2026 Cloudflare Threat Report: Key Takeaways Every Australian IT Manager Should Know

Cloudflare's inaugural 2026 Threat Report reveals AI-powered attacks, 31.4 Tbps DDoS records, and a critical shift from "breaking in" to "logging in." Here's what it means for your Australian business — and what to do about it.

In March 2026, Cloudforce One — Cloudflare’s in-house threat research unit — published its inaugural 2026 Cloudflare Threat Report. The findings document what the report calls a “fundamental rewiring of the modern cyberattack.” The era of brute-force break-ins is fading. In its place is a more dangerous model: attackers who use your own trusted tools against you, log in rather than hack in, and move at a speed that makes human response effectively impossible.

For Australian IT managers and business owners, this report is not abstract. Australia was among the top targets for many of the attack categories documented — and the techniques described are exactly what is being used against local businesses right now.

Here are the key takeaways — and what they mean for your organisation.

The Core Shift: From “Breaking In” to “Logging In”

The defining insight of the 2026 Cloudflare Threat Report can be summarised in a single phrase the report uses as its headline: attackers have shifted from breaking in to logging in.

For years, the popular image of a cyberattack involved exploiting technical vulnerabilities — finding a flaw in software and using it to force entry. That model still exists, but it is no longer the dominant approach. The reason is simple economics.

The report introduces a concept called Measure of Effectiveness (MOE) — the ratio of effort to operational outcome. Modern threat actors, including both financially motivated criminal groups and nation-state actors, apply this framework coldly and rationally. Why spend weeks exploiting an expensive zero-day vulnerability when a stolen login credential provides faster, cleaner, more deniable access?

The report’s telemetry found that 63% of all logins observed across Cloudflare’s network in the past three months involved credentials already compromised elsewhere — and that 94% of all login attempts originate from bots, not human users.

Infostealers such as LummaC2 extract live session tokens from infected machines rather than stored passwords — those tokens give attackers access to already-authenticated sessions, bypassing multi-factor authentication entirely. According to the report, 54% of ransomware attacks in 2025 traced back to infostealer-enabled credential theft.

What this means for Australian organisations: Your firewall and antivirus are largely irrelevant if an attacker can simply log in with valid credentials. Endpoint protection, credential monitoring, and zero-trust architecture — verifying every user and device regardless of whether they appear to be “inside” the network — are no longer optional layers. They are the primary line of defence.
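An added illustration of the credential monitoring this paragraph calls for (example code, not from the report or Cloudflare): the constructed auth log below has one source address trying many distinct usernames and finally succeeding, which is the shape of a credential-stuffing run that "logs in" with a valid, stolen password. Log format, addresses and usernames are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log, not real telemetry:
# timestamp, source IP, username, result.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z 203.0.113.7 alice FAIL
2026-03-02T09:00:02Z 203.0.113.7 bob FAIL
2026-03-02T09:00:02Z 203.0.113.7 carol FAIL
2026-03-02T09:00:03Z 203.0.113.7 dave FAIL
2026-03-02T09:00:03Z 203.0.113.7 erin FAIL
2026-03-02T09:00:04Z 203.0.113.7 frank OK
2026-03-02T09:05:10Z 198.51.100.20 alice FAIL
2026-03-02T09:05:40Z 198.51.100.20 alice OK
"""

def parse_log(text):
    """Split each line into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events

def find_stuffing(events, min_users=5):
    """Return {ip: [users that logged in OK]} for every source IP that
    attempted at least min_users distinct usernames. A successful login
    from such a source is a stolen-credential login, not a user typo,
    and the account should be treated as compromised."""
    users_by_ip = defaultdict(set)
    ok_by_ip = defaultdict(set)
    for _, ip, user, result in events:
        users_by_ip[ip].add(user)
        if result == "OK":
            ok_by_ip[ip].add(user)
    return {ip: sorted(ok_by_ip[ip])
            for ip, users in users_by_ip.items() if len(users) >= min_users}

def automated_share(events, flagged):
    """Fraction of all login attempts that came from flagged sources."""
    hits = sum(1 for _, ip, _, _ in events if ip in flagged)
    return hits / len(events) if events else 0.0

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    flagged = find_stuffing(ev)
    print(flagged)                       # {'203.0.113.7': ['frank']}
    print(automated_share(ev, flagged))  # 0.75
```

The normal user at 198.51.100.20 (one failed attempt, then success) is not flagged; only the spraying source is, together with the account it got into.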

Finding 1 — AI Has Eliminated the Technical Barrier to Cybercrime

The 2026 report’s first major finding is that threat actors are using Large Language Models (LLMs) to map networks in real time, develop new exploits, and create hyper-realistic deepfakes. Cloudforce One tracked a threat actor who leveraged AI to identify the location of high-value data — allowing the actor to compromise hundreds of corporate tenants in one of the most impactful supply chain attacks documented.

Until recently, conducting a sophisticated cyberattack required genuine technical skill — the ability to write malware, find vulnerabilities, and navigate complex enterprise environments. AI has compressed that learning curve to near zero. Attackers can now use AI tools to scan for exposed credentials, identify misconfigured cloud services, draft convincing phishing emails in fluent English, and automate lateral movement through a network after initial access.

The report found that in 2025, security researchers detected over USD 123 million in attempted fraud through Business Email Compromise (BEC) attacks — with the brands most frequently impersonated including Microsoft, Windows, SANS Institute, Stripe, and Facebook.

The deepfake threat extends beyond email. State-sponsored operatives linked to North Korea are obtaining employment at Western organisations using AI-generated deepfake profiles and US-based laptop farms that create the appearance of domestic residency — embedding themselves as legitimate employees with insider access.

What this means for Australian organisations: The assumption that your business is too small or unglamorous to be targeted by sophisticated attacks is no longer valid. AI-automated tools mean that sophisticated techniques can now be applied at scale against any target. Staff training on phishing and social engineering, MFA enforcement, and email authentication (DMARC) are critical.

Finding 2 — DDoS Attacks Have Exceeded Human Response Speed

Cloudflare observed 47.1 million DDoS attacks in 2025, more than double the previous year and equivalent to more than 5,000 attacks every hour. Network-layer attacks more than tripled year over year, and Cloudforce One recorded 19 new world-record attacks during the year. Many of these incidents lasted less than ten minutes, leaving very little time for human intervention.

The scale milestone that defines this era is a single attack: a 31.4 Tbps UDP flood launched by the Aisuru botnet in November 2025, nearly six times the peak volume of the largest attack recorded in 2024. Aisuru and its successor Kimwolf collectively control an estimated one to four million infected hosts.

To put 31.4 Tbps in context: that is enough traffic to overwhelm the internet infrastructure of a mid-sized country. Large-scale botnets like Aisuru have evolved into nation-state level threats capable of taking down entire country networks — with these high-speed strikes now demanding fully autonomous defences.

The implication is stark: at this scale and speed, there is no human response fast enough. By the time an analyst reviews an alert, the attack has either been automatically mitigated or the damage is done. Manual DDoS response is no longer a viable model.

What this means for Australian organisations: Australia recorded a 280% increase in DDoS incidents in FY2024–25, according to the ACSC. The global trend documented in the 2026 Cloudflare report is the context for that number — and it is accelerating. Organisations without automated, always-on DDoS mitigation are operating with a critical gap.

Finding 3 — Your Trusted Cloud Tools Are Being Used Against You

One of the most operationally significant findings in the 2026 report is the systematic weaponisation of legitimate cloud services.

Instead of using known malicious servers, attackers are utilising legitimate cloud ecosystems like Google Drive, Microsoft Teams, and Amazon S3 to mask their command-and-control traffic — wearing the uniform of trusted providers to make their activity nearly indistinguishable from benign corporate traffic.

SaaS platforms are also being used by threat actors to host, launch, redirect, or scale attacks. Services like Amazon SES and SendGrid, designed for legitimate bulk email delivery, are frequently exploited to launch phishing campaigns at scale.

The most technically sophisticated example documented: FrumpyToad, attributed to China, uses what Cloudforce One calls “logic-based C2” — reading and writing encrypted commands directly into Google Calendar event descriptions, operating entirely within the legitimate logic of a widely trusted SaaS application.

Over-privileged SaaS-to-SaaS connections — where one compromised API can trigger breaches across hundreds of corporate environments — represent one of the report’s most urgent structural warnings.

What this means for Australian organisations: Conventional security tools that rely on IP reputation or known malicious domains will miss these attacks entirely. The traffic looks legitimate because it is legitimate infrastructure. Detecting it requires behavioural analysis at the application layer — exactly what a properly configured WAF (Web Application Firewall) and Zero Trust architecture are built to do.

Finding 4 — Email Remains the Most Exploited Entry Point

Despite decades of awareness campaigns, email remains the single most reliable attack vector — and it is getting more dangerous, not less.

Email telemetry in the report found that nearly 46% of analysed emails failed DMARC — an email authentication protocol — revealing a large surface area that Phishing-as-a-Service (PhaaS) bots are rapidly exploiting.

Phishing-as-a-Service has industrialised what was previously a skilled craft. Attackers can now rent a complete phishing operation — hosting, templates, credential harvesting, and bypass techniques — with no technical knowledge required. Analysts observed attackers leveraging high-reputation domains including Google Drive and Azure to bypass email security filters, as these domains are automatically trusted by most enterprise security tools.

What this means for Australian organisations: If your domain does not have DMARC, DKIM, and SPF configured, you are both easier to impersonate and less protected against inbound phishing. Email security configuration is one of the highest-ROI defensive actions available — and one of the most commonly neglected.

Finding 5 — Nation-State Actors Are Now a Threat to Every Sector

The 2026 report names specific nation-state threat groups and their targeting priorities in detail that is unusual for a public report.

Chinese state-sponsored actors Salt Typhoon and Linen Typhoon have shifted focus toward North American telecommunications and government infrastructure, while North Korean operatives tracked as PatheticSlug, the Russian actor NastyShrew, and the Iranian group CrustyKrill have each been observed conducting operations against Western targets.

The practical takeaway for Australian businesses: while direct nation-state targeting of individual SMBs remains unlikely, these groups systematically exploit the supply chain. A smaller business that supplies services to a government agency, a financial institution, or critical infrastructure operator may be targeted as a softer path to the ultimate objective.

Australia’s critical infrastructure — defined under the SOCI Act to include 22 sectors — has been repeatedly identified as a priority target in ACSC reporting. The 2026 Cloudflare Threat Report provides the global context for what Australian threat intelligence reports have been documenting locally.

What Australian Businesses Should Do Right Now

The 2026 Cloudflare Threat Report is not a document designed to create panic — it is, as Cloudforce One’s head of threat intelligence Blake Darché put it, a “North Star for understanding the scale of attacks.” The organisations best positioned to withstand these threats are those that have moved from reactive to proactive security postures.

Concretely, that means:

Implement automated DDoS protection. At 31.4 Tbps and attack durations under 10 minutes, human response is no longer viable. You need always-on, autonomous mitigation.

Deploy a Web Application Firewall (WAF). Living-off-the-land attacks that route through trusted cloud infrastructure require application-layer behavioural inspection to detect — exactly what a WAF provides.

Enforce Zero Trust. The shift from “break in” to “log in” means perimeter-based security is insufficient. Every access request must be verified, regardless of origin.

Secure your email with DMARC/DKIM/SPF. A 46% failure rate globally means these records are likely misconfigured or absent in your environment. They take hours to fix and close a major attack surface.

Protect endpoints with EDR. With 54% of ransomware originating from infostealer-enabled credential theft, endpoint protection that detects infostealer behaviour — not just known malware signatures — is essential.
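For the DMARC/SPF guidance in Finding 4 and the email action item above, here is an added example (not from the report, Cloudflare or ANP Technology) that checks published SPF and DMARC records for the weak settings that leave a domain easy to impersonate: an SPF record ending in "+all" or "?all", a DMARC policy of p=none, partial enforcement via pct, and a missing reporting address. The records are constructed stand-ins for DNS TXT lookups; the domain names and the include target are assumptions.

```python
# Constructed sample TXT records standing in for DNS lookups of three domains.
SAMPLE_TXT = {
    "weak.example.au": {"spf": "v=spf1 include:_spf.example.net ~all",
                        "dmarc": "v=DMARC1; p=none; pct=50"},
    "strong.example.au": {"spf": "v=spf1 include:_spf.example.net -all",
                          "dmarc": "v=DMARC1; p=reject; sp=reject; "
                                   "rua=mailto:dmarc@strong.example.au; adkim=s; aspf=s"},
    "absent.example.au": {},  # no records published at all
}

def parse_tags(record):
    """Turn a 'k=v; k2=v2' DMARC record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_spf(spf):
    """Only the terminal 'all' qualifier decides what happens to unlisted senders."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    last = spf.split()[-1].lower()
    if last in ("+all", "all", "?all"):
        return [f"SPF: terminal '{last}' authorises any sender"]
    if last == "~all":
        return ["SPF: softfail '~all'; receivers may still accept spoofed mail"]
    return [] if last == "-all" else ["SPF: no terminal 'all' mechanism"]

def check_dmarc(dmarc):
    """p=none only monitors; quarantine/reject actually block failing mail."""
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        return ["DMARC: no v=DMARC1 record published"]
    tags, findings = parse_tags(dmarc), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} does not block spoofed mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} enforces policy on only part of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are lost")
    if tags.get("sp", policy).lower() not in ("quarantine", "reject"):
        findings.append("DMARC: subdomains fall back to a non-blocking policy")
    return findings

def assess(domain, txt=SAMPLE_TXT):
    """Return the list of weaknesses found for one domain (empty means sound)."""
    recs = txt.get(domain, {})
    return check_spf(recs.get("spf")) + check_dmarc(recs.get("dmarc"))
```

Swapping SAMPLE_TXT for real TXT lookups (for example via dnspython) turns this into a quick audit of your own domains; a strict result still needs DKIM signing to be in place so that legitimate mail aligns and passes.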

How ANP Technology Can Help

As an official Cloudflare partner based in Sydney, ANP Technology helps Australian businesses implement the exact defensive technologies the 2026 Threat Report identifies as critical:

Cloudflare DDoS Protection — Automated, unmetered mitigation across Layer 3, 4, and 7, backed by Cloudflare’s 348 Tbps global network. Designed for the era of 31.4 Tbps attacks.

Cloudflare WAF — Application-layer protection against living-off-the-land attacks, SQL injection, XSS, and bot abuse — with real-time threat intelligence updated across 20% of the web.

Cloudflare Zero Trust (Access) — Verify every user and device on every access attempt, eliminating the credential-based attack surface the report identifies as the primary risk vector.

Contact the ANP Technology team today and make sure your 2026 security posture reflects the 2026 threat landscape — not the one from five years ago. Contact us: https://www.anptech.com.au/contact-us/

Download the Report: https://blog.cloudflare.com/2026-threat-report/