TL;DR
Cloudflare’s 2026 Application Security Report analyzed 230 billion daily cyber threats across its global network and revealed that automated bots now dominate the attack landscape. 46% of attacks leverage compromised credentials from previous breaches. Attackers use legitimate cloud services like Google Calendar, AWS, and Azure for command and control, making detection nearly impossible with traditional security tools.
The scale problem: With 230 billion threats processed daily, enterprises face industrial-scale credential stuffing operations that test stolen credentials against thousands of systems simultaneously. Traditional rate limiting and IP blocking fail because attacks distribute across millions of residential proxies and legitimate cloud infrastructure.
The visibility gap: Internal security tools cannot detect when your credentials appear in breach databases or are being tested by bot networks. Organizations need external threat intelligence to identify credential exposure before automated attacks weaponize stolen authentication data.
Cloudflare operates one of the world’s largest networks, processing requests for millions of websites and applications globally. Every day, this infrastructure handles trillions of requests, blocks billions of threats, and provides unprecedented visibility into the global cyber attack landscape.
The company’s 2026 Application Security Report, released this week, analyzes data from this massive network to reveal how attacks evolve. The findings should concern every enterprise security leader, particularly in India where digital transformation accelerates while credential security lags.
The headline number is staggering: 230 billion cyber threats per day. This represents an order of magnitude increase over previous years. But volume alone does not tell the complete story. The nature of attacks has fundamentally changed.
Attacks are automated, industrial scale, and increasingly sophisticated. Bots test stolen credentials against thousands of applications simultaneously. Attackers leverage legitimate cloud services to hide malicious activity. Traditional security approaches built for human attackers cannot cope with bot-driven operations running 24/7 across global infrastructure.
Cloudflare’s analysis found that 94% of login attempts across its network originate from automated bots rather than human users. This statistic fundamentally changes how enterprises must approach authentication security.
The Credential Stuffing Industrial Complex
When major breaches occur, millions of username and password combinations enter underground markets. Criminal organizations acquire these databases and use automated tools to test credentials across thousands of websites, applications, and services.
This process, called credential stuffing, operates at massive scale. A single bot network can test millions of credential pairs per hour. They distribute attacks across millions of IP addresses using residential proxies, making traditional IP-based blocking ineffective.
Why credential stuffing succeeds:
The economics favor attackers overwhelmingly. Testing millions of credentials costs pennies in cloud computing. Even tiny success rates generate significant returns when attackers compromise accounts containing valuable data or financial access.
Cloudflare found that 46% of all attacks leverage compromised credentials from previous breaches. This means nearly half of cyber attacks begin not with sophisticated exploits but with usernames and passwords stolen months or years ago.
For enterprises, this creates a critical vulnerability. Organizations invest heavily in perimeter security, network monitoring, and endpoint protection. Yet attackers bypass all these controls by using valid credentials obtained from external breaches.
Traditional security tools see these login attempts as legitimate authentication. From the perspective of internal monitoring, an attacker using stolen credentials looks identical to a legitimate user. The breach happens invisibly, detected only when damage becomes obvious.
One of the most concerning findings in Cloudflare’s report is the trend of attackers using legitimate cloud services for malicious operations. This technique, called Living off XaaS, exploits the trust enterprises place in major cloud platforms.
Google Calendar as Command and Control
Attackers discovered they can use Google Calendar for command and control infrastructure. They create calendar events containing encoded instructions for malware. Compromised systems check these calendars periodically for new commands.
This approach bypasses traditional security controls because traffic to Google Calendar appears completely legitimate. Firewalls allow it. Proxies pass it through. Security tools see normal productivity application usage.
Similar techniques use AWS S3 buckets, Azure Blob Storage, and other trusted cloud services. Each provides attackers with free, reliable, and completely trusted infrastructure that security teams have no basis to block.
Security tools monitor for connections to known malicious infrastructure. They flag traffic to suspicious domains and IP addresses. They analyze patterns that indicate command and control activity.
Living off XaaS defeats all these approaches. The infrastructure is not malicious. The domains are trusted. The traffic patterns look like normal cloud service usage. Detection becomes nearly impossible with conventional tools.
This is why external threat intelligence matters. Organizations need visibility beyond their perimeters into the spaces where attackers coordinate, share techniques, and plan campaigns. Internal tools cannot see this external landscape.
230 billion cyber threats per day equals approximately 2.6 million threats per second. No enterprise security team can manually analyze, investigate, and respond to threats at this scale.
Even automated systems struggle. Security information and event management platforms generate millions of alerts. Security operations centers drown in false positives. Analysts suffer alert fatigue and miss genuine threats buried in noise.
Organizations cannot wait for attacks to reach their networks before detecting threats. By that point, automated credential stuffing has already tested thousands of stolen credentials. Bots have attempted to compromise accounts. Attackers using Living off XaaS techniques have established persistence.
Effective defense requires proactive threat detection before attacks arrive. This means monitoring external sources where credentials are exposed, where attack tools are shared, and where targeting decisions are made.
Critical external intelligence sources:
Organizations with visibility into these external sources detect credential exposure before automated attacks begin. They identify compromised accounts and force password resets. They monitor for their organization appearing in attacker discussions. This proactive approach prevents attacks rather than reacting to breaches.
The Cloudflare report findings have specific implications for Indian organizations navigating rapid digital transformation while facing increasingly sophisticated automated attacks.
The growth of India’s digital economy creates an expanding attack surface. Every new online service, every digital payment platform, every e-government portal represents additional authentication systems that bot networks can target with stolen credentials.
Indian enterprises often lack the sophisticated credential monitoring capabilities that larger Western organizations deploy. Yet they face the same industrial-scale bot attacks. Attackers do not discriminate based on organization size or geography. If credentials work, bots will find and exploit them.
Widespread password reuse among Indian users, combined with numerous data breaches affecting Indian organizations, creates perfect conditions for credential stuffing success. Attackers test credentials stolen from one Indian service against banking apps, e-commerce sites, corporate VPNs, and government portals.
Q1: How can organizations detect credential stuffing attacks?
Traditional detection looks for login patterns like velocity from single IPs or geographic anomalies. However, sophisticated credential stuffing distributes attacks across millions of residential proxies, making these signals ineffective. Better detection comes from external monitoring that identifies when your credentials appear in breach databases before attacks begin.
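The per-IP blind spot described in this answer, as an added example (not code from the Cloudflare report or from Saptang Labs): in the constructed login events below every stuffing attempt comes from a different address, so a per-IP failure limit blocks nothing, while window-level signals (overall failure ratio, number of distinct failing accounts) still stand out. The event layout, addresses and thresholds are assumptions.

```python
from collections import Counter

PER_IP_LIMIT = 5           # assumed classic rule: block an IP after 5 failures
MAX_FAIL_RATIO = 0.5       # assumed window-level thresholds for this sketch
MIN_FAILED_ACCOUNTS = 50

def sample_window():
    """Constructed events for one 5-minute window: (source_ip, username, ok)."""
    events = []
    # Distributed stuffing: 300 attempts, each from a different proxy address
    # against a different account; 3 reused passwords happen to work.
    for i in range(300):
        events.append((f"100.64.{i // 250}.{i % 250}", f"user{i}", i % 100 == 0))
    # Ordinary traffic: 100 staff log in from their own addresses.
    for i in range(100):
        events.append((f"192.0.2.{i}", f"staff{i}", True))
    # One user mistypes twice, then succeeds.
    events += [("192.0.2.200", "staff7", False)] * 2
    events.append(("192.0.2.200", "staff7", True))
    return events

def per_ip_blocklist(events, limit=PER_IP_LIMIT):
    """Addresses the traditional per-IP failure limit would block."""
    fails = Counter(ip for ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= limit)

def window_signals(events):
    """Aggregate signals that do not depend on any single source address."""
    attempts = Counter(ip for ip, _, _ in events)
    failed = [(ip, user) for ip, user, ok in events if not ok]
    failing_ips = {ip for ip, _ in failed}
    single_shot = sum(1 for ip in failing_ips if attempts[ip] == 1)
    return {
        "fail_ratio": len(failed) / len(events) if events else 0.0,
        "failed_accounts": len({user for _, user in failed}),
        "single_shot_ips": single_shot / len(failing_ips) if failing_ips else 0.0,
    }

def is_stuffing(events):
    s = window_signals(events)
    return (s["fail_ratio"] > MAX_FAIL_RATIO
            and s["failed_accounts"] >= MIN_FAILED_ACCOUNTS)

if __name__ == "__main__":
    window = sample_window()
    print("per-IP rule blocks:", per_ip_blocklist(window))
    print("window signals:", window_signals(window))
    print("stuffing alert:", is_stuffing(window))
```

When the window alert fires, the accounts that did authenticate from single-attempt addresses during that window are the ones to review first, since those are the reused credentials that worked.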
Q2: Does multi-factor authentication stop credential stuffing?
MFA significantly reduces risk but is not foolproof. Attackers use phishing to capture one-time codes, exploit MFA fatigue by bombarding users with authentication requests, or compromise session tokens that bypass MFA. MFA should be one layer in defense-in-depth that includes credential monitoring.
Q3: Why do attackers use legitimate cloud services instead of their own infrastructure?
Legitimate cloud services are free, reliable, and trusted by security tools. Using Google Calendar or AWS for command and control means attackers avoid the cost and risk of maintaining infrastructure while their traffic appears completely benign to security monitoring.
Q4: How quickly do stolen credentials get weaponized after breaches?
Automated systems test credentials within hours of database leaks. The 230 billion daily threats Cloudflare processes include continuous credential stuffing against thousands of applications simultaneously. Organizations have very narrow windows to detect exposure and force password resets before accounts are compromised.
Q5: Can traditional security tools detect Living off XaaS attacks?
Traditional tools struggle because the traffic appears legitimate. Google Calendar access looks like normal productivity. AWS connections match expected cloud usage. Detection requires behavioral analysis of what data is accessed and external intelligence about attack techniques being deployed against your sector.
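An added example of the behavioral analysis this answer refers to (not code from the Cloudflare report or from Saptang Labs): it groups constructed proxy records by host, process and destination, then flags evenly spaced, unattended polling of a trusted service by a process that is not an expected client of it. The domain, host names, process names, allowlist and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

EXPECTED_CLIENTS = {"chrome.exe", "outlook.exe"}  # assumed allowlist for this SaaS
MIN_REQUESTS = 6      # ignore series too short to judge
MAX_JITTER = 0.10     # max coefficient of variation of the gaps (assumed)

def sample_proxy_log():
    """Constructed records: (epoch_seconds, host, process, domain)."""
    dom = "calendar.saas.example"   # placeholder for a trusted calendar service
    rows = []
    # A person browsing: irregular gaps.
    for t in (0, 40, 45, 900, 2400, 2460, 5000, 5030):
        rows.append((t, "wks-014", "chrome.exe", dom))
    # A legitimate sync client: perfectly regular, but an expected client.
    for k in range(8):
        rows.append((600 * k, "wks-014", "outlook.exe", dom))
    # An unexpected process polling about every 300 s with slight jitter.
    for k, jitter in enumerate((0, 4, -3, 2, -5, 1, 3, -2)):
        rows.append((300 * k + jitter, "wks-022", "updater_svc.exe", dom))
    return rows

def beacon_candidates(rows):
    """Return [((host, process, domain), mean_gap_s, jitter)] for regular
    polling by processes outside the expected-client allowlist."""
    series = defaultdict(list)
    for ts, host, proc, domain in rows:
        series[(host, proc, domain)].append(ts)
    hits = []
    for key, times in series.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Zero mean gap is a burst, not a beacon: treat as maximally irregular.
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= MAX_JITTER and key[1] not in EXPECTED_CLIENTS:
            hits.append((key, round(avg), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, gap, cv in beacon_candidates(sample_proxy_log()):
        print(f"review {key}: every ~{gap}s, jitter {cv}")
```

Timing alone is not enough, as the regular sync client in the sample shows; pairing it with the process identity is what separates the third series from the other two.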
How Saptang Labs Protects Against Industrial-Scale Credential Attacks
The Cloudflare report makes clear that automated, bot-driven attacks now dominate the threat landscape. With 230 billion daily threats and 46% of attacks using compromised credentials, organizations need visibility beyond their perimeters.
Do not wait for bot networks to test stolen credentials against your systems. Contact Saptang Labs today to discover what credentials associated with your organization are already circulating in breach databases and underground markets. Visit saptanglabs.com or email sales@saptanglabs.com for an immediate credential exposure assessment.