Cloudflare has released its inaugural 2026 Cloudflare Threat Report, highlighting a major shift in the global cybersecurity landscape as cybercriminals increasingly leverage artificial intelligence, large-scale botnets, and identity-based attacks to infiltrate digital systems.
The report, based on insights from Cloudflare’s threat intelligence unit Cloudforce One and data collected across its global network, reveals that cyber threats are becoming more sophisticated, faster, and more difficult to detect.
According to the report, Cloudflare blocks an average of 230 billion cyber threats every day, illustrating the immense scale of modern cyberattacks. The findings indicate that threat actors are no longer focused solely on disrupting websites but are increasingly targeting internal systems such as payroll platforms and enterprise software by exploiting authentication mechanisms rather than traditional system vulnerabilities.
Matthew Prince, Co-founder and CEO, Cloudflare, said, “Hackers thrive on the gaps left by fragmented, stale threat intelligence. At Cloudflare, we’ve built the largest and most comprehensive global sensor network that gives us a front-row seat to threats invisible to everyone else. By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate.”
The report highlights how the rapid advancement of artificial intelligence is lowering the technical barriers for launching cyberattacks. Threat actors are now using Large Language Models (LLMs) to map networks in real time, develop new exploits, and create highly convincing deepfakes. In one tracked incident, an attacker used AI tools to identify the location of high-value data, enabling the compromise of hundreds of corporate tenants within a shared SaaS environment in what Cloudflare describes as one of the most significant supply chain attacks observed.
The research also notes a shift in the tactics used by certain state-sponsored groups. Chinese threat actors, including groups identified as Salt Typhoon and Linen Typhoon, are reportedly moving away from broad espionage campaigns toward more targeted and persistent attacks on North American telecommunications providers, government institutions, and IT service organisations. These operations involve placing malicious code inside networks to enable future cyber operations against critical infrastructure.
Another growing concern identified in the report is the misuse of digital identities. Cloudflare states that North Korean operatives are increasingly using AI-generated deepfakes and fraudulent identification documents to bypass hiring processes and gain employment inside Western companies. In some cases, attackers are operating through U.S.-based “laptop farms” to disguise their actual location while working remotely for corporate organisations.
The report also highlights the unprecedented scale of modern distributed denial-of-service (DDoS) attacks. Botnets such as Aisuru have evolved into highly powerful networks capable of overwhelming national-level internet infrastructure. Cloudflare observed record-breaking DDoS attacks reaching 31.4 terabits per second, levels that now require fully automated defence systems because they exceed the response capacity of human operators.
Blake Darché, Head of Threat Intelligence at Cloudforce One, Cloudflare, said, “Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organizations must shift from a reactive posture to one fueled by real-time, actionable intelligence. This report is a North Star for understanding the scale of attacks, and how threat actor aggression and techniques are shifting. The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”
The report concludes that as AI accelerates the sophistication and scale of cyberattacks, organisations must increasingly rely on intelligence-driven security frameworks and automated defensive systems to protect critical infrastructure and enterprise networks.
About The Author
