Cloudflare Threat Report 2026: Key Cybersecurity Insights
Cloudflare’s network blocks over 230 billion threats daily, revealing alarming trends in cyberattacks. The Cloudflare threat report 2026 highlights how attackers are evolving tactics, leveraging stolen sessions, cloud platforms, and AI-driven phishing to bypass traditional defenses. Here’s what organizations need to know to stay ahead.
Stolen Sessions Replace Credential Guessing
Infostealers like LummaC2 now extract live session tokens instead of stored passwords, bypassing multi-factor authentication (MFA). According to the report, 54% of 2025 ransomware attacks originated from stolen session tokens. Cloudflare’s threat team disrupted LummaC2 infrastructure in 2025 but warns successor variants will automate attacks to hours, not days.
Cloud Platforms as Attack Infrastructure
Threat actors are using legitimate cloud services (AWS, Azure, Google Cloud) to blend malicious traffic with normal activity. This tactic, dubbed “Living off the XaaS” (LotX), lets attackers exploit SaaS platforms like Google Calendar for command-and-control. Chinese-affiliated groups targeted telecom providers, while Iranian-linked actors used Azure Web Apps for persistence.
DDoS Attacks Reach Record Volumes
Cloudflare recorded 47.1 million DDoS attacks in 2025, with network-layer attacks tripling. The largest attack—a 31.4 Tbps UDP flood—was six times bigger than 2024’s peak. Most attacks now last under 10 minutes, leaving little time for manual mitigation.
Phishing Exploits Email Authentication Gaps
43% of emails failed SPF checks, and 46% failed DMARC in 2025, enabling Phishing-as-a-Service. Spoofed messages impersonating Microsoft, Stripe, and Facebook accounted for $123 million in BEC fraud. Attackers target amounts below executive approval thresholds, averaging $49,225 per attempt.
North Korean Deepfake Workforces
State-sponsored operatives are infiltrating Western companies using AI-generated profiles and U.S.-based laptop farms. These “ghost employees” funnel salaries to North Korea and create backdoors into internal systems. Detection clues include impossible travel logins and video metadata anomalies.
Manufacturing Sector Under Siege
Over 50% of ransomware attacks in 2025 targeted manufacturing and critical infrastructure. The high cost of operational downtime makes these sectors prime targets. Cloudflare recommends adopting a “Secure by Design” approach to embed security from the start.
Conclusion: Proactive Defense is Critical
The Cloudflare threat report 2026 underscores the need for real-time intelligence and automated defenses. Organizations must shift from reactive strategies to proactive, data-driven security. Start by auditing session token usage, hardening cloud configurations, and training teams to spot phishing attempts.
FAQs
1. What are the key findings of the Cloudflare threat report 2026?
The report reveals 230B+ daily threats, stolen session tokens replacing MFA bypasses, and cloud platforms being weaponized for attacks.
2. How do infostealers bypass MFA?
Infostealers extract live session tokens from infected machines, granting access to already-authenticated sessions without needing credentials.
3. Why are DDoS attacks increasing?
Botnets like Aisuru and Kimwolf control millions of infected hosts, launching attacks under 10 minutes that overwhelm manual defenses.
4. How do North Korean operatives infiltrate companies?
They use AI-generated deepfake profiles and U.S.-based laptop farms to mimic legitimate employees, funneling salaries and creating backdoors.
5. What sectors are most targeted?
Manufacturing and critical infrastructure face 50% of ransomware attacks due to the high cost of operational downtime.








