In February 2026, DigiCert’s UltraWAF infrastructure processed more than 1.97 billion web requests. While overall traffic declined from the prior month, the proportion of malicious traffic increased, with more than 445 million requests identified as malicious, accounting for 22.48% of all observed web traffic. Bot traffic represented 1.46% of total traffic and decreased slightly month over month, indicating that the more meaningful shift was not simply a rise in generalized automated activity, but a larger share of total traffic being associated with malicious interaction. At a business level, this reflects a more aggressive threat environment in which a greater portion of inbound activity was tied to reconnaissance, exploitation attempts, or direct abuse of exposed application functionality.
Attack activity remained concentrated in a small number of detection categories. Cookie related attacks were the most prominent, making up 60.32% of malicious traffic, followed by Command Injection at 19.40% and Field Format at 6.18%. The most notable movement in February was the sharp increase in Buffer Overflow Cookie activity, which rose by 180.39%. This trend is significant because it points to behavior that extends beyond common web application scanning or basic injection attempts. Buffer overflow related detections are often associated with attempts to stress how applications, modules, or libraries process untrusted input, and they can reflect efforts to identify weaknesses that may support memory corruption or remote code execution. This suggests that a portion of February’s activity was oriented toward discovering higher impact exploit opportunities rather than simply generating noise.
The observed payloads further support that conclusion and show a strong emphasis on payloads intended to expose credentials, identify vulnerable infrastructure, or establish code execution. Several requests attempted direct access to sensitive files, including AWS credential material and exposed environment configuration files such as env.aws. Other payloads targeted Docker Engine endpoints, JBoss management consoles, and Jira application metadata, all of which are consistent with reconnaissance designed to identify software versions, administrative surfaces, and infrastructure details that can guide follow on activity. These types of requests are especially notable because they show malicious actors attempting to quickly determine whether a target environment contains exposed services or high value configuration data that could accelerate compromise. The most concerning payloads were those that went beyond discovery and clearly attempted execution or payload delivery. UltraWAF observed requests designed to manipulate PHP runtime directives in order to force attacker supplied code execution, inject shell commands into VPN or device management interfaces, and download binaries or scripts to target devices, including ARM based systems commonly associated with routers or embedded hardware. These are not routine probes. They reflect deliberate efforts to turn exposed applications and management interfaces into execution paths for staging malware, botnet enrollment, or broader intrusion activity.
Taken together, February’s results show that web application risk was driven less by overall volume and more by the nature of the traffic being observed. The month reflects a threat environment shaped by purposeful reconnaissance, credential targeting, infrastructure fingerprinting, and repeated attempts to achieve remote execution. The concentration of these payloads indicates sustained pressure from malicious actors seeking rapid paths from initial discovery to deeper compromise.
Stats at a Glance
- Total Web Requests: 1,979,823,845
- Largest Threat Category: Cookie (60.32%)
- Total WAF Violations: 445,128,976 (a 12.49% increase from January 2026)
- Top Three Industry Targeted: Travel/Hospitality (79.07%), Financial (16.21%), Government (3.19%)
- Total Bot Violations: 28,847,250
- Top Three Source Countries: Great Britain (79.07%), United States (11.61%), France (0.97%)
