Cloudflare published its inaugural 2026 Cloudflare Threat Report. This report draws on the expertise of the Cloudforce One threat research team and the scale of Cloudflare’s global network to spotlight a fundamental rewiring of the modern cyberattack. The data reveals that threat actors are using DDoS attacks of unprecedented scale, leveraging AI systems to exploit vulnerabilities, and continuing to strike at traditional weak spots like email to find ways to “log in” versus “break in.”

The 2026 report arms security teams against emerging threats, detailing the tactics and trends behind the 230 billion threats Cloudflare blocks on average each day. With AI making it easier for anyone to launch sophisticated attacks, threat actors are moving faster than ever. They are not just crashing websites; they are quietly infiltrating payroll systems and tricking software into trusting them. Security is no longer about keeping strangers out, it’s about proving that the users inside your network are who they say they are.

“Hackers thrive on the gaps left by fragmented, stale threat intelligence. At Cloudflare, we’ve built the largest and most comprehensive global sensor network that gives us a front-row seat to threats invisible to everyone else,” said Matthew Prince, co-founder and CEO of Cloudflare. “By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate.”

Over the past year, Cloudforce One has analysed trillions of network signals and threat actor tactics, techniques, and procedures (TTPs) to uncover the most common attack vectors, nation-state espionage tactics, and the real-world impact of AI on cyberattacks. Key findings include:

– AI Erases the Technical Barrier to Entry to Launch Attacks: Threat actors are using Large Language Models (LLMs) to map networks in real-time, develop new exploits, and create hyper-realistic deepfakes. Cloudforce One tracked a threat actor who leveraged AI to help identify the location of high-value data. This allowed the actor to compromise hundreds of corporate tenants — high-volume SaaS applications that allow multiple organisations to share resources in one of the most impactful supply chain attacks seen.

– Chinese Threat Actors Trade Broad Attacks for Precision Strikes: State-sponsored actors, specifically Salt Typhoon and Linen Typhoon, have shifted focus toward North American telecommunications, government entities, and IT services. These actors are shifting from traditional espionage to persistent pre-positioning — the act of installing code on the network or system of a rival state to allow for future attacks — within U.S. critical infrastructure.

– Corporate Identities are Being Hijacked: North Korean operatives are using AI-generated deepfakes and fraudulent IDs to bypass hiring filters, embedding state-sponsored workers directly into Western corporate payrolls. Using U.S.-based “laptop farms,” these threat actors are masking their true location.

– DDoS Attacks Surpass Human Response Capabilities: Large-scale botnets like Aisuru have evolved into nation-state level threats capable of taking down entire country’s networks. With record-breaking attacks reaching 31.4 Tbps, these high-speed strikes now demand fully autonomous defences.

“Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organisations must shift from a reactive posture to one fueled by real-time, actionable intelligence,” said Blake Darché, head of threat intelligence, Cloudforce One at Cloudflare. “This report is a North Star for understanding the scale of attacks, and how threat actor aggression and techniques are shifting. The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”