AI is changing the economics and speed of disruption, making downtime easier to trigger and harder to prevent. Radware’s 2026 Global Threat Analysis Report explains what this looks like in practice: DDoS campaigns are becoming more hybrid, more time-compressed, and harder to distinguish from legitimate automated traffic.
From a MazeBolt perspective, the report surfaces three findings that are particularly worth highlighting. Each one points to a different way AI is reshaping DDoS risk and reveals a readiness gap that organizations need to close.
Attackers Now Use AI in Hybrid DDoS Campaigns
The Radware report describes a dual shift: network-layer DDoS has surged, while Web DDoS has also grown sharply. It reports 168.2% growth in network DDoS attacks in 2025 and 101.4% growth in Web DDoS, with a major skew toward smaller Web DDoS events.
The insight is not “just” that attackers are using both types of DDoS. It is that they are increasingly able to coordinate them into one, hybrid campaign. With automation and AI, they can launch attacks quickly, adjust them on the fly, and keep applying pressure until they find the weakest spot.
The weakest spot is often not a single tool, but the places where defenses do not line up perfectly and protections do not kick in as expected, or where different systems behave differently under stress.
This is where many teams get trapped by a false choice. They select one of these two possibilities:
- Preparing mainly for huge traffic floods, while quieter “death by a thousand cuts” pressure can still slow down or disrupt services without setting off the alarms you expect
- Preparing mainly for website and API slowdowns, and finding out too late that the underlying Internet-facing “plumbing” is not as solid as assumed when the really heavy traffic hits
MazeBolt’s point of view is that DDoS risk lives in the gaps that develop between layers and controls. Premium mitigation solutions can still fail if protections are misaligned, drifting, or inconsistent across hybrid stacks.
AI-Driven DDoS Attacks Are Becoming Too Fast to Stop
Radware also calls out time compression, including the “five-minute problem,” and notes that many record-level DDoS attacks now last less than 60 seconds. The practical implication is that manual runbooks and human-in-the-loop intervention cannot reliably keep up.
AI accelerates this dynamic in two ways. First, it reduces the effort required to launch and adapt attacks. Attackers can iterate quickly, probe defenses, and re-launch with different parameters without waiting for humans.
Second, it shrinks the length of the impact window. If disruption can be achieved in under a minute, then the old comfort statements stop holding. “We will respond quickly” or “We tested last quarter” are no longer sufficient.
For MazeBolt, this is one of the clearest executive-level arguments in the report: DDoS resilience must be proven before an event happens and not explained after the damage has occurred.
AI Is Making DDoS Attack Traffic Harder to Detect
Radware’s report highlights an “AI identity dilemma,” where the rise of AI agents pushes platforms to allow types of automated behavior that were previously treated as suspicious. Attackers can take advantage of this by imitating “legitimate” automation to slip past weaker checks.
The report also connects this issue to a broader democratization of capability. GenAI and widely available tooling make web-layer disruption easier for more actors to execute.
The bigger point for defenders is that AI changes what you have to allow. As automation becomes normal in production environments, teams adjust rules, add exceptions, and loosen restrictions to keep the business running. Over time, those changes reduce clarity about what “good” traffic looks like. That gray area creates opportunity. Stated differently: Attackers do not always need to overwhelm defenses when they can look valid just long enough to get through, trigger strain, and cause disruption.
The result is a slow drift in trust and readiness. The environment evolves through many small adjustments, and eventually a harmless-looking exception becomes the path of least resistance. As a result, organizations can invest heavily in DDoS protection and still experience DDoS damage: not because the tools are broken, but because the reality of AI-driven change makes gaps easier to create and harder to notice.
Radware understandably emphasizes the importance of detection and verification improvements. MazeBolt’s gentle push is that even the strongest stack will drift under AI-driven change, and this is where downtime risk hides.
AI-Driven DDoS Risk Requires Proven Resilience, Not Assumptions
Taken together, these findings tell a consistent story. AI is making DDoS more coordinated across layers, faster than manual response, and more likely to exploit the gray area between legitimate automation and malicious traffic.
As Radware states: “To survive this new reality, organizations must abandon the reactive assumptions of the last decade and embrace proactive, self-defending architectures built on the pillars of automation, scale and intelligence.“
Continuous, nondisruptive DDoS testing allows enterprises to maintain their DDoS resilience, in this new reality. Continuous testing is not just another point product, and it is not a replacement for mitigation solutions. Instead, it is the mechanism that turns DDoS defense from an assumption into evidence. It helps organizations verify, continuously, that defenses are actually blocking what they should across Layer 3, 4, and 7, even as policies and environments evolve.
Mitigation vendors sell blocking power. MazeBolt sells proven DDoS readiness, continuously.
Want to learn more about how continuous DDoS validation reduces the risk of damaging downtime? Speak to an expert!
Key Takeaways on AI-Driven DDoS Risk
- AI is making DDoS campaigns more coordinated, blending Layer 3/4 floods with Layer 7 web pressure to find the weakest link between defenses.
- AI is compressing attack timelines, so disruptions can happen faster than people and runbooks can react.
- AI is changing what “normal traffic” looks like, creating gray areas attackers can imitate, and increasing drift as teams keep adjusting rules and exceptions.
- Net effect: organizations can invest in DDoS mitigation and still suffer damage if readiness is assumed rather than proven.
FAQ
How does AI make DDoS attacks more effective?
AI helps attackers launch and adjust attacks faster and cheaper, coordinate multiple attack types at once, and blend into legitimate-looking automated traffic.
Why are DDoS attacks targeting Layer 3, 4, and 7 at the same time?
Because hybrid attacks increase the chance of success. Attackers can flood infrastructure while also stressing websites and APIs, then keep pushing until something breaks.
What can defenders do if DDoS attacks last less than 60 seconds?
You cannot rely on manual response. The focus has to shift to proving defenses will trigger correctly before an attack happens, not during it.
Why do companies still experience DDoS downtime despite mitigation vendors?
Because outages often come from DDoS vulnerabilities like misaligned protections, configuration drift, and exceptions that create bypass conditions over time, especially in hybrid environments.
What is continuous DDoS validation and why does it matter today?
It is an always-on way to confirm your defenses are working as your environment changes, so you can catch hidden readiness gaps before attackers find them.
