⬇️
Key Takeaways
- Network layer DDoS attacks increased 168 percent year over year with peak volumes nearing 30 Tbps
- Application layer attacks, including API abuse, grew 128 percent as attackers shifted toward vulnerability exploitation
- AI driven bot activity surged nearly 92 percent, compressing the time available for defenders to react
Radware’s newly published 2026 Global Threat Analysis Report lands at a moment when many security teams already sense the pressure mounting across their environments. The company’s assessment, which evaluates attack activity observed throughout 2025, describes a threat landscape that is expanding in both capacity and complexity. A familiar story perhaps, but the numbers this time move well beyond incremental change.
Start with the network layer. The report shows a 168.2 percent year over year jump in layer 3 and 4 DDoS attacks, with peaks approaching 30 Tbps. That is not a trivial shift, and it suggests adversaries are revisiting brute force volumetric techniques at massive scale. The average customer studied experienced more than 25,351 network layer attacks in the second half of 2025, which works out to roughly 139 attempts per day. It raises an interesting question about operational sustainability. How many teams can realistically triage that pace without automation taking the front seat?
Certain industries were hit far harder than others. Technology organizations accounted for 45 percent of all network layer DDoS activity in 2025, a dramatic rise from just under 9 percent the prior year. Telecommunications and financial services followed as primary targets. Regional distribution skewed heavily toward North America, which saw more than 63 percent of all observed network layer DDoS attacks. The Middle East and Europe trailed at 16.1 percent and 13.7 percent respectively.
Move up the stack and the pattern shifts but does not lighten. Web DDoS activity at layer 7 rose 101.4 percent compared with 2024. In practical terms, this reflects attackers leaning on fast, low duration bursts that slip under traditional thresholds. Most significant layer 7 attacks now end in under 60 seconds. That said, even the shorter events deliver meaningful disruption for organizations with customer facing services or API driven workflows.
The report highlights that 94.4 percent of Web DDoS attacks fell below 100,000 requests per second. The volume is not negligible, but the more striking detail is the frequency and persistence. Online services, retail platforms and financial institutions absorbed the bulk of these incidents, largely because they operate systems where even small interruptions cascade quickly. EMEA faced the most application layer DDoS pressure at 57 percent of global activity, yet APAC saw astonishing acceleration with a 485 percent year over year increase.
Application and API related threats followed a similar upward curve. Malicious transactions grew 128 percent, with vulnerability exploitation accounting for 41.8 percent of observed attacks. By the final quarter of 2025, nearly 58 percent of activity targeted exploitable weaknesses or business logic rather than commodity techniques. Technology centric businesses with broad API ecosystems, such as SaaS and fintech providers, saw the largest share of these attacks. North America and EMEA once again accounted for the majority of malicious application traffic.
Automation and AI remain central themes in Radware’s findings. The company notes a 91.8 percent increase in bad bot activity, driven by generative AI tools that simplify credential stuffing, scraping and account takeover campaigns. Interestingly, nearly all of 2024’s total bot volume was matched in just the first half of 2025. It may not surprise practitioners who already grapple with sophisticated bots that mimic user behavior, but the velocity of growth stands out. North America saw more than 40 percent of these malicious bot transactions, while APAC contributed 25 percent.
Hacktivism continues to evolve as a distinct category of risk. Rather than episodic surges tied to geopolitical events, Radware describes a persistent, high volume pattern that extended across 2025. Europe absorbed 48.4 percent of claimed hacktivist activity, significantly more than the Middle East or Asia. Government services were targeted most often, representing nearly 39 percent of all claimed attacks. Israel, the United States and Ukraine topped the list of national targets. The group NoName057 (16) remained the most active hacktivist entity, claiming 4,693 attacks during the year.
The commentary accompanying the report stresses that attackers are layering automation, AI and multi vector tactics to compress defenders’ reaction times. It aligns with a broader industry trend, where traditional manual response cycles are rapidly losing ground. Some organizations have begun shifting toward architectures designed to respond in seconds, not minutes, but that transition is uneven and still underway.
There is also the matter of detection thresholds. A recurring thread across both network and application layer data is the prevalence of smaller, more frequent attacks that intentionally avoid triggers tuned for high volume anomalies. That approach forces defenders to evaluate a larger number of ambiguous events, increasing both cost and cognitive load. One might argue that this slow grind of persistent micro attacks is as disruptive as the headline grabbing multi terabit events.
Radware will expand on its findings during a webinar scheduled for March 19, where its threat intelligence leadership plans to walk through the data in more detail. The full technical analysis, along with defensive guidance, is being made available through the company’s research center. For security teams looking to benchmark their experiences against broader trends, the report offers plenty of material to digest, even if it reinforces what many professionals already feel daily: the tempo of attacks shows no sign of easing.
