WP Cyber Threat Index | Cyber Security Statistics & Trends | Imperva

Cyber Threat Index Score by Country


Insights and Recommendations

Imperva’s cloud network, the same network that gathers the data behind our Cyber Threat Index, also powers the suite of products that protects our customers from those attacks every day. Start by reading our expert analysis of this month’s most significant insights, then take action using the links below.

A Thailand-based travel company experienced a sharp surge in business logic abuse against its public API, highlighting how economically motivated automation can escalate rapidly. Beginning mid-month, attackers launched large-scale automated scraping of pricing and availability endpoints, likely to support competitive intelligence, resale, or pricing arbitrage, driving traffic to peaks of approximately 70 million requests per day over a four-day period, over 500% higher than average daily traffic. After the initial spike, activity declined but stabilized at a still-elevated baseline of roughly 10 million daily requests, consistent with attackers shifting from aggressive discovery to persistent data harvesting. The traffic was overwhelmingly sourced from Singapore-based IP addresses, suggesting centralized, cloud-hosted automation rather than organic customer demand, and reinforcing how travel platforms remain high-value targets for business logic attacks focused on monetization rather than disruption.

Take action:
Imperva provides Advanced Bot Protection that prevents business logic attacks from all access points – websites, mobile apps and APIs.

A US-based sports retail site was subjected to sustained API-driven automation throughout January, indicating attacker interest in abusing high-risk application functionality rather than generating disruptive traffic. The activity averaged 1.5 million requests per day and was attributed to moderate and advanced bots, consistent with controlled tooling designed to probe application behavior and bypass validation controls. While the campaign relied on just 17 IP addresses over the month, the narrow infrastructure footprint suggests deliberate, low-and-slow testing rather than broad scanning. The focus on file-handling logic indicates attackers were likely probing upload workflows to identify opportunities for malicious file delivery, content validation bypass, or the introduction of payloads that could later support fraud, defacement, or deeper application compromise. This pattern reflects reconnaissance-driven abuse, where attackers methodically test upload and processing logic before escalating to more impactful exploitation.

Take action:
Imperva API security provides comprehensive protection for common and multi-vector attacks.

A Turkish cybersecurity company was hit with a high-intensity application-layer DDoS attack in early January, reaching nearly 10 million requests per second, underscoring how a small amount of well-engineered infrastructure can generate outsized impact. Despite the extreme request rate, the activity originated from just 54 distinct IP addresses, indicating the use of high-capacity nodes or amplification through efficient request generation, rather than a traditional botnet. Attackers attempted to exploit React2Shell (CVE-2025-55182), among other vulnerabilities. Targeting a cybersecurity vendor suggests motivations beyond disruption alone, including stress-testing defensive controls, probing rate-limiting thresholds, or attempting to degrade trust and availability during critical operations. The attack’s concentrated nature and brief but intense profile are consistent with attackers seeking to validate tooling effectiveness or demonstrate capability, rather than sustain prolonged downtime.

Take action:
Imperva DDoS Protection secures all your assets at the edge for uninterrupted operation.

A US-based entertainment site experienced two large-scale account takeover (ATO) attempts in January, both driven by credential stuffing, highlighting the stark difference in attacker capability. The first campaign peaked at 4.7 million malicious login requests and was carried out by more advanced bots impersonating legitimate browsers, suggesting an effort to bypass bot detection and rate-limiting controls while validating stolen credential sets. This attack originated from a relatively small pool of 43 US-based IP addresses, consistent with high-throughput, carefully managed automation. The second attack, which reached 3.4 million login attempts, shifted to simpler bot infrastructure distributed across nearly 15,000 US-based IPs, indicating a broader, noisier approach aimed at maximizing coverage after initial probing. The first attack is far more sophisticated, able to create massive attack numbers with a small number of IPs. On the other hand, the second attack is comparatively less advanced, requiring thousands of IPs to create a smaller attack.

Take action:
Imperva Account Takeover prevention uses multi-layered detection to block fraud.


Application Security Threats

Understand how applications are attacked globally. Learn the types of attacks and the vulnerabilities exploited.

Application Security Highlights

With visibility into global web application traffic from different industries, the Cyber Threat Index is a comprehensive look at application security.

Total Number of Requests Analyzed

Total Number of Application Attacks Blocked

Origin of Web Threats

This map reflects the relative number of attacks per country, after normalizing attack counts against legitimate traffic.

Country vs Country Heatmap

This heatmap shows attacks where countries are the source (attackers) or destination (attacked) of application security attacks. The number represents a relative, normalized value.

Cyber Attack Types

Breakdown of attack attempts seen in our network, split by attack types.

Cyber Attacks by Source

Breakdown of attack attempts seen in our network, split by the source of the attacking traffic.

Automated vs Human Attacks

Shows the proportion of bot and human traffic identified as performing attacks within all observed traffic.

Attacks Observed by Tool Used

Shows the breakdown of attacks in our network by the type of tool used by attackers.

Vulnerabilities by Severity

Shows the number of disclosed vulnerabilities for every day of the month. These vulnerabilities are separated by severity. Includes both CVE (Common Vulnerabilities & Exposure) and ‘Non-CVEs’.

Vulnerabilities by ‘Exploitability’

Breakdown of vulnerabilities disclosed by the “exploitability” (e.g. whether there is a published exploit) of the disclosed vulnerability.

Vulnerabilities by Attack Type

Shows the breakdown of attack types for the published vulnerabilities.


Data Security Threats

Understand how databases are attacked and make sense of the vulnerabilities on different platforms.

Vulnerabilities by Severity

In the following chart you can see the disclosed vulnerabilities for every day of the month. We separate them by their severity. This includes both CVE (Common Vulnerabilities & Exposure) and ‘Non-CVEs’.

Low Severity Vulnerabilities

Medium Severity Vulnerabilities

High Severity Vulnerabilities


DDoS Threats

Distributed denial of service (DDoS) attacks take a business offline. Understand which industries and countries suffer the most and the different types of DDoS attacks. Learn about the duration, size, and volume of DDoS attacks.

DDoS Attacks Highlights

Understand the duration of the longest attack. Know the size and volume of the largest DDoS attacks. Learn more about DDoS here.

Longest DDoS Attack

Largest Web Application DDoS Attack

Largest Bandwidth Network Layer DDoS Attack

Highest Volume Network Layer DDoS Attack

Application Layer DDoS Attack

Shows the volume of Application Layer attacks for each day of the month by the maximum total requests per second (RPS) blocked by our DDoS mitigation service.

DDoS Attacks by Attacked Country

Breakdown of DDoS attacks by the attacked country.

DDoS Attacks by Attacked Industry

Breakdown of DDoS attacks by the attacked industry.

Network Layer DDoS Attack

Network layer attacks aim to overwhelm the target by exhausting the available bandwidth. The charts below show the attacks by their bandwidth (Gbps) and by their packet rate (Mpps).

Network Layer Attack Volume (Gbps) by Vector

Breakdown of bandwidth volume (Gigabits per second) by the vector used in network layer DDoS attacks.

Network Layer Attack Rates (Mpps) by Vector

Breakdown of attack rates (millions of packets per second, Mpps) by the vector used in network layer DDoS attacks.

Take The Next Step

Every month we update the Cyber Threat Index with the latest data and charts. Please contact us for additional insight or to interview the threat researchers from the Imperva Research Lab.

Media Inquiries

Subscribe to our threat intelligence newsletter

What is the Cyber Threat Index?

The Cyber Threat Index is a monthly measurement and analysis of the global cyber threat landscape across data and applications.

The Cyber Threat Index provides an easy-to-understand score to track cyber threat level consistently over time, as well as observe trends. The data is (when applicable) also analyzed by industry and by country, to provide further analytics and insights.

The Cyber Threat Index is calculated using data gathered from all Imperva sensors across the world, including:

  • Over 25 PB (petabytes, 10^15 bytes) of network traffic per month passing through our CDN
  • 30 billion (10^9) web application attacks per month, across 1 trillion (10^12) HTTP requests analyzed by our Web Application Firewall service (Cloud WAF)
  • Hundreds of application and database vulnerabilities per month, as processed by our security intelligence aggregation from multiple sources

Viewers of the global Cyber Threat Index can dive deeper into the score, drill down into individual industries and countries, and view historic Index scores.

Every month, our security experts analyze the data to create insights about events and trends in data and application security. When applicable, we also recommend ways to strengthen the security posture against the threats we see.

How is the index calculated?

The index is based on three inputs: network traffic, attack traffic and vulnerabilities.

We store attack data, as well as statistics about the network traffic we see from our Cloud WAF. This data is sent from our Cloud WAF proxies to our data warehouse, where it is enriched & aggregated.

On a daily basis, we run analytics on the data we collect, to calculate a daily risk score per site, per industry & per country.

Vulnerabilities

When calculating the risk contributed by vulnerabilities, our assessment is that:

  • The more severe the vulnerability, the higher the risk (the impact can be larger, for example taking over a server vs. disclosing system information).
  • The more recent the vulnerability, the higher the risk (the assumption is that patching systems takes time, so more vulnerable systems remain accessible).
  • If there is a public exploit, the risk is higher, as more attackers have the ability to exploit the vulnerability; the more widespread the exploit, the higher the risk.
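The three assumptions above can be turned into a scoring function. The following is an added example written for this page; it is not Imperva's formula, and every numeric weight (severity weights, the 30-day half-life for the "patching takes time" decay, the exploit multipliers) and every sample vulnerability record is a constructed assumption:

```python
"""Illustrative vulnerability risk scoring (added example, not Imperva's formula).

Encodes the three stated assumptions: higher severity, more recent disclosure
and a public exploit (especially a widespread one) each raise the risk.
All weights and sample records below are hypothetical.
"""
import math
from dataclasses import dataclass
from datetime import date

# Hypothetical severity weights; the page gives no numeric values.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0, "critical": 8.0}

# Hypothetical half-life, in days, for the "patching of systems takes time" decay.
PATCH_HALF_LIFE_DAYS = 30.0


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # CVE id or vendor id for a "Non-CVE"
    severity: str           # one of SEVERITY_WEIGHT's keys
    disclosed: date
    public_exploit: bool
    exploit_spread: float = 0.0   # 0..1: how widely the exploit is used


def recency_factor(disclosed: date, today: date,
                   half_life: float = PATCH_HALF_LIFE_DAYS) -> float:
    """Exponential decay: 1.0 on the disclosure day, 0.5 one half-life later."""
    age_days = max((today - disclosed).days, 0)
    return math.pow(0.5, age_days / half_life)


def exploit_factor(public_exploit: bool, spread: float) -> float:
    """No public exploit: 1.0. Public exploit: 2.0, rising to 3.0 when widespread."""
    if not public_exploit:
        return 1.0
    spread = min(max(spread, 0.0), 1.0)
    return 2.0 + spread


def vulnerability_risk(v: Vulnerability, today: date) -> float:
    """Risk of one vulnerability: severity x recency x exploit availability."""
    return (SEVERITY_WEIGHT[v.severity]
            * recency_factor(v.disclosed, today)
            * exploit_factor(v.public_exploit, v.exploit_spread))


def daily_vulnerability_risk(vulns, today: date) -> float:
    """Risk contributed by all vulnerabilities disclosed so far, as of `today`."""
    return sum(vulnerability_risk(v, today) for v in vulns)


# Constructed sample records (placeholder ids, not real vulnerabilities).
SAMPLE_VULNS = [
    Vulnerability("VULN-EXAMPLE-1", "high", date(2026, 1, 31), True, 0.5),
    Vulnerability("VULN-EXAMPLE-2", "low", date(2026, 1, 1), False),
    Vulnerability("VULN-EXAMPLE-3", "critical", date(2025, 12, 2), True, 1.0),
]

if __name__ == "__main__":
    today = date(2026, 1, 31)
    for v in SAMPLE_VULNS:
        print(f"{v.vuln_id}: risk {vulnerability_risk(v, today):.2f}")
    print(f"total: {daily_vulnerability_risk(SAMPLE_VULNS, today):.2f}")
```

With these weights, a brand-new high-severity bug with a public exploit (4 x 1.0 x 2.5 = 10.0) outweighs a critical one disclosed two months ago (8 x 0.25 x 3.0 = 6.0), which is exactly the "patching takes time" trade-off the second bullet describes.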

DDoS Attacks

We store statistics on both network DDoS attacks and application DDoS attacks.

Network DDoS attack statistics include details about the duration of the attack, the volume of the attack, the number of sources and their proportion of the attack, and the different ports and methods used (e.g. SYN flood, amplification, etc.). These statistics are calculated and stored both in terms of packets per second and in terms of bytes per second.

Application DDoS (Layer 7) attack statistics include the duration of the attack, the volume of the attack in requests per second, the tools that were used and the different countries it originated from.

We normalize all DDoS attack statistics against the statistics we have about legitimate traffic, to prevent bias from increases or decreases in the amount of assets we protect (globally or for a certain industry/country).

Application Security Attacks (As seen in the wild)

First, instead of dealing with a huge number of individual attacking requests per day, we aggregate them into attacks (each attack can consist of a very large number of HTTP requests). For each attack, we check:

  • The highest risk level of any rule triggered within that attack (for example, an SQL injection attack has more weight than an information disclosure attack).
  • The intensity of the attack: the higher the intensity, the higher the risk.
  • The age of the mitigation: the newer the mitigation, the riskier the attack (we constantly add mitigations to our Cloud WAF, and the assumption is that newer attacks have a higher success ratio than older ones).

For the analytics and insights we provide, we also enrich the data, for example:

  • Adding target industry classification for the applications being attacked.
  • Adding source & target countries.
  • Adding source network types (For example: public cloud, TOR, etc).

The risk is then calculated by first removing the lowest-risk attacks, as they add no meaningful risk, and then normalizing the remaining attack traffic against normal traffic. The logic behind this normalization is that we don’t want the index to be affected by increases or decreases in traffic (for example, if we have 20% more traffic due to new customers in a certain month, we don’t want that alone to move the risk index).
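The aggregation, scoring, floor and normalization steps above, and the same traffic normalization described for DDoS statistics, can be shown end to end on a small constructed request log. This is an added example written for this page, not Imperva's pipeline: the rule catalogue, the 5-minute attack-gap heuristic, the log-scaled intensity, the mitigation half-life, the risk floor and every sample request are hypothetical, and the index is expressed as risk per 1,000 legitimate requests so that cloning the whole traffic mix onto extra sites (simulated customer growth) leaves it unchanged:

```python
"""Illustrative WAF attack aggregation and traffic-normalized risk (added example).

Steps mirrored from the text: (1) aggregate malicious requests into attacks,
(2) score each attack by the highest-risk rule it triggered, its intensity and
how new the mitigation is, (3) drop the lowest-risk attacks, (4) normalize
against legitimate traffic so growth in total traffic alone does not move
the index. All rules, weights and sample requests are hypothetical.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical rule catalogue: rule name -> (risk level, date mitigation was added).
RULES: Dict[str, Tuple[float, datetime]] = {
    "sqli": (4.0, datetime(2021, 1, 1)),
    "rce": (5.0, datetime(2025, 12, 20)),
    "info_leak": (1.0, datetime(2019, 6, 1)),
}
ATTACK_GAP = timedelta(minutes=5)   # silence that splits one source into two attacks
RISK_FLOOR = 2.0                    # attacks scoring below this are discarded


@dataclass(frozen=True)
class Request:
    ts: datetime
    src_ip: str
    site: str
    rule: Optional[str]   # None means no rule fired: legitimate traffic


@dataclass
class Attack:
    site: str
    src_ip: str
    requests: int = 0
    max_rule_risk: float = 0.0
    newest_mitigation: Optional[datetime] = None


def aggregate_attacks(requests: List[Request]) -> List[Attack]:
    """Group malicious requests per (site, source IP); a gap > ATTACK_GAP starts a new attack."""
    attacks: List[Attack] = []
    current: Dict[Tuple[str, str], Attack] = {}
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for r in sorted(requests, key=lambda x: x.ts):
        if r.rule is None:
            continue
        key = (r.site, r.src_ip)
        if key not in current or r.ts - last_seen[key] > ATTACK_GAP:
            current[key] = Attack(site=r.site, src_ip=r.src_ip)
            attacks.append(current[key])
        a = current[key]
        risk, added = RULES[r.rule]
        a.requests += 1
        a.max_rule_risk = max(a.max_rule_risk, risk)
        if a.newest_mitigation is None or added > a.newest_mitigation:
            a.newest_mitigation = added
        last_seen[key] = r.ts
    return attacks


def attack_risk(a: Attack, today: datetime, half_life_days: float = 180.0) -> float:
    """Highest rule risk x log-scaled intensity x mitigation-recency factor (1.0 .. 2.0)."""
    intensity = 1.0 + math.log10(a.requests)
    age_days = max((today - a.newest_mitigation).days, 0)
    recency = 1.0 + math.pow(0.5, age_days / half_life_days)
    return a.max_rule_risk * intensity * recency


def score_attacks(requests: List[Request], today: datetime) -> List[Tuple[Attack, float]]:
    return [(a, attack_risk(a, today)) for a in aggregate_attacks(requests)]


def risk_index(requests: List[Request], today: datetime) -> float:
    """Summed risk of attacks above the floor, per 1,000 legitimate requests."""
    kept = [s for _, s in score_attacks(requests, today) if s >= RISK_FLOOR]
    legit = sum(1 for r in requests if r.rule is None)
    return 1000.0 * sum(kept) / legit if legit else 0.0


def replicate_for_new_customers(requests: List[Request], factor: int) -> List[Request]:
    """Clone the whole traffic mix onto factor-1 extra sites (constructed customer growth)."""
    out = list(requests)
    for i in range(1, factor):
        out.extend(Request(r.ts, r.src_ip, f"{r.site}-{i}", r.rule) for r in requests)
    return out


def sample_traffic() -> List[Request]:
    """Constructed log: 40 legitimate requests, one SQLi/info-leak burst, a later RCE burst, a tiny info leak."""
    t0 = datetime(2026, 1, 15, 12, 0)
    reqs = [Request(t0 + timedelta(seconds=i), f"203.0.113.{i % 20}", "shop.example", None)
            for i in range(40)]
    reqs += [Request(t0 + timedelta(seconds=5 * i), "198.51.100.7", "shop.example",
                     "sqli" if i < 5 else "info_leak") for i in range(20)]
    reqs += [Request(t0 + timedelta(minutes=30, seconds=i), "198.51.100.7", "shop.example", "rce")
             for i in range(3)]
    reqs += [Request(t0 + timedelta(minutes=3, seconds=i), "198.51.100.9", "shop.example", "info_leak")
             for i in range(2)]
    return reqs


if __name__ == "__main__":
    today = datetime(2026, 1, 31)
    for a, s in score_attacks(sample_traffic(), today):
        print(f"{a.src_ip} {a.requests:>3} reqs max_rule_risk={a.max_rule_risk} risk={s:.2f}")
    print(f"index: {risk_index(sample_traffic(), today):.3f}")
    print(f"index after 2x growth: {risk_index(replicate_for_new_customers(sample_traffic(), 2), today):.3f}")
```

The two-request information-disclosure probe scores below the floor and is dropped, the three-request RCE burst outscores the twenty-request SQL injection burst because its mitigation is only weeks old, and doubling the traffic mix doubles both attack risk and legitimate requests, so the index is unchanged.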