Forecast for 2026: Botnets, AI, and Emerging DDoS Trends

In 2025, the global number of DDoS attacks increased nearly threefold. There are currently no signs that the situation will improve. Attackers are using increasingly sophisticated tactics, attack volumes continue to grow, and more companies and government organizations are becoming targets.

What should we expect in 2026? Which types of DDoS attacks will pose the greatest threat? Our forecast breaks it down.

What should we expect in 2026? Which types of DDoS attacks will pose the greatest threat? Our forecast breaks it down.

DDoS in 2026 — Key Takeaways:

  • Up to 85% of websites may be targeted
  • Primary risk: stealth reconnaissance before an attack
  • Dominant attack type: multi-vector DDoS
  • Peak attack capacity: over 3 Tbps
  • Main drivers: botnet growth and AI adoption
  • DDoS attack protection in 2026

Up to 85% of Websites May Be Targeted

According to our analysts, the total number of DDoS attacks increased by 198% in 2025. In the first half of the year, attacks were most often driven by hacktivism. In the second half, financial motives, extortion, and profit-driven attacks became dominant.

Overall, 70% of websites experienced at least one DDoS attack during the year.

Forecast for 2026: StormWall expects to mitigate up to 58 million DDoS attacks — nearly three times more than in 2025. The share of attacked websites may exceed 85%. In practical terms, this means that becoming a DDoS target is now almost inevitable.

Reconnaissance DDoS Attacks: Intelligence Before the Strike

Reconnaissance DDoS attacks are designed not to cause immediate damage, but to gather intelligence. They usually last up to 15 minutes and have relatively low intensity. Since they often remain below filtering thresholds, monitoring systems may fail to detect them. During this phase, attackers analyze the target’s infrastructure and identify weaknesses. Once vulnerabilities are found, they launch a much stronger attack to disrupt the victim’s services.

In 2025, the number of reconnaissance DDoS attacks worldwide increased fourfold, representing a 300% year-over-year growth. Attacks conducted specifically for reconnaissance purposes accounted for 25% of all incidents — meaning every fourth DDoS attack now starts with probing.

Forecast for 2026: Reconnaissance attacks will remain a core part of attackers’ toolkits, as they are among the most efficient and cost-effective methods available.

Multi-Vector Attacks Take the Lead

Multi-vector DDoS attacks target infrastructure simultaneously across several layers of the OSI model (L3, L4, and L7) and combine multiple attack techniques.

These attacks are particularly difficult to protect against for several reasons:

  • Securing all OSI layers is resource-intensive and often costly.
  • Organizations frequently rely on multiple protection tools that operate on different protocols and technologies, making them hard to manage during an active attack.
  • Multi-vector attacks often serve as cover for other malicious activity, such as intrusions or data theft, which may go unnoticed while defenses focus on mitigating large-scale traffic floods.

In 2025, the number of multi-vector attacks increased by 83%. In nearly one-third of all DDoS incidents, attackers combined two or more vectors.

Forecast for 2026: Multi-vector DDoS attacks may account for up to 65% of all incidents.

Read more: Multi-Vector DDoS Attacks: What They Are and How to Stay Protected

Peak Attack Capacity Surpasses 3 Tbps

DDoS attacks exceeding 1 Tbps are no longer exceptional. In 2025, we recorded an attack with a peak capacity of 4.8 Tbps. It belonged to the carpet bombing category, where attackers distribute malicious traffic across IP ranges and subnets rather than concentrating on a single vector.

Forecast for 2026: Peak attack capacity will increasingly exceed 3 Tbps. The threat is driven not only by higher traffic volumes, but also by greater adaptability and tactical sophistication. Many attacks are manually controlled rather than fully automated. Operators monitor mitigation results in real time, identify which vectors are blocked, and immediately switch to others.

Botnets Are Expanding in Scale

A botnet is a network of compromised devices controlled by attackers and used to launch cyberattacks. These networks can include virtually any internet-connected device running an operating system.

Botnet expansion is the primary driver behind rising attack power. In 2025, the average botnet attack capacity increased by 2.5 times. Several extremely large botnets emerged globally.

The most notable was AISURU, which appears to control between 1 and 4 million infected devices. Another major botnet, Kimwolf, utilizes at least 2 million tablets, TV boxes, and other devices running Android TV OS worldwide.

Forecast for 2026: The average botnet size is expected to grow to at least 200,000 devices.

AI-Powered DDoS Attacks

Automated DDoS attacks are increasingly orchestrated using AI. Attackers apply artificial intelligence to:

  • Generate attack scripts.
  • Identify vulnerabilities in defenses.
  • Analyze traffic and select the most disruptive timing for attacks, such as peak usage hours or maintenance windows.
  • Mimic legitimate user behavior.
  • Increase tactical complexity, including during multi-vector attacks.

Forecast for 2026: The cyber threat landscape will undergo a fundamental shift. Effective DDoS protection will require intelligent behavioral analysis capable of identifying rapidly changing attack vectors and patterns.

How Can Organizations Prepare for DDoS Attacks in 2026?

Today, any organization with public visibility — from banks and retailers to ISPs and government services — can become a DDoS target. Traditional, reactive defense measures are no longer sufficient.

Effective protection requires strategies built on predictive analytics, machine learning, and distributed traffic filtering networks.

We recommend adopting a comprehensive DDoS mitigation that combines:

When choosing a solution, it is essential to ensure it can:

  • Scale as traffic and attack volumes grow.
  • Deeply analyze traffic across all OSI layers.
  • Respond automatically to threats.
  • Adapt to evolving attacker tactics.

“We continuously improve our solutions in response to the evolving threat landscape by expanding our scrubbing network and refining early detection algorithms. Our goal is not only to block attacks, but to anticipate them — providing proactive protection and guaranteed service availability even under the most challenging conditions.”

Ramil Khantimirov, CEO and Co-founder of StormWall

Network Protection from DDoS Attacks

  • Activate protection within 10 minutes
  • 24/7 technical support
Get a 10-day free trial