Exploitation of user-managed software running in the cloud has overtaken credential abuse as the most common way threat actors gain initial access to cloud resources.
In its semi-annual "Cloud Threat Horizons Report," Google found that incidents exploiting user-managed software applications, such as the React2Shell flaw in React Server Components, surpassed credential-based access to become the most frequent initial access vector. Overall, "software-based entry," which covers the exploitation of software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company said.
The shift likely reflects Google's secure-by-default strategy and the work organizations have done to shrink the attack surface created by misconfigurations and stolen credentials. Crystal Lister, a security adviser in the Office of the CISO at Google Cloud, observes that as organizations resolve long-standing cloud hygiene issues, threat actors move toward more automated paths in. The defensive perimeter has effectively moved from the cloud infrastructure itself to the third-party, user-managed software running on top of it.
Identity remains the primary vector outside Google Cloud
Outside Google's own cloud environments, identity and credential weaknesses remain the primary avenue for unauthorized access. In platform-agnostic incidents investigated by Google Mandiant, 83% of initial-access vectors traced back to identity. According to the Google report, nearly a third of these incidents originated from phishing, a fifth from compromised trust relationships with third parties, a fifth from stolen credentials, and a tenth from malicious insiders and software supply-chain compromises. The remaining 17% of incidents, those not tied to identity, involved misconfigurations and software vulnerabilities.
Palo Alto Networks observed a similar pattern in its "Global Incident Response Report 2026," finding that 65% of initial access was tied to identity. The firm's report noted that as organizations adopt SaaS, cloud, and hybrid environments, traditional network perimeters matter less, making identity the practical perimeter.
Automation accelerates vulnerability targeting
When defenders successfully secure credentials and configurations, threat actors naturally look for other entry points. Saumitra Das, vice president of engineering at Qualys, notes that targeting software has become more efficient due to AI-driven vulnerability analysis and access development. Threat actors quickly adapt to focus on unpatched software, a transition accelerated by AI-assisted tools that let newly disclosed CVEs be weaponized almost immediately.
Under the shared responsibility model for cloud security, both the cloud provider and the customer must secure their respective operational areas. Keith Lunden, a manager with the Google Threat Intelligence Group, points out that cloud architectures contain identity weak points that require careful management. Threat actors continuously scan for these gaps, evolving their methods through the use of AI.
Because customers hold greater responsibility for securing infrastructure-as-a-service (IaaS) than platform-as-a-service (PaaS), most software-based access attempts in the cloud focus on IaaS, where the customer installs and patches the software stack. Edge devices, along with publicly exposed assets such as virtual machines and serverless workloads, are typically the first to be targeted.
Accelerating the patching response
The adoption of AI services by malicious actors represents a major factor in the evolving threat environment. Large language models (LLMs) enable less technically adept individuals to generate well-crafted reconnaissance frameworks, leading to an increase in sophisticated access attempts.
In previous years, defenders had weeks to respond to a newly disclosed vulnerability. Today the response window has shrunk to hours, yet many patch management processes were not designed to operate at that speed.
To protect systems effectively in this environment, organizations need an accelerated approach to patching. Lister recommends virtually patching a vulnerability within 24 hours of its public disclosure (for example, by blocking the exploit path at a proxy or web application firewall) and fully remediating it within 72 hours. To achieve this, defenders should replace manual processes with identity-aware proxies and automated posture enforcement. For example, teams can use Google Cloud's Organization Policy service to programmatically block the creation of overly permissive firewall rules. As unauthorized access timelines compress into hours, defensive measures must rely on automation to keep pace.
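An Organization Policy constraint is preventive: it rejects a non-compliant firewall rule at creation time. The detective counterpart is an audit over rules that already exist. The script below is an added example, not code from the article, from Google, or from the report; it defines "overly permissive" as an enabled ingress allow rule reachable from any address (0.0.0.0/0, ::/0, or a rule with no source at all, which Compute Engine treats as 0.0.0.0/0) that opens every protocol, every port of a protocol, or an administrative port such as SSH or RDP. The port list is an assumption for the example, the input shape follows the firewall resource as printed by `gcloud compute firewall-rules list --format=json`, and the sample rules are constructed rather than captured from a real project. The same predicate can be expressed as the condition of a custom Organization Policy constraint on the Compute Engine firewall resource so that such rules are never created in the first place.

```python
"""Audit Compute Engine VPC firewall rules for world-exposed ingress.

Added example, not from the article or the Google report. Input follows the
shape of `gcloud compute firewall-rules list --format=json`; SAMPLE_RULES
below are constructed, not captured from a real project.
"""
import ipaddress

# Ports whose exposure to the whole internet is treated as a violation.
# This list is an assumption for the example; tune it to your estate.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 6379: "redis"}


def _is_world(cidr: str) -> bool:
    """True for a source range matching every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed entry; not treated as world-reachable here


def _expand_ports(spec: str) -> range:
    """'22' -> range(22, 23); '80-443' -> range(80, 444)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return range(lo_i, hi_i + 1)


def evaluate_rule(rule: dict) -> list:
    """Return violation strings for one rule (empty list means compliant).

    Only enabled INGRESS allow rules are considered: egress rules, deny
    rules and disabled rules do not widen what the internet can reach.
    """
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []
    if not rule.get("allowed"):
        return []

    sources = rule.get("sourceRanges", [])
    # Compute Engine treats an ingress rule with no sourceRanges, sourceTags
    # or sourceServiceAccounts as if sourceRanges were ["0.0.0.0/0"].
    no_source = (not sources and not rule.get("sourceTags")
                 and not rule.get("sourceServiceAccounts"))
    if not (no_source or any(_is_world(s) for s in sources)):
        return []

    findings = []
    if no_source:
        findings.append("no source specified: defaults to 0.0.0.0/0")
    for entry in rule["allowed"]:
        proto = entry.get("IPProtocol", "").lower()
        ports = entry.get("ports")
        if proto == "all":
            findings.append("all protocols open to the internet")
            continue
        if proto in ("tcp", "udp") and not ports:
            findings.append(f"all {proto} ports open to the internet")
            continue
        for spec in ports or []:  # icmp and friends carry no ports
            for port in _expand_ports(spec):
                if port in SENSITIVE_PORTS:
                    findings.append(
                        f"{proto}/{port} ({SENSITIVE_PORTS[port]}) open to the internet")
    return findings


def audit(rules: list) -> dict:
    """Map rule name -> violations, for every rule with at least one."""
    result = {}
    for rule in rules:
        findings = evaluate_rule(rule)
        if findings:
            result[rule["name"]] = findings
    return result


# Constructed sample in the shape of the Compute Engine firewall resource.
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "legacy-no-source", "direction": "INGRESS",
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "rdp-range-v6", "direction": "INGRESS",
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "open-but-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-any", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a real export with `gcloud compute firewall-rules list --format=json > rules.json` and pass the parsed list to `audit()`. The rule that opens only 80 and 443 to the world is deliberately left alone: a web tier is expected to be reachable, and the point of the check is to catch administrative and all-port exposure, not to forbid public services. Port ranges are expanded so that a broad range such as 3000-4000 is caught even though it never names 3389 explicitly.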