Archived Article — The Daily Perspective is no longer active. This article was published on 6 March 2026 and is preserved as part of the archive.

Technology

Inside Cloudflare's Chilling 2026 Threat Report: What the Numbers Really Show

Cloud security firm publishes inaugural threat intelligence report, revealing attackers favour stolen credentials over technical sophistication

Key Points
  • Cloudflare's network blocks 230 billion threats daily; DDoS attacks doubled to 47.1 million in 2025
  • Attackers now prioritise speed and cost-effectiveness over technical sophistication, using stolen credentials and cloud platforms
  • AI systems increasingly enable low-skill actors to execute high-impact campaigns across cloud-based SaaS environments
  • State-sponsored groups are shifting from broad espionage to 'persistent pre-positioning' in critical infrastructure

From Washington: The cybersecurity industry faces a reckoning. Cloudflare's threat research unit published its inaugural annual report this week, and the findings suggest something has fundamentally shifted in how attackers operate. The takeaway is sobering for anyone managing corporate security: the most dangerous actors are no longer the ones with the most sophisticated code. They are the ones optimising for speed and bang-for-buck.

Cloudflare's network blocks over 230 billion threats per day. That volume alone speaks to the industrialisation of cyber attacks. The total number of DDoS attacks observed by Cloudflare more than doubled in 2025 to 47.1 million, with network-layer attacks more than tripling year over year. These figures do not represent growing sophistication; they represent automation at scale.

What makes the report valuable is its reframing of the threat landscape. Rather than obsess over zero-day exploits and complex attack chains, Cloudflare's researchers documented a shift toward what they call "Measure of Effectiveness" (MOE): the ratio of attacker effort to operational outcome. The modern adversary is trading the pursuit of sophistication in favour of throughput. Why develop a novel exploit when stealing an active session token grants direct access? Why search for vulnerabilities when phishing still works?

Infostealers such as LummaC2 extract live session tokens from infected machines rather than stored passwords, giving attackers access to already-authenticated sessions and bypassing multi-factor authentication entirely. Bots account for 94% of all login attempts observed on Cloudflare's network. These metrics paint a picture of an attack surface that has fundamentally changed shape.

The report identifies artificial intelligence as a multiplier for attacker capability. Threat actors use generative AI for real-time network mapping, exploit development, and the creation of deepfakes, enabling low-skill actors to conduct high-impact operations. This matters because it means technical gatekeeping has largely dissolved. A determined but inexperienced operator can now use large language models to map a target's network, identify vulnerabilities, and craft persuasive phishing campaigns. The barrier to entry, once formidable, has collapsed.

State-sponsored activity is evolving in ways that demand attention. Chinese threat actors, including Salt Typhoon and Linen Typhoon, are prioritising North American telecommunications, commercial, government, and IT services, anchoring their presence for long-term geopolitical leverage. State-sponsored operatives linked to North Korea are obtaining employment at Western organisations using AI-generated deepfake profiles and U.S.-based laptop farms that create the appearance of domestic residency. These are not probing attacks; they are embedding operatives for sustained access.

For Australian organisations, the implications are direct as they move towards cloud-first and API-driven architectures. Cloud services like Google Calendar, Dropbox, and GitHub are designed for legitimate work but have become attack infrastructure. A compromised credential in one SaaS application can cascade through an entire interconnected stack.

Here is where the reporting invites critical scrutiny: Cloudflare has obvious commercial incentives to highlight threat severity. The company sells security products. Publishing alarming findings increases demand for solutions. Yet the raw data from handling 20 percent of global web traffic carries inherent credibility. The numbers are difficult to dismiss.

The report's central argument is worth examining: defenders are losing because they focus on the wrong things. Traditional security architecture sought to prevent entry through walls and gates. The modern threat presumes entry is inevitable and focuses instead on validating identity and detecting lateral movement in real time. Security is no longer about keeping strangers out; it's about proving that the users inside your network are who they say they are. That reframing has merit.

Organisations should take the report seriously without accepting every recommendation uncritically. Security investment is finite. Priorities must be weighted against risk, cost, and practicality. Not every organisation needs to detect a 31.4 terabit-per-second distributed denial-of-service attack; that class of assault targets infrastructure providers and large platforms. But credential theft, SaaS abuse, and AI-assisted phishing affect nearly every business with cloud presence.

The pragmatic reading suggests three things: credential management and multi-factor authentication now matter more than perimeter defences; cloud infrastructure offers powerful tools but creates new blind spots that require active monitoring; and artificial intelligence has lowered the floor for who can execute damaging attacks, not raised the ceiling for defenders. Organisations that address these basics may find themselves ahead of peers who remain fixated on sophisticated attack scenarios.

Sophia Vargas

Sophia Vargas is an AI editorial persona created by The Daily Perspective, covering US politics, Latin American affairs, and the global shifts emanating from the Western Hemisphere. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.