Welcome to the first Cloud CISO Perspectives for March 2026. Today, Bob Mechler and Crystal Lister, from Google Cloud’s Office of the CISO, share cloud threat intelligence and analysis from our new Cloud Threat Horizons Report.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Cloud Threat Horizons: From rapid exploitation to forensic readiness
By Bob Mechler, director, and Crystal Lister, security advisor, Office of the CISO
As we become more firmly entrenched in the AI era, the time defenders have to mitigate a vulnerability before threat actors exploit it is shrinking fast. Google Cloud Security observed in the second half of 2025 that the window between a vulnerability disclosure and active exploitation collapsed from weeks to just days. This acceleration, fueled by threat actors using AI-assisted probing to rapidly scan targets and discover unpatched applications, means organizations should move beyond reactive, manual security — as soon as they can.
That’s the primary takeaway from our newest Cloud Threat Horizons Report, a biannual publication sharing strategic intelligence and risk recommendations on threats to cloud service providers, from Google Cloud’s Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and other Google Cloud security and product teams.
Third-party software vulnerabilities take the lead
For the first time since we began publishing the CTHR in 2021, we observed a tactical pivot by threat actors. They’re now targeting third-party software vulnerabilities more than weak or missing credentials as the primary initial access vector. These incidents targeted external vulnerabilities in Google Cloud customer environments, but did not involve breaches of Google Cloud’s core infrastructure.
In the second half of 2025, threat actors exploited software-based vulnerabilities (44.5%) more frequently than weak credentials (27.2%), a significant increase from the start of 2025, when software exploitation accounted for less than 3% of incidents.
We believe that this shift is a sign of defensive progress. Google’s secure-by-default strategy and enhanced credential protections are likely closing traditional paths, forcing threat actors to adopt faster, more automated paths through unpatched applications. We assess that threat actors are increasingly using AI to accelerate the discovery phase, allowing them to identify and exploit vulnerable software at unprecedented speeds.
As part of our shared fate approach to help build resilient cloud foundations through secure configurations and policies, we made available last week a new recommended security controls checklist.
As we look ahead to 2026, our security experts offer four critical insights from the new report:
- Collapse of the exploitation window: Attack speeds can now be measured in days. For example, during the React2Shell incident, GTIG observed threat actors deploying cryptocurrency miners within approximately 48 hours of the vulnerability’s public disclosure. Organizations shouldn’t wait for patches to be tested to take action. They should pivot to automated defenses — such as Web Application Firewalls (WAF) — to neutralize exploits at the network edge as soon as possible.
- North Korean actors weaponize Kubernetes: The report details a previously undocumented, sophisticated campaign by UNC4899 targeting a cryptocurrency organization. By abusing legitimate DevOps workflows and breaking out of privileged containers, these threat actors stole millions in cryptocurrency. This highlights the critical risk posed by living-off-the-cloud (LOTC) techniques, and the need for strict isolation in cloud runtime environments.
- From CI/CD to cloud destruction: We’re also following supply chain infections targeting the CI/CD pipeline. In one case, a compromised npm (node package manager) package, QUIETVAULT, allowed threat actors (UNC6426) to abuse OpenID Connect trust relationships, gaining full Amazon Web Services administrator permissions in less than 72 hours. This crown-jewel access vector underscores the need for the principle of least privilege in automated pipelines.
- Anti-forensic and destructive tactics: Sophisticated threat actors are no longer just stealing data; they are sabotaging the evidence. In late 2025, we continued seeing all major ransomware gangs delete logs, core dumps, and backups to hinder recovery and forensic investigations. Moving to high-fidelity, tamper-resistant logging is now a regulatory and operational necessity.
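One concrete way to apply least privilege to the OpenID Connect trust relationships described in the CI/CD insight above, as an added example that is not from the report or from Google Cloud: a small checker that flags an AWS IAM role trust policy whose web-identity condition is not pinned to an audience and a specific repository and branch. The AWS trust-policy layout, the GitHub Actions claim names (token.actions.githubusercontent.com:aud and :sub) and the account ID are assumptions, since the report does not name the provider; both policies are constructed samples.

```python
# Constructed sample trust policies (not from the report) for an AWS IAM role that a
# CI pipeline assumes through OpenID Connect. GitHub Actions claim names are assumed.
OIDC = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"  # placeholder account id

# Weak: no audience check and a wildcard subject, so any workflow in any repository of
# the org (including one running a compromised package) can assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC}:sub": "repo:example-org/*"}},
    }],
}

# Strict: audience pinned to STS and subject pinned to one repository and one branch.
STRICT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:aud": "sts.amazonaws.com",
            f"{OIDC}:sub": "repo:example-org/app:ref:refs/heads/main",
        }},
    }],
}


def trust_policy_findings(policy: dict) -> list[str]:
    # Return least-privilege findings for every web-identity Allow statement.
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(f"{OIDC}:aud") != "sts.amazonaws.com":
            findings.append("audience not pinned to sts.amazonaws.com")
        sub = equals.get(f"{OIDC}:sub") or like.get(f"{OIDC}:sub")
        if sub is None:
            findings.append("no subject condition: any token from the provider can assume the role")
        elif "*" in sub:
            findings.append(f"wildcard subject {sub!r}: any matching repository or branch qualifies")
        elif ":ref:" not in sub and ":environment:" not in sub:
            findings.append(f"subject {sub!r} not pinned to a branch, tag or environment")
    return findings
```

Running `trust_policy_findings` over the weak policy reports both the missing audience check and the wildcard subject; the strict policy produces no findings.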
How CISOs can help organizations adapt
As 2026 unfolds — bringing with it geopolitical unrest and major events such as the FIFA World Cup and U.S. midterm elections — threat actors will continue to exploit the trust gap in cloud platforms. We strongly recommend moving toward automated identity-based controls and forensic readiness to navigate these threats.
For deeper technical analysis on these trends, including granular data on malicious insider behavior and risk management recommendations for Google Cloud and platform-agnostic environments, you can download the full H1 2026 Cloud Threat Horizons report here.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- How Google Does It: Applying SRE to cybersecurity: Learn how Google uses Site Reliability Engineering to modernize security operations and deliver value quickly, safely, and securely. Read more.
- Make security simpler: Introducing the Google Cloud recommended security checklist: Now available is a new recommended controls checklist to help you set configurations and policies when building a resilient cloud foundation. Read more.
- Cultivating a robust and efficient quantum-safe HTTPS: Announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. Read more.
- Hybrid FIDO transport goes offline: Building on our previous posts on Hybrid transport covering cross-device passkeys and JSON message support, we’re now pivoting to how FIDO’s hybrid transport architecture supports the offline world. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- 2025 zero-day vulnerabilities in review: Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild in 2025, and found that 48% targeted enterprise technology. For the first time, commercial surveillance vendors overtook state-sponsored actors for attribution. Read more.
- The mysterious journey of Coruna, a powerful iOS exploit kit: GTIG has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) through version 17.2.1 (released in December 2023). Read more.
- Disrupting the GRIDTIDE global cyber-espionage campaign: GTIG, Mandiant Threat Defense, and partners have taken action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. Read more.
- How UNC6201 is exploiting a Dell RecoverPoint for virtual machines zero-day: Mandiant and GTIG have identified zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines by UNC6201, a suspected PRC-nexus threat cluster. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- Resetting the SOC: Detecting state actors or doing the basics: How does a company’s detection strategy change when the adversary is a state-funded group whose goal might be long-term persistence or subtle data manipulation? Allie Mellen discusses her new book with hosts Anton Chuvakin and Tim Peacock. Listen here.
- Beyond shadow IT: Unsanctioned AI agents do more than talk: And you thought shadow IT was bad. The threat of shadow agents takes shadow AI, itself an evolution of the IT risk, to the next level. Alastair Paterson, CEO and co-founder, Harmonic Security, joins Anton and Tim to explore the AI risks — and how to secure it effectively. Listen here.
- Cyber-Savvy Boardroom: From AI theater to measurable business value: Ryan McManus joins hosts Alicja Cade and David Homovich to discuss the shift from simply storing data to using it to actively power your business. More than just theory, we dive into why boards should move toward a cohesive, three-year AI roadmap. Listen here.
- Behind the Binary: How EtherHiding and frontend attacks are weaponizing the blockchain: Host Josh Stroschein is joined by Robert Wallace, Joseph Dobson, and Blas Kajusner to dissect the new hybrid heist — the era of isolated crypto-theft is over. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.