This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our next Cloud Threat Horizons Report, #13 (full version, no info to enter!) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4, #5, #6, #7, #8, #9, #10, #11 and #12).My favorite quotes from the report follow below: “software exploitation overtook credentials as the primary initial access vector for the first time.” and “Threat actors exploited third-party software-based entry (44.5%) more frequently than weak credentials.” THR H1 2026 image 1“While threat actors continued to use brute-force attacks against weak credentials, the increase in RCE represents a pivot toward more automated exploitation of unpatched application-layer vulnerabilities.” “Threat actors continued to transition from traditional phishing to voice-based social engineering (vishing), and credential harvesting from third-party SaaS tokens to facilitate large-scale, silent data exfiltration.” Still “Identity compromise underpinned 83% of compromises. THR H1 2026 image 2“High-volume data theft operations — executed through compromised but legitimate access channels — remained the primary goal for threat actors, with our metrics showing they targeted data in 73% of cloud-related incidents.” “The window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days.” “Trend analysis from 2008–2025 indicates cloud services will soon surpass email as the primary data exfiltration pathway.” “45% of intrusions resulted in data theft without immediate extortion attempts at the time of the engagement, and these were often characterized by prolonged dwell times and stealthy persistence.”“The traditional incident response model is no longer viable when dealing with containerized workloads and serverless architectures where data can vanish in seconds.” “Threat actors used large language models (LLM) to automate credential harvesting and transition from a developer’s local environment to full cloud administration access.” Thus “Prevent LLM exploitation as an extension of living-off-the-land (LOTL) by treating LLM activity with the same scrutiny as administrative command-line tools.” Now, go and read the CTHR 13 report!Related posts:Google Cloud Security Threat Horizons Report #12 Is Out!EP112 Threat Horizons — How Google Does Threat Intelligence podcastGoogle Cloud Security Threat Horizons Report #11 Is Out!Google Cloud Security Threat Horizons Report #10 Is Out!Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!Google Cybersecurity Action Team Threat Horizons Report #8 Is Out!Google Cybersecurity Action Team Threat Horizons Report #7 Is Out!Google Cybersecurity Action Team Threat Horizons Report #6 Is Out!Google Cybersecurity Action Team Threat Horizons Report #5 Is Out!Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!Google Cybersecurity Action Team Threat Horizons Report #3 Is Out!Google Cybersecurity Action Team Threat Horizons Report #2 Is Out!Illicit coin mining, ransomware, APTs target cloud users in first GoogleCybersecurity Action Team Threat Horizons reportGoogle Cloud Security Threat Horizons Report #13 (H1 2026) Is Out! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Google Cloud's 13th Cloud Threat Horizons Report (H1 2026) reveals a major shift in attack patterns: software exploitation has overtaken credential attacks as the primary initial access vector for the first time, with third-party software entry at 44.5%. Key findings include identity compromise still underpinning 83% of breaches, data theft as the goal in 73% of cloud incidents, the exploitation window collapsing from weeks to days, and threat actors using LLMs to automate credential harvesting. The report also warns that traditional incident response models are inadequate for containerized and serverless environments, and that cloud services are on track to surpass email as the primary data exfiltration pathway.