Security
DigiCert releases Q4 2025 RADAR Brief
2026-02-13
DigiCert has released its Q4 2025 RADAR Threat Intelligence Brief, delivering data-driven insights into how global internet demand and cyber threats converged during the fourth quarter. Drawing from trillions of network events across DigiCert’s global security platform, which includes UltraDNS, UltraDDoS Protect, and UltraWAF, RADAR provides one of the most comprehensive views of today’s evolving threat landscape.
The Q4 RADAR Brief shows that the year-end period continues to place unique and sustained pressure on internet infrastructure. Seasonal increases in online activity, driven by business cycles, consumer commerce, travel, and device activation, coincided with a measurable escalation in malicious activity, reinforcing the need for resilient, layered security strategies.
Key Findings from the Q4 2025 RADAR Brief
1. Demand for online content remained elevated throughout the quarter.
Internet traffic exhibited consistently high growth during the entire quarter with a few short spikes around major events. DigiCert’s DNS usage data shows what used to be brief periods of heavy demand have turned into longer stretches of sustained load, lasting weeks instead of days. There is no clear “off-peak” anymore during busy seasons.
At the same time, certain DNS signals like NXDOMAIN requests (failed lookups) and queries from automation tools stayed higher than normal. This suggests a constant level of:
· Internet scanning
· Misconfigured systems repeatedly making bad requests
· Automated probing or reconnaissance by bots and tools
Why it matters:
· Peak demand is becoming the norm, not the exception: Systems can’t rely on short recovery windows anymore.
· Background “noise” is higher all the time: Even when nothing obvious is happening, DNS infrastructure is under continuous pressure.
· Manual or reactive approaches don’t scale: Load is now sustained rather than spiking and dropping.
· Security and availability risks increase quietly: Persistent scanning and misconfiguration create more opportunities for outages or exploitation.
2. DDoS activity intensified and evolved.
DDoS attacks increased in frequency, scale, and duration as Q4 progressed. Rather than brief disruptions, attackers increasingly ran longer and larger attacks designed to place sustained pressure on systems and defenses.
This reflects a shift from short, probing attacks to prolonged strain, with attackers aiming to wear down infrastructure over time.
Why it matters:
· DDoS is no longer a quick disruption; attacks are lasting longer and demanding sustained response.
· Prolonged attacks increase the risk of degraded performance, not just full outages.
· Defenses built for short spikes may fall short against extended pressure.
· Longer attacks quietly raise operational costs and customer impact.
3. Application-layer threats remained highly automated but more focused.
Web application attacks continued to be driven largely by automated tools, with attackers repeatedly testing how applications respond to different requests. Rather than launching loud, one-time attacks, activity focused on ongoing probing, using techniques such as cookie manipulation to quietly look for weaknesses over time.
While overall volumes fluctuated, the behavior itself remained consistent: persistent, automated testing instead of obvious disruption.
Why it matters:
· Applications are under constant background testing, even when traffic appears normal.
· These quieter attacks are harder to spot and can persist longer.
· Repeated probing increases the risk that small misconfigurations turn into real security issues.
· Defenses must operate continuously, not just react to spikes.
“What Q4 reinforces is that resilience is no longer about absorbing isolated spikes in traffic and attacks,” said Michael Smith, AppSec CTO at DigiCert. “With the ever-increasing scale of internet bandwidth and the creation of the Aisuru and Kimwolf botnets, organizations must be prepared to operate under prolonged demand and sustained attack pressure across DNS, network, and application layers simultaneously.”



