New Cloudflare threat report warns AI now drives high-velocity attacker operations


Cloudflare’s threat intelligence team, Cloudforce One, says attackers now run cyber operations at machine speed and use AI to reduce cost while increasing impact. In its inaugural 2026 Cloudflare Threat Report, Cloudflare argues that adversaries increasingly choose “log in” paths like stolen sessions and bot-driven credential abuse instead of “break in” exploits, because the return on effort looks better.

Cloudflare also says defenders need to assume automation in every stage of the attack lifecycle, from phishing and credential stuffing to SaaS abuse and hyper-volumetric DDoS. The report draws from Cloudflare’s network telemetry and threat intelligence work, including identity and email signals, DDoS mitigation data, and incident investigations.

What Cloudflare says changed in 2026

Cloudflare frames the shift around attacker “efficiency.” It says adversaries choose actions that maximize impact with minimal effort, and AI compresses the timeline from target selection to compromise. The report highlights identity abuse, token theft, and trusted cloud services as the shortcuts attackers prefer today.

The numbers Cloudflare cites show why defenders feel pressure:

  • Cloudflare says 94% of all login attempts now come from bots.
  • It says nearly 46% of analyzed emails failed DMARC, which creates room for automation-driven phishing at scale.
  • It also points to a DDoS baseline that reached 31.4 Tbps, driven by hyper-volumetric events that can overwhelm legacy defenses.

Key takeaways at a glance

| Trend | What Cloudflare reported | Why it matters |
| --- | --- | --- |
| Bots dominate logins | 94% of login attempts originate from bots | Identity defenses need automation, not manual review |
| Email trust gap | ~46% of analyzed emails failed DMARC | PhaaS tooling scales fast when authentication fails |
| Record-scale DDoS | 31.4 Tbps baseline in Cloudflare’s DDoS telemetry | Hyper-volumetric attacks can disrupt services and incident response |
| “Log in” beats “break in” | Token theft and credential reuse rise | MFA can still help, but attackers aim for session and SaaS abuse |
| Trusted cloud tools get abused | Attackers route activity through reputable SaaS and cloud storage | Normal-looking traffic can hide real compromise |

AI and automation: what “high-velocity” looks like now

Cloudflare says generative AI and automation lower the barrier for reconnaissance, content generation, and operational scaling. That does not mean every attacker writes a zero-day. Instead, many groups automate the cheap moves: scan faster, phish faster, test credentials faster, and reuse access faster.

Cloudflare also ties “high-velocity” to decision-making speed, not just packet volume. If bots run most login attempts and phishing infrastructure can rotate quickly, defenders need detection and response loops that work in minutes, not days.

DDoS: the volume problem keeps growing

Cloudflare’s DDoS reporting shows a major step up in scale. It says 2025 ended with record activity, including a 31.4 Tbps milestone and strong growth in very large attacks. In its Q4 2025 DDoS report, Cloudflare says total DDoS attacks more than doubled in 2025 and that network-layer attacks drove much of the growth.

Cloudflare also links the biggest events to botnets like Aisuru-Kimwolf, which its own learning material describes as capable of hyper-volumetric attacks with a very large infected host base.

Email and identity: attackers aim for sessions, not passwords

Cloudflare calls out an “identity gap” in email telemetry and says attackers exploit it with phishing automation. If almost half of analyzed emails fail DMARC, attackers gain a larger lane to deliver convincing lures and scale targeting.

The report also highlights token theft and post-authentication abuse. Attackers prefer sessions and stolen tokens because they can skip interactive login hurdles. This approach often pairs with infostealers and phishing kits that focus on browser data and SaaS access flows.

Weaponizing trusted cloud tools

Cloudflare says many threat actors now hide behind tools and services that enterprises already trust. The report points to attackers routing activity through reputable platforms, which makes malicious traffic look like normal business workflows. This trend fits the broader “living off the land” pattern where attackers rely on legitimate services instead of obviously malicious infrastructure.

What security teams should do next

  • Enforce DMARC, DKIM, and SPF, then monitor failures and alignment drift. Cloudflare’s email telemetry highlights how often DMARC fails in real traffic.
  • Treat bots as the default for login traffic, and tune controls for bot-scale attempts. Cloudflare says bots generate 94% of login attempts.
  • Harden session and token protections: shorter session lifetimes, device binding where possible, step-up checks for risky actions, and rapid token revocation after suspected theft.
  • Watch trusted SaaS and storage usage for abnormal patterns, not just “bad domains.” Cloudflare flags cloud-tool abuse as a core tradecraft shift.
  • Prepare for very large DDoS events: validate upstream capacity, rate-limit at edges, and rehearse failover. Cloudflare’s DDoS telemetry shows a higher baseline.
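
For the first recommendation, monitoring DMARC failures in practice means reading the aggregate (RUA) reports that receivers send back. The sketch below is an added example, not taken from Cloudflare's report: it summarizes one report in the RFC 7489 XML layout, and the sample report, the function name `summarize` and the output keys are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate layout, documentation IPs only).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>30</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return failure totals and the sources that need attention."""
    # Reports arrive from third parties; in production, parse them with a
    # hardened XML parser (for example defusedxml) instead of the stdlib one.
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    one_mechanism = set()
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", default="0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (dkim, spf)
        per_ip[ip]["pass" if ok else "fail"] += count
        # Passing on only one mechanism is fragile: forwarding or a key
        # rotation mistake turns these sources into failures.
        if ok and dkim != spf:
            one_mechanism.add(ip)
    total = sum(v["pass"] + v["fail"] for v in per_ip.values())
    failed = sum(v["fail"] for v in per_ip.values())
    return {
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),
        "total": total,
        "failed": failed,
        "fail_rate": failed / total if total else 0.0,
        "failing_sources": sorted(ip for ip, v in per_ip.items() if v["fail"]),
        "one_mechanism_only": sorted(one_mechanism),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Tracking `fail_rate` and `one_mechanism_only` across successive reports shows alignment drift before a domain moves from `p=none` to an enforcing policy.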

FAQ

What is Cloudflare’s main warning in the 2026 Threat Report?

Cloudflare says attackers now use AI and automation to execute high-velocity operations, and they increasingly choose identity abuse and trusted-service abuse over complex intrusion methods.

What does Cloudflare mean by “log in” instead of “break in”?

Cloudflare describes attackers leaning on stolen credentials, bots, and session abuse to get legitimate access paths rather than exploit-heavy intrusion chains.

How big are the DDoS attacks Cloudflare reports?

Cloudflare reports a 31.4 Tbps baseline milestone in its DDoS telemetry and links this period to growth in very large attacks.

Why does DMARC matter in this report?

Cloudflare says nearly 46% of analyzed emails failed DMARC, which gives attackers room to scale phishing and brand impersonation.

What should organizations prioritize first?

Cloudflare’s reporting points to email authentication, bot-resistant identity controls, token protection, and visibility into trusted SaaS usage patterns.
