Threat Intel 2026-04-30 13 min read

Telemetry Findings: 4.1M WAF Events Reveal the Top 10 Web Attack Patterns in Q1 2026

SQL injection is still #1 by volume. But the most significant Q1 2026 shift is the rise of scanner-first attacks — automated tools probing for 47 CVEs before any human operator reviews the output. Here's what 4.1M events reveal.

By Threatstealth WAF Research

Threatstealth WAF processed 4.1 million matched events across monitored environments in Q1 2026 (January 1 – March 31). This report analyses attack category distribution, source patterns, and technique shifts relevant to WAF rule tuning and SOC prioritisation.

Events represent WAF rule matches — not necessarily successful attacks. False positive rates vary by rule and environment. All source IP geographies are approximate (GeoIP accuracy ±5%).

Attack Category Distribution (4.1M Events)

Q1 2026 WAF Event Distribution by OWASP Category
Rank	Category	Event volume	% of total	Q4 2025 rank
1	SQL Injection (SQLi)	892,000	21.8%	#1
2	Scanner / Reconnaissance	781,000	19.1%	#3
3	Cross-Site Scripting (XSS)	614,000	15.0%	#2
4	Path Traversal / LFI	489,000	11.9%	#4
5	Remote File Inclusion (RFI)	312,000	7.6%	#6
6	Known CVE Exploitation (non-Log4j)	287,000	7.0%	#7
7	Log4Shell (CVE-2021-44228) remnants	201,000	4.9%	#5
8	Command Injection / RCE	198,000	4.8%	#8
9	HTTP Protocol Anomalies	187,000	4.6%	#9
10	Authentication Bypass	139,000	3.4%	#10

Key Finding 1 — Scanner-First Attacks Rose to #2

Automated reconnaissance events moved from #3 to #2 by volume, driven by mass scanning for 47 specific CVEs across exposed web infrastructure. The most-scanned CVEs were: Spring4Shell (CVE-2022-22965), Apache Struts CVE-2023-50164, PHP CGI CVE-2024-4577, and Erlang/OTP CVE-2025-32433. Scanner fingerprinting of these CVEs preceded exploitation attempts by a median of 4.2 days — making WAF-level scanner detection a useful early-warning signal.

Scanner tools identified: Nuclei (42% of scanner events), Metasploit (18%), custom HTTP clients (31%), Shodan Favicons scanner (9%)
Most-scanned CVE categories: network services (38%), PHP frameworks (24%), Java frameworks (21%), CMS plugins (17%)
Scanner → exploit conversion rate: 3.1% of scanner events were followed by an exploitation attempt on the same target

Key Finding 2 — Log4Shell Still Generates 4.9% of Events (2.5 Years Post-Disclosure)

Log4Shell (CVE-2021-44228) events accounted for 201,000 WAF events in Q1 2026 — 4.9% of total volume. This reflects two things: persistent unpatched deployments across the internet, and the fact that automated scanning tools still include Log4Shell probes in default scan profiles. The persistence of this pattern argues for keeping Log4Shell detection rules active indefinitely.

Key Finding 3 — Geographic Distribution Shift

Source IP geographies shifted in Q1 2026. Traffic from TOR exit nodes increased 34% year-over-year. VPN/proxy IP traffic increased 22%. Traffic from residential IP ranges (previously used only in targeted attacks) increased 41% — a likely indicator of botnet-infected residential devices being used to launder attack traffic.

TOR exit nodes: 8.2% of all WAF events (up from 6.1% in Q1 2025)
Known hosting/VPS ranges: 34.1% (consistent year-over-year)
Residential IP ranges: 18.7% (up from 13.2% in Q1 2025)
Enterprise/corporate ranges: 6.4% (insider threat or compromised corporate systems)

WAF Tuning Recommendations

Enable Log4Shell detection permanently — do not disable based on vulnerability age
Add Nuclei user-agent and header fingerprints to scanner detection rules
Use scanner events as leading indicators — correlate scanner hits with subsequent exploitation attempts on the same IP
TOR exit node blocking: consider deny-by-default for TOR IPs in high-security applications
Deploy anomaly scoring mode — individual rule matches are low-signal; accumulating anomaly scores per session increases detection fidelity