Quarterly Threat Trends (2025): What the Numbers Say, What They Don’t and Why It Matters


This public summary presents quarterly attack metrics for 2025, derived from the layer-7 attacks our SOC team handled during the year.


When we talk about “attack volume” or “containment time,” what do we actually mean, and how are those numbers moving this year? This quarterly brief pulls from telemetry across environments we monitor and aggregates it into simple, numeric signals: how many attacks occurred, how long they lasted, how intense they were (requests per second), and which broad categories they fell into (e.g., DDoS vs. application-layer attempts).

A few ground rules up front: this is not a single customer case study or a benchmark of any single network. It’s a numbers-only view designed to show directional trends in adversary pressure and defender response over 2025, grouped by calendar quarter. We report total requests, average duration, p95 duration (a “typical long tail” indicator), and peak request rates, with one important caveat: the peak-rate metric hits a measurement ceiling in our telemetry, so values at the top end are shown as ~100,000 ± 100 rps (read: “at or above 100k rps”).

If your job involves deciding where to harden, how to size capacity, or whether response playbooks are getting faster, this is the high-level pulse check you can skim in a minute and reference later.

Executive Summary

  • Fewer attacks, heavier bursts. From Q1 → Q2, observed attacks declined 55% (80 → 36), while total requests increased ~3.5× to 5.02B; fewer incidents carried much larger volumes.
  • Containment improved each quarter. Average attack duration trended 45.3 → 31.9 → 23.3 minutes (Q1→Q3). The p95 duration (long-tail) fell sharply in Q3 (120 → 57.6 minutes).
  • DDoS/DoS remained dominant. Application-layer “Injection” events (SQLi/XSS/PHP) declined from 9 in Q1 to 0 by Q3 in this dataset.
  • Peak rate readings hit an instrumentation ceiling. The maximum requests-per-second metric repeatedly saturates at a telemetry cap; it is reported as ~100,000 ± 100 rps to denote a ceiling rather than a true maximum.

Data & Methods

  • Periodization: Incidents are grouped by attack Start Date into calendar quarters for 2025.
  • Metrics included: number of attacks, total requests, average duration, p95 duration, and max observed request rate (RPS).
  • Normalization: Where the peak-RPS field reaches its limit, values are shown as ~100,000 ± 100 rps to indicate a measurement cap.

Why p95? The 95th percentile highlights “typically bad” tails by excluding the most extreme 5% of outliers. See: Percentiles, explained (resources below).
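The following is an added example, not the SOC's own tooling, showing how the three method rules above (periodization by start date, p95 duration, and normalizing a saturated peak-RPS reading) can be applied to incident records. The incident rows and the ±100 tolerance around the cap are constructed assumptions.

```python
import math
from datetime import date
from statistics import mean

RPS_CEILING = 100_000  # telemetry cap for the peak-RPS field, as described in the brief
CAP_TOLERANCE = 100    # readings within +/-100 of the cap are treated as saturated (assumption)

# Constructed sample incidents: (start date, total requests, duration in minutes, peak rps)
INCIDENTS = [
    (date(2025, 1, 14),    20_000_000,  30.0,  42_000),
    (date(2025, 2, 3),     90_000_000, 120.0, 100_000),  # saturated peak-rate reading
    (date(2025, 3, 21),    10_000_000,  12.5,   8_500),
    (date(2025, 4, 9),    900_000_000,  45.0, 100_000),  # saturated
    (date(2025, 5, 30), 2_000_000_000,  25.0, 100_050),  # within tolerance of the cap
    (date(2025, 7, 2),     50_000_000,  20.0,  61_000),
]

def quarter_of(d: date) -> str:
    """Periodization: calendar quarter keyed on the attack start date."""
    return f"Q{(d.month - 1) // 3 + 1} {d.year}"

def percentile(values, p):
    """Nearest-rank percentile: smallest sample with at least p% of values at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def is_capped(rps: int) -> bool:
    """A peak-rate reading at the ceiling is a saturated sensor, not a true maximum."""
    return abs(rps - RPS_CEILING) <= CAP_TOLERANCE

def quarterly_metrics(incidents):
    """Return {quarter: {attacks, total_requests, avg_duration, p95_duration, peak_rps}}."""
    by_quarter = {}
    for start, requests, minutes, rps in incidents:
        by_quarter.setdefault(quarter_of(start), []).append((requests, minutes, rps))
    out = {}
    for quarter, rows in sorted(by_quarter.items()):
        raw_max = max(r for _, _, r in rows)
        out[quarter] = {
            "attacks": len(rows),
            "total_requests": sum(r for r, _, _ in rows),
            "avg_duration": round(mean(m for _, m, _ in rows), 1),
            "p95_duration": percentile([m for _, m, _ in rows], 95),
            # Normalization: a capped reading is reported as a lower bound, never a literal max
            "peak_rps": ">= 100k rps (telemetry ceiling)" if is_capped(raw_max) else raw_max,
        }
    return out
```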

Quarterly Snapshot (2025)

Volume & Duration

  • Q1 2025: 80 attacks · 1.12B total requests · avg duration 45.3 min (p95 120 min)
  • Q2 2025: 36 attacks · 5.02B total requests · avg duration 31.9 min (p95 120 min)
    • Quarter-over-quarter: attacks −55%, total requests +348%
  • Q3 2025 (to date): 30 attacks · 1.04B total requests · avg duration 23.3 min (p95 57.6 min)
    • Quarter-over-quarter: attacks −17%, total requests −79%

Peak Request Rate (RPS)

  • Q1–Q3 2025: ~100,000 ± 100 rps (telemetry ceiling; interpret as “at or above 100k rps” rather than a literal maximum).

Attack Composition (Incident Counts)

Quarter    DDoS/DoS   Enumeration / Scanning   Injection (SQLi/XSS/PHP)   Web Scraping
Q1 2025    67         6                        9                          2
Q2 2025    76         4                        2                          5
Q3 2025    35         0                        0                          0

Observations (descriptive):

  • DDoS/DoS constitutes the majority of incidents across all quarters in this dataset.
  • Injection-class events appear early and are not present in Q3 entries.
  • Web scraping remains comparatively low, with a modest rise in Q2.

Reading the Trends

  • Intensity vs. frequency: The Q1→Q2 pattern, fewer incidents with much higher total request volume, is characteristic of campaigns that favor impact per event over raw frequency.
  • Containment trajectory: Shorter average and p95 durations quarter-to-quarter align with maturing response processes (e.g., faster triage and mitigation).
  • Category shifts: The disappearance of injection-class entries by Q3 (in this dataset) suggests either improved controls in that layer or detection/categorization changes.

Notes on Measurement

  • Peak-rate ceiling. The max-RPS metric saturates at ~100,000 ± 100 rps due to instrumentation limits; true maxima may be higher. Interpret capped values as “≥ 100k rps.”
  • Taxonomy caution. Attack-type labels can vary by source and time; grouped categories here are intended for high-level trend visibility rather than forensic classification.

Glossary & Resources

Ivan Dabić

Co-founder and CEO of BlueGrid.io, with a background in cloud infrastructure, distributed systems, monitoring, and security operations. He works closely with engineering teams to build and operate reliable systems while documenting both technical and organizational aspects of modern engineering work.

Ivan is a metalhead and a big fan of the cyberpunk movie genre. If you are his Secret Santa, go with a Star Wars Lego box!
