Cloudflare 2026 Threat Intelligence Report: Nation-State Actors and Cybercriminals Shift from 'Breaking In' to 'Logging In'

Key Terms

ddos technical

A DDoS (distributed denial-of-service) attack is when many compromised computers or devices artificially flood a company's online systems with traffic so legitimate users cannot access websites, apps, or services. For investors, DDoS episodes can disrupt sales, damage customer trust, and expose weaknesses in a company's security — like a traffic jam that shuts down a city's main highway, revealing costs and operational risks that can affect revenue and stock value.

large language models technical

Large language models are advanced AI systems trained on vast amounts of text to understand and generate human-like writing, like a very fast reader and writer that learns patterns in words and sentences. They matter to investors because they can change how companies operate—automating customer service, speeding analysis, cutting costs, creating new products—and they introduce risks around accuracy, security and regulation that can affect a firm’s revenue and reputation.

llms technical

Large language models are advanced computer programs that read and generate human-like text by learning patterns from huge amounts of written material; think of them as digital employees that can draft reports, answer questions, summarize documents, or generate code. They matter to investors because they can change a company’s costs, speed of product development, customer service, and competitive edge — and they also create new risks and regulatory questions that can affect profits and valuation.

deepfakes technical

Deepfakes are audio, video or image content created or altered by artificial intelligence to make people appear to say, do, or be somewhere they did not. They matter to investors because a convincing fake can trigger sudden market moves, enable fraud, manipulate sentiment, or harm a company’s reputation—similar to a counterfeit document or forged signature sparking real financial consequences and regulatory scrutiny.

botnets technical

A botnet is a network of internet-connected devices that have been secretly taken over by criminals and are controlled remotely to carry out coordinated attacks or fraud. Think of it like a fleet of hijacked cars driven by a remote operator to block highways or steal goods; for investors, botnets can cause costly outages, data breaches, lost sales, regulatory fines and reputational damage that can quickly reduce a company’s revenue and share price.

supply chain attacks technical

A supply chain attack is when criminals compromise a company’s suppliers, partners, or third-party software to gain access to that company’s systems or products — like slipping a fake ingredient into a recipe so every dish is affected. Investors should care because these breaches can halt operations, force costly fixes, trigger regulatory penalties, and erode customer trust, any of which can reduce revenue and hurt a company’s stock value.

New insights demonstrate that the barrier to entry for sophisticated cybercrime has collapsed

SAN FRANCISCO--(BUSINESS WIRE)-- Cloudflare, Inc. (NYSE: NET), the leading connectivity cloud company, today published its inaugural 2026 Cloudflare Threat Report. This report draws on the expertise of the Cloudforce One threat research team and the scale of Cloudflare’s global network to spotlight a fundamental rewiring of the modern cyberattack. The data reveals that threat actors are using DDoS attacks of unprecedented scale, leveraging AI systems to exploit vulnerabilities, and continuing to strike at traditional weak spots like email to find ways to “log in” versus “break in.”

The 2026 report arms security teams against emerging threats, detailing the tactics and trends behind the 230 billion threats Cloudflare blocks on average each day. With AI making it easier for anyone to launch sophisticated attacks, threat actors are moving faster than ever. They are not just crashing websites; they are quietly infiltrating payroll systems and tricking software into trusting them. Security is no longer about keeping strangers out, it’s about proving that the users inside your network are who they say they are.

“Hackers thrive on the gaps left by fragmented, stale threat intelligence. At Cloudflare, we’ve built the largest and most comprehensive global sensor network that gives us a front-row seat to threats invisible to everyone else,” said Matthew Prince, co-founder and CEO of Cloudflare. "By sharing this intelligence with the world, we’re plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate."

Over the past year, Cloudforce One has analyzed trillions of network signals and threat actor tactics, techniques, and procedures (TTPs) to uncover the most common attack vectors, nation-state espionage tactics, and the real-world impact of AI on cyberattacks. Key findings include:

• AI Erases the Technical Barrier to Entry to Launch Attacks: Threat actors are using Large Language Models (LLMs) to map networks in real-time, develop new exploits, and create hyper-realistic deepfakes. Cloudforce One tracked a threat actor who leveraged AI to help identify the location of high-value data. This allowed the actor to compromise hundreds of corporate tenants — high-volume SaaS applications that allow multiple organizations to share resources — in one of the most impactful supply chain attacks seen.
• Chinese Threat Actors Trade Broad Attacks for Precision Strikes: State-sponsored actors, specifically Salt Typhoon and Linen Typhoon, have shifted focus toward North American telecommunications, government entities, and IT services. These actors are shifting from traditional espionage to persistent pre-positioning — the act of installing code on the network or system of a rival state to allow for future attacks — within U.S. critical infrastructure.
• Corporate Identities are Being Hijacked: North Korean operatives are using AI-generated deepfakes and fraudulent IDs to bypass hiring filters, embedding state-sponsored workers directly into Western corporate payrolls. Using U.S.-based "laptop farms," these threat actors are masking their true location.
• DDoS Attacks Surpass Human Response Capabilities: Large-scale botnets like Aisuru have evolved into nation-state level threats capable of taking down entire country’s networks. With record-breaking attacks reaching 31.4 Tbps, these high-speed strikes now demand fully autonomous defenses.

“Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organizations must shift from a reactive posture to one fueled by real-time, actionable intelligence,” said Blake Darché, head of threat intelligence, Cloudforce One at Cloudflare. “This report is a North Star for understanding the scale of attacks, and how threat actor aggression and techniques are shifting. The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”

To learn more about the 2026 Cloudforce One Threat Intelligence Report please check out the resources below:

• 2026 Cloudforce One Global Threat Report
• Cloudforce One

About Cloudforce One

Driven by a mission to help defend the Internet, Cloudforce One leverages telemetry from Cloudflare’s global network, which protects approximately 20% of the web, to drive threat research and operational response, protecting critical systems for millions of organizations worldwide.

About Cloudflare

Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business.

Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest Internet trends and insights at https://radar.cloudflare.com.

Follow us: Blog | X | LinkedIn | Facebook | Instagram

Forward-Looking Statements

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding the capabilities and effectiveness of Cloudforce One and Cloudflare’s other products and technology, the benefits to Cloudflare’s customers from using Cloudforce One and Cloudflare’s other products and technology, Cloudflare’s plans and objectives for the 2026 Cloudflare Threat Report, Cloudflare’s global network, and Cloudflare’s products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO, head of threat intelligence, and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Annual Report on Form 10-K filed on February 26, 2026, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

©2026 Cloudflare, Inc. All rights reserved. Cloudflare, the Cloudflare logo, and other Cloudflare marks are trademarks and/or registered trademarks of Cloudflare, Inc. in the U.S. and other jurisdictions. All other marks and names referenced herein may be trademarks of their respective owners.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260303235760/en/

Cloudflare, Inc.

Daniella Vallurupalli

Vice President, Head of Global Communications

press@cloudflare.com

Source: Cloudflare, Inc.