Cloudflare processes over 20% of the world’s Internet traffic, and the Cloudflare network is the first line of defence against more than 230 billion threats daily. The Cloudflare Threat Report highlights the industrialization of cybercrime: in 2026, we are witnessing the total industrialization of cyber threats, where the barrier to entry has vanished and the “interactive hack” is now a scalable and automated model.

The collapse of the traditional perimeter has turned identity into the primary target, while the explosion of AI and SaaS-to-SaaS complexity has given attackers a force multiplier to move through networks at machine speed. From hyper-volumetric DDoS strikes that paralyze infrastructure to the silent infiltration of corporate payrolls, the 2026 landscape is defined by a shift from brute force to high-trust exploitation. 

The findings reveal a major shift from traditional “hacking sophistication” toward what Cloudflare describes as “Measure of Effectiveness (MOE)”: attacks designed to maximize impact with minimal effort through AI, automation, cloud abuse, and identity compromise. The report also highlights several alarming trends, including:

  • AI-powered attacker operations
  • Session token theft bypassing MFA
  • Deepfake-enabled insider infiltration
  • Hyper-volumetric DDoS attacks reaching 31.4 Tbps
  • Cloud-native “Living off the XaaS” attack models
  • SaaS supply chain compromise campaigns

Key Findings

AI is automating high-velocity attacker operations 

The primary metric for risk in 2026 is the Measure of Effectiveness — the ratio of attacker effort to operational outcome. The accessibility of generative AI significantly lowers the barrier to entry for highly effective operations, moving the industry beyond technically elegant code to “offense by the system.” By leveraging a victim’s own cloud, software as a service (SaaS), and AI infrastructure to fund and scale missions, adversaries are achieving a level of frictionless scale that traditional risk models fail to capture. 


The Measure of Effectiveness (MOE)

For decades, the “sophistication” of an adversary — the technical elegance of their code or the novelty of their zero-day — was the primary barometer for danger. Today, that metric is being replaced by a more pragmatic calculation: the Measure of Effectiveness (MOE). 

AI is not just an additive tool, but the driver of a new paradigm. 

MOE evaluates a threat by the ratio of attacker effort to operational outcome. In layman’s terms, it is a measure of “bang for the buck” — where a high-MOE attack achieves maximum disruption with minimum cost. For example, rather than spending millions to develop a custom exploit, a 2026 adversary might use a low-cost GenAI subscription to automate credential harvesting across thousands of targets.

This model measures velocity from initial access to exfiltration and the frictionless scale that attackers leverage to target hundreds of victims at once. This approach exploits a profound resource asymmetry, repurposing a victim’s own cloud, SaaS, and AI infrastructure to fund and execute the mission.

The primary threat is no longer the rarity of the skill set, but the velocity of the outcome. The sheer volume of these automated, persistent campaigns matters more than the technical elegance of the code, as the cost to discover and weaponize “weird machines” in a supply chain has been effectively commoditized. 

State-sponsored pre-positioning is compromising critical infrastructure resilience 

Chinese threat actors, notably Salt Typhoon and Linen Typhoon, are prioritizing North American telecommunications, government, and IT services for persistent pre-positioning. This strategic targeting suggests a deliberate shift toward preparing for future disruptive events over immediate espionage. By embedding footholds within core infrastructure, adversaries are eroding the foundational resilience of essential public and private sector services, anchoring their presence for long-term geopolitical leverage. 

Over-privileged SaaS integrations are expanding the blast radius of attacks 

The security of corporate data is now defined by third-party integrations rather than the traditional network perimeter. In 2026, a single over-privileged SaaS-to-SaaS connection can be weaponized via AI to trigger surgical, multi-tenant breaches across entire ecosystems simultaneously. This structural vulnerability turns the “connective tissue” of modern enterprises into a primary vehicle for widespread and automated operational disruption.

Adversaries are subverting service ecosystems to mask attacks 

Threat actors are weaponizing legitimate cloud ecosystems (SaaS, IaaS, and PaaS) to camouflage malicious actions within benign enterprise operations. In 2026, the use of trusted platforms for encrypted command delivery has matured into a standardized obfuscation layer within broader, multi-stage hybrid infrastructures. This democratization of scalable, high-bandwidth cloud resources allows even low-tier actors to execute sophisticated attacks that bypass traditional egress filtering. 

MOE in cloud resources: Living off the XaaS (LotX) 

The pervasive adoption of anything-as-a-service (XaaS) — including SaaS, infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) — by organizations globally has been mirrored by nearly all threat actors, representing a corresponding shift in tactics. 

Cybercriminals, nation-states, and individual hackers now routinely leverage public cloud hyperscaler resources like Amazon Web Services (AWS), Google Cloud Platform (GCP), and SaaS offerings, blending their activities into the massive volume of legitimate cloud traffic. Cloud identities and configurations are also now primary threat vectors. Rather than creating new infrastructure, attackers inhabit environments using stolen credentials from initial access brokers (IABs) or leveraging shell companies to appear legitimate.

By exploiting tenant misconfigurations — like overly permissive IAM roles or unsecured cloud storage — they move laterally and operate undetected as legitimate users. Looking ahead in 2026, the exploitation of trusted platforms will likely evolve from a tactic into a standard operational baseline.

Ultimately, this evolution will transform the threat from one of external intrusion into one of architectural subversion. As a result, defenders must move beyond traditional barrier-based security toward a model that can distinguish between legitimate usage and the weaponization of a tenant’s own cloud-native resources. 

Hyper-volumetric strikes are exhausting infrastructure capacity 

Hyper-volumetric distributed denial-of-service (DDoS) attacks, fueled by massive botnets like Aisuru, have established a record-breaking 31.4 Tbps baseline that physically exhausts most organizations’ network capacity. These autonomous strikes peak in seconds, effectively closing the window for human intervention and placing an extreme resource tax on local infrastructure. 

The Cloudflare 2026 Threat Report makes one thing clear: organizations must move beyond traditional perimeter-based security toward identity-first, cloud-native cybersecurity strategies.

Reputiva helps businesses assess cloud risks, secure SaaS environments, strengthen IAM and MFA controls, and improve cyber resilience against evolving AI-powered threats.

Book a Cloud Security & Identity Assessment today.
