaging incidents observed last year.

Geopolitical activity is also intensifying. Chinese state-linked groups Salt Typhoon and Linen Typhoon have shifted from broad espionage efforts to highly targeted operations against U.S. telecommunications, government agencies and IT service providers, focusing on long-term pre‑positioning within critical networks. Meanwhile, North Korean actors are hijacking corporate identities by using AI-generated IDs and deepfakes to embed operatives into Western companies through remote‑work “laptop farms.”

The rise of massive botnets like Aisuru, capable of launching record-breaking 31.4 Tbps DDoS attacks, marks another escalation. These events now exceed human response speeds, creating an urgent need for automated defense systems.

“To avoid being caught off guard, organisations must shift from a reactive posture to one fuelled by real-time, actionable intelligence,” said Blake Darché, head of threat intelligence, Cloudforce One. “This report is a North Star for understanding how threat actor aggression and techniques are shifting.”

Cloudflare’s 2026 Threat Intelligence Report is now available with further resources through Cloudforce One.
