That trusted door is usually one of these:

A real employee login

A stolen “already logged in” browser session

A trusted cloud app like Google Drive, Dropbox, GitHub, or Calendar

A third-party integration your company approved (often with too many permissions)

Cloudflare explains this shift using a new attacker score they call MOE (Measure of Effectiveness) — basically:

“How much damage can I do for the least effort?”

First, the key terms (in plain English)

Here are the acronyms you’ll see in modern threat reporting — explained like you’d explain them to a smart non-technical executive:

MOE (Measure of Effectiveness): A “return on effort” score attackers use. Low effort + big result = high MOE.

DDoS (Distributed Denial-of-Service): A traffic flood attack. Attackers use huge numbers of machines (often infected devices) to overwhelm a website or service so real users can’t access it.

Tbps (Terabits per second): A measure of traffic volume. Bigger number = bigger flood.

SaaS (Software as a Service): A cloud app you access through the web (Salesforce, Google Workspace, Microsoft 365, Dropbox, GitHub, etc.).

API (Application Programming Interface): The “connector” that lets one software system talk to another. Great for automation. Also great for attackers when it’s over-permissioned.

OAuth (Open Authorization): A common login/permission system that lets you click “Sign in with Google/Microsoft” or authorize an app to access your account without sharing your password. Powerful — and risky when the app gets broad permissions.

Session token: A digital “wristband” your browser gets after you log in. If a criminal steals it, they can often act like you without re-entering your password.

MFA (Multi-Factor Authentication): “Two-step login,” like a password plus a text code or authentication app. Great — but not enough when attackers steal session tokens.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): An email protection standard that helps stop criminals from sending email that looks like it came from your domain.

Phishing: Tricking someone into giving up credentials or approving something harmful.

C2 (Command and Control): The way malware “phones home” to the attacker for instructions.

PhaaS (Phishing as a Service): A criminal subscription service: pay money, get phishing tools, templates, and automation.

CVE (Common Vulnerabilities and Exposures): A public ID number for a known software vulnerability.

CVSS (Common Vulnerability Scoring System): A severity score for a vulnerability (higher = worse).

“Living off the land”: Using legitimate tools (like Google Drive or GitHub) as part of an attack so the malicious behavior looks normal.

Cloudflare’s core claim: “Trust is the new perimeter”

Cloudflare says the threat landscape evolved into high-trust exploitation. Translation:

Attackers don’t want to break your wall if they can borrow your badge.

That’s why Cloudflare highlights things like token theft, cloud app abuse, and over-trusted integrations as the new “fast lane” for attackers.

The 8 trends Cloudflare says will define 2026 (jargon-free)

1) AI is speeding up attacks

Attackers use artificial intelligence to move faster: scouting networks, writing phishing content, and creating fake identities.

What this means: you can’t rely on slow, manual security processes anymore.

2) Nation-states are quietly “pre-positioning”

Cloudflare says some state-sponsored actors are planting long-term access now so they can use it later during geopolitical conflict.

What this means: resilience matters as much as prevention. Assume someone might already be inside.

3) Over-permissioned cloud integrations widen the blast radius

A single compromised third-party app integration (connected by APIs) can become a chain reaction across many environments.

What this means: your “software connectors” can become your weakest link.

4) Attackers are hiding inside trusted cloud tools

Instead of using obviously malicious servers, attackers may use Google Drive, Dropbox, GitHub, Calendar, and other trusted platforms to store payloads or pass instructions.

What this means: “it came from Google/Microsoft” is no longer reassuring.

5) Deepfake job candidates are a real security problem

Cloudflare warns about criminals using fake identities and deepfakes to get hired into real companies — especially into IT roles.

What this means: hiring and onboarding is now part of cybersecurity.

6) Token theft can bypass two-step login

Even if you have MFA (two-step login), criminals can steal session tokens from infected machines and act as the user.

What this means: you must defend what happens after login, not just the login itself.

7) Email identity gaps enable high-trust impersonation

Cloudflare says many emails fail DMARC checks, leaving room for convincing “looks-like-the-CEO” emails.

What this means: email authentication and internal verification procedures still matter a lot.

8) Massive traffic-flood attacks keep breaking records

Cloudflare describes extremely large DDoS attacks that reduce the time humans have to respond.

What this means: mitigation must be automated and pre-approved, not improvised during the emergency.

The new “defense goal”: drive attacker MOE down

If attackers choose the path that gives the biggest result for the least effort, your strategy is:

Make the easy wins not easy.

That means you focus on the things that give attackers high MOE:

Stolen session tokens

Over-permissioned cloud apps

Weak email authentication

Hiring/onboarding identity gaps

Cloud tools that can be abused as camouflage

What enterprises should do now (practical checklist, no fluff)

1) Map your “trust graph”

List the systems that can open doors to everything else:

Identity provider (your main login system)

Email system

File storage

Source code (GitHub)

Finance tools

Admin consoles

All third-party integrations and what they can access

2) Tighten third-party app permissions

For every connected app:

Remove unnecessary permissions

Restrict who can approve new integrations

Review every OAuth app and token scope

Monitor for unusual bulk access

3) Treat session tokens like stolen passwords

Do this especially for high-privilege users:

Shorten session lifetime

Require re-verification for sensitive actions (exports, payments, admin changes)

Use device checks (only trusted devices can access critical systems)
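The three controls in step 3, combined into one per-request decision, as an added example (not taken from Cloudflare's report or any product). The field names, lifetimes, action list and device IDs are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; tune per environment.
MAX_SESSION_AGE = {"admin": 4 * 3600, "standard": 12 * 3600}  # seconds
STEP_UP_WINDOW = 10 * 60  # MFA must be this recent for sensitive actions
SENSITIVE_ACTIONS = {"export", "payment", "admin_change"}


@dataclass
class Session:
    user: str
    role: str          # "admin" or "standard"
    issued_at: int     # epoch seconds when the session token was minted
    last_mfa_at: int   # epoch seconds of the most recent MFA challenge
    device_id: str     # device the token was issued to


def decide(session, action, request_device_id, trusted_devices, now):
    """Return 'allow', 'step_up', 'reauth' or 'deny' for one request."""
    # A token presented from a device other than the one it was issued to
    # is treated as stolen: reject and revoke rather than re-prompt.
    if request_device_id != session.device_id:
        return "deny"
    # Only trusted (managed) devices may reach critical systems.
    if request_device_id not in trusted_devices:
        return "deny"
    # Short lifetimes bound how long a stolen token stays useful.
    # Unknown roles get the shortest configured lifetime.
    max_age = MAX_SESSION_AGE.get(session.role, min(MAX_SESSION_AGE.values()))
    if now - session.issued_at > max_age:
        return "reauth"
    # Sensitive actions need a recent MFA proof, not just a live session.
    if action in SENSITIVE_ACTIONS and now - session.last_mfa_at > STEP_UP_WINDOW:
        return "step_up"
    return "allow"
```

The device check runs first so that a replayed token is never offered a re-verification prompt.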

4) Fix email authentication and internal “payment/change” procedures

Enforce DMARC properly

Require a second verification channel for money movement and sensitive requests
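What "enforce DMARC properly" looks like when checked against a published record, as an added example (not from Cloudflare's report). The record strings are constructed samples, and the criteria for "enforced" follow the RFC 7489 tags p, sp, pct and rua.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """Return reasons the record is not fully enforced (empty list = enforced)."""
    if txt is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    # The version tag must come first, otherwise receivers ignore the record.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["first tag is not v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    enforced = policy in ("quarantine", "reject")
    if not enforced:
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    # sp governs subdomains and defaults to p when absent.
    if enforced and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    # pct defaults to 100; anything lower exempts a share of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports showing who sends as your domain")
    return findings


SAMPLE_RECORDS = {  # constructed records for illustration
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=quarantine; pct=25; sp=none",
}


def audit(records):
    """Map each domain to its list of findings."""
    return {domain: dmarc_findings(txt) for domain, txt in records.items()}
```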

5) Automate DDoS and bot protection

If most login attempts are automated, your security must handle automation:

Bot detection

Rate limiting

Auto-mitigation rules for traffic floods

Drills and runbooks that don’t require a human to click “approve” during the incident

6) Upgrade hiring and onboarding identity checks

Especially for remote hires and technical roles:

Identity proofing

Device provisioning controls

“Real person” checks that deepfakes can’t easily fake

Strong access restrictions until trust is earned

Where QuSecure, iVALT, and AI PQ Audit fit (cleanly)

QuSecure

Cloudflare’s report is about attackers exploiting trust at scale. One way to reduce systemic risk is crypto agility — the ability to upgrade and rotate encryption and cryptographic configurations without ripping everything apart. That’s the lane QuSecure is in: reducing fragility and improving your ability to change fast when standards and threats evolve.

iVALT

A major theme here is identity: fake people, stolen tokens, and impersonation. iVALT’s positioning is “prove the person,” using multiple checks (identity + device + context). That aligns with the idea that “logged in” isn’t always “trusted.”

AI PQ Audit

Cloudflare is describing a system-level shift. Most companies fail at turning “system-level” into “this quarter’s plan.” AI PQ Audit fits as the program layer: discover exposures, score risk, and produce an executive-readable roadmap (especially around identity, AI-driven risk, and post-quantum readiness).

Links

Cloudflare threat report launch post: https://blog.cloudflare.com/2026-threat-report/

QuSecure: https://www.qusecure.com/

iVALT: https://ivalt.com

AI PQ Audit: https://aipqaudit.com/
