Cyber Security Cloud, Inc. (Representative Director, President and CEO: Toshihiro Koike, hereafter "the Company"), a global security manufacturer, announces the "Cyber Attacks on Web Applications Detection Report (hereafter "the Report")" covering the period from January 1, 2025 to December 31, 2025. This report is based on the analysis and calculation of cyber attack logs observed by "Shadankun" of Cloud-based WAF, which visualizes and blocks cyber attacks on web applications provided by the Company, and "WafCharm (WAF Charm)", an automated operation service for public cloud WAF.

<Report Summary>

・The total number of attacks in 2025 will be 2,021,376,349 (approximately 2.02 billion attacks)

・Detects approximately 5.54 million cyber attacks per day, or approximately 64 attacks per second

- Multiple observations of request trends targeting specific vulnerabilities

・Increase in attacks confirmed immediately after vulnerability in globally used library was disclosed

■Total number of attacks and trends: Approximately 2.02 billion attacks per year, approximately 64 attacks per second

The total number of cyber attacks against web applications detected in 2025 was 2,021,376,349 (approximately 2.02 billion). This equates to approximately 5,538,017 attacks (approximately 5.54 million attacks) per day, or approximately 64 attacks per second.

Additionally, 136,516 attacks were confirmed per host (*1) in one year. This represents an increase of approximately 182% compared to the previous year, reaching a record high. (2020: approximately 43,000, 2021: approximately 42,000, 2022: approximately 42,000, 2023: approximately 48,000, 2024: approximately 75,000, 2025: approximately 136,000)

Attacks have not just increased temporarily, but have remained at a continuously high level, and the threat environment surrounding web applications remains severe. Attacks have been observed regardless of industry or company size, so all companies and organizations that publish web services are required to take constant measures.

(※1) Estimated using the total number of hosts protected by "Shadankun" (Web type: number of FQDNs, Server type: number of IPs) and the total number of hosts protected by "WafCharm" (WebACLs) as the denominator.

■Composition ratio and trends of attack types

In terms of attack type, web scanning (vulnerability detection) remained the most common. Attackers continue to use automated tools to conduct wide-ranging searches and search for weaknesses in publicly available web applications. A certain number of detections related to SQL injection and directory traversal were also confirmed. However, these detections also include requests during the detection phase, and cannot be clearly distinguished from actual intrusion attempts.

Indiscriminate, wide-ranging searches and targeted attacks on specific vulnerabilities coexist, and attacks are becoming more efficient and automated. These efforts continue to improve.

■Attack trends that emerged between October and December 2025

1.Checking request trends that focus on specific vulnerabilities

Between October and December 2025, multiple trends were observed in which a large number of requests were concentrated in a short period of time for a specific vulnerability.

In particular, in October, while the total number of daily attacks remained around 5 million, there was a sudden increase in the number of detections targeting a single rule on a specific day.

In the middle and latter half of the month, detections for the same rule increased significantly above normal levels, and concentrated accesses were observed in a short period of time. These showed trends different from the increase and decrease in the total number of daily attacks, and it is possible that they were concentrated attempts targeting specific vulnerabilities rather than scanning attacks that search a wide area.

In late December, during the early hours of the morning Japan time, attacks against a single rule occurred at a rate of approximately 50,000 per hour, continuing for several hours. The number of attacks detected on that day reached approximately 400,000.

These behaviors differ from traditional scans that broadly search for vulnerabilities. Although they do not identify the background or perpetrator of the attack, they suggest the possibility of concentrated attack activities targeting specific vulnerabilities.

2.Increase in attacks linked to disclosure of vulnerabilities in major libraries

In December 2025, information about a serious vulnerability related to React, a JavaScript library widely used worldwide, was made public.

After the vulnerability was made public, we also observed an increase in attacks targeting the vulnerability. Attacks were not limited to a specific region, but were simultaneously attempted in multiple major regions around the world.

The tendency for attacks to become more active immediately after vulnerability information is made public is becoming stronger every year. In particular, widely used OSS and major libraries tend to be subject to widespread scanning immediately after their release, and this case once again demonstrates the importance of quickly understanding information and applying countermeasures.

■Trends in attacking countries

When the IP addresses from which attacks originated were classified by country, the United States accounted for the largest number, followed by Japan, European countries, and Asia.

Particularly notable for 2025 is India's significant rise in ranking from 20th place the previous year to 8th place.
While the source IP address of an attack does not necessarily indicate the location of the attacker, various surveys have pointed out that distributed attacks exploiting botnets and malware-infected devices have become common in recent years. Considering this, along with the changes in rankings observed in our Cloud-based WAF services "Shadankun" and "WafCharm," it is possible that some infected devices are being used as springboards or part of botnets.

■Comment from Yoji Watanabe Representative Director, CTO Cyber Security Cloud, Inc.

In 2025, while the total number of attacks remained at a high level, concentrated attacks targeting specific vulnerabilities and attempts to immediately exploit vulnerability information immediately after it was made public became apparent.

This suggests that attackers are moving from a stage of simply searching indiscriminately to a stage of "efficiently targeting" targets based on technological trends and publicly available information. As attacks become more automated and specialized, the entire Internet is being scanned constantly.

In particular, vulnerabilities in large-scale OSS and major libraries become targets of attacks on a global scale immediately after they are made public, making it essential for companies to quickly identify vulnerabilities and continuously optimize their defense systems.
Cyber attacks are not just a problem for a few companies, but a structural issue facing the entire digital society. We will continue to promote the sophistication and automation of defenses using threat intelligence, and contribute to creating an environment in which digital services can be provided with peace of mind.

Cyber Security Cloud, Inc. (https://www.cscloud.co.jp)
Address: JR Tokyu Meguro Building 13th Floor, 3-1-1 Kami-Osaki, Shinagawa-ku, Tokyo 141-0021
Representative: Toshihiro Koike Representative Director, President and CEO
Established: August 2010
With the mission of "creating a safe and secure cyberspace for people all over the world," we are a Japanese security manufacturer that provides vulnerability information collection and management tools and fully managed security services for cloud environments, centered around web application security services that utilize the world's leading cyber threat intelligence. As one of the global cybersecurity companies, we will contribute to solving social issues related to cybersecurity and providing added value to society.