TL;DR: Sustained internet demand, higher DNS noise, and longer, more automated DDoS activity defined the end of 2025, with attackers increasingly using prolonged pressure rather than brief spikes to stress infrastructure, according to DigiCert. That shifts resilience from burst handling to continuous operations across DNS, network, and application layers.
NHIMG editorial — based on content published by DigiCert: Q4 2025 RADAR Threat Intelligence Brief
Questions worth separating out
Q: How should security teams defend against sustained DDoS pressure instead of short spikes?
A: Security teams should design for prolonged saturation, not just burst absorption.
Q: Why do sustained DNS anomalies matter for IAM and trust services?
A: DNS anomalies matter because authentication, certificate validation, and service discovery depend on reliable name resolution.
Q: What do security teams get wrong about low-and-slow application probing?
A: They often focus on volume thresholds and miss the value of repeated, small tests.
Practitioner guidance
- Harden DNS monitoring for persistent abuse Track NXDOMAIN spikes, automated lookup failures, and repeated scanning as steady-state indicators, not just incident spikes.
- Test long-duration DDoS playbooks Run exercises that last long enough to stress staffing, escalation, and mitigation handoffs.
- Tune application-layer detection for low-and-slow probing Look for repeated cookie manipulation, small request variations, and sustained request patterns that test application behaviour over time.
What's in the full analysis
DigiCert's full report covers the operational detail this post intentionally leaves for the source:
- Quarter-by-quarter DNS and application telemetry that shows how sustained load evolved across Q4.
- The underlying network-event analysis used to distinguish traffic growth from hostile probing.
- Examples of attack patterns observed across DNS, UltraDDoS Protect, and UltraWAF.
- The vendor's supporting discussion of Aisuru and Kimwolf botnet pressure.
👉 Read DigiCert's Q4 2025 RADAR brief on sustained DDoS and DNS pressure →
DDoS and sustained DNS pressure: what security teams need now?
Explore further
Continuous pressure is becoming the default operating condition for internet-facing services. The brief’s most important signal is not just that traffic rose, but that the old distinction between peak and off-peak is breaking down. That means control designs based on short recovery windows are increasingly misaligned with how attackers and users now behave. For identity and access teams, the lesson is that availability, detection, and enforcement must be designed for steady-state stress, not exceptional events.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when prolonged internet pressure disrupts identity-dependent services?
A: Accountability usually sits across infrastructure, security operations, application owners, and identity teams because the failure crosses control boundaries. If DNS, web protection, or certificate services break under load, the programme failed at coordination as much as configuration. Governance should assign ownership before the next sustained attack, not during it.
👉 Read our full editorial: Q4 traffic and DDoS pressure are reshaping internet resilience