DigiCert’s Q4 2025 RADAR brief highlights rising internet load and more persistent cyber threats

DigiCert has released its Q4 2025 RADAR Threat Intelligence Brief, offering a detailed snapshot of how global internet demand and cyber threats converged during the final quarter of the year. Based on analysis of trillions of network events across DigiCert’s global security platform, the report underscores a clear shift: sustained peak traffic and prolonged attacks are becoming the new normal for internet infrastructure.

The findings point to mounting pressure on DNS, network and application layers during the year-end period, when seasonal surges in commerce, travel, business activity and device activations collided with a measurable increase in malicious behaviour. According to DigiCert, this convergence reinforces the need for layered, always-on security strategies rather than defences designed only for short-lived spikes.

Sustained demand replaces traditional peak periods

One of the most striking trends in the Q4 brief is the persistence of high internet traffic throughout the quarter. DigiCert’s DNS data shows that what were once short bursts of heavy demand around major events have stretched into weeks of consistently elevated load. The notion of an “off-peak” period during busy seasons is rapidly disappearing.

Alongside this growth, the report highlights unusually high levels of background DNS signals, including NXDOMAIN requests—failed lookups—and queries generated by automation tools. These patterns indicate continuous internet scanning, repeated requests from misconfigured systems, and ongoing reconnaissance by bots.

For organisations, this shift carries significant implications. Systems can no longer depend on brief recovery windows between peaks, while the constant background noise increases the risk of outages or exploitation. DigiCert notes that manual or reactive approaches struggle to scale in an environment where pressure is sustained rather than episodic.

DDoS attacks grow longer and more demanding

The report also documents an escalation in distributed denial-of-service (DDoS) activity as the quarter progressed. Rather than short, disruptive bursts, attackers increasingly launched longer and larger campaigns designed to place prolonged strain on infrastructure and defences.

This evolution marks a move away from probing attacks towards strategies aimed at wearing systems down over time. As a result, the risk is no longer limited to outright outages; extended attacks can degrade performance, inflate operational costs and erode customer experience even when services remain technically online.

Application-layer attacks stay quiet but persistent

At the application layer, DigiCert observed continued reliance on automated tools, with attackers repeatedly testing how applications respond to different requests. Techniques such as cookie manipulation were used to probe for weaknesses gradually, rather than through noisy, one-off attacks.

While overall volumes fluctuated, the behaviour itself remained consistent: quiet, persistent testing that can be difficult to detect. DigiCert warns that this increases the likelihood that small configuration issues could escalate into more serious security incidents if left unchecked.

Michael Smith, AppSec CTO at DigiCert, said the findings reinforce a broader shift in how resilience must be defined. “Resilience is no longer about absorbing isolated spikes in traffic and attacks,” he noted. “With the ever-increasing scale of internet bandwidth and the emergence of large botnets, organisations must be prepared to operate under prolonged demand and sustained attack pressure across DNS, network and application layers simultaneously.”

Taken together, the Q4 2025 RADAR Brief paints a picture of an internet environment where continuous load and long-running threats are the baseline. For enterprises, DigiCert’s message is clear: security and availability strategies must be designed for endurance, not just for peak moments.