Cloudflare 2026 Threat Intelligence Report: Nation-State Actors and Cybercriminals Shift from ‘Breaking In’ to ‘Logging In’

New insights demonstrate that the barrier to entry for sophisticated cybercrime has collapsed

DUBAI, UAE, March, 2026: Cloudflare, Inc. (NYSE: NET), the leading connectivity cloud company, today published its inaugural 2026 Cloudflare Threat Report. This report draws on the expertise of the Cloudforce One threat research team and the scale of Cloudflare’s global network to spotlight a fundamental rewiring of the modern cyberattack. The data reveals that threat actors are using DDoS attacks of unprecedented scale, leveraging AI systems to exploit vulnerabilities, and continuing to strike at traditional weak spots like email to find ways to “log in” versus “break in.”

The 2026 report arms security teams against emerging threats, detailing the tactics and trends behind the 230 billion threats Cloudflare blocks on average each day. With AI making it easier for anyone to launch sophisticated attacks, threat actors are moving faster than ever. They are not just crashing websites; they are quietly infiltrating payroll systems and tricking software into trusting them. Security is no longer about keeping strangers out; it’s about proving that the users inside your network are who they say they are.

“Hackers thrive on the gaps left by fragmented, stale threat intelligence. At Cloudflare, we’ve built the largest and most comprehensive global sensor network that gives us a front-row seat to threats invisible to everyone else,” said Matthew Prince, co-founder and CEO of Cloudflare. “By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate.”

Over the past year, Cloudforce One has analyzed trillions of network signals and threat actor tactics, techniques, and procedures (TTPs) to uncover the most common attack vectors, nation-state espionage tactics, and the real-world impact of AI on cyberattacks. Key findings include:

  • AI Erases the Technical Barrier to Entry to Launch Attacks: Threat actors are using Large Language Models (LLMs) to map networks in real-time, develop new exploits, and create hyper-realistic deepfakes. Cloudforce One tracked a threat actor who leveraged AI to help identify the location of high-value data. This allowed the actor to compromise hundreds of corporate tenants — high-volume SaaS applications that allow multiple organizations to share resources — in one of the most impactful supply chain attacks seen.
  • Chinese Threat Actors Trade Broad Attacks for Precision Strikes: State-sponsored actors, specifically Salt Typhoon and Linen Typhoon, have shifted focus toward North American telecommunications, government entities, and IT services. These actors are shifting from traditional espionage to persistent pre-positioning — the act of installing code on the network or system of a rival state to allow for future attacks — within U.S. critical infrastructure.
  • Corporate Identities are Being Hijacked: North Korean operatives are using AI-generated deepfakes and fraudulent IDs to bypass hiring filters, embedding state-sponsored workers directly into Western corporate payrolls. Using U.S.-based “laptop farms,” these threat actors are masking their true location.
  • DDoS Attacks Surpass Human Response Capabilities: Large-scale botnets like Aisuru have evolved into nation-state level threats capable of taking down an entire country’s networks. With record-breaking attacks reaching 31.4 Tbps, these high-speed strikes now demand fully autonomous defenses.

“Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organizations must shift from a reactive posture to one fuelled by real-time, actionable intelligence,” said Blake Darché, head of threat intelligence, Cloudforce One at Cloudflare. “This report is a North Star for understanding the scale of attacks, and how threat actor aggression and techniques are shifting. The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”

To learn more about the 2026 Cloudforce One Threat Intelligence Report please check out the resources below:

  • 2026 Cloudforce One Global Threat Report
  • Cloudforce One

Photo Caption: Matthew Prince, co-founder and CEO of Cloudflare

About Cloudforce One:
Driven by a mission to help defend the Internet, Cloudforce One leverages telemetry from Cloudflare’s global network, which protects approximately 20% of the web, to drive threat research and operational response, protecting critical systems for millions of organizations worldwide.

About Cloudflare:

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protects and accelerates any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was named to Entrepreneur Magazine’s Top Company Cultures 2018 list and ranked among the World’s Most Innovative Companies by Fast Company in 2019. Headquartered in San Francisco, CA, Cloudflare has offices in Austin, TX, Champaign, IL, New York, NY, San Jose, CA, Seattle, WA, Washington, D.C., Toronto, Lisbon, London, Munich, Paris, Beijing, Singapore, Sydney, and Tokyo.