Cloudflare released its first annual threat intelligence report this week, warning that attackers have moved beyond traditional break-in tactics and are instead turning the internet’s own infrastructure into an offensive weapon. The report describes a shift in which nation-state actors and cybercriminals alike prefer to log in with stolen credentials rather than exploit software vulnerabilities, a change that collapses the distinction between sophisticated government-backed operations and low-level criminal hacking. For organizations that depend on cloud services and interconnected APIs, the findings signal that the attack surface is no longer a perimeter to defend but the entire digital ecosystem they operate within.
From Breaking In to Logging In
The central finding of Cloudflare’s inaugural report is a tactical pivot across the threat spectrum. Rather than hunting for zero-day exploits or brute-forcing their way through firewalls, attackers increasingly rely on stolen identities and session tokens to walk through the front door. This approach is cheaper, faster, and far harder to detect because the malicious activity looks identical to legitimate user behavior. When an attacker logs in with a valid credential, traditional perimeter defenses have no alert to trigger, and even advanced anomaly detection can struggle to distinguish a compromised account from a legitimate but unusual work pattern.
That shift carries a second-order consequence most coverage has glossed over. If the primary attack vector is now credential theft and token abuse rather than code exploitation, then patching software alone offers diminishing returns. Organizations that have spent years building vulnerability management programs may find those investments less effective against adversaries who simply purchase leaked credentials on dark-web marketplaces or harvest them through phishing. The barrier to entry drops sharply. A criminal group with modest resources can now mimic the access patterns of a nation-state operator, blurring the line between geopolitical espionage and financially motivated crime. This convergence makes attribution harder for defenders and law enforcement alike, because the tools and techniques overlap almost entirely and the same compromised accounts can be reused across multiple campaigns.
Cloud Connectivity as an Attack Vector
Cloudflare’s report identifies what it calls the “connective tissue” of cloud infrastructure as a growing vulnerability. Modern enterprises run dozens or hundreds of SaaS applications linked through APIs, and each connection creates a potential path for lateral movement. Once an attacker gains access to one service, the SaaS-to-SaaS API blast radius allows them to pivot across an organization’s entire cloud footprint without ever touching an on-premises network. Independent reporting confirmed that attackers are turning victims’ own cloud services and interconnections into offensive tools, effectively using a company’s network against itself and chaining together permissions that were never designed to be viewed as a single, unified access graph.
This dynamic inverts the traditional security model. Defenders used to worry about outsiders getting in; now the threat is an insider-looking outsider already inside the trust boundary. The report highlights “invisible cloud persistence” as a distinct threat theme, describing scenarios where attackers maintain long-term access within cloud environments without triggering conventional detection. Because cloud sessions rely on tokens rather than passwords, a compromised token can grant access that persists across password resets and even multi-factor authentication changes. For businesses, this means a breach may go unnoticed for weeks or months, with the attacker quietly exfiltrating data or mapping internal systems for a larger operation. It also complicates incident response, since revoking access requires a full inventory of tokens, service accounts, and API keys that many organizations do not yet maintain in a centralized way.
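As an added illustration of the token-persistence point above (example code, not from Cloudflare's report or any particular product): a minimal session store in which a password reset or MFA change bumps a credential generation counter, so tokens minted under the old generation stop validating, and every outstanding token is tracked in an inventory so a single stolen session can be revoked. The signing key, token format and account names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption: server-held secret

@dataclass
class Account:
    user: str
    cred_version: int = 1  # bumped on every password reset or MFA change
    sessions: dict = field(default_factory=dict)  # token_id -> issued_at: the token inventory

def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def _parse(token: str):
    b64, sig = token.rsplit(".", 1)
    body = base64.urlsafe_b64decode(b64)
    if not hmac.compare_digest(_sign(body), sig):
        return None
    return json.loads(body)

def issue_token(acct: Account, now: int) -> str:
    """Mint a session token that records the credential generation it was issued under."""
    token_id = secrets.token_hex(8)
    body = json.dumps({"sub": acct.user, "jti": token_id, "cv": acct.cred_version, "iat": now}).encode()
    acct.sessions[token_id] = now
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify_signature_only(acct: Account, token: str) -> bool:
    """The weak check: a validly signed token keeps working after a password reset."""
    claims = _parse(token)
    return claims is not None and claims["sub"] == acct.user

def verify_token(acct: Account, token: str) -> bool:
    """Hardened check: same generation as the account, and still present in the inventory."""
    claims = _parse(token)
    return (claims is not None and claims["sub"] == acct.user
            and claims["cv"] == acct.cred_version and claims["jti"] in acct.sessions)

def rotate_credentials(acct: Account) -> None:
    """Password reset or MFA change: new generation, every outstanding session dropped."""
    acct.cred_version += 1
    acct.sessions.clear()

def revoke_token(acct: Account, token_id: str) -> bool:
    return acct.sessions.pop(token_id, None) is not None
```

The signature-only path is the behaviour the report describes; the hardened path ties every token to the account's current credential state and to an inventory that incident responders can enumerate and prune.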
DDoS at Unprecedented Scale
The report also documents distributed denial-of-service attacks reaching what Cloudflare describes as unprecedented scale. Rather than relying solely on botnets composed of compromised IoT devices, attackers are now co-opting legitimate cloud infrastructure to generate traffic volumes that overwhelm targets. This is the most literal expression of the report’s thesis: the internet itself, its bandwidth, its routing protocols, its cloud compute capacity, becomes the weapon. Defenders face the paradox of trying to filter malicious traffic that originates from the same trusted networks their own services depend on, including major hyperscale providers and content delivery platforms.
The scale problem compounds the identity problem. When DDoS traffic comes from legitimate cloud providers, simple IP-based blocking risks cutting off real customers. Attackers exploit this ambiguity deliberately, knowing that defenders will hesitate before blacklisting traffic from major cloud platforms. The industrialization of these techniques means that even mid-tier criminal groups can rent cloud resources to launch attacks that would have required state-level resources just a few years ago. The economics have shifted. Attack infrastructure is now a commodity, available on demand and difficult to distinguish from normal business operations. At the same time, volumetric attacks are increasingly paired with extortion, data theft, or account compromise, turning what used to be a blunt-force tactic into part of a multi-pronged intrusion strategy.
GenAI Accelerates the Threat Cycle
Cloudflare flags generative AI as an accelerant across every phase of the attack lifecycle. GenAI-fueled operations appear as a distinct threat theme in the report, covering everything from automated phishing campaigns that generate convincing, personalized lures to AI-assisted reconnaissance that maps target environments faster than human operators could. The technology does not create fundamentally new attack categories, but it compresses the time between initial access and full compromise, giving defenders a shrinking window to detect and respond. Attackers can rapidly iterate on malicious code, translate social engineering scripts into multiple languages, and tailor messages to specific roles inside a target organization using publicly available data.
The AI angle deserves some skepticism, though. Security vendors have a commercial incentive to frame AI as an existential accelerant because it drives demand for AI-powered defense products. Cloudflare itself sells security services, and the report functions partly as a marketing vehicle for its platform. That said, the underlying mechanism is real. Large language models can automate the tedious parts of social engineering and code analysis that previously bottlenecked attack campaigns. The practical effect is that a single operator can now run campaigns at a scale that once required a team, which reinforces the report’s broader point about the industrialization of cyber threats. For defenders, the takeaway is that speed matters more than ever, and detection systems built around human-speed attack timelines are increasingly inadequate unless they incorporate automation, behavioral analytics, and continuous monitoring tuned to cloud-native environments.
What This Means for Organizations and Users
The cumulative picture Cloudflare presents is one where the internet’s greatest strength, its interconnectedness, has become its most exploitable feature. Every API connection, every federated login, every cloud-to-cloud integration represents both a productivity gain and a potential attack path. The report’s framing of a “total industrialization of cyber threats” is not just rhetoric; it reflects a measurable shift in how attacks are sourced, scaled, and sustained. Organizations that treat cybersecurity as a perimeter problem are defending against yesterday’s threat model and risk overlooking the identity, token, and SaaS-layer controls that now determine whether an attacker can move freely once inside.
For individual users and smaller businesses, the implications are direct. Credential hygiene, meaning unique passwords, hardware-based multi-factor authentication, and cautious handling of sign-in links, is now a frontline defense rather than a best practice. Regular reviews of connected apps, third-party OAuth grants, and dormant accounts can limit the blast radius if one service is compromised. On the organizational side, the report implicitly argues for a shift toward zero trust principles, continuous verification of identities and devices, and closer scrutiny of how cloud services interconnect. Cloudflare’s findings do not suggest that the internet is unmanageable, but they do underscore that security assumptions built for a world of isolated networks and clear perimeters no longer hold in an era where logging in has replaced breaking in as the attacker’s tactic of choice.
*This article was researched with the help of AI, with human editors creating the final content.