Pro-Russia hacktivists are targeting local government and critical infrastructure in the UK, the National Cyber Security Centre (NCSC) has warned.

In an advisory this week, the security agency issued an alert over increased DDoS attacks by state-aligned groups. These attacks are driven by ideology over Western support for Ukraine, rather than financial gain, and aren't directly controlled by the state.

"We continue to see Russian-aligned hacktivist groups targeting UK organizations, and although denial-of-service attacks may be technically simple, their impact can be significant," said NCSC director of national resilience Jonathon Ellison.

“By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day."

In particular, the NCSC cites the NoName057(16) group, active since March 2022, and operating mainly through Telegram channels. It uses GitHub, along with other websites and repositories, to host the proprietary DDoS tool, DDoSia, and to share tactics, techniques, and procedures (TTPs) with its followers.

NoName057(16) has carried out numerous attacks against government bodies and the private sector in countries perceived as hostile to Russian geopolitical interests, including frequent DDoS attempts against UK local authorities.

“NoName057(16) consistently targets organisations where availability is closely tied to public trust, particularly local government websites, civic services, and other public-facing infrastructure," said Christiaan Beek, senior director of threat intelligence and analytics at Rapid7.

"While the group presents itself as a grassroots hacktivist collective, the timing of its campaigns and the close alignment of its targeting with Russian geopolitical objectives mean we cannot rule out some level of state encouragement, coordination, or tacit approval."

Russian hacktivists are an ever-present threat

Russian hacktivism isn't a new problem. In 2023, the NCSC published an alert on the risk posed by state-aligned adversaries following the Russian invasion of Ukraine.

In December, alongside international partners, it co-sealed an advisory which called out pro-Russian hacktivist groups for targeting government and private sector entities.

The NCSC advises organizations to take preventative action – with the first steps being to discover weak points and look for help from upstream service providers.

To deal with attacks which can’t be handled upstream – or only once detected and blocked – they should make sure their service can rapidly scale.

Similarly, the agency said organizations should define a response plan, covering graceful degradation of services, dealing with changing tactics, retaining administrative access during an attack and having a scalable fallback plan for essential services.

Gary Barlet, public sector CTO at Illumio, welcomed the focus on mitigation as well as prevention.

"We need a new way of dealing with DoS attacks. For too long, we have focused solely on prevention, and this approach has not worked," he said.

"The NCSC’s advice signals a change by recommending that plans include retaining administrative access and implementing full-scale backup plans. However, there needs to be an entire mindset shift within critical infrastructure organizations to focus on prioritizing impact mitigation and maintaining service and operational uptime.”

FOLLOW US ON SOCIAL MEDIA

The availability of AI tools is behind a record-breaking increase in the use of DDoS botnets, according to Qrator Labs.

Cybercriminals are increasingly using AI, with a recent report from Darktrace revealing 78% of CISOs say AI-powered threats are already having a significant impact on their organizations.

Earlier this summer, NetScout warned that the use of AI assistants and chatbots was starting to 'democratize' DDoS attacks by allowing lower-level hackers and those lacking technical expertise to wage highly effective attacks.

According to Qrator, this is really starting to show, as AI tools become more readily available, enhancing the effectiveness of automated attacks.

The Qrator research reveals a shift in the location of bot networks, too. The researchers put this down to accelerated digitalization in developing regions, resulting in a surge of devices with low cybersecurity awareness and numerous vulnerabilities.

Brazil has recently overtaken Russia and the US as the largest source of application-layer (L7) DDoS attacks, now accounting for 19% of all malicious traffic observed in the third quarter of this year.

Vietnam, meanwhile, has shown the fastest growth, climbing from 15th to fourth place in just one year.

In one example this month, the company recorded an attack by a multi-million-device botnet that it has been tracking for six months. This network is made up of 5.76 million infected devices, most of which were located in Brazil, Vietnam, the US, India, and Argentina.

“The sheer number of vulnerable devices is nothing new – we’ve seen this before in previous years. What has changed in 2025 is that attackers can now find and capture them much faster and more efficiently, thanks to AI,” said Andrey Leskin, chief technology officer at Qrator Labs.

“To put it in perspective, last year, the largest DDoS botnet we recorded included around 227,000 devices. As you can see, using AI tools, attackers have increased the scale by about 25 times in just one year.”

During the third quarter, DDoS attacks most frequently targeted the fintech sector, which accounted for 26% of attacks. Ecommerce was next, at 22%, followed by media at 16%, and information and communication at 15%.

The most intensive L3-L4 DDoS attack of the quarter was aimed at the eCommerce sector, peaking at 1.15 Tbps – slightly higher than the 2024 record of 1.14 Tbps.

Meanwhile, the longest bot attack took place on 4 September, also targeting the eCommerce sector and lasting 14 hours and 33 minutes.

MORE FROM ITPRO

• Critical networks face unprecedented threat as DDoS attacks are getting shorter and more intense
• Application layer DDoS attacks are skyrocketing – here's why
• How to recover from a DDoS attack – and what they can teach businesses

The number of DDoS attacks on critical networks has reached an all-time high, fuelled by vast numbers of compromised home internet connections.

Attackers have stepped up their intrusions into core networks, according to Nokia's 11th annual Threat Intelligence Report.

In some cases, attackers are accessing sensitive systems such as subscriber data and lawful interception platforms – for example, in the high-profile Salt Typhoon case.

"Connectivity powers everything from public safety and financial transactions to digital identity," said Kal De, senior vice president, product and engineering, cloud and network services at Nokia.

"Recent attacks have reached lawful interception systems, leaked sensitive subscriber data, and disrupted emergency services."

Most telecom operators, 63%, dealt with at least one 'living off the land' attack last year, with 32% seeing four or more.

And these attacks are getting shorter and more intense. Terabit-scale DDoS attacks are now happening five times more frequently, and with greater peak strength than last year. DDoS peaks in the 5 to 10Tbps range are 'the new normal', said Nokia.

And with 78% of DDoS attacks now ending within five minutes – up from 44% in 2024 – and 37% wrapping up in under two minutes, detection and mitigation need to be fast.

Nearly 60% of high-cost breaches take place thanks to insider actions or mistakes, with complex supply chains further increasing exposure to credential misuse, privilege escalation and physical access breaches.

Meanwhile, 76% of vulnerabilities stem from missing patches, and application‑layer issues, including poor access controls and exploitable software flaws, are common too.

Organizations are fighting back with AI, with more than seven-in-ten telecom security leaders saying they now prioritize AI- and ML-based threat analytics, and with more than half planning to deploy AI for detection in the next 18 months.

However, warned Nokia, despite upcoming quantum security compliance deadlines from governing bodies – particularly in the EU – the industry doesn't have the sense of urgency that it should. Quantum computing risk ranked second to last among concerns for network security professionals.

Meanwhile, the timespan in which digital certificates remain valid is shrinking dramatically, from a current year or more to just 47 days by 2029 – highlighting a need for automated certificate management.

In all, said Nokia, around 100 million residential endpoints are compromised – 4% of the world total – making DDoS protection essential.

"In light of the rise of industrialized attack tools, millions of insecure IoT endpoints and organized botnets employing residential proxies, network owners must act now to protect their assets and customers from massive, complex and highly variable DDoS attacks in the 10-plus terabit range," said Jeff Smith, vice president and general manager, Deepfield, at Nokia.

"Security should not be an afterthought; rather, DDoS protection must be built into the network itself, ensuring critical network functions continue uninterrupted."

An Oregon man has been arrested and charged amid allegations they coordinated the Rapper Bot botnet, believed to have caused huge outages on X.

Ethan Foltz, 22, has been charged in the District of Alaska with developing and administering the DDoS-for-hire botnet, which has conducted a series of large-scale cyber attacks since at least 2021.

Campaigns in August 2022 and December 2022 focused on brute-forcing devices with weak or default SSH and Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.

The following year, analysis from Fortinet shows it started branching out into cryptojacking, specifically for Intel x64 machines.

At first, the attackers deployed and executed a separate Monero cryptominer alongside the usual Rapper Bot binary, later combining both functionalities into a single bot.

Also known as Eleven Eleven Botnet and CowBot, Rapper Bot mainly targeted devices like digital video recorders or Wi-Fi routers at scale, exploiting them for DDoS attacks in more than 80 countries around the world.

Victims included a US Department of Defense network and several US tech companies - most notably the X social media platform, which was hit in March this year.

Rapper Bot has been on a rampage

According to authorities, Rapper Bot has been responsible for more than 370,000 attacks since April, targeting 18,000 unique victims.

It used between 65,000 and 95,000 infected victim devices to regularly conduct DDoS attacks that amounted to between two to three terabits per second, with the largest attack believed to have topped six terabits per second.

Even the smallest of these could cost the victim up to $10,000, according to the Department of Justice (DOJ).

Foltz allegedly provided paying customers with access to what the DOJ called “one of the most sophisticated and powerful DDoS-for-hire botnets currently in existence”.

Some Rapper Bot customers, including Chinese gambling operations, extorted victims globally.

Earlier this month, law enforcement officials carried out a search warrant on Foltz’ residence in Oregon and shut down Rapper Bot’s attack capabilities, gaining administrative control. There don't appear to have been any attacks since.

“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” said US attorney Michael J. Heyman for the District of Alaska.

“Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.”

Amazon Web Services (AWS) contributed to the takedown by identifying Rapper Bot’s command and control (C2) infrastructure, and reverse engineering the IoT malware to map its operations and activities.

Foltz is charged with one count of aiding and abetting computer intrusions, for which he could face up to ten years in prison.

MORE FROM ITPRO

• Europol just took down 27 DDoS-for-hire sites
• Think DDoS attacks are bad now? Wait until hackers start using AI assistants to coordinate attacks
• NCA takes down world’s most prolific DDoS-for-hire website

Cyber criminals are increasingly relying on AI chatbots and automation tools to wage devastating DDoS attacks, according to analysis from Netscout.

Research as part of a multi-series report on the DDoS-for-hire landscape, first published in December 2024, highlighted a “three-year transformation” in this area of the cyber crime ecosystem as a result of automation.

In a recent follow-up blog post, Richard Hummel, director of threat intelligence at NetScout, said this has already “democratized sophisticated cyber attacks” by giving threat actors easier access to an array of powerful tools.

“The services evolved from simple point-and-click interfaces to automated platforms featuring API integration, reconnaissance tools, and adaptive attack capabilities,” Hummel noted.

Now, the company has warned that the influx of AI assistants and chatbots represents the next step in the evolutionary path for DDoS attackers - and it’s a problem many organizations are completely oblivious to.

“The DDoS-for-hire ecosystem already has embraced automation extensively,” Hummel wrote.

“NETSCOUT’s research revealed services offering automated attack scheduling, real-time parameter adjustment, and sustained campaign management with minimal human oversight.”

Platforms used by hackers are now capable of executing “multi-vector attacks” that are able to adapt to and circumvent defensive countermeasures, Hummel noted, and enable them to wage “carpet-bombing attacks across entire subnets”.

With the addition of AI assistants, threat actors may be able to take things up a notch, transforming capabilities from “automated to truly intelligent”.

For example, he suggested that rather than users being forced to understand attack vectors or network protocols, they can use AI assistants to detail their objectives and plans using natural language prompts.

“I want to take down my competitor’s website during their Black Friday sale,” Hummel cited as an example prompt. Thereafter, researchers noted that the AI assistant could hypothetically conduct target reconnaissance and vulnerability assessments.

AI tools could also be used for “optimal timing selection” to ensure an attack hits a target organization when it’s most vulnerable.

AI will further democratize DDoS-for-hire

Hummel warned that the influx of AI assistants in this cyber criminal domain will likely have a democratizing effect, enabling lower-level hackers and those without the technical expertise to wage highly effective attacks.

DDoS-for-hire services have already lowered the bar in this regard, researchers noted, but adding conversational AI tools would “eliminate remaining barriers entirely”.

There have been notable examples of threat actors using AI tools to ramp up operations. Earlier this year, research from Abnormal Security showed hackers were using a chatbot dubbed ‘GhostGPT’ to help write malware.

Other ‘Hackbot as a Service’ offerings, such as WormGPT, were already on the scene in 2023 offering subscription services for hackers to help write phishing emails and conduct business email compromise (BEC) attacks.

What this means for defenders

The evolution of the DDoS-for-hire landscape means enterprises across a range of industries could be facing a looming onslaught of attacks, Hummel warned.

“Organizations must recognize that traditional DDoS defenses designed for predictable, signature-based attacks will prove inadequate against AI-coordinated campaigns,” he wrote.

“AI-enhanced attacks could analyze defensive responses in real time, identify rate-limiting thresholds, mimic legitimate traffic patterns, and coordinate multi-vector attacks that evolve faster than human defenders can respond.”

With this in mind, Hummel said security teams will be forced to update defensive strategies – and it’s something they should be preparing for ahead of the first wave of confirmed AI-based attacks.

Naturally, fighting AI with AI in this instance will likely be the go-to approach for many security teams.

Hummel specifically highlighted machine learning-based detection and response systems as a key tool in the armory for cyber practitioners here, largely due to the speed advantage that they will provide teams responding to incidents.

Teams will also have to “rethink incident response” and improve threat intelligence sharing across the cybersecurity community to raise awareness of potential risks or incidents.

“Traditional playbooks assuming human-speed attacks must be replaced with autonomous response capabilities that can adapt at machine speed,” Hummel noted.

MORE FROM ITPRO

• DDoS attackers are pouncing on unpatched vulnerabilities
• How to recover from a DDoS attack – and what they can teach businesses
• Application layer DDoS attacks are skyrocketing – here's why

The second quarter of 2025 saw a massive rise in application layer DDoS attacks, new research shows, with financial services firms the biggest target.

Application-layer attacks target web applications and are hard to detect, with malicious traffic closely resembling legitimate user requests. According to researchers at Qrator Labs, the second quarter of this year saw a 74% surge compared to the same period last year.

Thanks to their reliance on uninterrupted online services and real-time digital transactions, financial organizations accounted for 43.6% of these attacks, with eCommerce firms the victim in 22.6% of cases and ICT services accounting for 18.2%.

Meanwhile, the second quarter also saw the emergence of the largest DDoS botnet ever recorded, consisting of 4.6 million infected devices. To put this in context, this is more than 3.5 times larger than the previous record and nearly 20 times larger than the biggest botnet identified in all of 2024.

“The explosive growth of application-layer DDoS attacks is a direct consequence of the rapidly expanding number of vulnerable devices with fast internet connections,” said Andrey Leskin, chief technology officer at Qrator Labs.

“The size of botnets we observe today would have been unimaginable just a year ago. An attack launched by a botnet of this scale, if not properly mitigated, can generate tens of millions of requests, overwhelming online services until websites become inaccessible, critical transactions fail, and entire digital operations come to a halt."

DDoS attacks targeting the network and transport layers - layers 3 and four - got bigger, with 43% more attacks exceeding 1 Gbps than in the same period last year.

The longest targeted online gambling providers and lasted just over four days.

Typical application layer DDoS attack methods

As for the application layer, layer 7, most attacks were classified as Request Rate Patterns.

The top three countries from which layer 7 DDoS attacks originated during the quarter were the same as last year: Russia accounted for 17%, the US for 16.6%, and Brazil for 13.2%.

Researchers noted that the longest Layer 7 DDoS attack in Q2 2025 lasted 65.5 hours.

Qrator Labs said organizations should enhance their incident response plans, invest in advanced DDoS mitigation services and conduct regular infrastructure stress testing to ensure resilience.

"Not every DDoS protection provider is equipped to handle an assault of this magnitude, which means that even businesses with defenses in place may find themselves unprepared for the impact,” said Leskin.

Last month, research from Akamai Technologies and FS-ISAC, a not-for-profit cybersecurity organization for the financial sector, found that application layer DDoS attacks against the financial sector rose by 23% between 2023 and 2024.

The sector remained the leading target for volumetric DDoS attacks year over year, with a major spike in October last year.

MORE FROM ITPRO

• How to recover from a DDoS attack – and what they can teach businesses
• DDoS attackers are pouncing on unpatched vulnerabilities
• A disgruntled ex-Disney employee targeted former colleagues with DDoS attacks

IoT manufacturers are failing to help prevent DDoS attacks by fixing known vulnerabilities, allowing criminals to launch years-long campaigns.

Unpatched or poorly secured devices, purpose-built to keep costs down, allowed attackers to launch over 27,000 botnet-driven DDoS attacks during March alone. New figures from NetScout reveal that service providers were hit with an average of one attack every two minutes.

Overall, there were around 880 confirmed DDoS attacks per day, peaking on March 10 with more than 1,600 incidents.

The average event lasted about 18 minutes and 24 seconds - slightly longer than in previous months, and much longer than the five-to-fifteen-minute global average for DDoS attacks. This, said the firm, indicates a trend towards smaller, more persistent targeting.

NoName057(16) was behind more than 475 claimed attacks in March, more than three times as many as the next most active group.

The group's particularly involved in politically motivated DDoS campaigns targeting governments, infrastructure and organisations.

"We observed more than 26,000 attack configurations linked to the group’s infrastructure, representing variations in vector combinations, targets, and timing," NetScout said.

"In total, more than 500 IP addresses and more than 575 domains were targeted, indicating a substantial volume of unclaimed activity and sustained command-and-control operations throughout the month."

The most common TCP port combo, NetScout found, was 80 and 443, used in more than 850 attacks. For UDP, 443 and 80 dominated, reflecting a focus on encrypted and web-facing services.

Top attack vector was TCP SYN floods, appearing in more than 5,500 attacks, and accounting for one-in-five of all DDoS events in March. Multi-vector attacks were common, including combinations such as TCP SYN + DNS Flooding and TCP ACK + TCP SYN.

There were a number of sources for these attacks: Mongolia led with more than 2,900 attacks, mainly traced to localized IoT and router infections.

But there were also a number of multi-country combinations, the top one being Germany and the US, which were involved together in more than 600 attacks.

"This pairing likely reflects attacker interest in leveraging reliable infrastructure — such as cloud-hosted resources or enterprise devices — alongside continued abuse of under-secured networks in other regions," said NetScout.

Many of the vulnerabilities exploited are old, public, and well-documented. They include CVE-2017-16894, CVE-2019-17050, and CVE-2021-41714, often seen in bot clusters focused on service-provider infrastructure. Meanwhile, CVE-2021-27162 and related exploits showed up across thousands of events, pointing to broader exploitation campaigns.

"Service providers are still squarely in the crosshairs, and March made that even more obvious," said the firm, advising service providers to be vigilant.

"It’s not just about stopping traffic; it’s about understanding where that traffic is coming from, why it’s happening, and what it could become. March’s activity shows that DDoS attacks are still growing in sophistication and intent."

MORE FROM ITPRO

• Surging DDoS attack rates show no sign of slowing down
• How to recover from a DDoS attack – and what they can teach businesses
• NCA takes down world’s most prolific DDoS-for-hire website

With the festive period traditionally a time for hackers to mount Distributed Denial-of-Service (DDoS) attacks, Europol has moved to preempt them with a sweeping takedown campaign.

The agency has seized 27 of the most popular platforms, known as booter and stresser websites, used to carry out these attacks. These include zdstresser.net, orbitalstress.net, and starkstresser.net.

Three administrators have been arrested in France and Germany, and more than 300 users have been identified for action in the future, the agency confirmed.

Over the last quarter, research from Cloudflare shows the number of DDoS attacks globally has soared, up by 49% on the previous quarter, with the banking and financial services industry subject to the most attacks.

"The festive season has long been a peak period for hackers to carry out some of their most disruptive DDoS attacks, causing severe financial loss, reputational damage and operational chaos for their victims," said Europol.

"The motivations for launching such attacks vary, from economic sabotage and financial gain to ideological reasons, as demonstrated by hacktivist collectives such as Killnet or Anonymous Sudan."

Operation PowerOFF was coordinated by Europol and involved law enforcement agencies from 15 countries. Frank Tutty of the UK's National Cyber Crime Unit, said the takedown will help to “undermine trust” among cyber criminals.

"DDoS-for-hire services are a key component of cyber crime, and enable individuals with limited technical capability to offend with ease due to their ease of access and perceived anonymity," he said.

"Operation Power OFF helps to undermine trust in this criminal marketplace and make cyber criminals think twice before unleashing DDoS attacks, which can have serious consequences."

As well as taking down the websites, Europol said it was planning to launch an online ad campaign aimed at deterring people from taking part in these types of attacks.

The campaign will include Google search ads, to be displayed to young people searching for DDoS-for-hire tools on Google, as well as preventative messages aimed at young people watching YouTube tutorials on DDoS-for-hire tools.

Along with this, Europol plans to carry out ‘knock-and-talks’ and send more than 250 warning letters and 2,000 emails to users of illegal services.

"We know that Booter services are an attractive entry-level cyber crime, and users can go on to even more serious offending. Therefore, tackling this threat doesn't just involve arresting offenders, it includes steering people away from straying into cyber crime and helping them make the right cyber choices," said Tutty.

"This is why our Google ad campaign is such a crucial part of this overarching operation, preventing would-be offenders from engaging with them in the first place, in tandem with enforcement action undertaken by law enforcement partners around the world."

In October, US authorities charged two Sudanese nationals involved in a major DDoS cybercrime network known as Anonymous Sudan, following an international investigation.

The group's DDoS tool was used to launch more than 35,000 DDoS attacks over the space of a year, causing more than $10 million in damages to victims in the US alone.

Microsoft has revealed that threat actor group Anonymous Sudan was behind a recent spate of outages that affected cloud services earlier this month. 

In an advisory published at the weekend, the tech giant revealed that a series of outages were caused by highly effective distributed denial of service (DDoS) attacks. 

Azure, Outlook, and OneDrive customers were left in the dark for hours due to the incidents, prompting a rapid investigation by Microsoft’s threat analysts. 

“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability,” Microsoft said in its advisory. 

“Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.”

Microsoft noted that, to date, it has seen no evidence that customer data has been accessed or compromised.

The investigation by Microsoft revealed that the attacks specifically targeted level 7 web traffic using a number of methods. These included cache bypass, slowloris, and HTTP(S) flood attacks.

The latter of these attacks, Microsoft explained, aims to exhaust system resources by leveraging a high volume of SSL/TLS ‘handshakes’ and HTTP(S) requests processing. 

“In this case, the attacker sends a high load (in the millions) and HTTP(S) requests that are well distributed across the globe from different source IPs. This causes the application backend to run out of compute resources (CPU and memory),” Microsoft’s advisory read. 

In response, Microsoft said it hardened layer 7 protections, including “tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks”.

Who is behind Anonymous Sudan?

Anonymous Sudan is one of the newcomers to the global threat landscape, having officially launched operations in January 2023, assembling on the Telegram messaging platform according to security firm CyberCX. 

CyberCX said the use of the Anonymous Sudan name was an “apparent reference to a 2019 operation by Anonymous”. 

The group, which describes itself as a ‘hacktivist’ organization has already gained notoriety through a series of major attacks. 

In March, the group threatened to disrupt Melbourne Fashion Week shows, citing opposition to a clothing line that displayed the term ‘God walks with me’. 

While this preceded a broader spate of attacks against Australian organizations, at the time the move against Melbourne Fashion Week suggested that the group may have had religious motivations. 

The group is also behind an apparent attack on the European Investment Bank (EIB). Anonymous’ DDoS attack against EIB follows recent threats made against the bank. 

EIB confirmed the attack in a statement via Twitter on 19 June, adding that the incident was affecting the availability of the EIB and EIF websites. 

At present, there is no clear-cut information on the scale or severity of the attack. However, security researcher Kevin Beaumont commented on Twitter that it has “absolutely no financial impact whatsoever”. 

“What Killnet and Anonymous Sudan tend to do is look at things like share price changes and market moves and link them to their actions incorrectly,” he said. “Eg they linked MSFT share price moves to DDoS. No real link.”

However, analysis by CyberCX suggests that the group is unlikely to be a legitimate hacktivist group. Similarly, the firm said that the group is unlikely to be geographically linked to Sudan itself. 

“Anonymous Sudan has no known overlap with the original membership of the 2019 Sudan operation, which was anti-Russia and pro-Ukraine, and has been denounced by a prominent Anonymous account,” the firm said. 

CyberCX said that, based on current assessments of the group’s operations, Anonymous Sudan is likely affiliated with the Russian state. 

The group is publicly aligned with pro-Russian threat actors, and is known to be a member of the pro-Russian Killnet hacker collective. 

Observations of the group’s tradecraft also align with Russian-style tactics, CyberCX added, including the targeting of Western organizations in the government, healthcare, transport, and media sectors. 

“CyberCX assesses that there is a real chance that Anonymous Sudan is affiliated with the Russian state,” the firm said. “Persistent low-level disruption of Western countries is consistent with established Russian information warfare strategies.”

“Anonymous Sudan also primarily posts in English and Russian, with its first Arabic post more than a month after its creation.”

Anonymous Sudan has been highly aggressive since emerging earlier this year, and CyberCX said it expects the group to continue ramping up operations in the months ahead. 

“Anonymous Sudan is likely to continue to increase its tempo of operations over the next three months,” the firm said. “Anonymous Sudan now has more than 60,000 followers on its Telegram channel and reactions to its post have dramatically increased through May.”

“The group’s apparent access to significant resources and its dubious ideological associations means that it poses an atypical threat.”

Cloudflare has revealed details of its new One Partner Program, which it says presents a new way for the channel to integrate and extend its Cloudflare One platform.

The initiative builds on the solution’s comprehensive zero trust, network as a service, and cloud email security services, providing architecture designed to help customers to stay secure and efficient.

Cloudflare said the new programme bundles together the tools and services that partners need to ensure swift deployment, fast performance, as well as robust security across endpoints, networks, and email.

“In order to keep today’s business environment protected and productive, organisations need a unified solution to secure their distributed workforces and at the same time accelerate employee systems,” explained Matthew Prince, co-founder and CEO of Cloudflare. “But another key piece is broad adoption, and that’s why we’ve been working to seamlessly layer this into organisations without interruptions.

“Critical architectures like Zero Trust shouldn’t be complex, yet we hear every day from businesses that don’t know where to start. That’s why we have modernised how partners can fully implement and deliver what organisations of all sizes need most today.”

One of the most interconnected networks on the market, Cloudflare One spans 270 cities in over 100 countries. Over the last twelve months, the number of customers using the platform has grown by 100%, while daily average traffic has increased sixfold.

The platform boasts a number of integrated products such as ZTNA, Secure Web Gateway, CASB, DLP, Browser Isolation, IoT Security, and now Cloud Email Security.

With its new partner programme, Cloudflare says partners will now be able to better guide customers, deliver comprehensive solutions, protect users from phishing attacks, as well as secure every connection with zero trust controls.

“With this new Cloudflare One Partner Program for Zero Trust, Cloudflare has launched a first-of-its-kind set of integrated product suites and partner services packages that will give our Trusted Advisors a compelling set of solutions to take to market,” commented Shane McNamara, EVP of Engineering and Operations at AVANT Communications.

The news comes just days after a Cloudflare outage resulted in a number of major websites being knocked offline for around two hours, including those operated by Shopify, NordVPN, and gaming platform Steam.

An HTTP Error 503, also known as the "Service Unavailable" error, typically occurs when a website's server cannot handle a request, either due to being overloaded or undergoing maintenance, and there may not be anything you can do to resolve the problem, similar to the 502 bad gateway.

Unlike errors such as HTTP 400, which usually stem from user-side issues, HTTP 503 is a server-side issue, often requiring intervention from the website administrator. However, there are some steps users can take to troubleshoot and confirm whether the issue lies with their own connection or with the server itself.

Understanding HTTP Error 503

An HTTP Error 503, or "Service Unavailable" error, indicates that the server is temporarily unable to handle the request. This issue can be due to a variety of reasons, such as server overload, maintenance work, or technical difficulties on the hosting side. Unlike client-side errors, a 503 error is primarily a problem with the server itself, meaning that users have limited control over resolving it.

In 2021, a lot of popular websites experienced 503 errors as a result of the Fastly outage. A list of the afflicted sites included eerie gov.uk site, online retailers Amazon and eBay, internet forum Reddit, and news outlets such as CNN, Bloomberg, and The Guardian.

However, while the error typically stems from the server, there are steps you can take to confirm whether the issue is truly server-side or related to your own connection.

• Server overload: If too many users are trying to access the site simultaneously, the server may not be able to handle all the requests. This is often seen during peak traffic periods, such as during sales events on e-commerce websites.
• Server maintenance: Website administrators may schedule maintenance during off-peak hours, but if you're trying to access a site during that time, you may encounter a 503 error until the server is back online.
• DNS misconfiguration: If there’s an issue with how the server’s DNS is configured or if there’s an error in the server’s DNS records, users may be blocked from accessing the site.
• DDoS attacks: In some cases, a Distributed Denial of Service (DDoS) attack can overwhelm the server with traffic, causing it to crash or block legitimate requests with a 503 error.

• Check for server overload: During times of high traffic, such as flash sales or major events, your server might become overwhelmed with requests. To fix this, consider increasing your server capacity or using load balancing to distribute the incoming traffic more efficiently across multiple servers.
• Scheduled maintenance: If the error is caused by routine server maintenance, ensure that the downtime is scheduled during off-peak hours to minimize disruption. Use a maintenance mode page to alert users that the site will be back soon, so they know it's a planned outage.
• (DDoS) attack, ensure that your security infrastructure includes DDoS protection. Services like Cloudflare and other security tools can help mitigate attacks by filtering malicious traffic and protecting the website from overload.
• Fix DNS issues: A misconfigured DNS can also result in a 503 error. Double-check that your DNS settings are correct and that your server's DNS records are current. If necessary, consult your hosting provider or DNS provider to resolve any configuration errors.

If you find your website frequently shows an HTTP Error 503, it could be time to consider alternative hosting providers. Whether you or your company seeks free web hosting, cheap web hosting, or anonymous web hosting, good options are available.

A 502 Bad Gateway is a common error message users can encounter while browsing the web. This error indicates that a server on the internet received an invalid response from another server it was trying to communicate with. It's a frustrating message to run into, as it's usually impossible to tell what has caused the issue or what you can do to fix it. 

The 502 Bad Gateway is one of a number of HTTP status codes that can appear, preventing users from accessing content across that particular domain.

Understanding the root cause of a 502 Bad Gateway error can be challenging because the problem could stem from various issues, including server overload, network errors, or misconfigurations. 

This error might be temporary, caused by a sudden spike in traffic, or it could indicate a more persistent problem requiring technical intervention. Knowing some common troubleshooting steps can help users and administrators address this issue more effectively and restore access to the affected websites.

What does a 502 Bad Gateway error mean?

An Error 502 Bad Gateway appears when a browser is unable to connect to a website's host server, blocking access to content across that particular domain. This type of error will not be unique to one user and instead will appear for anyone trying to access the website's content.

To quickly check if there is a problem with your own PC or device, you can try visiting a completely different website. If you can access other websites without any issues, then you can be assured that your internet connection is functioning correctly, and the problem lies with the website experiencing the 502 error.

A 502 Bad Gateway error rarely lasts very long and is usually in the process of being resolved by the site administrator by the time you see the error message. Since the ‘Error 502 Bad Gateway’ message has been around for many years, website administrators have become quite adept at fixing them quickly. Often, the issue might be due to temporary server overloads or minor configuration errors that can be swiftly addressed.

Depending on the web server that's hosting the content you're trying to access, you may see additional letters or codes appear alongside the 502 Bad Gateway message. For example, you might see '502 bad gateway nginx' if the website uses the Nginx open source platform to handle load balancing. 

Despite these variations, the core problem remains the same regardless of the server being used: a disruption in communication between servers that prevents access to the website.

What causes a 502 Bad Gateway error?

Server overload: An overloaded server is one of the most common causes of a 502 error. This is where the server has reached its memory capacity, often activated by an unusually high number of visitors trying to access the same website. This can just be a coincidence or driven by a big event, but it can also be a targeted DDoS attack.

Request blocked by a firewall: Firewalls play a crucial role in protecting networks from cyber threats. However, they can sometimes overreach and inadvertently block legitimate traffic. This can happen when a firewall misinterprets a large influx of legitimate users as a potential DDoS attack. Additionally, certain DDoS protection layers may block requests from content delivery systems, causing network slowdowns and resulting in a 502 error.

Faulty programming: Errors in a website's code can also lead to 502 Bad Gateway errors. Glitches or bugs within the code might prevent the server from responding correctly to requests. When this happens, the server may return invalid responses, triggering the 502 error. Regular code audits and rigorous testing can help mitigate this issue.

Network errors: There is a multitude of potential networking errors that may occur, including potential DNS issues, routing problems, as well as issues relating to your Internet Service Provider (ISP). An ISP, for example, may have decided to block a certain web address.

Server software timeouts: Server software timeouts can also result in a 502 error. If a web server takes longer than expected to return a request and the caching tool exceeds its time values, a 502 error may be displayed. Slow queries or delays in processing requests can contribute to this problem. Optimizing server performance and ensuring efficient query handling can reduce the likelihood of timeouts.

Fixes for a 502 Bad Gateway error

There are several key steps that users can take to fix a 502 Bad Gateway error. However, it's important to note that because it's very likely the error is being caused by the website server, these solutions only work occasionally and should be thought of a last resort.

How long does it take to fix a 502 Bad Gateway error?

The time required to fix a 502 Bad Gateway error can vary significantly, ranging from a few minutes to several hours, depending on its root cause. If the issue can be resolved on the client side, such as by refreshing the browser, disabling a VPN, or clearing the cache, the problem could be fixed relatively quickly.

However, if the issue lies on the web server, the resolution might take longer. For instance, if a website owner has recently migrated their domain to a new host, a 502 Bad Gateway error might occur due to propagation delays or configuration issues. Resolving such problems could take a day or two, depending on the complexity of the migration and the efficiency of the troubleshooting process.

Diagnosing the fault quickly is also a critical factor. A 502 Bad Gateway error could be caused by various issues, including faulty network equipment, which might go unnoticed for some time. Even if hardware issues are suspected, confirming and fixing them involves additional time for testing and verification.

Overall, it is challenging to provide a precise time frame for fixing a 502 Bad Gateway error, as it largely depends on the underlying cause. The complexity of the issue, the speed of diagnosis, and the responsiveness of the involved parties all contribute to the duration of the fix.

Preventing 502 Bad Gateway errors

Regular server maintenance and monitoring are crucial for preventing 502 Bad Gateway errors. By routinely checking server health, applying necessary updates, and performing scheduled maintenance, administrators can identify and resolve potential issues before they lead to significant problems. 

Utilizing tools such as server monitoring software, which provides real-time insights into server performance, can help detect anomalies early. Best practices include keeping software and hardware components up-to-date, monitoring server logs for unusual activities, and conducting regular performance audits to ensure everything runs smoothly.

Load balancing and traffic management are essential techniques for distributing network traffic evenly across multiple servers, thereby reducing the risk of server overload and preventing 502 errors. Load balancers can efficiently manage incoming requests by directing them to the least busy servers, ensuring no single server bears too much load. 

This not only enhances performance but also increases the reliability and availability of the website. Configuring load balancers involves setting up rules and policies for traffic distribution, regularly monitoring traffic patterns, and adjusting configurations as needed to adapt to changing loads.

Implementing these strategies helps create a robust and resilient server environment capable of handling high traffic volumes without interruption. By combining proactive server maintenance with effective load balancing and traffic management, organizations can significantly reduce the occurrence of 502 Bad Gateway errors, ensuring a seamless and reliable user experience.

Distributed denial of service (DDos) attacks present a devastating threat to business operations when executed successfully. This hostile methodology involves overwhelming a service with internet traffic from multiple sources, allowing attackers to take websites offline, disrupt critical infrastructure, and cause widespread operational damage.

In recent years, the scale and frequency of DDoS attacks have escalated dramatically. In 2025, Cloudflare reported mitigating over 20 million DDoS attacks in Q1 alone – a figure that nearly surpasses the total for all of 2024.

Hyper-volumetric attacks exceeding 1 Tbit/sec are no longer rare, and new tactics are making mitigation increasingly complex, even for capable IT departments.

As attack volumes surge and tactics evolve, DDoS has become more than just a blunt instrument of disruption. The past five years have seen an explosion in both the size and sophistication of these attacks – from record-breaking multi-terabit floods to targeted strikes at the application layer.

For businesses and public services alike, the need for robust, adaptive defences has never been more urgent.

How do DDoS attacks work?

At the most basic level, a DDoS attack attempts to render a website, server, or online service inaccessible by overwhelming it with traffic. Unlike traditional denial of service attacks that come from a single source, DDoS campaigns enlist thousands – sometimes even millions – of devices to flood a target simultaneously.

These devices often form part of a botnet, a network of compromised machines often including Internet of Things (IoT) such as smart cameras, routers, and even printers. Compromised devices can be used without the knowledge of their owners.

There are several types of DDoS attack, each targeting different layers of a system’s infrastructure: volumetric, protocol, and application-layer.

Volumetric attacks focus on saturating bandwidth by sending vast amounts of data to the network, while protocol attacks, such as SYN floods or ping of death, exploit weaknesses in networking protocols to exhaust server resources.

Meanwhile, application-layer attacks mimic legitimate user behaviour – such as HTTP GET or POST requests – to overwhelm a service from within, often bypassing traditional perimeter defenses.

Increasingly, attackers are combining these methods in multi-vector attacks, which strike multiple layers at once. These attacks are particularly hard to mitigate, requiring layered and automated defences that can filter traffic in real time.

Another challenge lies in the rise of amplification and reflection techniques, where attackers send small requests to misconfigured servers (like open DNS resolvers or NTP servers) that then “reflect” much larger responses to the victim. This enables threat actors to amplify their attack volume by up to 70 times, according to Cloudflare’s Q4 2024 DDoS threat report.

DDoS trends over the past five years

The past five years have seen DDoS attacks grow from blunt-force disruptions into highly targeted, strategic threats.

Attack volumes dipped slightly in 2021, with Nexusguard recording a 13% drop in attack count and a 50% decrease in average size. But this decline masked a tactical shift. Rather than relying on volume, attackers increasingly used multi-vector approaches that blended volumetric, protocol and application-layer techniques – making them harder to mitigate.

By 2022, the threat had intensified. Nexusguard observed a 75% jump in attack frequency in the first half of the year, while 2023 saw Cloudflare mitigate over 26 trillion malicious requests. HTTP-based attacks doubled, often targeting APIs and login systems. Attackers were now focusing on disruption with precision, not just scale.

In 2024, Cloudflare recorded a total of 21.3 million DDoS attacks – blocking 4,870 per hour. Halloween 2024 brought the largest yet: a 5.6Tbit/sec flood powered by a Mirai-variant botnet using 13,000 devices. Between Q3 and Q4 that year, attacks exceeding 1 Tbit/sec grew by 1,885%.

Across 2025, DDoS attacks have only worsened. Cloudflare now mitigates 5,376 DoS attacks each hour, and measured over double the number seen the previous year, for a total of 47.1 million DDoS attacks. Over the course of the year, telcos became the most-attacked industry, with the Asia-Pacific particularly heavily-targeted.

As more attacks breach the 1Tbps mark and application-layer strikes grow in intensity, the DDoS threat is more sophisticated – and relentless – than ever. In the future, researchers warn attackers could use AI to launch even larger DDoS attacks. Alarmingly, there are growing signs that threat actors may already be doing so.

What is the business impact of DDoS attacks?

It’s clear DDoS attacks are reaching new levels of scale and intensity, something that IT departments across the world are tracking closely.

On 19 December 2025, Cloudflare mitigated a record-breaking assault powered by the Aisuru-Kimwolf botnet. This is formed from an estimated 1-4 million Aisuru infected IoT devices, network devices, and virtual machines (VMs), paired with Android devices including mobile phones and smart TVs infected with the Kimwolf botnet.

The attack, launched against Cloudflare itself as well as its customers, involved 20 million requests per second and a total of 902 hyper-volumetric attacks.

Campaigns like this are designed not just to disrupt websites, but to exhaust backend systems and degrade performance silently over time.

The financial impact can be steep.

Industry estimates suggest that sustained attacks can cost mid-to-large organisations hundreds of thousands of pounds per hour, depending on the sector. In one notable case from 2023, a UK fintech firm suffered over £2 million in losses following a 12-hour outage, with costs spanning downtime, compensation, and legal recovery.

But the longer-term effects often prove more disruptive. Rebuilding trust, investigating weaknesses, and reconfiguring systems all take time – and resources. As DDoS-for-hire services proliferate and attackers refine their methods, robust mitigation is no longer optional – it’s essential.

DDoS attacks have become a constant in today’s threat landscape. No longer just blunt-force disruptions, they’ve grown in frequency, complexity and impact. while it was dealing with one.

It’s therefore more important than ever that businesses know how to effectively recover from a DDoS attack.

For businesses, the fallout goes far beyond downtime. Even brief outages can disrupt transactions, damage customer trust, and trigger lasting operational headaches. As reliance on cloud platforms grows, so does the risk of wider service interruptions and revenue loss.

This rising threat has prompted greater scrutiny from both regulators and insurers. In sectors like finance and healthcare, DDoS resilience is increasingly seen as a compliance issue. Insurers, too, are demanding proof of preparedness before underwriting risk.

Ultimately, DDoS defence now demands a proactive mindset. Scalable, layered mitigation must be built into infrastructure – not bolted on after the fact. As attackers become more agile, so too must defenses.

Cloudflare, headquartered in San Francisco, is a global technology firm known for its powerful content delivery network (CDN), cyber security services, and internet infrastructure offerings. Serving over 20% of the world's websites, the company’s portfolio includes cloud security, distributed denial-of-service (DDoS) mitigation, domain registration, and secure access service edge (SASE) solutions.

Founded by Matthew Prince, Lee Holloway, and Michelle Zatlyn in 2009, Cloudflare initially focused on fighting spam and protecting websites from cyber threats. Since then, it has grown to become a key player in digital security and network reliability, safeguarding millions of websites and digital assets worldwide.

Today, Cloudflare has evolved into one of the internet’s most significant infrastructure providers, protecting over eight million websites, APIs, and applications. The company operates through a network of more than 300 data centres across 120 countries, managing 13,000 networks globally, including all major ISPs.

When and how was Cloudflare founded?

Cloudflare’s origin story began with a pivotal meeting in 2009 at Harvard Business School, where Matthew Prince, then an MBA student, introduced Michelle Zatlyn to Project Honey Pot. This was an existing collaboration with Lee Holloway designed to track and expose the methods used by email spammers. Zatlyn recognized its business potential and the possibility to transform Project Honey Pot into a powerful security solution that could shield websites from the growing risk of distributed denial-of-service (DDoS) attacks.

With Zatlyn on board, the team — now comprising Prince, Zatlyn, and Holloway — laid out a business plan to develop what would become Cloudflare. Holloway spearheaded the technical side, building the first prototype that would not only protect websites from attacks but also enhance load times, an essential feature for a secure, efficient online experience. The plan won the prestigious Harvard Business School Business Plan Competition in 2009, lending both credibility and momentum to their ambitious project.

In the same year, the trio spent the summer refining Cloudflare’s beta version, which they released to a select group of users from the Project Honey Pot community. Early users saw significant improvements in site speed, with load times reduced by around 30% on average, along with enhanced protection from cyber threats. This dual benefit attracted interest from investors, including Ray Rothrock from Venrock and Carl Ledbetter from Pelion Venture Partners, who provided crucial funding to drive the venture forward.

Cloudflare made its official debut at TechCrunch Disrupt in San Francisco in 2010, capturing attention as a transformative approach to internet security and performance. The company quickly gained traction, attracting users seeking better protection against DDoS attacks and improved website performance.

Following years of growth and innovation, Cloudflare went public in 2019 on the New York Stock Exchange, marking a significant milestone in its journey. A year later, Zatlyn stepped into the role of president, underscoring her critical role in shaping the company’s vision and expansion.

What does Cloudflare sell?

Cloudflare provides a comprehensive range of services focused on enhancing the security, performance, and reliability of internet assets. Catering to individual site owners and global enterprises alike, Cloudflare's offerings cover a vast spectrum of web infrastructure needs.

At its core, Cloudflare's Content Delivery Network (CDN) accelerates the delivery of web content by caching data across a global network of over 300 data centres located in more than 120 countries. This reach allows users worldwide to experience reduced latency and faster loading times, regardless of their physical location. In addition to content delivery, Cloudflare is renowned for its Distributed Denial-of-Service (DDoS) mitigation. With robust protections against DDoS attacks, Cloudflare absorbs and disperses malicious traffic across its expansive network, ensuring websites remain accessible even during high-intensity cyber onslaughts.

Another key component of Cloudflare's security framework is its web application firewall (WAF), which filters and monitors HTTP traffic to safeguard web applications from common vulnerabilities, including SQL injection and cross-site scripting (XSS). Cloudflare’s WAF helps protect against some of the most critical threats identified by the OWASP Top 10, ensuring a secure online environment for users and applications alike.

To support enterprise-level requirements, Cloudflare One combines secure access with high-performance networking through a secure access service edge (SASE) architecture. This integrated solution aligns with zero trust security principles, providing secure, fast, and reliable access to applications and data, a necessity for modern enterprises. Alongside these core services, Cloudflare also offers domain registration as an ICANN-accredited registrar, emphasizing security with features like DNSSEC to protect against domain spoofing.

Cloudflare’s developer tools enhance web performance through a variety of offerings, including Cloudflare Workers, a serverless computing platform that allows developers to run JavaScript code at the network edge. By executing code closer to end-users, Cloudflare Workers significantly reduces latency, improving application performance. Argo Smart Routing further optimizes traffic flow by dynamically selecting the fastest and most reliable network paths, boosting reliability and user experience.

In addition to web acceleration, Cloudflare offers specialized tools for media management, such as Polish and Mirage for image optimization and Cloudflare Stream for video hosting and delivery. These tools ensure smooth and efficient media playback across devices while maintaining high-quality visuals.

Security remains a central focus for Cloudflare, with services that protect against a range of automated threats. Its bot management solution differentiates between human users and malicious bots, safeguarding sites from issues like credential stuffing and content scraping. Further securing internet traffic, Cloudflare provides SSL/TLS encryption at no cost and managed SSL/TLS certificates for added convenience, ensuring that data transmitted between users and websites remains private and protected.

Cloudflare mergers and acquisitions

Since its founding, Cloudflare has strategically acquired a series of companies that enhance its core capabilities in internet security, performance, and Zero Trust network architecture. These acquisitions have allowed Cloudflare to broaden its service portfolio, targeting emerging security needs and expanding its reach into critical infrastructure areas.

Early acquisitions began in 2014 with StopTheHacker and CryptoSeal, which bolstered Cloudflare's security offerings by adding advanced malware protection and VPN technology. In 2016, Cloudflare acquired Eager Platform Co. (now known as Cloudflare Apps), a platform that enables easy integration of third-party applications into websites, helping Cloudflare enter the growing ecosystem of web application services.

In 2020, Cloudflare acquired S2 Systems, a provider of browser isolation technology. This move strengthened Cloudflare’s Zero Trust offering by allowing users to browse securely, with threats isolated from users’ devices. The following year, Cloudflare acquired Zaraz, a company focused on improving website performance by managing third-party tools. Zaraz’s technology reduced client-side script load, enhancing page speed and security — two key aspects of Cloudflare’s mission.

The company's strategic expansion into email security began with the acquisition of Area 1 Security in February 2022. This acquisition marked Cloudflare's entry into email security, addressing a significant gap in its Zero Trust network strategy. At the time, CEO Matthew Prince emphasized the importance of securing email as "the largest cyber attack vector on the Internet", aiming to position Cloudflare as a leader in Zero Trust solutions. Area 1’s email security technology was integrated into Cloudflare's platform, adding layers of protection against phishing and other email-based attacks.

Also in early 2022, Cloudflare acquired Vectrix, a startup specializing in SaaS security tools. This acquisition extended Cloudflare’s reach into SaaS application security, further complementing its Zero Trust framework by offering visibility and control over third-party SaaS apps, an area increasingly critical to enterprise security.

In 2024, Cloudflare continued its expansion into Zero Trust with the acquisition of BastionZero, a company specializing in secure infrastructure access. This acquisition is expected to enhance Cloudflare's Zero Trust offerings further by strengthening infrastructure access controls, a key area of interest for enterprises managing complex IT environments.

Cloudflare's key executives

Cloudflare’s leadership team is a group of seasoned professionals dedicated to advancing internet security and performance.

• Co-founder Matthew Prince (pictured above) serves as CEO, leading the company since its inception in 2009 with a vision to enhance internet performance and security on a global scale.
• Another co-founder, Michelle Zatlyn, is president, COO, and a board member. Zatlyn has played a pivotal role in Cloudflare’s expansion, steering its operational and strategic initiatives that have bolstered the company’s international reach.
• Guiding financial strategy, CFO Thomas Seifert has been instrumental, especially during Cloudflare’s 2019 initial public offering.
• As CTO, John Graham-Cumming is responsible for driving technological development and innovation, shaping the company’s technical strategy to remain at the forefront of the industry.
• Chief strategy officer Stephanie Cohen, who joined Cloudflare in 2024 after an extensive tenure at Goldman Sachs, has been integral in refining Cloudflare’s strategic direction and partnerships.
• Mark Anderson was appointed president of revenue in February 2024, bringing over 25 years of enterprise technology experience from companies like Alteryx and Palo Alto Networks. Anderson oversees Cloudflare’s sales, marketing, and customer success operations, with a strategic focus on scaling the company’s growth toward $5 billion in annual recurring revenue.

What can customers expect from doing business with Cloudflare

Cloudflare has established itself as a leader in web performance and cyber security, with a mission focused on enhancing the speed, reliability, and security of internet properties worldwide. With a comprehensive portfolio that includes content delivery networks (CDN), distributed denial-of-service (DDoS) mitigation, advanced internet security tools, and serverless computing, Cloudflare provides solutions that cater to both individual website owners and global enterprises.

A central element of Cloudflare’s strategy is its strong commitment to partnerships. To achieve its vision of a safer and faster internet, Cloudflare offers an array of partner programmes, equipping partners with tools, resources, and dedicated support to strengthen customer relationships and drive growth. Through these initiatives, partners receive comprehensive training and tailored incentives to deepen product expertise, enabling them to effectively manage customer lifecycles and deliver optimal solutions.

Cloudflare’s approach fosters a supportive ecosystem for both customers and partners. The company places a strong emphasis on empowering businesses to meet their technology and security goals in complex, multi-layered IT environments.

With its expansive service suite and deep industry expertise, Cloudflare remains a key player in the technology sector, helping businesses achieve resilience, growth, and adaptability in today’s rapidly evolving digital landscape.