Google Cloud’s H1 2026 Threat Horizons report, the thirteenth edition in the series produced by Google’s Mandiant and Cloud CISO office, documents a significant shift in the threat landscape facing cloud environments. For the first time since the report began, exploiting software vulnerabilities has overtaken credential abuse as the most common initial access method in cloud intrusions. The same report finds that attackers now routinely move from vulnerability disclosure to active exploitation within 48 hours, rendering traditional weekly or monthly patch cycles inadequate for internet-facing cloud infrastructure.
The report draws on Google Cloud incident response engagements, threat actor tracking, and telemetry from Google’s visibility into cloud-targeting activity. Its findings describe a threat environment where the assumptions underpinning many organisations’ cloud security programmes are no longer aligned with attacker behaviour.
Software vulnerabilities are now the primary cloud entry point
Software vulnerability exploitation accounted for 44.5% of cloud intrusions observed in the H1 2026 period, up significantly from its position at the start of 2025. Credential theft and abuse, which has historically been the dominant initial access method, fell to 27.2%.
This shift reflects structural changes in both cloud adoption and attacker tooling. Cloud environments typically expose more publicly reachable services than equivalent on-premises infrastructure. Managed services, container orchestration platforms, API gateways, and third-party integrations create a broader and more heterogeneous attack surface. The pace at which cloud environments are provisioned and changed also means that new components can introduce vulnerabilities before existing scanning and patching workflows have had time to process them.
The report notes that vulnerability exploitation at 44.5% encompasses both flaws in software running inside cloud environments and weaknesses in the management planes of cloud services themselves. Both categories are growing. The implication for cloud operators is that a security programme focused primarily on credential management and identity controls will now miss the largest share of the initial access risk.
The 48-hour exploitation window
The most operationally urgent finding in the H1 2026 report is the compression of the time between vulnerability disclosure and active exploitation. For cloud-targeting vulnerabilities, threat actors now routinely deploy working exploits within 48 hours of a vulnerability’s public disclosure. In a subset of cases, exploitation preceded public disclosure, indicating that threat actors are monitoring vendor patch releases, code diffs, and security advisory feeds and developing exploits while patches are still being staged for deployment.
A 48-hour exploitation window invalidates the operating assumption behind most enterprise patch management practices: that a vulnerability disclosed on a Tuesday can be assessed and addressed in a scheduled change window within the following week. For internet-facing cloud infrastructure, 48 hours is not a conservative target. It is the window within which organisations must remediate (or apply a compensating control) to avoid being exploited before a patch is applied.
This has direct implications for how patch prioritisation works in cloud environments. Vulnerabilities affecting internet-facing cloud services or management plane components cannot be treated the same as vulnerabilities in internal software with no external exposure. They require a substantially faster response cadence.
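The differentiated cadence described above can be made mechanical: every open finding gets a deadline derived from its exposure class rather than from the next change window. The following Python is an added example, not code from the report or from Excello Digital. The 48-hour target for internet-facing and management-plane assets comes from the report's finding; the 30-day target for internal assets, the treatment of known-exploited findings as immediately overdue, and all finding identifiers and asset names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation targets by exposure class. 48 hours is the report's observed
# disclosure-to-exploitation window; the internal figure is an assumed
# placeholder for a conventional patch cycle, not a number from the report.
SLA_HOURS = {
    "internet-facing": 48,
    "management-plane": 48,
    "internal": 30 * 24,
}

@dataclass
class Finding:
    vuln_id: str             # advisory identifier (placeholders below, not real CVEs)
    asset: str
    exposure: str            # one of the SLA_HOURS keys
    disclosed_at: datetime
    known_exploited: bool = False   # exploitation already reported in the wild
    remediated: bool = False

@dataclass
class Triage:
    vuln_id: str
    asset: str
    exposure: str
    deadline: datetime
    hours_remaining: float   # negative once the deadline has passed
    status: str              # "overdue", "due-soon" or "on-track"

def triage(findings, now, due_soon_hours=12):
    """Rank open findings by time remaining to their exposure-based deadline."""
    results = []
    for f in findings:
        if f.remediated:
            continue
        if f.exposure not in SLA_HOURS:
            raise ValueError(f"unknown exposure class {f.exposure!r} for {f.asset}")
        deadline = f.disclosed_at + timedelta(hours=SLA_HOURS[f.exposure])
        # Assumed policy: a finding with in-the-wild exploitation has no grace
        # period at all, whatever its exposure class, so its deadline is the
        # disclosure time itself and it shows as overdue until fixed.
        if f.known_exploited:
            deadline = f.disclosed_at
        remaining = (deadline - now).total_seconds() / 3600
        if remaining < 0:
            status = "overdue"
        elif remaining <= due_soon_hours:
            status = "due-soon"
        else:
            status = "on-track"
        results.append(Triage(f.vuln_id, f.asset, f.exposure, deadline, remaining, status))
    # Most urgent first: the least (most negative) time remaining sorts to the top.
    results.sort(key=lambda t: t.hours_remaining)
    return results

# Constructed sample inventory; identifiers and asset names are placeholders.
NOW = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("ADV-0001", "api-gateway-prod", "internet-facing", NOW - timedelta(hours=60)),
    Finding("ADV-0002", "k8s-control-plane", "management-plane", NOW - timedelta(hours=40)),
    Finding("ADV-0003", "batch-worker-internal", "internal", NOW - timedelta(days=3)),
    Finding("ADV-0004", "public-web-frontend", "internet-facing", NOW - timedelta(hours=10), remediated=True),
    Finding("ADV-0005", "reporting-db-internal", "internal", NOW - timedelta(days=5), known_exploited=True),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS, NOW):
        print(f"{t.status:9} {t.vuln_id} {t.asset:24} {t.exposure:16} {t.hours_remaining:+.1f}h")
```

Run against the sample inventory, the internal but known-exploited finding sorts above the overdue internet-facing one, which is the point: exposure class sets the default cadence, but evidence of active exploitation overrides it.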
Identity is still the amplifier
Despite the shift in initial access methods, identity compromise underpinned 83% of all breaches in the report’s dataset, regardless of how attackers first entered the environment. This reflects the architecture of cloud security: in a cloud context, identity is the control plane. Once an attacker can assume a cloud IAM role, an API key, a service account, or a session token with meaningful permissions, they have access to all the resources that identity authorises.
The gap between initial access and significant damage in a cloud breach is often very short, because the credentials required for legitimate operations are the same credentials that enable an attacker to move laterally, exfiltrate data, or establish persistence. An attacker who gains access via a software vulnerability in a cloud-exposed service will typically find cloud credentials in the environment within minutes and use them to pivot.
The report also documents the use of large language model tools by threat actors to accelerate credential harvesting and scope analysis. Once a set of cloud credentials is obtained, LLM-assisted tools are being used to rapidly enumerate permissions, identify the most valuable access paths, and automate the transition from a low-privilege initial foothold to full cloud administration access.
Personal cloud storage as a growing exfiltration channel
The H1 2026 report identifies personal cloud storage services as the fastest-growing data exfiltration channel it observed in insider threat cases. Employees and contractors are using consumer services such as Google Drive, Dropbox, and OneDrive personal accounts to transfer data outside organisational boundaries.
These channels frequently bypass data loss prevention controls that are tuned to detect transfers to unknown external destinations, because the domains involved are widely used for legitimate purposes and are often either allow-listed or not blocked. The volume transferred can also be difficult to distinguish from normal synchronisation activity.
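Because the destination domains are legitimate, a destination-based rule cannot catch this; a per-user volume baseline can. The Python below is an added example (not from the report or from Excello Digital) that reads constructed egress-proxy log lines, sums daily upload bytes per user to a list of consumer storage hosts, and flags a day that is both above an absolute floor and well above that user's own prior median. The log format, host list, thresholds and all users, hosts and byte counts are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Consumer storage hosts to watch (assumed list; extend from your own proxy data).
CONSUMER_STORAGE_HOSTS = {
    "drive.google.com", "docs.google.com",
    "www.dropbox.com", "content.dropboxapi.com",
    "onedrive.live.com",
}
UPLOAD_METHODS = {"PUT", "POST"}
MIN_BYTES = 200 * 1024 * 1024   # assumed floor: ignore days under 200 MiB
MULTIPLIER = 5                  # assumed: flag a day at >= 5x the user's prior median
MIN_BASELINE_DAYS = 3           # assumed: need this many prior days before judging

# Assumed proxy log shape: "<ISO timestamp> <user> <dest host> <method> <bytes out>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ (?P<user>\S+) (?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<bytes_out>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec

def find_anomalies(lines):
    records = [r for r in (parse_line(l) for l in lines) if r]
    # Every calendar day present anywhere in the log; a user with no upload on a
    # day counts as zero for that day, so quiet users still get a baseline.
    days = sorted({r["date"] for r in records})
    per_user = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["method"] in UPLOAD_METHODS and r["host"] in CONSUMER_STORAGE_HOSTS:
            per_user[r["user"]][r["date"]] += r["bytes_out"]
    alerts = []
    for user, uploads in per_user.items():
        for i, day in enumerate(days):
            prior = [uploads[d] for d in days[:i]]
            if len(prior) < MIN_BASELINE_DAYS:
                continue
            base = median(prior)
            today = uploads[day]
            # A steady daily sync stays close to its own median and is not flagged;
            # a user with no history who suddenly pushes gigabytes is.
            if today >= MIN_BYTES and today >= MULTIPLIER * base:
                alerts.append({"user": user, "date": day, "bytes": today, "baseline_median": base})
    return alerts

# Constructed sample log: alice syncs ~300 MiB to Drive every day (normal), carol
# uploads 2 GiB to corporate storage (not a consumer host), bob is idle for four
# days and then posts 1.5 GiB to Dropbox.
SAMPLE_LOG = """
2026-03-02T10:15:00Z alice drive.google.com PUT 314572800
2026-03-02T11:02:00Z bob www.example-vendor.com GET 4096
2026-03-03T10:16:00Z alice drive.google.com PUT 314572800
2026-03-03T09:30:00Z bob drive.google.com GET 20480
2026-03-04T10:14:00Z alice drive.google.com PUT 314572800
2026-03-05T10:15:00Z alice drive.google.com PUT 314572800
2026-03-05T16:00:00Z carol storage.example-corp.internal PUT 2147483648
2026-03-06T10:15:00Z alice drive.google.com PUT 335544320
2026-03-06T22:41:00Z bob www.dropbox.com POST 1610612736
""".strip().splitlines()

if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(f"{a['date']} {a['user']}: {a['bytes'] / 2**20:.0f} MiB "
              f"(prior median {a['baseline_median'] / 2**20:.0f} MiB)")
```

Volume alone still cannot tell a personal account from a sanctioned corporate tenant on the same domain. Where the proxy can inject headers, Google Workspace honours X-GoogApps-Allowed-Domains and Microsoft 365 honours Restrict-Access-To-Tenants to block consumer-account sign-in outright, which removes the ambiguity rather than trying to detect around it.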
What this means for cloud security programmes
The H1 2026 Threat Horizons findings present patch management, vulnerability management, and identity hygiene not as separate workstreams but as a tightly coupled risk surface. A vulnerability that attackers can exploit within 48 hours of public disclosure will be exploited before most organisations complete a standard patch cycle, unless cloud-facing vulnerability management operates on a substantially faster timeline than traditional enterprise patching.
The same report identifies cloud-native tooling and legitimate cloud provider APIs as the primary tools attackers use once they have obtained initial access. This means detection strategies centred on identifying novel malware or unusual binaries will miss a significant proportion of cloud-targeting attack activity. Threat detection in cloud environments needs to focus on anomalous API call patterns, unexpected IAM role assumptions, and unusual data movement, rather than on traditional indicators of compromise.
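When the attacker's tooling is the cloud provider's own API, the signal is in the audit log rather than on disk. The following Python is an added example (not from the report, from Google, or from Excello Digital) of three such detections run over constructed Cloud Audit Logs-style events: a service account acting from a caller IP never seen for it, a service-account impersonation (GenerateAccessToken) outside an approved principal-to-target pairing, and a burst of permission and inventory enumeration of the kind the report attributes to LLM-assisted scoping. The field layout follows the Cloud Audit Logs shape (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp, resourceName); the baselines, thresholds, principals, IPs and events are all assumptions built for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Known-good state that a real deployment would load from its IAM inventory and
# from learned history; here assumed and hard-coded for the example.
BASELINE_IMPERSONATION = {   # impersonating principal -> service accounts it may mint tokens for
    "ci-deployer@example-proj.iam.gserviceaccount.com": {"release-bot@example-proj.iam.gserviceaccount.com"},
}
BASELINE_CALLER_IPS = {      # principal -> caller IPs previously observed for it
    "ci-deployer@example-proj.iam.gserviceaccount.com": {"10.20.0.5"},
    "web-runtime@example-proj.iam.gserviceaccount.com": {"10.20.0.9"},
}
# Method-name suffixes treated as enumeration (permission probing or inventory listing).
ENUMERATION_SUFFIXES = ("TestIamPermissions", "GetIamPolicy", "ListServiceAccounts",
                        "ListServiceAccountKeys", "buckets.list", "objects.list")
BURST_COUNT = 5                   # assumed: this many enumeration calls ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this window from one principal

def _ts(ev):
    return datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))

def detect(events):
    alerts = []
    recent = defaultdict(deque)   # principal -> timestamps of recent enumeration calls
    ip_reported, burst_reported = set(), set()
    for ev in sorted(events, key=_ts):
        p = ev["protoPayload"]
        principal = p["authenticationInfo"]["principalEmail"]
        method = p["methodName"]
        ip = p["requestMetadata"]["callerIp"]
        t = _ts(ev)
        # Rule 1: a principal with a known IP history acting from an unseen address.
        # Principals with no baseline are skipped here rather than guessed at.
        known = BASELINE_CALLER_IPS.get(principal)
        if known is not None and ip not in known and (principal, ip) not in ip_reported:
            ip_reported.add((principal, ip))
            alerts.append({"rule": "new-caller-ip", "principal": principal, "detail": ip, "at": t})
        # Rule 2: token minting for a service account outside the approved pairing.
        if method.endswith("IAMCredentials.GenerateAccessToken"):
            target = p["resourceName"].rsplit("/", 1)[-1]
            if target not in BASELINE_IMPERSONATION.get(principal, set()):
                alerts.append({"rule": "unexpected-impersonation", "principal": principal,
                               "detail": target, "at": t})
        # Rule 3: sliding-window count of enumeration calls per principal.
        if any(method.endswith(s) for s in ENUMERATION_SUFFIXES):
            q = recent[principal]
            q.append(t)
            while q and t - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_COUNT and principal not in burst_reported:
                burst_reported.add(principal)
                alerts.append({"rule": "enumeration-burst", "principal": principal,
                               "detail": f"{len(q)} enumeration calls within {BURST_WINDOW}", "at": t})
    return alerts

def _event(ts, principal, method, ip, resource=""):
    """Build a minimal audit-log-shaped event (constructed sample data)."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "resourceName": resource}}

CI = "ci-deployer@example-proj.iam.gserviceaccount.com"
WEB = "web-runtime@example-proj.iam.gserviceaccount.com"
ATTACKER_IP = "198.51.100.23"   # documentation range, constructed
GEN_TOKEN = "google.iam.credentials.v1.IAMCredentials.GenerateAccessToken"
# Constructed scenario: a routine CI impersonation, then the web runtime's identity
# (stolen via an exploited service) enumerating and escalating from a foreign IP.
SAMPLE_EVENTS = [
    _event("2026-03-10T09:00:01Z", CI, GEN_TOKEN, "10.20.0.5",
           "projects/-/serviceAccounts/release-bot@example-proj.iam.gserviceaccount.com"),
    _event("2026-03-10T09:02:10Z", WEB, "storage.buckets.list", ATTACKER_IP),
    _event("2026-03-10T09:02:12Z", WEB, "GetIamPolicy", ATTACKER_IP),
    _event("2026-03-10T09:02:14Z", WEB, "TestIamPermissions", ATTACKER_IP),
    _event("2026-03-10T09:02:16Z", WEB, "TestIamPermissions", ATTACKER_IP),
    _event("2026-03-10T09:02:20Z", WEB, "google.iam.admin.v1.ListServiceAccounts", ATTACKER_IP),
    _event("2026-03-10T09:03:00Z", WEB, GEN_TOKEN, ATTACKER_IP,
           "projects/-/serviceAccounts/org-admin@example-proj.iam.gserviceaccount.com"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['at'].isoformat()} {a['rule']:25} {a['principal']} {a['detail']}")
```

None of the three rules needs a file hash or a binary: the first event is the same API call as the last one, and only the pairing baseline tells them apart. That is what detection against legitimate provider APIs has to look like.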
If your organisation is reviewing its cloud security posture, patch management practices, or identity and access management configuration in response to these findings, contact Excello Digital. We work with European organisations to assess and improve cloud security controls, with a particular focus on the vulnerability management cadence and identity hygiene practices that the H1 2026 Threat Horizons data identifies as the most consequential.
