Cloudflare Report: AI Drives Log-In Threat Shift

The Cloudflare Threat Intelligence Report 2026, which analyses 230 billion daily blocked threats, documents a paradigm shift in which adversaries prioritise ‘logging in’ over ‘breaking in’, using AI to automate reconnaissance, exploit development and deepfake generation in pursuit of persistent access. Large language models enable real-time network mapping and localisation of high-value data, allowing supply chain compromises to spread across hundreds of SaaS tenants with unprecedented efficiency. CEO Matthew Prince emphasised that sharing this intelligence raises attacker costs by giving defenders global visibility into evolving tactics.

For CISOs, the report signals that perimeter defences alone fail against industrialised threats, which demand identity-first security and behavioural analytics to detect anomalous logins disguised as legitimate activity. Indian enterprises, increasingly targeted in credential-stuffing campaigns, should read the democratisation of AI as compressing detection windows, which makes autonomous mitigations necessary in place of manual response teams.

Nation-state pre-positioning in critical infrastructure

Chinese actors Salt Typhoon and Linen Typhoon have pivoted to precision strikes on North American telecoms, government and IT services, embedding persistent code for future disruption rather than immediate exfiltration, as seen in the AT&T, Verizon, Lumen and Microsoft SharePoint breaches. North Korean operatives gain insider access through AI deepfakes and fraudulent remote hiring, using U.S. laptop farms to funnel salaries; such placements are detectable via travel anomalies and video artifacts.

These tactics expose supply chains to long-dwell threats where nation-states establish footholds for geopolitical leverage, compelling enterprises to audit remote onboarding, vendor telemetry sharing and privileged session monitoring rigorously.

Hyper-volumetric DDoS exceeds human response

Aisuru botnet attacks peaked at 31.4 Tbps and 200 million requests per second, exceeding human-scale mitigation and autonomously targeting telecoms and IT infrastructure from compromised Android TVs and IoT devices. Cloudflare’s autonomous defences absorbed these attacks without raising alerts, underlining the need for always-on, AI-driven DDoS scrubbing to keep mission-critical services available.

Infrastructure leaders must deploy capacity planning for Tbps-scale bursts, integrating botnet intelligence feeds to preempt campaigns before they overwhelm legacy appliances.

Enterprise imperatives for intelligence-led defence

Threat actors optimise via ‘measure of effectiveness’ metrics, dynamically adapting to countermeasures, as Cloudflare observed in payroll infiltrations and SaaS tenant compromises. Blake Darché advocates real-time intelligence over reactive postures to counter velocity gains from AI tooling.

Organisations should operationalise continuous threat exposure management, fusing network telemetry with identity signals for proactive hunting of pre-positioned actors and deepfake-enabled insiders.
