Cloudflare 2026 Threat Report: 230 Billion Daily Threats as

The Scale of Modern Cyber Threats

Cloudflare's threat research unit, Cloudforce One, has published its inaugural 2026 Cyber Threat Intelligence Report, drawing on telemetry from a network that handles roughly 20% of global web traffic. The headline figure is staggering: Cloudflare's infrastructure blocks over 230 billion cyber threats per day.

The report covers activity observed through 2025 and projects emerging trends, with one clear message: attackers are increasingly "logging in" rather than "breaking in."

Key Findings at a Glance

Metric	Value
Daily threats blocked	230+ billion
DDoS attacks (2025)	47.1 million (doubled year-over-year)
Network-layer DDoS growth	3x year-over-year increase
Largest DDoS recorded	31.4 Tbps UDP flood (Aisuru botnet, Nov 2025)
World-record DDoS events	19 new records in 2025
Bot login attempts	94% of all login traffic
Compromised human logins	46% use previously breached credentials

DDoS Attacks More Than Doubled

The total number of DDoS attacks observed by Cloudflare more than doubled in 2025, reaching 47.1 million incidents. Network-layer attacks specifically tripled year-over-year.

Cloudforce One recorded 19 new world-record DDoS attacks during the year. The largest — a 31.4 Tbps UDP flood launched by the Aisuru botnet in November 2025 — was nearly six times the peak volume of the largest attack recorded in 2024.

The Identity Crisis: Logging In Instead of Breaking In

Perhaps the most significant finding is the fundamental shift in how breaches begin. The report documents a clear trend away from traditional exploit-based intrusions toward credential-based attacks:

Bot-Driven Credential Abuse

94% of all login attempts on Cloudflare's network originate from bots
Of the remaining human login attempts, 46% involve credentials already compromised in prior breaches
Identity abuse now accounts for nearly two-thirds of major data breaches

Nation-State Identity Operations

The report highlights how North Korean state-sponsored operatives are obtaining employment at Western organizations using:

AI-generated deepfake profiles to pass video interviews
U.S.-based laptop farms that create the appearance of domestic residency
These operatives then gain legitimate insider access to corporate networks

Cloud Services as Attack Infrastructure

Threat actors across multiple nation-state categories are routing malicious activity through legitimate cloud services, including:

AWS, Google Cloud, and Azure for hosting attack infrastructure
SaaS platforms like Google Calendar and Dropbox for command-and-control
This approach blends attack traffic with normal enterprise usage, making detection significantly harder for network security teams

The technique mirrors the GRIDTIDE backdoor approach documented in Google's recent UNC2814 disclosure, where Google Sheets was abused as a C2 channel — suggesting this pattern is becoming the norm for sophisticated threat actors.

Recommendations

For Security Operations Teams

Prioritize identity security — invest in phishing-resistant MFA and credential monitoring
Deploy bot management capable of distinguishing automated from human login attempts
Monitor for credential stuffing using breach databases and dark web intelligence feeds
Implement zero-trust architectures that verify every access request regardless of source

For Network Defense

Ensure DDoS mitigation can handle multi-terabit attacks — the 31.4 Tbps record is the new baseline
Monitor cloud service API usage for anomalous patterns that could indicate C2 abuse
Segment critical systems from general network access to limit blast radius

For Executive Leadership

Identity is now the primary attack surface — budget accordingly
Review insider threat programs in light of North Korean deepfake employment schemes
Evaluate cloud security posture management tools to detect abuse of legitimate services

Key Takeaways

230 billion daily threats underscores the industrial scale of modern cyberattacks
DDoS attacks doubled to 47.1 million, with the largest reaching 31.4 Tbps
94% of login traffic is bots — credential abuse has overtaken vulnerability exploitation as the primary intrusion method
46% of human logins use breached credentials — password reuse remains epidemic
Cloud services are the new attack infrastructure — legitimate platforms are being weaponized for C2
The shift from "breaking in" to "logging in" demands a fundamental rethink of defensive strategies centered on identity

The Scale of Modern Cyber Threats

The report covers activity observed through 2025 and projects emerging trends, with one clear message: attackers are increasingly "logging in" rather than "breaking in."

Key Findings at a Glance

Metric	Value
Daily threats blocked	230+ billion
DDoS attacks (2025)	47.1 million (doubled year-over-year)
Network-layer DDoS growth	3x year-over-year increase
Largest DDoS recorded	31.4 Tbps UDP flood (Aisuru botnet, Nov 2025)
World-record DDoS events	19 new records in 2025
Bot login attempts	94% of all login traffic
Compromised human logins	46% use previously breached credentials

DDoS Attacks More Than Doubled

The total number of DDoS attacks observed by Cloudflare more than doubled in 2025, reaching 47.1 million incidents. Network-layer attacks specifically tripled year-over-year.

The Identity Crisis: Logging In Instead of Breaking In

Bot-Driven Credential Abuse

94% of all login attempts on Cloudflare's network originate from bots
Of the remaining human login attempts, 46% involve credentials already compromised in prior breaches
Identity abuse now accounts for nearly two-thirds of major data breaches

Nation-State Identity Operations

The report highlights how North Korean state-sponsored operatives are obtaining employment at Western organizations using:

AI-generated deepfake profiles to pass video interviews
U.S.-based laptop farms that create the appearance of domestic residency
These operatives then gain legitimate insider access to corporate networks

Cloud Services as Attack Infrastructure

Threat actors across multiple nation-state categories are routing malicious activity through legitimate cloud services, including:

AWS, Google Cloud, and Azure for hosting attack infrastructure
SaaS platforms like Google Calendar and Dropbox for command-and-control
This approach blends attack traffic with normal enterprise usage, making detection significantly harder for network security teams

Recommendations

For Security Operations Teams

Prioritize identity security — invest in phishing-resistant MFA and credential monitoring
Deploy bot management capable of distinguishing automated from human login attempts
Monitor for credential stuffing using breach databases and dark web intelligence feeds
Implement zero-trust architectures that verify every access request regardless of source

For Network Defense

Ensure DDoS mitigation can handle multi-terabit attacks — the 31.4 Tbps record is the new baseline
Monitor cloud service API usage for anomalous patterns that could indicate C2 abuse
Segment critical systems from general network access to limit blast radius

For Executive Leadership

Identity is now the primary attack surface — budget accordingly
Review insider threat programs in light of North Korean deepfake employment schemes
Evaluate cloud security posture management tools to detect abuse of legitimate services

Key Takeaways

230 billion daily threats underscores the industrial scale of modern cyberattacks
DDoS attacks doubled to 47.1 million, with the largest reaching 31.4 Tbps
94% of login traffic is bots — credential abuse has overtaken vulnerability exploitation as the primary intrusion method
46% of human logins use breached credentials — password reuse remains epidemic
Cloud services are the new attack infrastructure — legitimate platforms are being weaponized for C2
The shift from "breaking in" to "logging in" demands a fundamental rethink of defensive strategies centered on identity

Cloudflare 2026 Threat Report: 230 Billion Daily Threats as

The Scale of Modern Cyber Threats

Key Findings at a Glance

DDoS Attacks More Than Doubled

The Identity Crisis: Logging In Instead of Breaking In

Bot-Driven Credential Abuse

Nation-State Identity Operations

Cloud Services as Attack Infrastructure

Recommendations

For Security Operations Teams

For Network Defense

For Executive Leadership

Key Takeaways

New Speagle Malware Hijacks Cobra DocGuard for State-Sponsored Espionage

Shadow Campaigns: State-Backed Espionage Group Breaches 70+

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

Cloudflare 2026 Threat Report: 230 Billion Daily Threats as

The Scale of Modern Cyber Threats

Key Findings at a Glance

DDoS Attacks More Than Doubled

The Identity Crisis: Logging In Instead of Breaking In

Bot-Driven Credential Abuse

Nation-State Identity Operations

Cloud Services as Attack Infrastructure

Recommendations

For Security Operations Teams

For Network Defense

For Executive Leadership

Key Takeaways

New Speagle Malware Hijacks Cobra DocGuard for State-Sponsored Espionage

Shadow Campaigns: State-Backed Espionage Group Breaches 70+

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs