Cloudflare Warns of New Attack Pattern: No Longer “Breaking In,” Now “Logging In”

The classic image of a cyberattack—an intruder breaking down a system’s door—is becoming outdated. According to the first Threat Intel Report 2026 published by Cloudflare, state actors and cybercriminals are changing their strategies: instead of forcing entry through exploits, they seek ways to “log in”, that is, to impersonate legitimate users, move stealthily through corporate applications, and turn identity into the new attack surface.

The report, prepared by the Cloudforce One research team and supported by Cloudflare’s global network, depicts a reconfiguration of modern cyberattacks: record-breaking DDoS attacks, intensive use of language models (LLMs) to accelerate exploitation and reconnaissance, and a growing reliance on traditional weak points—especially email—for credential theft and persistent access.

To grasp the scale of the problem, Cloudflare provides a figure that summarizes the volume of this invisible war: the company claims to block an average of 230 billion threats daily. And the fundamental shift isn’t just quantitative but qualitative: with AI lowering barriers to entry, attackers are moving “faster than ever,” and defense is no longer just about building walls but about continuously proving that those inside are who they claim to be.

AI as a multiplier: less technical skill, greater reach

One of the most alarming findings of the report is how attackers are using LLMs to industrialize tasks that previously required specialization: real-time network mapping, exploit development, generating hyper-realistic deepfakes, and generally speeding up the entire attack cycle.

Cloudflare describes a case tracked by Cloudforce One where an actor used AI to identify the location of high-value data and then compromised hundreds of corporate environments in high-volume, multi-tenant SaaS applications. According to the company, this resulted in one of the “most impactful” supply chain attacks observed to date. Beyond technical details, the lesson is clear: AI is making advanced attacks more accessible and scalable.

China: from mass attacks to surgical precision

The report also highlights a shift in patterns among actors linked to China. Instead of indiscriminate campaigns, Cloudflare notes that groups like Salt Typhoon and Linen Typhoon have shifted focus toward higher-value strategic targets: North American telecommunications, government entities, and IT services.

The key here is “persistent prior positioning”: installing components within an adversary’s network to enable future actions—a tactic that blurs the line between espionage and operational preparation. When applied to telecommunications, the risk is no longer just data theft but a potential threat to critical infrastructure and essential services.

North Korea: the “kidnapping” of corporate identities from within

If the idea of “logging in” as an attacker was already concerning, the report describes an even more troubling evolution: operations linked to North Korea reportedly using AI-generated deepfakes and fraudulent identities to infiltrate hiring processes in Western companies and end up inside corporate payrolls.

The technique, according to Cloudflare, even relies on “laptop farms” located in the United States to mask the real location of the actors. The practical impact is severe: an attacker no longer needs to breach a perimeter if they can get hired, operate with genuine credentials, and move within the organization as an employee.

This kind of threat forces a rethinking of traditional HR and security controls: identity validation, presence verification, strong authentication, and behavior monitoring from day one.

DDoS at inhuman scale: when manual response is out of reach

The report also issues a stark warning about the most visible front: denial-of-service attacks. Cloudflare points out that DDoS attacks are reaching a scale beyond human response capacity. It mentions botnets like Aisuru, which have evolved into “state-level” threats, with record attacks of 31.4 Tbps.

In such scenarios, defense can’t rely on manual escalation, slow decisions, or improvised mitigation. The conclusion is that, faced with bursts of such magnitude, organizations need autonomous defenses, automation, and a security posture based on real-time telemetry.

“Security is no longer about keeping outsiders out”

The paradigm shift proposed by Cloudflare is summarized in one phrase: the goal is no longer just to prevent intrusions but to prevent impersonation. When an attacker “logs in,” traditional alarms may not trigger. Therefore, the report emphasizes actionable threat intelligence and closing gaps created by fragmented signals.

Matthew Prince, CEO of Cloudflare, argues that attackers “prosper” where intelligence is obsolete or incomplete, and that sharing visibility helps to “give defenders the advantage.” Similarly, Blake Darché, threat intelligence lead at Cloudforce One, sums up the message bluntly: either you lead with real-time intelligence, or you risk always being behind.

Summary table of key findings from the report

| Trend | What’s happening | Why it matters |
| --- | --- | --- |
| AI in attacks | LLMs for reconnaissance, exploits, and deepfakes | Lowers barriers and accelerates campaigns |
| China (Salt Typhoon, Linen Typhoon) | From volume to precision; focus on telcos and government | Increased strategic and critical infrastructure risks |
| North Korea | Deepfakes for infiltrating payrolls; “laptop farms” | Attackers enter as “employees” |
| Extreme DDoS | Peaks of 31.4 Tbps; botnets like Aisuru | Manual mitigation no longer scales |
| Changing tactics | From “breaking in” to “logging in” | Identity becomes the perimeter |

In summary, the Threat Intel Report 2026 portrays a cybersecurity landscape in which the perimeter blurs and identity becomes the battleground. It leaves us with an uncomfortable idea: when an attacker is already “inside” with valid credentials, defense depends less on walls and more on continuous authenticity checks, telemetry, and automation.


Frequently Asked Questions

What does it mean that attackers shift from “breaking in” to “logging in”?
They prioritize gaining access with real or impersonated credentials (via phishing, fraud, or infiltration) to move as legitimate users and avoid traditional detections.

How does AI affect cybersecurity according to Cloudflare?
Cloudflare states that attackers use LLMs to map networks, develop exploits, and create deepfakes, lowering the technical barriers for sophisticated attacks.

What is a “laptop farm” and why is it associated with labor fraud?
The report suggests that farms of laptops located in the U.S. are used to hide the true location of operatives aiming to penetrate companies using fake identities.

How can a company defend against DDoS attacks exceeding 30 Tbps?
The report recommends that, at such scale, autonomous, automated defenses with real-time mitigation are necessary because human response would be too slow.
