AI-Powered Cyber Weapons: How DDoS Attacks Have Become Geopolitical Precision Strikes

The cyber battlefield has undergone a dramatic transformation. With over 8 million DDoS attacks recorded in just the first half of 2025—including record-breaking 3.12 Tbps strikes—cybercriminals are weaponizing artificial intelligence to launch unprecedented digital assaults. From AI-enhanced platforms like WormGPT, which democratize sophisticated attacks, to hacktivist groups orchestrating hundreds of precision strikes monthly against critical infrastructure, the threat landscape has undergone a fundamental shift. CISO Forum sat down with Gaurav Mohan, VP of Sales for SAARC & Middle East at NETSCOUT, to decode how AI is supercharging DDoS campaigns, why traditional defenses are obsolete, and what organizations must do to survive in this new era of cyber warfare.

Gaurav Mohan
VP Sales, SAARC & Middle East
NETSCOUT

CISO Forum: How have AI tools and large language models like WormGPT and FraudGPT transformed the scale, precision, and sophistication of DDoS attacks—and what does this mean for defenders trying to keep pace?

Gaurav Mohan: The integration of AI assistants into DDoS-for-hire platforms represents an alarming evolution and near revolution in the already transformed cybercrime ecosystem.  Just as large language models (LLMs) such as WormGPT and FraudGPT, priced at just USD 60 to USD 200 per month, enable non-technical criminals to generate malware and conduct sophisticated phishing campaigns, so too is AI being harnessed to launch more sophisticated DDoS attacks.  In many cases, DDoS attacks are used as a smokescreen to conceal other malicious activities, such as malware/ransomware downloaders or data exfiltration.

Organizations must recognize that traditional DDoS defenses, designed for predictable signature-based attacks, are entirely inadequate against AI-coordinated campaigns. AI-coordinated campaigns and AI-enhanced attacks analyze defensive responses in real-time, identify rate-limiting thresholds, mimic legitimate traffic patterns, and coordinate multi-vector attacks that evolve faster than human defenders can respond using traditional DDoS attack methods.  The integration of AI doesn’t just enhance existing attack methods but fundamentally changes the threat model.

CISO Forum: DDoS attacks are increasingly being deployed as precision-guided geopolitical weapons. Can you share examples from NETSCOUT’s visibility that illustrate how state-backed or hacktivist groups are using these tactics to destabilize critical infrastructure?

Gaurav Mohan: Hacktivist groups, such as NoName057(16), orchestrated hundreds of coordinated strikes each month, targeting the communications, transportation, energy, and defense sectors. DDoS-for-hire services have democratized attack tools, enabling novice actors to execute sophisticated attack campaigns.  AI-enhanced automation, multi-vector attacks, and carpet-bombing techniques pose significant challenges to traditional defenses.  Botnets compromising tens of thousands of IoT devices, servers, and routers deliver sustained attacks and cause considerable disruption.

While each of these elements is dangerous on its own, in aggregate, they have formed a perfect storm, creating unprecedented cyber risk for organizations and service provider networks worldwide.  In the first half of 2025, NETSCOUT observed more than 8 million DDoS attacks.  This included 50 attacks greater than a terabit-per-second (Tbps), including a 3.12 Tbps attack in the Netherlands and a 1.5 Gbps attack in the United States.  The India-Pakistan conflict saw hacktivist groups target the Indian government and financial sectors in May, while the Iran-Israel conflict generated more than 15,000 attacks against Iran and 279 against Israel in June.  More than 880 bot-driven DDoS attacks occurred daily in March, peaking at 1,600 incidents, with attack durations increasing to an average of 18 minutes.  Leveraging DDoS-for-hire infrastructure, DieNet orchestrated over 60 attacks since March, while Keymous+ launched 73 attacks across 28 industry sectors in 23 countries.  NoName057(16) claimed more than 475 attacks in March alone, 337% more than the next most active group, and targeted government websites in Spain, Taiwan, and Ukraine.

CISO Forum: With DDoS-for-hire services becoming more accessible and affordable, what’s the new risk calculus for enterprises and governments—and how do you see this “as-a-service” model reshaping the threat environment?

Gaurav Mohan: DDoS-for-hire services have become increasingly powerful, utilizing AI for bypassing CAPTCHA, with approximately nine in ten platforms now offering this capability.  AI is supercharging DDoS-for-hire attacks with real-time adaptation, intelligent evasion, and adjusted traffic flows.  Industries such as finance, healthcare, and cloud services are frequent targets, but no organization or sector is immune.

The new risk calculus is that “hope” is not a winnable strategy.  Leaders know that no industry, sector, company, or organization is immune to sophisticated DDoS attacks, which can be launched easily and for any reason, or no reason at all.  The real question is whether the damage it causes, or does not cause, depends on the type of defenses you have deployed to protect your critical infrastructure.

The legal concept of negligence is rooted in what a reasonable person or entity should do, knowing all the things they knew or should have known.  As DDoS continues to rapidly evolve and create irrevocable damage to service availability, brand, and reputation, the new risk calculus may turn to finding a way to explain to shareholders that even though one knew DDoS attacks were coming, they failed to do enough, or worse yet, anything to prevent it from hurting the organization.

CISO Forum: Your research highlights activity across 28 industries in 23 countries. Which sectors and regions are facing the highest concentration of attacks today, and why are adversaries zeroing in on these particular targets?

Gaurav Mohan: The key industries targeted by DDoS attacks included telecommunications carriers, computing infrastructure providers, data processing and web hosting services, employment placement agencies, telecommunications resellers, web portals and other information services, commercial banking, and colleges, universities, and professional schools. These attacks occurred across North America, the Asia Pacific, Europe, the Middle East, Africa, and Latin America.

Geopolitical events triggered unprecedented DDoS activity.  As mentioned earlier, during the India-Pakistan conflict, hacktivist groups targeted the Indian government and financial sectors in May, while the Iran-Israel conflict generated more than 15,000 attacks against Iran and 279 against Israel in June.  We cannot comment on the motivations behind the actions of adversaries.  Regardless of the intention or motivation behind DDoS attacks, if sectors, regions, and industries are critical to maintaining high service availability, individuals responsible for protecting their critical infrastructure need to take steps to deploy intelligence-driven, proven DDoS defenses that can defeat sophisticated attacks and mitigate the damage they cause.

CISO Forum: Given the record-breaking 3+ Tbps strikes and over 8 million attacks already this year, what immediate, actionable steps should organizations take to harden their infrastructure against the next wave of DDoS campaigns?

Gaurav Mohan: Organizations should build a resilient defense strategy with AI-powered, Adaptive DDoS protection by deploying systems that evolve dynamically, adjusting to shifting attack tactics mid-incident.  Real-time threat intelligence, powered by AI, is crucial for detecting patterns early and anticipating emerging threats.  Last but by no means least, strengthening infrastructure visibility ensures comprehensive monitoring across all network layers.

NETSCOUT is a Leader and distinguished Ace Performer in the QKS Q3 2025 SPARK Matrix ranking. We believe that leveraging NETSCOUT’s Arbor DDoS Attack Protection Solution is the best option for protection from advanced DDoS attacks. Our solution is an AI and ML-powered, intelligently automated combination of on-premise and in-cloud DDoS attack protection, continuously backed by our ATLAS global threat intelligence.

The on-premises NETSCOUT Arbor Edge Defense (AED) is an in-line, always-on solution that can automatically detect and stop all types of DDoS attacks, including Volumetric Attacks of up to 200 Gbps, TCP State Exhaustion Attacks, Application Layer Attacks, and Encrypted Traffic Attacks.  NETSCOUT Sightline and Arbor Threat Mitigation System (TMS) are the acknowledged leaders in DDoS protection for complex networks. More service providers, cloud providers, and large enterprises use Arbor Sightline & TMS for DDoS mitigation than any other solution.  Arbor Cloud is a 24/7, fully managed DDoS attack protection service offering over 15 Tbps of mitigation capacity via 16 worldwide scrubbing centers.

All these solutions are continuously powered by the AI-powered ATLAS Intelligence Feed (AIF), which leverages unparalleled internet visibility on a global scale. The AIF collects, analyzes, prioritizes, and disseminates data on DDoS attacks from 205 countries and territories, 398 industry verticals, and 15,612 autonomous system numbers (ASNs).

CISO Forum: With hacktivist campaigns escalating and AI-driven automation only getting more advanced, what does NETSCOUT see as the next frontier of DDoS threats—and how should policymakers, enterprises, and security leaders prepare for it?

Gaurav Mohan: We see DDoS attackers getting smarter, faster, and more dangerous by the day, pushing traditional defenses to their breaking point.  Attackers now wield AI, automation, and reconnaissance tools to strike with surgical precision.  We don’t have a crystal ball for the next frontier of DDoS threats, but we can foresee constant and rapid change as AI is increasingly embraced and leveraged in DDoS attacks.  Static, reactive solutions are ineffective today and will likely be useless in the future, given the advanced AI-driven automation and tactical development of new, sophisticated attacks.  Policymakers, enterprises, internet communication providers, cloud service providers, and security leaders must opt for adaptive, intelligence-driven defenses that evolve in response to these threats, regardless of their growth.  The key to survival lies in solutions that detect, analyze, and respond to attacks in real-time, focusing not only on blocking traffic but also on understanding its behavior and intent.
