A logo of CLOUDFLARE sits outside the company's house on the opening day of the 55th annual meeting of the World Economic Forum (WEF) in Davos, Switzerland, January 20, 2025. REUTERS/Yves Herman
Every single day, Cloudflare’s network blocks more than 230 billion cyber threats.
Not per year. Per day.
That number alone tells you something about the scale of what is happening in the background of the internet you use every morning.
But the number isn’t actually the most important finding in the company’s inaugural 2026 Threat Report, published this week. The most important finding is the shift in how those attacks work.
Hackers used to break in. They exploited vulnerabilities. They wrote custom code. They spent time and money on sophisticated attacks designed to penetrate defenses.
Increasingly, they just log in.
They steal your credentials, or your session tokens, or your employees’ identities, and they walk through the front door of your systems as if they belong there. Because, as far as your security tools are concerned, they do.
What “Logging In” Actually Means
The shift from “breaking in” to “logging in” is the central thesis of the entire report, and it matters because it renders a significant portion of traditional security architecture irrelevant.
Most corporate security is built around the assumption that attackers will try to force their way through barriers. Firewalls. Intrusion detection systems. Endpoint protection. All of it is designed to spot anomalous behavior and block it.
But if an attacker is using legitimate credentials, coming from a known location, accessing systems in a normal pattern, nothing looks anomalous. The barrier sees a valid user and waves them through.
The primary tool enabling this shift is the infostealer, a type of malware that specifically harvests active session tokens from infected devices. Session tokens are the digital keys that keep you logged into websites and applications without requiring a new password every time.
Steal the token and you bypass multi-factor authentication entirely. You don’t need the password. You don’t need the second factor. You are already logged in. You are already inside.
Cloudflare’s report identifies LummaC2 as one of the most prevalent infostealers in active use right now. It is being deployed at industrial scale. Most victims don’t know they’re infected until it’s too late.
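As an added illustration (not code from the Cloudflare report or its authors), the following server-side session binding shows one mitigation for the token-replay problem described above: each session token is tied at login to the client context it was issued to, so a token lifted by an infostealer and presented from another machine is rejected and the session revoked. The in-memory store, the fingerprint scheme and the client values are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    fingerprint: str   # hash of the client context captured at login
    revoked: bool = False

def fingerprint(user_agent: str, ip: str) -> str:
    """Coarse client context: User-Agent plus the /24 of the source address.
    Coarse on purpose so ordinary DHCP churn does not log legitimate users out,
    while a token replayed from an attacker's box still stands out."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()

class SessionStore:
    """In-memory store (an assumption for the example; production uses a shared store)."""
    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, user_agent: str, ip: str) -> str:
        # Called only after password + MFA succeeded; the token inherits that trust.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint(user_agent, ip))
        return token

    def authorize(self, token: str, user_agent: str, ip: str) -> tuple[bool, str]:
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return False, "unknown-or-revoked"
        if not hmac.compare_digest(s.fingerprint, fingerprint(user_agent, ip)):
            # Token presented from a different client context: treat it as stolen and
            # kill the session so the legitimate user must re-authenticate with MFA.
            s.revoked = True
            return False, "context-mismatch"
        return True, s.user
```

Binding to a coarse network prefix rather than an exact IP is a deliberate trade-off; stricter binding (device certificates, DPoP-style proof of possession) closes the gap further at the cost of more re-authentication prompts.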
AI Erased the Technical Barrier to Entry
Twelve months ago, launching a sophisticated cyberattack required genuine technical expertise. You needed to understand code. You needed to understand networks. You needed to understand the specific systems you were targeting.
That is no longer true.
Cloudflare’s threat research unit, Cloudforce One, documented the first AI-based attack in which a threat actor used a large language model to map an organization’s network in real time, identify the location of high-value data, and extract it without any specialized hacking knowledge.
The attack compromised hundreds of corporate tenants through a single supply chain entry point.
Cloudflare called it “one of the most impactful supply chain attacks seen.”
That attack is not a proof of concept. It is a template that less skilled operators are now replicating with off-the-shelf AI tools.
AI is also being used to write phishing emails that are indistinguishable from legitimate corporate communications, to generate convincing deepfake identities, to automate exploit development, and to identify vulnerabilities faster than human security teams can patch them.
Blake Darché, head of threat intelligence at Cloudforce One, summarized the stakes plainly: “The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”
North Korea Is Getting People Hired at Your Company
This section of the report deserves its own full stop before continuing.
North Korean state-sponsored operatives are using AI-generated deepfake profiles, fake identification documents, and US-based laptop farms to apply for and obtain employment at Western companies.
They are not hacking their way in. They are applying for jobs, passing video interviews with real-time deepfake rendering, getting hired, receiving paychecks, and funneling the salary back to Pyongyang while simultaneously establishing insider access to corporate systems.
The laptop farms give them a US-based IP address so their login location appears domestic. The deepfakes get them through video verification checks. Their references are fabricated. Their work history is fabricated. Their faces are fabricated.
Most companies’ HR teams have no idea what any of those things mean, let alone how to check for them.
This is not a theoretical threat. Cloudflare has documented it happening. The FBI has issued multiple warnings about it. It is ongoing.
China Is Wiring Itself Into Western Infrastructure Right Now
The report identifies two Chinese state-sponsored threat groups, Salt Typhoon and Linen Typhoon, as currently prioritizing a specific kind of attack that is different from anything most cybersecurity frameworks are designed to stop.
They are not trying to steal data today. They are embedding themselves inside North American telecommunications, government, and commercial IT infrastructure and waiting.
The technical term is pre-positioning. The strategic term is leverage. The idea is that in a future geopolitical crisis, China would have the ability to disrupt or surveil Western communications infrastructure from the inside, through access points established years in advance during peacetime.
This isn’t Cloudflare speculating. The Salt Typhoon intrusions into US telecom networks were first publicly confirmed by the FBI and CISA in late 2024 and have been the subject of congressional hearings since. Cloudflare’s report provides the 2025 and 2026 context: the activity has not stopped. It has intensified.
DDoS Attacks Have Outpaced Human Response
In 2025, Cloudflare recorded 47.1 million DDoS attacks. That is more than 5,000 per hour, every hour, for an entire year.
Most of them lasted under ten minutes.
That is not a coincidence. Ten minutes is shorter than the time it takes most security teams to detect, verify, escalate, and respond to an attack.
The attacks are designed to hit their target and disappear before human defenders can do anything about them.
The largest single attack Cloudflare documented came from the Aisuru botnet: 31.4 terabits per second. That is large enough to take down entire country networks. Cloudflare blocked it. Most organizations would not have.
The Aisuru botnet and its successor Kimwolf collectively control an estimated one to four million infected devices. These aren’t servers in a data center.
They are household routers, cheap security cameras, smart TVs, and network-attached storage devices that their owners have never updated and never thought about since the day they plugged them in.
Your Cloud Tools Are Being Used Against You
The most tactically sophisticated section of the report covers what Cloudflare calls “Living off Trusted Sites,” or LotX.
The principle is elegant and deeply frustrating from a defense standpoint. Instead of using known malicious servers to route attack traffic, adversaries are routing it through Google Drive, Microsoft Teams, Amazon S3, Dropbox, and other universally trusted enterprise platforms.
Your security tools are configured to trust traffic from Google Drive. They are supposed to trust it. Everyone uses it. So when an attacker routes their command-and-control traffic through a Google Drive file, your firewall waves it through without a second look.
Some attackers are now using Google Calendar invites to deliver encrypted attack commands. Not as a phishing lure. As actual infrastructure for an ongoing operation, embedded inside a tool you use every morning to see your schedule.
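An added detection example, not from the report: because the destination is on the allowlist, the signal has to come from behaviour rather than reputation. The script below reads constructed proxy log lines and flags source hosts that contact a trusted SaaS domain on a fixed cadence with near-constant request sizes, the shape of command-and-control polling rather than of a person opening files. The domain list, log format, sample lines and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Platforms a proxy allowlist would normally wave through (constructed list).
TRUSTED_SAAS = {"drive.google.com", "teams.microsoft.com", "s3.amazonaws.com", "dropbox.com"}

# Constructed sample proxy log, fields: "<ISO time> <src ip> <dest host> <bytes>".
# 10.1.4.22 polls a Drive file every ~60 s with near-identical sizes (beacon shape);
# 10.1.4.35 is bursty, human-looking Drive usage.
SAMPLE_LOG = """\
2026-03-02T09:00:00 10.1.4.22 drive.google.com 412
2026-03-02T09:01:00 10.1.4.22 drive.google.com 415
2026-03-02T09:02:01 10.1.4.22 drive.google.com 410
2026-03-02T09:03:00 10.1.4.22 drive.google.com 413
2026-03-02T09:04:00 10.1.4.22 drive.google.com 411
2026-03-02T09:00:12 10.1.4.35 drive.google.com 90211
2026-03-02T09:07:48 10.1.4.35 drive.google.com 1204
2026-03-02T09:31:03 10.1.4.35 drive.google.com 55820
2026-03-02T10:12:40 10.1.4.35 drive.google.com 3310
2026-03-02T10:15:09 10.1.4.35 drive.google.com 702
"""

def parse(log: str):
    """Group (timestamp, bytes) events by (source ip, destination host)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, host, nbytes = line.split()
        flows[(src, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows

def find_beacons(log: str, min_hits: int = 5, max_cv: float = 0.15):
    """Flag flows to trusted SaaS hosts whose request timing AND size are nearly
    constant. A coefficient of variation (stdev/mean) near zero is machine cadence;
    interactive Drive use is bursty in both timing and size."""
    alerts = []
    for (src, host), events in parse(log).items():
        if host not in TRUSTED_SAAS or len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        if mean(gaps) == 0:
            continue  # duplicate timestamps: no cadence to reason about
        if pstdev(gaps) / mean(gaps) < max_cv and pstdev(sizes) / mean(sizes) < max_cv:
            alerts.append({"src": src, "host": host, "period_s": round(mean(gaps)), "hits": len(events)})
    return alerts
```

Real implants add jitter, so in production the interval check is usually paired with a per-flow "hits per day" outlier score and reviewed against the user's normal SaaS footprint rather than used as a standalone block rule.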
What This Means in the Context of the Iran War
The Cloudflare report was published before the Iran war started but describes the exact threat environment that the war has now activated.
We have already covered the Stryker attack, in which Iranian-linked hackers used stolen credentials to wipe 200,000 devices across 79 countries.
We have covered the 60-plus hacktivist groups mobilized in the opening hours of the conflict. We have covered the CISA warnings about Iranian targeting of critical infrastructure.
Every tactic described in the Cloudflare report (session token theft, AI-assisted network mapping, LotX cloud infrastructure abuse, infostealer deployment) is now being actively deployed in a wartime context against American targets.
The industrialization of cybercrime that Cloudflare documented throughout 2025 didn’t stop when the war started. It found a new customer base and a new operational urgency.
Matthew Prince, Cloudflare’s co-founder and CEO, framed the company’s role plainly: “Hackers thrive on the gaps left by fragmented, stale threat intelligence. By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders.”
The report is publicly available. It is free to read. It is one of the most comprehensive documents published this year on the actual state of digital security in 2026.
