
Cloudflare, Inc. on Wednesday released its inaugural 2026 Cloudflare Threat Report, highlighting a major shift in cyberattack strategies as nation-state actors and cybercriminals increasingly rely on stolen credentials and identity manipulation rather than traditional hacking methods.
The report, compiled by the company’s threat research team Cloudforce One, draws on data from Cloudflare’s global network and analysis of trillions of network signals. It says attackers are now focusing on quietly infiltrating systems—such as payroll platforms and enterprise software—by gaining legitimate-looking access instead of breaching security perimeters.
According to the report, Cloudflare blocks an average of 230 billion cyber threats every day, with attackers increasingly using artificial intelligence tools to accelerate sophisticated attacks.
“Hackers thrive on the gaps left by fragmented, stale threat intelligence,” said Matthew Prince, co-founder and chief executive officer of Cloudflare. He added that sharing intelligence from the company’s global network could help security teams better defend against emerging threats.
The report notes that large language models (LLMs) are lowering the technical barriers to cybercrime. Threat actors are using AI to map networks, develop exploits and generate deepfakes, enabling them to target sensitive corporate data and launch supply-chain attacks.
Cloudflare’s analysis also highlighted growing geopolitical cyber risks. State-linked groups such as Salt Typhoon and Linen Typhoon are increasingly focusing on telecommunications, government systems and IT services in North America, shifting toward long-term infiltration of critical infrastructure.
Another concern identified in the report involves North Korean operatives allegedly using AI-generated identities and fraudulent documents to obtain remote jobs at Western companies, enabling insider access to corporate systems.
The study also recorded a surge in large-scale distributed denial-of-service (DDoS) attacks, with botnets such as Aisuru launching attacks reaching 31.4 terabits per second, a scale that often requires automated defence systems to mitigate.
Blake Darché said organisations must adopt real-time threat intelligence to keep pace with evolving attack techniques.
