National Cyber Warfare Foundation (NCWF)



Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out!


2026-03-10 20:24:26
milo
Blue Team (CND)

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our next Cloud Threat Horizons Report, #13 (full version, no info to enter!) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4, #5, #6, #7, #8, #9, #10, #11 and #12).


My favorite quotes from the report follow below:



  • [in Google Cloud] “software exploitation overtook credentials as the primary initial access vector for the first time.” and “Threat actors exploited third-party software-based entry (44.5%) more frequently than weak credentials.” [A.C. — some of you may say this is because AI is making more zero days, but a dozen more mundane answers may be correct instead]




  • “While threat actors continued to use brute-force attacks against weak credentials, the increase in RCE represents a pivot toward more automated exploitation of unpatched application-layer vulnerabilities.” [A.C. — to some extent “creds or vulns” debate is rather pointless as the real answer is “both”, and it varies by environment too, see below]

  • “Threat actors continued to transition from traditional phishing to voice-based social engineering (vishing), and credential harvesting from third-party SaaS tokens to facilitate large-scale, silent data exfiltration.” [A.C. — again, this means “AND” not “OR” because classic phishing still works well in many cases, but yes “credential harvesting from third-party SaaS” has become very fruitful too]

  • [overall] Still “Identity compromise underpinned 83% of compromises.” [A.C. — so, yes, “creds” still beat “vulns” in many environments]




  • “High-volume data theft operations — executed through compromised but legitimate access channels — remained the primary goal for threat actors, with our metrics showing they targeted data in 73% of cloud-related incidents.” [A.C. — again, not new, but very useful data confirming the running trend. Beware!]

  • “The window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days.” [A.C. — again, some of you may see the invisible robot hand of an AI here, but, as usual, the reality is more complicated…]

  • “Trend analysis from 2008–2025 indicates cloud services will soon surpass email as the primary data exfiltration pathway.” [A.C. — $32B reasons to finally get serious about it across all clouds?]

  • “45% of intrusions resulted in data theft without immediate extortion attempts at the time of the engagement, and these were often characterized by prolonged dwell times and stealthy persistence.”

  • “The traditional incident response model is no longer viable when dealing with containerized workloads and serverless architectures where data can vanish in seconds.” [A.C. — a very useful reminder here! Cloud is cloudy! Don’t be that guy who thinks that cloud is a rented colo. Cloud is not JUST somebody else’s computer.]

  • “Threat actors used large language models (LLM) to automate credential harvesting and transition from a developer’s local environment to full cloud administration access.” [A.C. — this really should not be news for anybody in 2026, but if it is, HERE IS SOME NEWS: BAD GUYS USE AI!]

  • Thus “Prevent LLM exploitation as an extension of living-off-the-land (LOTL) by treating LLM activity with the same scrutiny as administrative command-line tools.” [A.C. — or, as I say, “with AI agents, every prompt injection is an RCE”]


Now, go and read the CTHR 13 report!


Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.


The post Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out! appeared first on Security Boulevard.



Anton Chuvakin

Source: Security Boulevard
Source Link: https://securityboulevard.com/2026/03/google-cloud-security-threat-horizons-report-13-h1-2026-is-out/

