DDoS Attacks Surge 168% as CISA Operates at Reduced Capacity: What IT Leaders Must Do Now
As this week comes to a close, startling news has emerged that presents a serious challenge to the cybersecurity landscape. Radware has released its 2026 Global Threat Analysis Report, indicating that network-layer DDoS attacks surged by 168.2% year over year, with peak volumes nearing 30 Tbps. Just hours earlier, Germany's Deutsche Bahn confirmed that a significant DDoS attack had disrupted its booking and information systems. This is all happening while the Cybersecurity and Infrastructure Security Agency (CISA) is operating at approximately 38% staffing capacity due to an ongoing funding lapse at the Department of Homeland Security (DHS). For CISOs, IT Directors, and business executives, the message is clear: the threat landscape is evolving at a pace that exceeds many organizations' defensive capabilities, and the federal support you may have relied on is increasingly limited.
The Numbers That Should Keep You Up Tonight
Radware's report, based on data from its cloud and managed security services, presents a concerning picture of attack trends as 2025 gives way to 2026. Network-layer DDoS attacks rose by 168.2%, with the average Radware customer experiencing over 25,351 attacks in just the second half of 2025—equating to roughly 139 attacks per day. Web DDoS attacks increased by 101.4%, application and API attacks by 128%, and malicious bot activity by 91.8%. The technology sector bore the brunt of these network-layer DDoS attacks, accounting for 45% of the total, a significant increase from 8.77% in 2024. Telecommunications and financial services followed closely behind. Furthermore, North America accounted for 63.1% of the global network-layer attack volume.
What is driving this escalation? Two main factors are at play. First, the emergence of generative AI tools has lowered the entry barrier for attackers, allowing even those with minimal resources to launch large-scale automated campaigns, ranging from credential stuffing to complex multi-vector DDoS attacks. Second, ongoing geopolitical conflicts continue to stimulate hacktivist activities. The group NoName057(16) claimed responsibility for 4,693 attacks in 2025, making it the most prolific hacktivist entity on record. Notably, Europe accounted for 48.4% of all claimed hacktivist attacks, with government services being the primary target at 38.8%.
CISA at 38%: What This Means for Your Organization
The Department of Homeland Security (DHS) shutdown that began on February 14, 2026, has left the Cybersecurity and Infrastructure Security Agency (CISA) with only 888 of its 2,341 employees designated as "excepted" personnel. The remaining staff have been furloughed. This situation is compounded by the fact that approximately one-third of the agency's workforce has left over the past year.
Acting CISA Director Madhu Gottumukkala issued a clear warning to Congress: "When the government shuts down, cyber threats do not."
The practical implications of the shutdown are significant. Incident response capacity has been severely diminished, with nearly two-thirds of the staff unavailable. New cybersecurity assessments for critical infrastructure owners have been canceled. Work on finalizing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule—a regulation that many organizations have been preparing for—is also on hold. Although CISA's 24/7 operations center and the Known Exploited Vulnerabilities (KEV) Catalog remain operational, the agency's ability to deploy services and share timely threat intelligence is materially reduced.
For organizations that have relied on CISA advisories, vulnerability scanning services, or incident response coordination, this is an important moment to critically assess your internal capabilities.
Active Zero-Days Add Fuel to the Fire
Compounding the surge in DDoS attacks and reduced federal capacity, February 2026 has witnessed a wave of actively exploited zero-day vulnerabilities. Microsoft's February Patch Tuesday addressed six zero-days that are currently under active exploitation. These include a Windows SmartScreen bypass (CVE-2026-21510), an Office OLE mitigation bypass (CVE-2026-21514), and a privilege escalation flaw in the Desktop Window Manager (CVE-2026-21519). CISA promptly added all six vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog.
In a separate report, Google confirmed that CVE-2026-2441, a use-after-free vulnerability in Chrome enabling heap corruption through specially crafted HTML pages, is actively being exploited in the wild. Additionally, researchers from GTIG and Mandiant have reported that a group suspected of being linked to the Chinese state has been exploiting a critical flaw in Dell RecoverPoint (CVE-2026-22769) since at least mid-2024.
These vulnerabilities are not just theoretical risks; they represent active campaigns targeting production environments right now.
A Practical Framework: Five Actions for IT Leaders This Week
Instead of waiting for the threat landscape to stabilize, something unlikely to happen, here is a practical framework for immediate action:
- Audit your DDoS resilience today. Relying solely on ISP-level protections is no longer sufficient, especially with peak volumes nearing 30 Tbps. Consider evaluating cloud-based DDoS mitigation services capable of absorbing large-scale volumetric attacks. Ensure you have tested runbooks for multi-vector attack scenarios.
- Patch the February zero-days immediately. This means the six critical Microsoft zero-days and Chrome's CVE-2026-2441. If you're using Dell RecoverPoint in your environment, treat CVE-2026-22769 as a high priority. Cross-reference all patches with CISA's KEV Catalog, which remains current despite the agency's shutdown.
- Reduce your dependency on federal cyber services. Conduct a gap analysis to identify which threat intelligence feeds, vulnerability scanning, or incident response capabilities you were sourcing from CISA. Find commercial or open-source alternatives to fill those gaps, even temporarily. Consider using threat intelligence platforms and managed detection and response (MDR) services as interim solutions.
- Stress-test your bot and API defenses. With bot activity increasing by 91.8% and API attacks surging by 128%, it's crucial to review your web application firewall (WAF) and bot management configurations. Implement rate limiting, behavioral analysis, and challenge-based verification for high-risk endpoints.
- Brief your executive team and board. The combination of escalating threats and reduced federal support poses a significant risk. Clearly communicate these findings in business terms: potential service disruptions, regulatory risks due to delayed CIRCIA rulemaking, and the financial implications of an incident when federal assistance is limited.
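The KEV cross-reference from the patching item above can be automated. The following is an added example, not code from Radware, CISA or the original article: it matches a scanner export against KEV-format JSON and ranks unpatched hits by due date. The hostnames, due dates and the `CVE-0000-00001` entry are constructed placeholders, and the catalog sample is trimmed to the `cveID` and `dueDate` fields.

```python
import json
from datetime import date

# Constructed sample in the KEV catalog JSON layout; due dates are placeholders, not CISA's.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2026-21510", "dueDate": "2026-03-03"},
 {"cveID": "CVE-2026-21514", "dueDate": "2026-03-03"},
 {"cveID": "CVE-2026-21519", "dueDate": "2026-02-24"}
]}"""

# Constructed scanner export: (host, CVE id as the scanner wrote it, patched?)
FINDINGS = [
    ("ws-014", "cve-2026-21510", False),
    ("ws-014", "CVE-2026-21519 ", False),
    ("ws-022", "CVE-2026-21514", True),
    ("srv-db1", "CVE-0000-00001", False),  # placeholder id, absent from the sample
    ("srv-db1", "CVE-2026-21519", False),
]

def load_kev(text):
    """Map normalised CVE id -> remediation due date from KEV-format JSON."""
    catalog = json.loads(text)
    return {v["cveID"].strip().upper(): date.fromisoformat(v["dueDate"])
            for v in catalog.get("vulnerabilities", [])}

def kev_exposure(kev, findings, today):
    """Unpatched findings that appear in KEV, most urgent first."""
    rows = []
    for host, cve, patched in findings:
        cve_id = cve.strip().upper()  # scanners differ in case and padding
        due = kev.get(cve_id)
        if patched or due is None:
            continue
        rows.append({"host": host, "cve": cve_id, "due": due,
                     "overdue": today > due, "days_left": (due - today).days})
    return sorted(rows, key=lambda r: (r["due"], r["host"]))

def non_kev_backlog(kev, findings):
    """Unpatched findings absent from KEV: still to fix, on the normal schedule."""
    return sorted({(h, c.strip().upper()) for h, c, p in findings
                   if not p and c.strip().upper() not in kev})

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for row in kev_exposure(kev, FINDINGS, date(2026, 2, 26)):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['due']}  {row['host']:8} {row['cve']:16} {flag}")
    print("not in KEV:", non_kev_backlog(kev, FINDINGS))
```

In practice `KEV_JSON` would be the catalog file downloaded from CISA and `FINDINGS` the export from your vulnerability scanner.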
The Mistake to Avoid
The most dangerous response to today's news is to assume that your current security measures are "good enough" just because you haven't been targeted yet. Attackers are increasingly targeting organizations that haven't upgraded their defenses to keep pace with the evolving scale of threats. With AI-generated attack tools making sophisticated campaigns accessible, the real question isn't whether your organization will experience a significant attack, but when it will happen, and whether your response time will be measured in seconds or hours.
As Ron Meyran, Radware's VP of Threat Intelligence, stated in today's report, organizations must implement automated defenses that respond in seconds, not minutes.
What Comes Next
The cybersecurity landscape in 2026 will be characterized by a fundamental imbalance: while threats are growing exponentially, some organizations tasked with defending against them are operating at reduced capacity. This is not a temporary issue; it represents a structural shift that requires organizations to take full responsibility for their cybersecurity posture.
If your team is stretched thin, if your DDoS mitigation strategies have not been tested against current threat levels, or if you're uncertain about how the lapse in CISA funding affects your compliance roadmap, now is the time to seek outside expertise. A targeted assessment can help identify your highest-risk vulnerabilities and prioritize necessary remediation before the next wave of attacks hits.
Sources
- Radware 2026 Global Threat Report — DDoS Attacks Jump 168% — GlobeNewsWire, February 19, 2026
- CISA Navigates DHS Shutdown With Reduced Staff — SecurityWeek, February 2026
- CISA to Furlough Most of Its Workforce Under DHS Shutdown — Nextgov/FCW, February 2026
- 6 Actively Exploited Zero-Days Patched by Microsoft — February 2026 — SecurityWeek, February 2026
- CISA Flags Four Security Flaws Under Active Exploitation — The Hacker News, February 2026
- Top Tech News Today, February 19, 2026 — Tech Startups, February 19, 2026