Multi-terabit DDoS and automation: what IAM teams should watch


(@nhi-mgmt-group)

TL;DR: Two DDoS events peaking at 2.4 Tbps and 3.7 Tbps, an estimated 3,000 hours of prevented downtime, and malicious web activity rising from 51% to 73% show that scale and automation are now core attack variables, according to DigiCert. The security implication is that resilience planning must account for identity, DNS, and infrastructure interdependence, not just traffic volume.

NHIMG editorial — based on content published by DigiCert: its inaugural RADAR brief on Q3 2025 threat trends

By the numbers:

Questions worth separating out

Q: How should security teams protect identity services during large DDoS events?

A: Treat identity services as control-plane assets, not ordinary web workloads.

Q: Why do large DDoS attacks matter to IAM and access governance?

A: Because identity depends on services that attackers can indirectly destabilise.

Q: What do teams get wrong about automation-driven attack traffic?

A: They often treat automation as a pure volume problem.

Practitioner guidance

  • Map identity-critical dependencies: Identify which DNS, certificate, admin, and privileged-access services must remain reachable during attack conditions, then classify them as protected control-plane assets rather than ordinary infrastructure.
  • Separate bot and privileged-access telemetry: Ensure automated abuse signals, API traffic, and privileged login events are monitored in different pipelines so machine-paced attacks do not obscure access anomalies.
  • Exercise degraded-mode access: Test whether administrators can still verify identity, issue changes, and rotate trust services when edge capacity is constrained or DNS is impaired.

What's in the full analysis

DigiCert's full press release covers the operational detail this post intentionally leaves for the source:

  • Quarter-by-quarter RADAR methodology and how DigiCert aggregates trillions of network events across its platform
  • The full list of month-by-month DDoS pattern shifts, including the highest-risk regions and sectors
  • Operational detail on the UltraDDoS Protect observations behind the prevented downtime estimate
  • The press release context around DigiCert's broader digital trust platform and threat intelligence positioning

👉 Read DigiCert's RADAR brief on record-scale DDoS and automation →
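The second guidance item above, separating automation telemetry from privileged-access telemetry, is illustrated by the following added example. It is not code from DigiCert or NHIMG; the event schema, field names, path prefixes, source baselines and the sample log lines are all constructed for this illustration. It shows why a combined volume-oriented view hides a privileged anomaly: the two suspicious admin events are the quietest source in the stream, while a separate per-event pipeline flags them immediately.

```python
"""Route bot/automation telemetry and privileged-access telemetry into separate pipelines.

Added example, not DigiCert's or NHIMG's code. The event schema, field names
and log lines below are constructed; adapt the routing rules to your own schema.
"""
from collections import Counter, defaultdict

# Constructed sample: a machine-paced burst against a public API (5,000 requests
# from 50 sources, 90% rate-limited) with three privileged events mixed in.
BOT_BURST = [
    {"ts": 1000 + i, "src": f"203.0.113.{i % 50}", "path": "/api/v1/search",
     "status": 429 if i % 10 else 200, "principal": None, "mfa": None}
    for i in range(5000)
]
PRIVILEGED = [
    {"ts": 1010, "src": "198.51.100.7", "path": "/admin/login", "status": 200,
     "principal": "alice@corp.example", "mfa": True},
    {"ts": 3400, "src": "192.0.2.9", "path": "/admin/login", "status": 200,
     "principal": "svc-cert-rotate", "mfa": False},
    {"ts": 3401, "src": "192.0.2.9", "path": "/pki/rotate", "status": 200,
     "principal": "svc-cert-rotate", "mfa": False},
]
EVENTS = sorted(BOT_BURST + PRIVILEGED, key=lambda e: e["ts"])

PRIVILEGED_PATHS = ("/admin/", "/pki/", "/iam/")          # assumed prefixes
# Constructed per-principal source baselines (hypothetical addresses).
KNOWN_SOURCES = {"alice@corp.example": {"198.51.100.7"},
                 "svc-cert-rotate": {"10.20.0.5"}}


def route(event):
    """Privileged pipeline keys on path prefix or an authenticated principal;
    everything else is automation/volume telemetry."""
    if event["path"].startswith(PRIVILEGED_PATHS) or event["principal"]:
        return "privileged"
    return "automation"


def split_pipelines(events):
    """Fan events out into the two pipelines."""
    pipes = defaultdict(list)
    for e in events:
        pipes[route(e)].append(e)
    return dict(pipes)


def automation_summary(events):
    """Volume view: total, rate-limited share, noisiest sources. Right for bots."""
    total = len(events)
    limited = sum(1 for e in events if e["status"] == 429)
    return {"total": total,
            "rate_limited_share": round(limited / total, 3),
            "top_sources": Counter(e["src"] for e in events).most_common(3)}


def privileged_alerts(events, known_sources):
    """Access-anomaly view: every event judged individually, never by volume."""
    alerts = []
    for e in events:
        who = e["principal"]
        if not e["mfa"]:
            alerts.append(("no_mfa", who, e["path"], e["src"]))
        if e["src"] not in known_sources.get(who, set()):
            alerts.append(("new_source", who, e["path"], e["src"]))
    return alerts


def noisiest_sources(events, n):
    """What a single volume-ranked pipeline surfaces: the top-n talkers."""
    return [src for src, _ in Counter(e["src"] for e in events).most_common(n)]


def privileged_share(events):
    """Fraction of a combined stream that the privileged events amount to."""
    return sum(1 for e in events if route(e) == "privileged") / len(events)


if __name__ == "__main__":
    pipes = split_pipelines(EVENTS)
    print("automation:", automation_summary(pipes["automation"]))
    print("privileged alerts:", privileged_alerts(pipes["privileged"], KNOWN_SOURCES))
    print("192.0.2.9 in top-50 talkers:", "192.0.2.9" in noisiest_sources(EVENTS, 50))
```

In the combined stream the admin source 192.0.2.9 is outside the top 50 talkers and the privileged events are well under 0.1% of volume, so no rate- or rank-based rule sees them; the separate pipeline raises four alerts (no MFA and an unknown source, on both the login and the rotation call) regardless of how loud the bot traffic is.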

(@mr-nhi)

Internet-scale abuse is no longer separable from identity resilience: once DDoS reaches multi-terabit scale, the control question shifts from bandwidth alone to which trust services remain reachable under pressure. DNS, certificate validation, admin portals, and privileged access paths all become part of the attack surface. Practitioners should treat edge resilience as a prerequisite for identity continuity, not as a separate network concern.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: How do organisations know whether their DDoS resilience is actually working?

A: Look beyond uptime alone. A resilient programme preserves access to identity, DNS, and administrative control paths while absorbing or filtering abusive traffic. If the business stays online but admins cannot verify, rotate, or recover trust services, resilience is only partial.

👉 Read our full editorial: Internet tsunami DDoS attacks expose the limits of resilience models
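The dependency-mapping and degraded-mode items in the first post's practitioner guidance, and the resilience question answered above, can be made testable with a small model. The following is an added example, not code from DigiCert or NHIMG; the service names, tiers, dependency edges and the two weaknesses marked in the inventory are constructed to show the method. A service is reachable only if every one of its dependency groups has at least one reachable alternative, so impairing one component and recomputing the fixed point tells you which control-plane paths an admin would lose.

```python
"""Map identity-critical dependencies and simulate degraded-mode access.

Added example, not code from DigiCert or NHIMG. The inventory, service names
and dependency edges are constructed; replace them with your own asset data.
"""

# Each service lists hard dependency groups. A group is a set of alternatives;
# the service is up only if every group has at least one reachable member.
INVENTORY = {
    "dns-primary":   {"tier": "control-plane", "deps": []},
    "dns-secondary": {"tier": "control-plane", "deps": []},
    "cdn-edge":      {"tier": "workload",      "deps": [{"dns-primary", "dns-secondary"}]},
    "public-web":    {"tier": "workload",      "deps": [{"cdn-edge"}]},
    # Constructed weakness: OCSP responder name is only served from the primary zone.
    "ocsp":          {"tier": "control-plane", "deps": [{"dns-primary"}]},
    # Constructed weakness: IdP hard-fails logins when revocation checking is unavailable.
    "idp":           {"tier": "control-plane", "deps": [{"dns-primary", "dns-secondary"}, {"ocsp"}]},
    "admin-portal":  {"tier": "control-plane", "deps": [{"cdn-edge"}, {"idp"}]},
    "pki-api":       {"tier": "control-plane", "deps": [{"dns-primary", "dns-secondary"}, {"idp"}]},
    "cert-rotation": {"tier": "control-plane", "deps": [{"pki-api"}]},
    "break-glass":   {"tier": "control-plane", "deps": []},  # out-of-band, static addressing
}


def reachable(inventory, impaired):
    """Fixed-point: grow the 'up' set until no further service can come up."""
    impaired = set(impaired)
    up = set()
    changed = True
    while changed:
        changed = False
        for name, spec in inventory.items():
            if name in up or name in impaired:
                continue
            if all(group & up for group in spec["deps"]):
                up.add(name)
                changed = True
    return up


def control_plane_gaps(inventory, impaired):
    """Control-plane services lost as a consequence of the impairment (not the impaired ones)."""
    up = reachable(inventory, impaired)
    return sorted(n for n, s in inventory.items()
                  if s["tier"] == "control-plane" and n not in up and n not in set(impaired))


def resilience_verdict(inventory, impaired):
    """'full'     : workloads and control plane both up
       'partial'  : business online, but admins cannot verify/rotate/recover
       'degraded' : workloads themselves are down"""
    up = reachable(inventory, impaired)
    workloads_up = all(n in up for n, s in inventory.items()
                       if s["tier"] == "workload" and n not in set(impaired))
    if not workloads_up:
        return "degraded"
    return "partial" if control_plane_gaps(inventory, impaired) else "full"


def single_points_of_failure(inventory):
    """Components whose loss alone takes out some other control-plane service."""
    spof = {}
    for component in inventory:
        gaps = control_plane_gaps(inventory, {component})
        if gaps:
            spof[component] = gaps
    return spof


def with_redundant_ocsp_dns(inventory):
    """Hypothetical remediation: serve the OCSP name from both zones."""
    fixed = {n: {"tier": s["tier"], "deps": [set(g) for g in s["deps"]]}
             for n, s in inventory.items()}
    fixed["ocsp"]["deps"] = [{"dns-primary", "dns-secondary"}]
    return fixed


if __name__ == "__main__":
    for scenario in ({"dns-primary"}, {"cdn-edge"}, {"dns-primary", "dns-secondary", "cdn-edge"}):
        print(sorted(scenario), resilience_verdict(INVENTORY, scenario),
              "gaps:", control_plane_gaps(INVENTORY, scenario))
    print("SPOF before:", single_points_of_failure(INVENTORY))
    print("SPOF after :", single_points_of_failure(with_redundant_ocsp_dns(INVENTORY)))
```

With the primary DNS zone impaired, the public site stays up through the secondary zone, but the OCSP responder, the IdP and everything behind it (admin portal, PKI API, certificate rotation) are unreachable: exactly the "online but admins cannot rotate" case the answer above calls partial resilience. Making the OCSP name resolvable from both zones removes dns-primary from the single-point-of-failure list; the IdP's hard dependency on revocation checking remains one, which is the next item to exercise.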



   
ReplyQuote
Share: