
Cloudflare 2026 Threat Report: Attackers Shift from Breaking In to Logging In

Cloudflare's inaugural 2026 Threat Report reveals attackers are shifting from breaking in to logging in. AI lowers the barrier for sophisticated attacks, DDoS hits 31.4 Tbps, and nation-state actors pre-position inside critical infrastructure. 230 billion threats blocked daily.


230 billion threats blocked daily

Cloudflare published its inaugural 2026 Threat Intelligence Report, drawing on data from the Cloudforce One research team and its global network. The headline number: Cloudflare blocks an average of 230 billion threats per day. The report covers DDoS attacks, AI-assisted exploitation, nation-state tactics, and the growing shift from brute-force attacks to credential-based infiltration.

The core message is that attackers are moving from "breaking in" to "logging in." Stolen credentials, AI-generated deepfakes, and compromised identities are replacing traditional exploit chains as the primary attack vector.

AI lowers the barrier to entry

The report details how threat actors are using large language models to map networks in real time, develop exploits, and create deepfakes. In one tracked case, an attacker used AI to locate high-value data across hundreds of corporate SaaS tenants, pulling off one of the most impactful supply chain attacks of the year.

North Korean operatives are using AI-generated deepfakes and fraudulent IDs to bypass hiring filters, embedding state-sponsored workers directly into Western corporate payrolls through US-based "laptop farms." Chinese state-sponsored groups Salt Typhoon and Linen Typhoon have shifted from broad espionage to persistent pre-positioning within US critical infrastructure, particularly in telecommunications and government IT.

DDoS attacks hit record scale

The report highlights that DDoS attacks now surpass human response capabilities. The Aisuru botnet has evolved into a nation-state-level threat capable of disrupting entire country networks. Record-breaking attacks reached 31.4 Tbps, a scale that demands fully autonomous defense systems. Manual mitigation at those volumes and speeds is no longer realistic.

WAFplanet take

This is Cloudflare using its unique position to publish threat intelligence that doubles as a product pitch, and that is fine because the data is genuinely useful. The shift from "breaking in" to "logging in" has real implications for WAF operators. Traditional WAFs are designed to catch malicious payloads and exploit patterns. They are not built to detect a legitimate-looking login from a stolen credential.

The 31.4 Tbps DDoS record is worth noting. At that scale, only a handful of providers can absorb the traffic: Cloudflare, Akamai, AWS, and Google Cloud Armor. For organizations without hyperscale DDoS protection, these numbers are a reminder that volumetric attacks remain an existential threat to availability.

The AI findings are the most forward-looking part. If attackers use AI to find and exploit vulnerabilities faster than defenders can patch, the WAF becomes the last line of defense for a longer window. That raises the stakes for rule quality and response time across every provider.