2026.04.30

Up to 160 attacks per second observed, revealing "indiscriminate" attacks targeting the entire infrastructure.

We will publish the "Web Application Cyberattack Detection Report" for January to March 2026.

≪Report Summary≫

- Cyberattacks remain at a high level, with peak surges of up to approximately 13 million attacks per day observed.

- Attack density is increasing. The number of attacks per host has nearly doubled compared to the previous quarter.

- Indiscriminate DDoS attacks across multiple data centers were observed.

- DDoS attacks occurring intermittently and for short periods of time are increasing.

 

Cyber Security Cloud, Inc. (Headquarters: Shinagawa-ku, Tokyo; Representative Director, President and CEO: Toshihiro Koike; hereinafter referred to as "the Company"), a global security manufacturer, is pleased to announce its "Web Application Cyber Attack Detection Report" (hereinafter referred to as "this Report"), covering the period from January 1st to March 31st, 2026.
This report aggregates, analyzes, and calculates cyberattack logs observed by "Shadankun," a cloud-based WAF (Web Application Firewall) provided by the Company that visualizes and blocks cyberattacks on web applications, and "WafCharm," an automated operation service for public cloud WAFs.

 

■ Total number of attacks and trends

From January to March 2026, the cumulative number of detected cyberattacks reached approximately 710 million, which translates to an average of about 90 attacks per second. Attacks remained at a high level throughout the period, and corporate and organizational web services continue to be constantly exposed to cyberattacks.

Furthermore, the average number of attacks per day remained at approximately 7.85 million, with a minimum of approximately 5.92 million and a maximum of approximately 13.93 million. At its peak, this corresponds to approximately 160 attacks per second, and multiple instances of a significant increase in attacks over a short period compared to normal levels were observed.

These results suggest that cyberattacks are evolving from a state of constant high activity to one characterized by a surge in short-term, event-based attacks. Simply monitoring access volume is insufficient to grasp the full scope of these attacks; a multifaceted monitoring system, including pattern analysis, is required.

 

■ Composition ratio and trends of attack types

Looking at the breakdown of attack types, web scans account for the largest proportion at approximately 46%, indicating that many cyberattacks are reconnaissance activities aimed at checking for vulnerabilities. This suggests that attackers are indiscriminately scanning publicly available services on the internet to identify targets that can be compromised.

Next, SQL injection accounted for approximately 11%, and access using malicious User-Agents (Bad User Agent) accounted for approximately 10%, suggesting that attacks are becoming increasingly automated. These indicate that automated attacks using scripts and bots are being carried out on a widespread basis.

Furthermore, cross-site scripting (XSS) and attacks targeting vulnerabilities in specific software or frameworks, such as PHPUnit and the Spring Framework, account for a certain percentage. Similar to the React and Log4Shell cases discussed later, it was confirmed that open-source software and widely used software are persistent targets of attacks. Attacks classified as "other" account for approximately 15%, indicating that attack methods are becoming increasingly diverse.

Thus, cyberattacks are carried out in a combination of "reconnaissance (scanning)," "automated attacks," and "intrusion attempts targeting vulnerabilities," requiring a multi-layered defense rather than a single countermeasure.

 

■ Changes in attack trends (comparison with October-December 2025)

Comparing attack trends from January to March 2026 with those of the previous quarter (October to December 2025), a clear shift in the nature of cyberattacks was observed.

In the previous quarter, attacks primarily targeted vulnerabilities in web applications, but this quarter, the structure of the attacks themselves has changed.

1. Expansion of attack range: The emergence of indiscriminate DDoS attacks

Indiscriminate DDoS attacks targeting multiple data centers simultaneously have been detected. Unlike traditional methods that target specific web services, these attacks may be carried out across a wide range of IP addresses within the cloud infrastructure.

Our observations indicate that concentrated traffic originates from specific IP ranges in SYN flood attacks, with a particularly large number of communications originating from the Brazilian IP address range. These traffic sources sometimes consist of multiple consecutive IP addresses, suggesting that the attacks may not be from a single device, but rather utilize multiple nodes or networks.

Several factors could explain this concentration of traffic from specific regions. For example, the availability of relatively low-cost cloud infrastructure and network resources, or network environments that are easily exploited for attacks, may be contributing factors. It's also possible that attackers are using infrastructure in specific regions to distribute traffic and make it harder to track.

These types of attacks are thought to be indiscriminately targeting data centers in Japan or around the world, rather than focusing on a single target, and thus have different characteristics from targeted attacks aimed at specific applications or services.

*Note that these observed IP addresses of attack sources do not directly indicate the location of the attackers. Attackers may intentionally use low-cost cloud infrastructure or network environments that are difficult to trace, and these may be selected based on available infrastructure and network conditions.

 

2. Changes in attack patterns: Increase in short-duration, intermittent attacks

Attacks tended to occur intermittently every few minutes, producing a characteristic traffic pattern made up of a series of short bursts of activity.

Unlike traditional attacks that continuously apply load over extended periods, these types of attacks may aim to circumvent detection thresholds and mitigation mechanisms of defense systems. Repeatedly launching short-duration attacks is considered a novel method that aims to circumvent simple rate limiting (request limits) while maintaining a continuous load on the system.

Furthermore, these attack patterns are likely being carried out by automated tools or bots, suggesting that attacks are becoming more sophisticated and efficient.

 

■ Status of vulnerability attacks

Attacks exploiting vulnerabilities disclosed in the past are still being observed. In particular, Log4Shell (CVE-2021-44228), disclosed in 2021, has not seen a decrease in attacks even several years after its discovery, and remains a major target of attacks.

The graph showing the trend over the past 15 months also shows that the number of attacks increases and decreases at regular intervals, indicating that the attacks are not one-off occurrences but are being carried out continuously. This suggests that a certain number of systems remain unprotected, leaving attackers with ongoing opportunities to target them.

Regarding the React-related vulnerability disclosed on December 4, 2025, attacks surged immediately after disclosure, and our monitoring environment also observed a significant peak in a short period. Although the trend has since decreased, attacks are still continuing at a certain level.

Thus, in recent years, cyberattacks have increasingly shown a tendency for explosive attacks immediately following vulnerability disclosures to occur in parallel with long-term, persistent attacks targeting past vulnerabilities. In particular, open-source software (OSS) and major libraries with a large user base are targeted for extensive scanning immediately after disclosure, while systems that are slow to respond tend to be subjected to attacks that continue for extended periods.

This situation suggests that a certain number of systems may exist that have not adequately addressed vulnerabilities, meaning that attackers will continue to target them. For companies and organizations, it is important to not only quickly grasp vulnerability information and take initial action, but also to continuously review and implement countermeasures for past vulnerabilities.

 

■ Trends in attack source countries

The trends in attack source countries from January to March 2026 were as follows:

Compared to the same period last year, there was a clear shift in the geographical composition of the attack sources. In particular, the rise in rankings of European regions such as Germany (7th to 2nd) and France (5th to 3rd) was remarkable, indicating a growing presence of traffic from these areas.

On the other hand, Japan's ranking dropped from 2nd last year to 6th, indicating a relative decrease in the proportion of domestic traffic. We also observed rises in the rankings of countries that were not previously among the top contenders, such as India (25th → 8th), Ukraine (12th → 9th), and Singapore (28th → 10th).

Behind these changes, we have observed a trend towards attacks that intensively utilize specific IP ranges and a combination of traffic from multiple regions, suggesting that the attack infrastructure is being used in a distributed and dynamic manner.

Furthermore, it has been pointed out that certain regions observed as the source of attacks may be more susceptible to being used for attacks due to factors such as infrastructure costs and network environments. These do not necessarily indicate the location of the attackers, but rather may be selected based on available resources and environmental conditions.

*This ranking is based on traffic detected by our WAF and does not directly indicate the location of attackers.

 

■ Comment from Yoji Watanabe, Representative Director, CTO, Cyber Security Cloud, Inc.

This report clearly indicates that the targets of cyberattacks are expanding to a wider range of areas. In particular, the indiscriminate DDoS attacks observed across multiple data centers appear to differ from traditional "attacks targeting specific services" and are intended to have a broader impact.

Furthermore, the increase in attack patterns that involve repeated attacks over short periods of time suggests that attack designs may be evolving to rely on detection and mitigation mechanisms on the defensive side. As attacks become more automated and efficient, it is likely that there will be an increasing number of cases where conventional countermeasures are insufficient.

Furthermore, the fact that attacks like those on React, which surge immediately after release, and attacks like those on Log4Shell, which persist for a long period, are occurring in parallel succinctly illustrates the characteristics of current cyberattacks. This means that attackers are simultaneously targeting both "short-term opportunities" and "long-term unprotected areas."

In this situation, security measures based on continuous visualization and operation are essential, rather than one-off countermeasures. We will continue to work to provide more effective security measures based on insights gained from actual attack data.

 

Cyber Security Cloud, Inc. (https://www.cscloud.co.jp)

Address: JR Tokyu Meguro Building 13th Floor, 3-1-1 Kami-Osaki, Shinagawa-ku, Tokyo 141-0021

Representative: Toshihiro Koike, Representative Director, President and CEO

Established: August 2010

With the mission of "creating a cyberspace that people all over the world can use safely and securely," we are a Japanese security manufacturer that provides vulnerability information collection and management tools and fully managed security services for cloud environments, centered on web application security services that utilize the world's leading cyber threat intelligence. As one of the global companies in cybersecurity, we will contribute to solving social issues related to cybersecurity and provide added value to society.