Cloud CISO Perspectives: New Threat Horizons report highlights current cloud threats

Welcome to the first Cloud CISO Perspectives for March 2026. Today, Bob Mechler and Crystal Lister, from Google Cloud’s Office of the CISO, share cloud threat intelligence and analysis from our new Cloud Threat Horizons Report.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

By Bob Mechler, director, and Crystal Lister, security advisor, Office of the CISO

As we become more firmly entrenched in the AI era, the time defenders have to mitigate a vulnerability before threat actors exploit it is shrinking fast. Google Cloud Security observed in the second half of 2025 that the window between a vulnerability disclosure and active exploitation collapsed from weeks to just days. This acceleration, fueled by threat actors using AI-assisted probing of targets to rapidly discover unpatched applications, means organizations should move beyond reactive, manual security as soon as they can.

That’s the primary takeaway from our newest Cloud Threat Horizons Report, a biannual publication sharing strategic intelligence and risk recommendations on threats to cloud service providers, from Google Cloud's Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and other Google Cloud security and product teams.

Third-party software vulnerabilities take the lead

For the first time since we began publishing the CTHR in 2021, we observed a tactical pivot by threat actors. They’re now targeting third-party software vulnerabilities more than weak or missing credentials as the primary initial access vector. These incidents targeted external vulnerabilities in Google Cloud customer environments, but did not involve breaches of Google Cloud’s core infrastructure.

In the second half of 2025, threat actors exploited software-based vulnerabilities (44.5%) more frequently than weak credentials (27.2%), a significant increase from the start of 2025, when software exploitation accounted for less than 3% of incidents.

We believe that this shift is a sign of defensive progress. Google’s secure-by-default strategy and enhanced credential protections are likely closing traditional paths, forcing threat actors to adopt faster, more automated paths through unpatched applications. We assess that threat actors are increasingly using AI to accelerate the discovery phase, allowing them to identify and exploit vulnerable software at unprecedented speeds.

As part of our shared fate approach to help build resilient cloud foundations through secure configurations and policies, we made available last week a new recommended security controls checklist.

As we look ahead to 2026, our security experts offer four critical insights from the new report:

How CISOs can help organizations adapt

As 2026 unfolds — bringing with it geopolitical unrest and major events such as the FIFA World Cup and U.S. midterm elections — threat actors will continue to exploit the trust gap in cloud platforms. We strongly recommend moving toward automated identity-based controls and forensic readiness to navigate these threats.

For deeper technical analysis on these trends, including granular data on malicious insider behavior and risk management recommendations for Google Cloud and platform-agnostic environments, you can download the full H1 2026 Cloud Threat Horizons report here.

Originally published on Google.