UPDATED 09:00 EDT / MARCH 03 2026

Cloudflare warns AI and SaaS integrations are fueling industrial-scale cybercrime

A new report out from Cloudflare Inc. today warns that cybercrime has reached full industrial scale, with attackers weaponizing the openness of the internet and the connective tissue of cloud and software-as-a-service platforms to move faster and more efficiently than ever.

The inaugural 2026 Cloudflare Threat Report draws on telemetry from a network that processes more than 20% of global internet traffic and blocks more than 234 billion threats a day. The report forecasts that 2026 will reward stealth over spectacle: instead of chasing technically elegant exploits, threat actors are optimizing for a “measure of effectiveness” that prioritizes speed, automation and return on effort.

The report provides various examples to back up its claims. In a campaign tracked as GRUB1, attackers compromised a trusted SaaS-to-SaaS connection and then used generative artificial intelligence to navigate complex enterprise platforms in real time. The actor turned a single integration into a multitenant breach with supply chain implications by identifying high-value database tables moments before accessing production environments.

Large language models are now a force multiplier across the attack chain, the report added. They’re being used to generate phishing lures at scale, bridge knowledge gaps in specialized enterprise software and accelerate exploit development.

Though some aspects of the attack path are evolving, others stay the same, with the report finding that email remains a primary entry point.

Link-based phishing accounted for the largest share of detections in Cloudflare’s dataset, and nearly half of analyzed emails failed domain-based message authentication, reporting and conformance, or DMARC, validation, exposing what the report describes as a persistent authentication gap. Cloudflare says industrialized phishing-as-a-service operations are capitalizing on that weakness: they offer turnkey infrastructure that can bypass multifactor authentication by harvesting live session tokens instead of static passwords.

On the infrastructure side, the report details that distributed denial-of-service attacks have become both larger and faster. So-called hypervolumetric assaults are now hitting a 31.4-terabit-per-second baseline and peaking within seconds, compressing response windows to near zero.

Business email compromise continues to deliver reliable returns, the report found. Cloudforce One analysts identified more than $123 million in explicit financial theft attempts in 2025 alone. Attackers consistently targeted requests around the $49,000 mark, large enough to be profitable yet often small enough to evade scrutiny.

The report also details the role of nation-state actors. Alleged China-linked groups such as Salt Typhoon and Linen Typhoon are prioritizing North American telecommunications, government and information technology services for long-term pre-positioning within critical infrastructure.

North Korean operators were found to have industrialized remote IT worker schemes using deepfakes and U.S.-based laptop farms to funnel revenue back to the regime. Other state actors embed command-and-control traffic inside trusted cloud platforms to blend into legitimate enterprise activity.

To counter this shift, Cloudflare argues, defenders must move toward equally automated, system-level resilience to keep pace. “Organizations must pivot from reactive, infrastructure-centric defense to a proactive, identity-centric resilience model,” the Cloudflare researchers write. In a landscape defined by session hijacking, SaaS supply chain abuse and AI-accelerated intrusion, the identity layer, not the perimeter, has become the primary battleground.

Among the report’s recommendations are stricter enforcement of email authentication standards, including DMARC, Sender Policy Framework and DomainKeys Identified Mail; tighter controls around SaaS-to-SaaS integrations and overprivileged application programming interface keys; and expanded use of zero-trust principles, including biometric verification and geofencing for remote access tools.
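As an added illustration of what “stricter enforcement” of DMARC means in practice (this is not code from the report or the article), the Python checker below parses DMARC TXT records and separates a monitor-only p=none policy from a partially or fully enforcing one. The domains and records are constructed samples; a real audit would fetch the _dmarc.<domain> TXT record over DNS instead.

```python
# Constructed sample DMARC records; the domain names are placeholders.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong.example": "v=DMARC1; p=reject; sp=reject; pct=100; "
                      "rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    "broken.example": "v=DMARC1 p=reject",  # missing ';' separator
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":  # a broken first tag fails this check
        raise ValueError("record must start with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> dict:
    """Classify how much enforcement a record actually provides."""
    try:
        tags = parse_dmarc(record)
        pct = int(tags.get("pct", "100"))  # default: apply policy to all mail
    except ValueError as err:
        return {"level": "invalid", "findings": [str(err)]}
    policy = tags.get("p", "none")  # 'p' is required; treat absence as none
    findings = []
    if policy == "none":
        findings.append("p=none: receivers only report, nothing is blocked")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports will not be received")
    if policy == "none":
        level = "monitor-only"
    elif pct < 100 or tags.get("sp", policy) == "none":
        level = "partial"
    else:
        level = "enforcing"
    return {"level": level, "policy": policy, "findings": findings}
```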
