
Cloudflare just dropped its inaugural 2026 Cloudflare Threat Report, and it reads less like a traditional “top 10 threats” list and more like a field guide to modern adversaries who have discovered a dangerous productivity hack: stop trying to be clever and start trying to be effective.
The announcement, published on March 3, 2026 on the Cloudflare Blog as Introducing the 2026 Cloudflare Threat Report by Cloudforce One, frames the year ahead around a concept Cloudflare calls Measure of Effectiveness (MOE). It’s the attacker’s version of KPI culture: the cold, spreadsheet-friendly ratio of effort to outcome. And if that sounds grimly familiar to anyone who’s ever had to justify a security budget, yes — that’s the joke. The villains have OKRs now.
In this article, I’ll unpack what Cloudflare is arguing, cross-check it against other reporting and research, and translate the big trends into concrete takeaways for CISOs, security engineers, and the rest of us who occasionally enjoy sleeping through the night.
What the 2026 Cloudflare Threat Report is (and why it matters)
Cloudflare’s threat reporting has typically been delivered in slices — quarterly DDoS reports, vulnerability briefs, Radar datasets, and Cloudforce One research write-ups. This new annual Threat Report is meant to be the umbrella: a strategic roadmap built from Cloudflare’s global telemetry and incident-response visibility. In the launch post, Cloudflare describes a year spent translating “trillions of network signals” into actionable intelligence and concludes that the “era of brute force entry is fading,” replaced by a model of high-trust exploitation that prioritizes results. (Cloudflare launch post)
That phrase — high-trust exploitation — is doing a lot of work. It’s not just “phishing is still a problem.” It’s the deeper idea that the modern enterprise has outsourced, integrated, automated, and SaaS-ified so much of its workflow that attackers increasingly win by masquerading as legitimate traffic, legitimate identities, and legitimate tools. They don’t need to kick the door down if they can get issued a badge.
Cloudflare’s framing matters because it’s a shift from “what new exploit class is hot” to “what incentives and constraints shape attacker behavior.” That’s useful. Security teams can’t patch incentives, but they can change the economics of attack.
The big idea: MOE, or how attackers learned to love efficiency
Cloudflare’s Measure of Effectiveness (MOE) is their lens for understanding attacker choices in 2026: adversaries increasingly favor throughput over sophistication — the cheapest path to the biggest operational outcome. In the report introduction, Cloudflare gives examples that will feel uncomfortably plausible:
- Why burn an expensive zero-day when a stolen session token can produce faster access?
- Why host custom infrastructure if you can hide behind a cloud “reputation shield” and blend into normal traffic?
- Why manually map networks when AI can accelerate reconnaissance and linkage across systems?
This isn’t entirely new, of course. “Living off the land” has been a defensive nightmare for years. What’s new is the acceleration: cloud tooling, identity tokens, API integrations, and AI-assisted operations are making the easiest attacks even easier — and therefore more common.
Put differently: if you want to predict tomorrow’s attacks, don’t start with the coolest exploit on a conference stage. Start with the attacker’s time sheet.
Eight key trends Cloudflare says will define 2026
Cloudflare’s launch post lists eight trends driven by MOE. Let’s walk through them, add context, and focus on what defenders should do differently.
1) AI is automating high-velocity attacker operations
Cloudflare’s first trend is blunt: AI is now a productivity multiplier for attackers, enabling real-time network mapping, exploit development, and deepfake creation — lowering the skill floor for high-impact operations. (Cloudflare launch post)
Security teams have talked about “AI for attackers” for years, but what’s changing is operational tempo. When you combine commodity infostealers, automated credential testing, and increasingly realistic social engineering (including deepfake audio/video), you get a pipeline where reconnaissance, access, and exploitation can be partially automated and rapidly iterated.
Defensive implication: this pushes organizations toward controls that don’t rely on user judgment or slow human review. The boring stuff — phishing-resistant authentication, least privilege, and monitoring of identity events — becomes even more valuable when the volume of attempts spikes.
2) State-sponsored pre-positioning is targeting critical infrastructure resilience
Cloudflare calls out Chinese threat actors, including Salt Typhoon and Linen Typhoon, prioritizing North American telecom, commercial, government, and IT services — “anchoring their presence now for long-term geopolitical leverage.” (Cloudflare launch post)
Pre-positioning is the cybersecurity version of leaving a spare key under the doormat — except the doormat is a supply chain, and the key is persistent access across multiple organizations. Telecom is especially attractive because it sits at the crossroads of identity, communications, and metadata. It also aligns with what we see in industry reporting about the sustained focus on infrastructure-level access.
Defensive implication: critical infrastructure and its suppliers should treat identity compromise and lateral movement as primary risks, not afterthoughts. This includes aggressive segmentation, better logging, and security posture management for cloud and SaaS systems that increasingly underpin “traditional” infrastructure.
3) Over-privileged SaaS integrations are expanding the blast radius
Cloudflare points to the GRUB1 breach of Salesloft as a demonstration of how third-party API integrations can turn a single compromised API relationship into “a breach affecting hundreds of distinct corporate environments.” (Cloudflare launch post)
This trend is less about a specific vendor and more about a structural weakness: the average enterprise app stack looks like a bowl of spaghetti made of OAuth grants. Integrations often request broad scopes “just in case,” and once granted, they persist quietly until something goes wrong.
We’ve already seen how OAuth token theft and third-party integrations can cascade across organizations. Media reporting has highlighted how the broader Salesloft/Drift incident touched multiple companies, including Cloudflare itself, which advised customers to rotate credentials shared via support channels and rotated Cloudflare API tokens discovered during its investigation. (TechRadar on the incident)
Defensive implication: “vendor risk management” can’t be just questionnaires. You need technical controls: least-privileged OAuth scopes, short token lifetimes where possible, continuous review of app grants, and monitoring for anomalous API access patterns.
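The "continuous review of app grants" control above is the kind of thing that only happens if it is scripted. Here is an added example (not code from the report or from Cloudflare) of the review logic: it takes a normalised inventory of OAuth grants and flags integrations with overbroad scopes, grants that were never used, and grants with no recent activity. The scope names, the 90-day staleness window, the one-week never-used grace period, and the grant inventory itself are all constructed for the example; map the scope set to the vocabulary your identity provider actually uses.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Scope names that confer broad read/write or standing access. These are
# assumed names for the example; real providers use their own vocabularies.
HIGH_RISK_SCOPES = {"admin", "full_access", "read:all", "write:all", "offline_access"}

STALE_AFTER = timedelta(days=90)      # assumed: no activity in 90 days means stale
NEVER_USED_GRACE = timedelta(days=7)  # assumed: a week to start using a new grant

# Constructed reference time so the audit is deterministic.
NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)


@dataclass
class AppGrant:
    app: str
    scopes: set
    granted_at: datetime
    last_used: datetime | None  # None: the grant has never been seen in use


@dataclass
class Finding:
    app: str
    reasons: list = field(default_factory=list)


def audit_grants(grants, now=NOW):
    """Return a Finding for every grant that is overbroad, never used, or stale."""
    findings = []
    for g in grants:
        reasons = []
        risky = g.scopes & HIGH_RISK_SCOPES
        if risky:
            reasons.append(f"overbroad scopes: {sorted(risky)}")
        if g.last_used is None:
            if now - g.granted_at > NEVER_USED_GRACE:
                reasons.append(f"never used since grant {(now - g.granted_at).days} days ago")
        elif now - g.last_used > STALE_AFTER:
            reasons.append(f"stale: last used {(now - g.last_used).days} days ago")
        if reasons:
            findings.append(Finding(g.app, reasons))
    return findings


def sample_grants():
    """Constructed grant inventory, as a connector export might look after normalisation."""
    day = timedelta(days=1)
    return [
        AppGrant("crm-sync", {"read:contacts", "write:all"}, NOW - 200 * day, NOW - 1 * day),
        AppGrant("chat-notifier", {"write:messages"}, NOW - 300 * day, NOW - 120 * day),
        AppGrant("legacy-export", {"read:all", "offline_access"}, NOW - 400 * day, None),
        AppGrant("ticket-bot", {"read:tickets"}, NOW - 30 * day, NOW - 2 * day),
    ]


def audit_report(grants=None):
    """Map app name -> list of reasons, for the grants that need attention."""
    return {f.app: f.reasons for f in audit_grants(grants or sample_grants())}


if __name__ == "__main__":
    for app, reasons in audit_report().items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed inventory, `ticket-bot` is the only grant that passes; the other three each get a reason that maps directly to a remediation (narrow the scope, revoke the unused grant, re-confirm the stale one with its owner).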
4) Adversaries are weaponizing trusted cloud tooling to mask attacks
Cloudflare highlights attackers abusing legitimate SaaS/IaaS/PaaS tools — name-checking Google Calendar, Dropbox, GitHub — to camouflage malicious actions inside normal enterprise activity. In a deeper dive, Cloudflare describes using cloud ecosystems (Google Drive, Microsoft Teams, Amazon S3) for command-and-control and delivery, borrowing the “uniform” of trusted providers. (Cloudflare launch post)
This is “living off the land” but with a cloud subscription. The advantage is clear: defenders struggle to block Google Drive without breaking work. Attackers know this and increasingly treat trusted platforms as transport layers for malicious operations.
Cloudflare even lists illustrative threat actor profiles (with whimsical names and grim tactics), including a China-linked example weaponizing Google Calendar event descriptions for encrypted command loops, and a North Korea-linked example using Google Drive/Dropbox payload hosting and GitHub for covert C2. (Cloudflare launch post)
Defensive implication: you can’t rely on “block known bad IPs.” You need identity-aware controls, behavior analytics, and strong egress and API monitoring. You also need to audit your own cloud tenant configurations: misconfigurations, overly permissive sharing, and weak conditional access policies make these attacks much easier.
5) Deepfake personas are embedding adversarial operatives within Western payrolls
Cloudflare says North Korea has operationalized remote IT worker schemes, using deepfakes and fraudulent identities to embed operatives into Western payrolls for espionage and revenue. (Cloudflare launch post)
This is the nightmare scenario for HR and security: the attacker isn’t trying to break in — they’re trying to get hired. Remote work, contractor-heavy teams, and global recruiting pipelines create opportunities for identity fraud. Deepfakes raise the plausibility ceiling for interviews, onboarding calls, and even “live” verification checks.
Defensive implication: hiring and onboarding processes have become part of your security perimeter. Organizations should strengthen identity verification for contractors and remote hires, enforce device posture requirements from day one, and adopt zero trust principles (least privilege, short-lived access, and monitored sessions) so that even a “legitimate” employee account can’t quietly wander into sensitive systems.
6) Token theft is neutralizing multi-factor authentication
Cloudflare calls out token theft — often via infostealers such as LummaC2 — as a practical way to bypass traditional MFA by stealing active session tokens and jumping straight into post-authentication actions. (Cloudflare launch post)
Token theft is the evil twin of single sign-on convenience. If an attacker can obtain a valid session cookie or token, they may not need to defeat MFA at all — because the user already did the MFA part earlier.
Lumma Stealer is a good example of why infostealers matter: it’s been widely used by cybercriminals to harvest credentials and other sensitive data, and it has been the subject of coordinated disruption efforts. Cloudflare describes participating in a joint operation to disrupt Lumma infrastructure, including adding Turnstile verification to its warning interstitial to prevent the malware from bypassing it. (Cloudflare on Lumma disruption)
Defensive implication: move toward phishing-resistant authentication (like FIDO2/WebAuthn) and deploy controls that bind sessions to device posture and risk context. Also: detect and respond to suspicious session behavior (impossible travel, new device fingerprints, high-risk token reuse). MFA is necessary, but not sufficient.
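Two of the session checks named above, impossible travel and a token turning up on a new device fingerprint, are simple to express once session events carry a geolocation and a fingerprint. The following is an added example, not code from the report or Cloudflare, of that detection logic run over constructed session events. The 900 km/h plausibility threshold, the event schema, the IP addresses (TEST-NET ranges) and the coordinates are assumptions for the example; the fingerprint is whatever your session layer bound to the token when it was issued.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0  # assumed: roughly airliner speed; faster is "impossible"
MIN_GAP_SECONDS = 1.0      # guards the speed calculation against a zero time gap


@dataclass
class SessionEvent:
    token_id: str      # identifier of the session token/cookie presented
    ts: datetime
    ip: str
    device_fp: str     # device fingerprint bound to the session at issue time
    lat: float         # geolocation of ip, from whatever geo source you trust
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_session_anomalies(events):
    """Return alerts for tokens that change device fingerprint or travel impossibly fast."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e.token_id].append(e)
    alerts = []
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if cur.device_fp != prev.device_fp:
                alerts.append({"token": token, "kind": "new_device_fingerprint",
                               "detail": f"{prev.device_fp} -> {cur.device_fp} from {cur.ip}"})
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = max((cur.ts - prev.ts).total_seconds(), MIN_GAP_SECONDS) / 3600.0
            speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"token": token, "kind": "impossible_travel",
                               "detail": f"{km:.0f} km in {hours:.2f} h ({speed:.0f} km/h) via {cur.ip}"})
    return alerts


def sample_alerts():
    """Constructed events: sess-A is replayed from a new device on another continent."""
    def at(hour, minute):
        return datetime(2026, 3, 10, hour, minute, tzinfo=timezone.utc)

    events = [
        SessionEvent("sess-A", at(9, 0), "198.51.100.10", "fp-laptop", 52.37, 4.90),
        SessionEvent("sess-A", at(9, 30), "203.0.113.55", "fp-unknown", 1.35, 103.82),
        SessionEvent("sess-B", at(9, 0), "198.51.100.11", "fp-laptop", 52.37, 4.90),
        SessionEvent("sess-B", at(11, 0), "198.51.100.11", "fp-laptop", 52.37, 4.90),
        SessionEvent("sess-B", at(13, 0), "198.51.100.12", "fp-laptop", 51.92, 4.48),
    ]
    return detect_session_anomalies(events)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert["token"], alert["kind"], alert["detail"])
```

The response side is the important part: a token that trips either rule should be revoked and the user stepped up to re-authenticate, because the whole point of token theft is that the MFA prompt already happened on the legitimate device.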
7) Relay blind spots are enabling internal brand spoofing
Cloudflare’s seventh trend: phishing-as-a-service bots are exploiting a blind spot where mail servers fail to re-verify sender identity, enabling “high-trust brand impersonations” that land directly in inboxes. (Cloudflare launch post)
Email authentication (SPF, DKIM, DMARC) has improved the ecosystem, but enforcement is inconsistent — and attackers ruthlessly exploit gaps. Cloudflare says its analysis found that nearly 46% of analyzed emails failed DMARC, creating a large surface area for exploitation. (Cloudflare launch post)
Defensive implication: tighten DMARC policies (and actually enforce them), monitor for domain spoofing, and invest in phishing-resistant workflows for high-risk actions (vendor payments, payroll changes, password resets). Also treat your internal brand like a target: if attackers can convincingly impersonate “Finance” or “IT Support,” they can move faster than your controls.
8) Hyper-volumetric DDoS strikes are exhausting infrastructure capacity
Cloudflare’s last trend focuses on hyper-volumetric DDoS attacks from massive botnets such as Aisuru, pushing record-breaking traffic volumes and shrinking the window for human response. (Cloudflare launch post)
This is not theoretical. Cloudflare’s Q4 2025 DDoS Threat Report described a record-setting 31.4 Tbps attack and a broader surge in DDoS volume (Cloudflare says 2025 saw 47.1 million DDoS attacks, averaging 5,376 mitigations per hour). (Cloudflare DDoS report)
External reporting echoed the scale: multiple outlets highlighted the 31.4 Tbps peak and the short “hit and run” nature of many of these bursts. (TechRadar) (Tom’s Hardware)
Cloudflare’s Learning Center describes Aisuru-Kimwolf as an ecosystem of malware-compromised devices — including IoT, DVRs, and Android devices — with estimates ranging from 1–4 million infected hosts, capable of both packet- and bit-intensive attacks, and often monetized through residential proxy abuse and DDoS-for-hire markets. (Cloudflare Learning Center)
Defensive implication: if you’re relying on manual intervention during a DDoS incident, you’re already behind. You need automated mitigation, upstream capacity, and tested runbooks — and you need to assume attacks may be designed to stress not just bandwidth, but systems like WAFs, load balancers, and application backends.
The stealthy centerpiece: “weaponized cloud tooling” in practice
Cloudflare spends extra time on one high-MOE tactic: weaponizing cloud tooling. This is worth highlighting because it blends several trends into one operational model.
From “living off the land” to “living off anything-as-a-service”
The classic living-off-the-land playbook was about native OS tools (PowerShell, WMI, scheduled tasks). Today, organizations have layered on a second operating system: SaaS. Cloudflare’s examples span Google Drive, Microsoft Teams, Amazon S3, plus email delivery platforms like Amazon SES and SendGrid being abused for phishing and malware distribution. (Cloudflare launch post)
There’s a defensive trap here: security controls built to detect “unknown infrastructure” can miss attacks that ride on infrastructure you’ve explicitly allow-listed.
Why this tactic has a high MOE
- It blends in. Defender tooling is more likely to flag a random VPS in an unusual geography than a Google-hosted URL.
- It’s resilient. Cloud platforms have redundancy, fast provisioning, and reputational inertia. Even if an account is shut down, a new one can pop up quickly.
- It’s cheap. Many cloud services are inexpensive at small scale, and attackers can leverage stolen accounts or compromised tenants.
That combination is the MOE story in a nutshell: maximize outcome (delivery, persistence) while minimizing effort and risk.
Cloudflare’s methodology: telemetry, dogfooding, and uncomfortable truths about bots
One of the more interesting parts of Cloudflare’s intro is how it claims to build the report. Cloudflare points to three methods that deserve attention:
1) “Dogfooding” AI agents to find vulnerabilities
Cloudflare says it tasked an AI coding agent with analyzing its own vulnerabilities and that this work helped uncover CVE-2026-22813, described as a critical markdown rendering pipeline flaw enabling unauthenticated remote code execution (CVSS 9.4). (Cloudflare launch post)
Even if you don’t use the specific software involved, the meta-point matters: AI agents can accelerate discovery — for both defenders and attackers. Treat “AI-assisted vuln discovery” as a permanent feature of the landscape, not a novelty.
2) Phishing-as-a-Service and the DMARC failure rate
Cloudflare claims nearly 46% of analyzed emails failed DMARC, exposing a large attack surface for automation. (Cloudflare launch post)
This aligns with a broader reality: email security improvements are uneven. One organization’s strict DMARC policy doesn’t protect you if a partner’s domain is weak, or if attacker infrastructure rides through trusted services.
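Both the trend-7 section above and this methodology note come down to the same question: for a given domain, is DMARC actually enforced, monitoring only, or absent? That is a property of the published TXT record, and checking it across the domains you send from (and your partners send from) is cheap. The following is an added example, not code from the report or from Cloudflare, that parses a DMARC record, classifies its enforcement level, and flags the two common half-measures: a `sp=none` subdomain policy under a strict parent policy, and a `pct` below 100. The domain names and records are constructed; in practice the record comes from the `_dmarc.<domain>` TXT lookup.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return (status, warnings) for a domain's DMARC record (None if none is published)."""
    if record is None:
        return "missing", ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", ["record is not a DMARC1 record with a p= tag"]
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return "invalid", [f"unknown policy p={tags['p']}"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", [f"pct={tags['pct']} is not an integer"]

    warnings = []
    # sp= defaults to the parent policy; an explicit sp=none under p=reject
    # leaves every subdomain open to exactly the spoofing the parent blocks.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        warnings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        warnings.append("no rua= address: aggregate failure reports are not collected")

    if policy == "none":
        return "monitor_only", warnings
    if pct < 100:
        warnings.append(f"pct={pct}: only part of failing mail is subject to the policy")
        return "partial_enforcement", warnings
    return "enforced", warnings


def enforcement_summary(records):
    """Count domains per status, for a dict of domain -> record (or None)."""
    counts = {}
    for record in records.values():
        status, _ = classify_dmarc(record)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed domains and records covering each outcome.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "loose-subs.example": "v=DMARC1; p=reject; sp=none; rua=mailto:d@loose-subs.example",
    "nodmarc.example": None,
    "broken.example": "v=spf1 -all",
}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, warnings = classify_dmarc(record)
        print(f"{domain:22} {status:20} {'; '.join(warnings)}")
    print(enforcement_summary(SAMPLE_RECORDS))
```

A record classified as `enforced` with no warnings is the target state for every domain you own, including the ones that never send mail (those should carry `p=reject` too, or they become the easiest spoofing targets in your estate).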
3) Credential and bot pressure on logins
Cloudflare says its telemetry showed that in the prior three months, 63% of logins involved credentials already compromised elsewhere and 94% of login attempts originated from bots. (Cloudflare launch post)
Cloudflare has previously published Radar-based analysis showing similarly high bot shares for authentication requests, including reporting that during early March 2025 over 94% of authentication requests came from bots and that leaked credentials were used in a large share of authorization requests. (Cloudflare Radar post)
If you run consumer-facing login endpoints, these numbers are not just “interesting.” They are a design constraint. Bot-driven pressure is the default. Build your authentication and authorization systems accordingly.
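If bot-driven credential abuse is the default, the login endpoint needs detection logic of its own rather than just a counter of failed passwords. The following is an added example, not code from the report or from Cloudflare, of a credential-stuffing detector run over constructed login log lines: it groups attempts by source, flags sources that try many distinct accounts with a high failure ratio, notes automation user agents, and, most usefully, lists the accounts that succeeded from a flagged source, since those are the credentials that were valid because they leaked somewhere else. The log format, the thresholds (five distinct accounts, 80% failures), the user-agent patterns and the IP addresses (TEST-NET ranges) are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log format: <iso-ts> <source-ip> <username> <OK|FAIL> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (OK|FAIL) "([^"]*)"$')

MIN_DISTINCT_USERS = 5   # assumed: this many accounts from one source is not a person
MIN_FAIL_RATIO = 0.8     # assumed: guessed credentials mostly fail
AUTOMATION_UA = re.compile(r"python-requests|curl/|go-http-client|okhttp", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result, ua = m.groups()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "OK", "ua": ua}


def detect_credential_stuffing(lines):
    """Return ip -> verdict for sources whose login pattern looks like stuffing."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(),
                                  "succeeded": [], "automation_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the detector
        s = per_ip[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["ok"]:
            s["succeeded"].append(rec["user"])
        else:
            s["fails"] += 1
        if AUTOMATION_UA.search(rec["ua"]):
            s["automation_ua"] = True

    verdicts = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) < MIN_DISTINCT_USERS or fail_ratio < MIN_FAIL_RATIO:
            continue
        verdicts[ip] = {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "fail_ratio": round(fail_ratio, 2),
            "automation_ua": s["automation_ua"],
            # Accounts that logged in successfully during the spray: their
            # passwords were valid because they leaked elsewhere, so revoke
            # the sessions and force a reset rather than celebrating the "OK".
            "succeeded_accounts": sorted(set(s["succeeded"])),
        }
    return verdicts


# Constructed sample: one spraying source, one ordinary user who mistyped once,
# and one malformed line to exercise the parser's error path.
SAMPLE_LOG = [
    '2026-03-10T09:00:01Z 203.0.113.7 alice FAIL "python-requests/2.31"',
    '2026-03-10T09:00:02Z 203.0.113.7 bob FAIL "python-requests/2.31"',
    '2026-03-10T09:00:03Z 203.0.113.7 carol FAIL "python-requests/2.31"',
    '2026-03-10T09:00:04Z 203.0.113.7 dave FAIL "python-requests/2.31"',
    '2026-03-10T09:00:05Z 203.0.113.7 erin FAIL "python-requests/2.31"',
    '2026-03-10T09:00:06Z 203.0.113.7 frank FAIL "python-requests/2.31"',
    '2026-03-10T09:00:07Z 203.0.113.7 grace FAIL "python-requests/2.31"',
    '2026-03-10T09:00:08Z 203.0.113.7 hank OK "python-requests/2.31"',
    '2026-03-10T09:05:00Z 198.51.100.22 alice FAIL "Mozilla/5.0 (X11; Linux x86_64)"',
    '2026-03-10T09:05:09Z 198.51.100.22 alice OK "Mozilla/5.0 (X11; Linux x86_64)"',
    '2026-03-10T09:40:00Z 198.51.100.22 alice OK "Mozilla/5.0 (X11; Linux x86_64)"',
    'garbage line that does not match',
]


if __name__ == "__main__":
    for ip, verdict in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, verdict)
```

In production the same grouping would be windowed (per source per few minutes) and keyed on more than the source IP, since stuffing traffic is routinely spread across residential proxies; the per-account view (one account, many sources) is the complementary check.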
“Autonomous defense” and the race to drive attacker MOE to zero
Cloudflare’s prescription is essentially a mirror image of the attacker’s strategy: if attackers have “offense by the system,” defenders need defense by the system. The launch post argues that when threats move at machine speed, human-centric defense is no longer viable, and organizations must pivot toward autonomous defense to drive adversary MOE to zero. (Cloudflare launch post)
That can sound like vendor marketing — and yes, Cloudflare is also announcing product enhancements — but the underlying logic is hard to dispute. When DDoS bursts last a minute and credential stuffing runs 24/7, the ideal response can’t depend on a human noticing an alert between meetings.
Cloudflare’s Threat Intelligence Platform upgrade
Alongside the report, Cloudflare references an upgrade to its threat events platform, positioning it as a more automated, visual command center for SOC teams. In a related post published the same day, Cloudflare describes evolving its Threat Intelligence Platform to reduce the need for complex ETL pipelines, using a sharded, SQLite-backed architecture to handle scale. (Cloudflare TIP post)
Cloudflare has also been adding practical integration features such as STIX2 support for Threat Events, helping security teams ingest threat data into SIEM/SOAR/TIP ecosystems. (Cloudflare Security Center changelog)
Whether you use Cloudflare’s platform or another vendor’s, the strategic takeaway is platform convergence: threat intel, telemetry, enrichment, and response workflows are increasingly being pulled into single operational views — because stitching together seven dashboards at 2:00 AM is, in technical terms, not ideal.
Industry context: Cloudflare isn’t the only one seeing DDoS and automation spikes
It’s worth sanity-checking Cloudflare’s narrative against other industry reporting. DDoS volume and scale increases have been highlighted elsewhere. For example, Radware’s 2026 Global Threat Analysis Report release claimed large year-over-year increases in network-layer DDoS attacks and peak volumes approaching 30 Tbps. (Radware press release)
Different vendors have different telemetry, incentives, and definitions, so treat the exact percentages with caution. But the directional trend is consistent: attack automation, credential abuse, and volumetric pressure are not slowing down. If anything, they’re being industrialized.
Practical takeaways: how to defend against high-MOE attacks
Cloudflare’s MOE framing is useful because it suggests a defensive strategy: attack what makes attacks efficient. Here’s a practical checklist aligned to the trends above.
1) Treat identity as your primary control plane
- Adopt phishing-resistant MFA where possible (FIDO2/WebAuthn). Cloudflare has previously described its own move toward hardware keys as part of phishing resistance. (Cloudflare on FIDO2)
- Implement conditional access and device posture checks to reduce the value of stolen tokens.
- Monitor session anomalies and token reuse patterns — because token theft is increasingly the point.
2) Audit OAuth and SaaS integrations like they’re production code (because they are)
- Minimize scopes and enforce least privilege on integrations.
- Regularly review app grants and remove stale integrations.
- Monitor API usage for anomalies (bulk exports, unusual endpoints, odd times).
3) Assume trusted platforms will be abused
- Log and analyze activity in core SaaS platforms (file sharing, messaging, code hosting).
- Restrict external sharing and enforce tenant hardening.
- Consider egress controls and CASB/SSE policies that focus on behavior, not just domains.
4) Make email authentication boringly strict
- Enforce DMARC and monitor alignment failures.
- Harden high-risk business processes (invoicing, payroll) with out-of-band verification and least-privileged approvals.
5) Automate DDoS and bot mitigation, then rehearse the ugly parts
- Ensure automated mitigation is in place for volumetric and application-layer DDoS.
- Test incident playbooks for short-burst attacks, not just long “slow burn” scenarios.
- Reduce dependency bottlenecks: DNS, auth endpoints, and API gateways are common choke points.
What to watch in 2026: the “trust tax” on modern IT
If Cloudflare’s report can be summarized in one sentence, it’s this: attackers are monetizing trust. Trust in identity tokens. Trust in reputable SaaS brands. Trust in integrations. Trust in email. Trust in “it looks like a normal Zoom interview.”
The uncomfortable implication is that modern IT stacks have created a kind of trust tax. Every convenience layer (SSO, OAuth, SaaS automation, cloud scale) reduces friction for users — and can reduce friction for attackers if it’s not paired with equally modern controls.
Cloudflare’s MOE framing is a helpful way to think about what to fix first. You don’t have to make attacks impossible. You have to make them inefficient.
Read the original announcement and the full report
The original RSS item points to Cloudflare’s launch post: Introducing the 2026 Cloudflare Threat Report, published March 3, 2026, created by Cloudforce One. That post includes a link to the full 2026 Cloudflare Threat Report and a summary of Cloudflare’s key findings.
Sources
- Cloudflare Blog: Introducing the 2026 Cloudflare Threat Report (Cloudforce One, March 3, 2026)
- Cloudflare: 2026 Cloudflare Threat Report
- Cloudflare Blog: 2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults (Feb 5, 2026)
- Cloudflare Learning Center: What is the Aisuru-Kimwolf botnet?
- Cloudflare Blog: Evolving Cloudflare’s Threat Intelligence Platform: actionable, scalable, and ETL-less (March 3, 2026)
- Cloudflare Developers Docs: Cloudflare Security Center docs changelog (STIX2 support noted Jan 12, 2026)
- Cloudflare Cloudforce One: Cloudflare participates in joint operation to disrupt Lumma Stealer
- Wired: Global takedown of Lumma infostealer infrastructure
- TechRadar: Reporting on Cloudflare’s record DDoS attack
- Tom’s Hardware: Reporting on the 31.4 Tbps DDoS record
- Cloudflare Blog: Extending Cloudflare Radar’s security insights with new DDoS, leaked credentials, and bots datasets (March 2025)
- TechRadar: Even Cloudflare isn’t safe from Salesloft Drift data breaches
- Radware press release: 2026 Global Threat Analysis Report highlights DDoS increases
Bas Dorland, Technology Journalist & Founder of dorland.org