A botnet is a collection of compromised devices that an attacker can remotely coordinate to carry out an attack. In DDoS scenarios, the devices act as distributed traffic generators, which makes the attack harder to block by source alone.
Expanded Definition
A botnet is not just a large number of infected devices. In NHI security terms, it is a remotely controlled fleet of compromised endpoints, cloud workloads, or embedded systems that act under attacker command and can be repurposed for spam, credential attacks, malware delivery, or distributed denial of service. The core security issue is coordinated misuse at scale, which makes a botnet operationally different from a single compromised host.
Definitions vary across vendors when the term is applied to IoT, mobile, and cloud-native environments, but the common pattern is the same: a controller issues instructions to many unwilling participants. That coordination is what makes botnets relevant to identity governance, because the attacker often leverages stolen credentials, weak device trust, or exposed secrets rather than brute force alone. NIST Cybersecurity Framework 2.0 is useful here because it frames the need for asset visibility, protective controls, and rapid recovery across distributed environments.
The most common misapplication is treating a botnet as only a DDoS problem; it occurs when organisations ignore credential abuse, persistence, and lateral movement inside the compromised fleet.
Examples and Use Cases
Implementing botnet detection rigorously often introduces monitoring and response overhead, requiring organisations to weigh broad visibility against the operational cost of continuous telemetry, anomaly analysis, and remediation.
- IoT cameras or sensors are enrolled into a botnet after default passwords or exposed management interfaces are exploited.
- Cloud workloads are hijacked through stolen API keys, then used to launch spam, scrape data, or proxy malicious traffic.
- Compromised developer endpoints pivot into CI/CD tooling, where attacker-controlled automation can amplify the scale of an attack.
- Service accounts with excessive privilege are abused to keep a botnet operational even after individual devices are cleaned.
- The Schneider Electric credentials breach illustrates how stolen credentials can become an entry point for wider compromise and coordinated misuse, not just a one-off intrusion.
For implementation guidance, practitioners often map botnet-related controls to visibility, containment, and recovery practices in NIST Cybersecurity Framework 2.0, while NHI operators should also review the patterns described in the Ultimate Guide to NHIs and the Schneider Electric credentials breach.
Why It Matters in NHI Security
Botnets matter in NHI security because the same weaknesses that create compromised device fleets also create compromised non-human identities: exposed secrets, unmanaged service accounts, and overly broad access. NHI Mgmt Group research shows that 79% of organisations have experienced secrets leaks and that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That overlap is critical because botnet activity often begins with stolen credentials, then expands through automation and weak lifecycle controls.
A botnet can also conceal identity abuse inside otherwise legitimate automation. If a cloud workload, script runner, or device credential is compromised, the attacker may blend malicious traffic with normal service activity, making detection slower and containment harder. In that sense, botnet readiness is partly an identity governance problem: rotate secrets, remove standing privilege, and maintain accurate service-account inventory. The Ultimate Guide to NHIs provides the baseline NHI control context, while the NIST Cybersecurity Framework 2.0 supports broader detection and response planning.
Organisations typically encounter the full operational impact only after abnormal traffic, credential abuse, or third-party compromise reveals that multiple systems were already under attacker control, at which point botnet response becomes unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM | Botnets are detected through continuous monitoring and anomaly identification across assets. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Compromised non-human identities are a common enabler of botnet control and persistence. |
| OWASP Agentic AI Top 10 | A-04 | Autonomous abuse patterns can resemble botnet coordination when agents are hijacked. |
Monitor traffic and endpoint behavior for coordinated abuse, then isolate compromised systems quickly.
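As an added example (not code from the original page), the following check implements one piece of the monitoring described above: it scans constructed API-gateway access records for a non-human credential that is suddenly used from many distinct source addresses within a short window, the fan-out pattern a leaked service-account key driven by a coordinated fleet would produce while each individual request still looks like normal service activity. The credential names, IP addresses, paths and thresholds are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access records: "<timestamp> <credential id> <source ip> <path>".
# svc-billing behaves normally (one host); svc-report fans out across many sources.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z svc-billing 10.0.1.5 /v1/invoices",
    "2024-05-01T10:00:07Z svc-billing 10.0.1.5 /v1/invoices",
    "2024-05-01T10:00:09Z svc-report 10.0.2.9 /v1/reports",
    "2024-05-01T10:00:12Z svc-report 203.0.113.10 /v1/export",
    "2024-05-01T10:00:13Z svc-report 203.0.113.11 /v1/export",
    "2024-05-01T10:00:14Z svc-report 203.0.113.12 /v1/export",
    "2024-05-01T10:00:15Z svc-report 203.0.113.13 /v1/export",
    "2024-05-01T10:00:16Z svc-report 203.0.113.14 /v1/export",
    "2024-05-01T10:00:20Z svc-report 198.51.100.7 /v1/export",
]


def parse(line):
    """Split one record into (timestamp, credential, source ip, path)."""
    ts, cred, ip, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), cred, ip, path


def credential_fanout(lines, window=timedelta(minutes=5), max_sources=3):
    """Return {credential: set of source IPs} for every credential that was used
    from more than max_sources distinct sources inside any sliding time window.

    A service account is normally bound to a small, stable set of hosts, so a
    sudden spread across many sources is a strong signal that its secret leaked
    and is being replayed by a coordinated fleet rather than by its owner."""
    events = sorted(parse(line) for line in lines)
    by_cred = defaultdict(list)
    for ts, cred, ip, _path in events:
        by_cred[cred].append((ts, ip))

    flagged = {}
    for cred, uses in by_cred.items():
        start = 0
        for end in range(len(uses)):
            # Advance the window start until the span fits inside `window`.
            while uses[end][0] - uses[start][0] > window:
                start += 1
            sources = {ip for _ts, ip in uses[start:end + 1]}
            if len(sources) > max_sources:
                # Keep the widest set of sources seen for this credential.
                flagged[cred] = sources
    return flagged


if __name__ == "__main__":
    for cred, sources in credential_fanout(SAMPLE_LOG).items():
        print(f"{cred}: used from {len(sources)} sources, rotate and isolate: {sorted(sources)}")
```

A flagged credential is a candidate for immediate rotation and for isolating the hosts that presented it, which is the containment step the table's DE.CM mapping points at.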