Why 2025 Was Different

In web security, attack volume rises every year. More applications go on the internet, more APIs are published, more automation tools reach attackers. So "there were more attacks" is not, on its own, a new story. What made 2025 different was not just volume.

Web attacks rose from roughly 4 billion in 2024 to 6.29 billion events in 2025 — about a 56 percent increase in a year. In the same period, AI-assisted attacks grew noticeably, Layer 7 DDoS volume jumped, bot traffic began to exceed human traffic, and a sequence of high-impact vulnerabilities surfaced in critical infrastructure components.

The real change ran deeper. 2025 was the year attacker automation stopped being just "a bot sending more requests" and started adding decision capacity to the attack chain. AI-driven tools produced payload variants, probed WAF rules to bypass them, accelerated vulnerability discovery, and in some scenarios advanced attack chains without a human operator.

So reading 2025 only as a volume year would be incomplete. A more accurate reading: 2025 was the year the scale increase in web attacks turned into an architectural security problem. WAF, DDoS protection, bot management, identity-aware access, isolation, and forensic recording are no longer separate product topics; they have become complementary answers to the same threat landscape.

Headline Numbers

The overall picture of 2025 can be read through a few large numbers. Each is important on its own; read together, they show a larger picture.

6.29B: total web attacks in 2025. Up from 4B in 2024, a 56% year-over-year increase. Source: Indusface 2026 Vulnerability Statistics.

+89%: AI-enabled attack growth. Year-over-year increase in AI-augmented incidents. Source: Microsoft Security Blog, 2026.

29.7 Tbps: largest DDoS attack. Aisuru botnet, October 2025, a new volumetric ceiling. Source: TR7 Analysis, Aisuru Botnet.

+550%: Layer 7 DDoS growth. Application-layer attacks, year over year. Source: TR7 Analysis, Layer 7 DDoS Surge 2025.

The Aggregate Message

Attack volume rose. Attack automation matured. DDoS became not just a network-volume problem but an application-logic problem. Bots stopped being the exception — they crossed 51 percent of total traffic for the first time. AI accelerated attack production and variation. Critical CVEs clustered in widely deployed infrastructure layers. The message 2025 sent to security teams was clear: a single defense layer cannot answer this landscape alone.

Attack Volume: What Sits Behind the 56% Increase?

The number of documented web attacks reached 6.29 billion in 2025. Against the roughly 4 billion baseline of 2024, that is a serious increase, but explaining it only as "more applications went on the internet" is not enough. The attack surface did grow; the growth rate of attack volume, however, is too high to be explained by new applications and services alone.

Three main factors sit behind that growth. First, automation became the default — bot traffic crossing more than half of total traffic changed the security assumption. It is no longer reliable to assume by default that there is a human behind an incoming request. This change was felt especially in credential stuffing, API abuse, content scraping, price/inventory tracking, fake account creation, click fraud, automated vulnerability scanning, and account takeover attempts.
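The credential-stuffing pattern named above is one of the easier automation signatures to pull out of access logs, because it inverts the brute-force shape: many distinct usernames from one source, rather than many passwords against one account. The following is an added example written for this page, not code from the article or from any TR7 component; the log format (ip, user, status, method, path, user agent), the sample lines and the thresholds are constructed assumptions.

```python
"""Detect credential-stuffing patterns in web access logs.

Added example, not part of the original article. The log lines below are
constructed for illustration; the field layout (ip, user, status, method,
path, ua) and the thresholds are assumptions, not a real product's rules.
"""
from collections import defaultdict

# Constructed sample: one IP cycling many distinct usernames against /login
# with mostly 401s (one hit), and one human who mistyped a password once.
SAMPLE_LOG = """\
203.0.113.7 alice 401 POST /login python-requests/2.31
203.0.113.7 bob 401 POST /login python-requests/2.31
203.0.113.7 carol 401 POST /login python-requests/2.31
203.0.113.7 dave 401 POST /login python-requests/2.31
203.0.113.7 erin 200 POST /login python-requests/2.31
203.0.113.7 frank 401 POST /login python-requests/2.31
198.51.100.4 grace 401 POST /login Mozilla/5.0
198.51.100.4 grace 200 POST /login Mozilla/5.0
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ip, user, status, method, path, ua = line.split(" ", 5)
    return {"ip": ip, "user": user, "status": int(status),
            "method": method, "path": path, "ua": ua}


def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return per-IP findings for login activity that looks like stuffing.

    Heuristic: one source trying many DISTINCT usernames with a high
    failure ratio. Brute force against a single account (one user, many
    failures) has a different shape and is deliberately not flagged here.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "successes": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["path"] != "/login" or rec["method"] != "POST":
            continue
        s = by_ip[rec["ip"]]
        s["users"].add(rec["user"])
        s["attempts"] += 1
        if rec["status"] == 401:
            s["failures"] += 1
        elif rec["status"] == 200:
            s["successes"].add(rec["user"])

    findings = {}
    for ip, s in by_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                # Accounts that accepted a password from this source are
                # the account-takeover candidates to act on first.
                "compromised": sorted(s["successes"]),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The useful output is not the blocked source but the `compromised` list: those are the accounts whose passwords were valid, and they need a forced reset regardless of whether the source IP is later blocked or rotates.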

Second, AI made attack automation more adaptive. In 2024, automation usually ran on fixed script logic. In 2025, AI-driven attacks extended that model — producing payload variants, preparing new attempts based on error messages, generating alternative encodings for WAF bypass, and accelerating exploit chains. The attacker is no longer just repeating the same attack; they can change the attack in response to the defense.

Third, critical CVEs hit widely deployed infrastructure layers. Several critical vulnerabilities disclosed in 2025 affected very broad enterprise surfaces: network edges, document and collaboration infrastructure, frontend frameworks, document-parsing services, and email systems. Attack volume grew further as these CVEs combined with automated scanning and exploitation attempts.

The Critical CVEs of 2025

Many vulnerabilities were disclosed in 2025. But some carried disproportionate weight in the year's threat landscape due to the surface they affected and their exploitation potential.

High-Impact CVEs of 2025

CVE | Period | Target | Why it mattered
CVE-2025-7775 | August 2025 | NetScaler ADC | Unauthenticated RCE risk in infrastructure widely deployed at the enterprise edge
CVE-2025-53770 | July 2025 | SharePoint | Zero-day RCE in document and collaboration infrastructure deployed widely in large organizations
CVE-2025-55182 | December 2025 | React 19 / Next.js RSC | RCE-class risk creating broad surface across the modern frontend ecosystem
CVE-2025-66516 | Late 2025 | Apache Tika | SSRF/XXE risk in document-parsing flows
CVE-2025-52691 | Late 2025 | SmarterMail | RCE risk through file upload in email infrastructure

What the CVE Table Says

What these vulnerabilities shared was a wide deployment surface. ADC components like NetScaler sit at the enterprise network edge. Systems like SharePoint are tied to documents, identity, and internal workflows. Frameworks like React and Next.js underpin a large share of modern web applications. Document parsers like Apache Tika interact directly with user uploads. Email servers have long been high-value targets. These vulnerabilities should not be seen only as technical flaws; each one showed how much critical enterprise workflows depend on widely shared common components. 2025 was a reminder that vulnerabilities at the supply-chain and framework level pose direct risk not just to development teams but to application delivery and security architecture teams.

The AI Shift: From Support Tool to Attack Instrument

One of the most important changes in 2025 was the change in AI's role on the attacker side. In previous years, AI was seen more as a support tool — writing phishing text, producing code fragments, preparing simple scripts, or summarizing attack documentation. In 2025, that role expanded.

AI became a more active part of the attack chain. It was used more visibly in payload generation, variation trials, vulnerability discovery, exploit adaptation, credential abuse, and autonomous-agent flows. That change produced three consequences.

Three Consequences of the AI Shift

Payload Variation Accelerated

WAF and IDS detection logic tied to specific patterns is still valuable, but AI-driven payload generation made it easy for the attacker to produce many variants that reach the same goal. When a payload is blocked, the attacker can try a different encoding, parameter shape, syntax, nesting, or request form, faster and more broadly than manual variation allows. This put particular strain on regex-based WAF rules, above all those that match on the raw request without first normalizing it.

Attack Chain Became More Autonomous

Some 2025 reports showed a single autonomous agent targeting hundreds of firewalls across wide geographies without a human operator. When the human operator no longer has to run every step manually, attack capacity is not limited by team size. The agent can run reconnaissance, change strategy on failure, try exploit variants, and report results — which increases time pressure on the defense side.

2026 Mythos Was a Continuation

Anthropic's 2026 decision not to release Claude Mythos looked like a sharp break. But the ground for that development was laid in 2025. Throughout the year, AI-driven attack capability rose, agentic systems took on more tasks, and classic detection approaches came under strain. The Mythos announcement was the continuation of that trend, not its start. 2025 should be read as a transformation year, not a preparation year.

DDoS Evolution: Volume and Application Layer Grew Together

On the DDoS side, 2025 drew attention in two distinct directions. Volumetric attacks reached new ceilings; Layer 7 DDoS — application-layer attacks — grew much faster. Treating the two as the same threat is a mistake. They have different impacts, different detection methods, and different mitigation strategies.

Impact by Sector

Web attacks in 2025 affected all sectors. But some sectors stood out in both volume and impact.

Financial Services

Highest-value target throughout the year. Banking portals, payment systems, customer authentication flows, API-based financial services, and mobile backend systems became targets of credential stuffing, DDoS, API abuse, and fraud automation. Risk is not just downtime — account takeover, financial-transaction manipulation, customer data leakage, and regulatory consequences are direct impacts.

Critical Infrastructure

Energy, telecom, transportation, public utilities, and industrial control systems stood out as high-impact targets in 2025. SCADA and ICS interfaces are managed differently from classic IT systems due to operational continuity requirements. Critical-infrastructure attacks must be evaluated not just for data security but also for operational safety and public impact.

API-Centric Businesses

For SaaS, fintech, developer platforms, and mobile application backends, the API surface became one of the main targets in 2025. API attacks show patterns different from classic web-page behavior — the attacker hits endpoints directly, abuses tokens, manipulates parameters, tests authorization boundaries. API security is not a subset of web security; it is a separate primary surface.

Retail and E-Commerce

Among the sectors most heavily affected by bot traffic. Credential stuffing, price scraping, inventory hoarding, fake-account creation, coupon abuse, and click fraud all rose throughout the year. The goal of these attacks is often not direct system compromise — it is to extract economic value. Depleting stock, stealing price data, abusing promotions, or burning ad budgets are serious security and revenue problems.

Healthcare

Came under pressure from ransomware, patient-portal attacks, PHI disclosure, and credential abuse. Healthcare data remains attractive to attackers because it is long-lived and high-value. As patient portals and online services expand, the web surface grows with them. The core issue is not just privacy — service continuity and patient safety can also be directly affected.

Government and Public Sector

Sat at the center of campaigns targeting espionage, disruption, and public trust. The attacker profile is more varied — cybercrime groups, state-sponsored actors, hacktivist groups, and opportunistic bot networks can attack the same surface for different goals. One important trend: the line between cybercrime and state-aligned activity continued to blur.

What OWASP Top 10:2025 Says

The 2025 edition of OWASP Top 10 reflected the change in web security at the methodology level too. Two new headings drew particular attention.

A03 Software Supply Chain Failures is now one of the official main categories of web application security. This is not just about open-source packages — build processes, CI/CD systems, container images, signing chains, AI coding assistants, and third-party service integrations should all be considered part of this heading.

A10 Mishandling of Exceptional Conditions makes the way applications behave under error, load, latency, missing data, unexpected state, and edge cases — not just normal flow — a security topic.
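The classic A10 failure is an authorization check that treats an exception as "no restriction found". The block below is an added example written for this page (it is not from OWASP or the article) that puts a fail-open check next to a fail-closed one and exercises both against an unknown user and a simulated backend outage. The policy store and the exception type are constructed stand-ins for a real authorization backend.

```python
"""Mishandling of exceptional conditions (OWASP Top 10:2025 A10): an
authorization check that fails open next to one that fails closed.

Added example, not from the original article or OWASP. The policy store
and the exception it raises are constructed stand-ins for a real backend.
"""


class PolicyUnavailable(Exception):
    """Raised when the authorization backend cannot be reached."""


def lookup_roles(user, store):
    """Constructed policy store. store=None simulates a backend outage;
    an unknown user raises KeyError, the 'unexpected state' edge case."""
    if store is None:
        raise PolicyUnavailable("policy service timeout")
    return store[user]


def can_export_fail_open(user, store):
    """VULNERABLE: treats any error as 'no restriction applies'.

    The comment in the except branch is the rationale usually found next
    to this pattern; it quietly grants export rights during an outage
    and to principals the store has never heard of.
    """
    try:
        roles = lookup_roles(user, store)
    except Exception:
        # "availability first: don't lock users out during a blip"
        return True
    return "admin" in roles


def can_export_fail_closed(user, store):
    """HARDENED: every exceptional condition denies; only an explicit
    positive role grants access, and each failure mode is distinguishable
    so it can be logged and alerted on separately."""
    try:
        roles = lookup_roles(user, store)
    except PolicyUnavailable:
        # Backend down: deny and surface the outage to monitoring.
        return False
    except KeyError:
        # Unknown principal: deny rather than assume default rights.
        return False
    return "admin" in roles


STORE = {"alice": ["admin"], "bob": ["viewer"]}


def compare(user, store):
    """Run both checks for one (user, store) condition."""
    return {"fail_open": can_export_fail_open(user, store),
            "fail_closed": can_export_fail_closed(user, store)}


if __name__ == "__main__":
    print("alice, healthy backend:  ", compare("alice", STORE))
    print("bob, healthy backend:    ", compare("bob", STORE))
    print("mallory (unknown user):  ", compare("mallory", STORE))
    print("bob, backend outage:     ", compare("bob", None))
```

The two checks agree on every normal-flow input; they diverge only in the conditions the A10 heading names, which is why tests that cover the happy path alone never catch this class.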

One of the most striking ranking shifts is the rise of security misconfiguration to A02. Misconfigured cloud storage, missing security headers, overly permissive defaults, wrong CORS settings, and open admin interfaces were at the root of many incidents in 2025. The message is that in modern web security a vulnerability is not only a code error; it is just as often an architectural, configuration, or supply-chain error.
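Of the misconfigurations listed, CORS is the one most often introduced by a single well-meaning line. The block below is an added example written for this page (not the article's code and not tied to any framework) that puts an origin-reflecting policy next to an allowlisted one and checks, with a rough model of the browser's credentialed-request rule, which origins could read an authenticated response. The allowlist and the probe origins are constructed.

```python
"""Security misconfiguration: a CORS policy that reflects any Origin with
credentials, next to an allowlisted one.

Added example, not from the original article. The allowlist and the probe
origins are constructed; no web framework is involved.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflective(request_origin):
    """VULNERABLE: echoes whatever Origin the browser sent and also
    allows credentials. Any page a logged-in user visits can then read
    authenticated API responses cross-origin."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin):
    """HARDENED: exact match on scheme://host[:port] against an allowlist;
    anything else gets no CORS headers, so the browser refuses the read."""
    if request_origin is None:
        return {}
    parts = urlsplit(request_origin)
    canonical = f"{parts.scheme}://{parts.netloc}"
    # Set membership rejects lookalikes such as app.example.com.evil.net;
    # the scheme check rejects an http:// downgrade of a listed host.
    if parts.scheme != "https" or canonical not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        # Without Vary a cache may hand one origin's header to another.
        "Vary": "Origin",
    }


def browser_would_read(response_headers, request_origin):
    """Approximation of the browser rule for a credentialed request:
    ACAO must equal the origin exactly (a '*' is not accepted) and ACAC
    must be 'true'."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials")
    return acao == request_origin and acac == "true"


# Constructed probes: one legitimate origin, one attacker-controlled
# lookalike, one plain-http downgrade of the legitimate host.
PROBES = [
    "https://app.example.com",
    "https://app.example.com.evil.net",
    "http://app.example.com",
]


def audit(probes=PROBES):
    """For each origin: could a page there read a credentialed response?"""
    return {
        o: {
            "reflective": browser_would_read(cors_headers_reflective(o), o),
            "allowlisted": browser_would_read(cors_headers_allowlisted(o), o),
        }
        for o in probes
    }


if __name__ == "__main__":
    for origin, result in audit().items():
        print(origin, result)
```

The reflective policy answers "yes" to every origin, including the attacker's; the allowlisted one answers "yes" only to the exact origin it was meant for. A regex allowlist that anchors only on the prefix would fail the lookalike probe the same way the reflective one does, which is why the check is set membership on the canonical origin rather than a pattern.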

The decline of the injection category (now A05) is meaningful in this context. Modern frameworks, parameterized queries, and SAST tools have reduced classic injection risks. But this does not mean web security has become easier. The risk has shifted to other areas.

Architectural Shifts That Started in 2025

In 2025, the security conversation began to be more architecture-centric than product-centric. Especially for high-value applications, this question was asked more often: what happens if the attacker bypasses a layer? That question placed structural controls next to detection and blocking layers.

Remote Browser Isolation Mainstreamed

RBI was long seen as a niche security control. Increased investment in RBI by major security vendors in late 2025 and early 2026 changed that perception — AI-driven attacks, prompt injection, endpoint risk, and the direct exposure of high-value applications to the client made isolation a more central control. The application does not run on the user's device; the user sees only the rendered pixel stream.

Defense-in-Depth Came Back

2025 showed once again that the era of solving security with a single product is over. WAF was necessary but not sufficient on its own. DDoS protection was necessary but incomplete without knowing the application logic. Bot management was necessary but limited without identity context. Buyer conversations shifted from "which WAF?" to "how do these layers work together?" The modern threat landscape requires not a single product barrier but layers that work together.

Forensic Recording Became Core

As breach windows tightened, post-incident reconstruction became more critical. When an attack progresses in seconds, generating alerts alone is not enough. The security team must understand: which session was affected, which user reached which screen, which requests were sent, which data was viewed, which logs were targeted for tampering. Full session recording, intelligent screenshots, request/response capture, click chains, and integrity-protected logs became foundational for high-value applications.

Zero Trust Operationalized

Zero trust was long treated as a goal that lived on architecture diagrams. In 2025 it became an operational requirement for more organizations: every request is evaluated in identity context, implicit trust between services is not granted, a user is not treated as trusted across the whole system because they were admitted once, authority is granted at minimum scope, and risk context is continuously re-evaluated. That matters more in an environment where AI-driven attacks accelerated and patch windows tightened.

What Carries Into 2026

Some trends that began in 2025 will accelerate in 2026.

AI attack capability will keep rising: vulnerability discovery, exploit adaptation, WAF bypass, prompt injection, bot-management evasion, and agentic attack chains will all matter more. Defense teams need to model AI not just as a support tool but as attack capability.

The contain-by-default approach will accelerate. Detection and response remain necessary but are not sufficient on their own for high-value applications; more organizations will assume that some attacks will advance before they are detected and architect systems to limit attacker movement even after a successful initial breach.

Regulatory pressure (DORA, NIS2, AI Act) will become more visible, pushing operational resilience, supply-chain risk, third-party dependencies, incident reporting, and governance to the front. Security teams must not just block attacks but be able to prove their controls.

How TR7 Layers Respond to the 2025 Landscape

The TR7 platform responds to the threat classes prominent in 2025 not with a single product barrier but with a layered WAAP approach. Each layer has a distinct role. The value comes from these layers working together.

WAF for Volume and Patterns

Base layer that handles known exploit attempts, protocol violations, common attack patterns, and scans against critical CVEs. When broad-impact vulnerabilities like React2Shell, NetScaler, SharePoint, or Tika emerge, WAF managed rules provide important risk reduction until production is patched. The WAF reduces known and common attacks; it does not solve the entire threat landscape on its own.

DDoS Protection L3/L4/L7

2025 showed DDoS grew on both the volumetric and the application-layer sides. Protection should not be limited to L3/L4 — Layer 7 attacks require application awareness, behavioral analysis, endpoint-cost reasoning, and bot distinction. TR7's multi-layer DDoS approach handles network volume and application-layer pressure together.

Bot Management for the 51% Era

When bots reach more than half of total traffic, bot management stops being optional. TR7 Bot Management — using behavioral fingerprinting, TLS/HTTP/2 signals, IP/ASN context, session flow, and intent classification — sorts automated traffic into categories. Essential bots allowed, tolerable bots throttled, hostile bots blocked, authorized AI agents evaluated in a separate policy context.

AGS for Zero-Trust Access

TR7 Access Gateway manages application access through identity, context, and risk policies. Each session is evaluated with authentication and authorization context: user, device, location, application, risk level, and policy decisions all become part of the access flow. This reduces the classic assumption that anything inside the network can be trusted.

ZeroLeak for High-Value Apps

One of the most important lessons of 2025: some applications need not just to be protected but to be separated from the client surface. ZeroLeak runs sensitive web applications in an isolated environment — no DOM, JavaScript, API responses, or session tokens are sent to the user's device. Structural control where detect-first is not enough.

Forensic Recording

When breach windows collapse to seconds, post-incident reconstruction becomes critical. TR7's forensic recording layer — full session video, intelligent screenshots, click/navigation trails, word-based key recording, integrity-protected event logs — lets security teams understand what happened after the fact. Needed not just for compliance but for real incident response.
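Both the forensic-recording passage in the architectural-shifts section and the paragraph above rest on "integrity-protected" logs, and the property that phrase has to deliver is that an attacker who later gains write access to the log cannot edit, delete or reorder an earlier entry without detection. The block below is an added example written for this page, not TR7's implementation: a keyed hash chain over constructed session events, with a verifier that reports the first broken link. The key and the events are constructed; the usage note covers the one case a chain alone does not catch.

```python
"""Integrity-protected event log: a keyed hash chain that makes
after-the-fact tampering detectable.

Added example, not from the original article and not TR7's
implementation. Events and key are constructed.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-rotate-in-production"
GENESIS = b"\x00" * 32


def _digest(prev_hash, event):
    """HMAC over the previous link and the canonical JSON of the event.
    Canonical serialization (sorted keys, no whitespace) means the same
    event always hashes the same way regardless of dict ordering."""
    canonical = json.dumps(event, sort_keys=True,
                           separators=(",", ":")).encode()
    return hmac.new(KEY, prev_hash + canonical, hashlib.sha256).digest()


def append(chain, event):
    """Append an event; each entry commits to everything before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": len(chain), "event": event,
                  "hash": _digest(prev, event)})
    return chain


def verify(chain):
    """Return (ok, first_bad_seq). Recomputes every link from genesis, so
    editing, deleting or reordering a past entry breaks the chain from
    that point onward."""
    prev = GENESIS
    for expected_seq, entry in enumerate(chain):
        if entry["seq"] != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(entry["hash"],
                                   _digest(prev, entry["event"])):
            return False, expected_seq
        prev = entry["hash"]
    return True, None


# Constructed session events of the kind a forensic layer records.
SAMPLE_EVENTS = [
    {"session": "s-1", "user": "alice", "action": "login", "ip": "198.51.100.4"},
    {"session": "s-1", "user": "alice", "action": "view", "screen": "/payroll"},
    {"session": "s-1", "user": "alice", "action": "export", "rows": 1200},
    {"session": "s-1", "user": "alice", "action": "logout"},
]


def build_chain(events=SAMPLE_EVENTS):
    chain = []
    for e in events:
        append(chain, e)
    return chain


def tamper_export(chain):
    """Attacker with write access edits the export row count after the
    fact. Works on a copy so the original chain is untouched."""
    tampered = [dict(e, event=dict(e["event"])) for e in chain]
    tampered[2]["event"]["rows"] = 12
    return tampered


def delete_entry(chain, seq):
    """Attacker removes one entry entirely."""
    return [e for e in chain if e["seq"] != seq]


if __name__ == "__main__":
    chain = build_chain()
    print("intact:          ", verify(chain))
    print("export edited:   ", verify(tamper_export(chain)))
    print("entry 2 deleted: ", verify(delete_entry(chain, 2)))
    print("tail truncated:  ", verify(delete_entry(chain, 3)))
```

The last line of the demo is the caveat: removing the final entry leaves a chain that still verifies, because nothing after it commits to it. That is why the current chain head has to be anchored somewhere the log writer cannot alter (write-once storage, a separate log host, or a transparency log), and why the HMAC key must not live on the same host as the log, otherwise an attacker who owns the host recomputes the chain rather than breaking it.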

Conclusion: 2025 Was the Warning, 2026 Will Be the Execution Year

The 2025 web attack landscape brought to the front some architectural questions enterprise security had postponed. Attack volume rose. Bots became the majority. AI entered attack chains. Layer 7 DDoS grew. Critical CVEs hit widely deployed infrastructure layers. Supply-chain risk expanded. Forensic recording and isolation became more important.

This picture cannot be answered with just more rules, more alerts, or more dashboards. Organizations that want to enter 2026 prepared must approach security as layered and architectural.

The WAF reduces known attacks. DDoS protection preserves continuity. Bot management classifies automated traffic. AGS provides identity-aware access. ZeroLeak isolates high-value applications. Forensic recording makes the post-incident truth visible.

The main lesson of 2025: threats did not just grow; they accelerated and diversified enough to change the defense model.

References & Sources

Annual measurement of web application attack volumes and trends. https://www.indusface.com/blog/key-vulnerability-statistics/

Year-end summary of the most impactful CVEs. https://strobes.co/blog/top-cves-of-december-2025/

Practitioner-focused vulnerability retrospective. https://www.intruder.io/blog/top-vulnerabilities-2025

The 2025 edition of OWASP's flagship risk ranking. https://owasp.org/Top10/2025/0x00_2025-Introduction/

Coverage of notable supply chain compromises during the year. https://www.infosecurity-magazine.com/news-features/five-flaws-exploited-2025-software/

Official tracking of in-the-wild exploitation. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Enter 2026 Prepared

The 2025 landscape forced the architectural conversation enterprise security has been postponing. TR7's WAAP platform provides defense-in-depth for the 2026 threat environment — from WAF and DDoS at the perimeter to ZeroLeak isolation for high-value applications.
