Security research

The 2026 Edge Security Report

Every day, bunny.net acts as one of the internet's primary gateways. In this report, we share in-depth findings from 149 days of attack data and what it means for the security of the modern web.

  • 119 Points of Presence
  • 149 Days of Telemetry
  • 42.5B Requests Analyzed
  • 4.99B Requests Mitigated

Who we are

bunny.net is the edge platform behind nearly 2 million websites across 119 PoPs and 250 Tbps+ of backbone capacity. With 50 trillion requests per year, our network stops attacks at scale and gives builders a fast, reliable path to their users.

Main findings from The 2026 Edge Security Report

Four key findings drawn from 42 billion requests, nearly 5 billion mitigations, and 17 million attacker IPs. Each one reflects a shift worth understanding for anyone building or defending applications in 2026.

Automated traffic is increasingly API-driven.

HTTP libraries (curl, requests, Go HTTP client, and similar API clients) generate more traffic on their own than every declared bot category combined.

AI crawlers now match search-engine bot volume.

A year ago, search engines dominated automated indexing by an order of magnitude. ByteDance's Bytespider alone now holds a 48.1% share of AI crawler traffic.

Injection still leads WAF activity.

OWASP A03 attacks (SQLi, XSS, RCE, protocol-level) make up nearly half of all categorized WAF blocks. Log4Shell continues firing four years after disclosure.

Application-layer DDoS attacks hit record levels.

A January 20 Layer 7 attack attributed to the Aisuru botnet peaked at 16.5 million requests per second from 392,000 distributed IPs.

Download the report

See what 149 days of real-world 2026 internet data reveals about the next generation of security threats.

The 2026 Edge Security Report includes:

  • The state of web threats and the new shape of automated traffic
  • Application-layer attacks: WAF findings
  • Architectural considerations and practical mitigations
  • Real-world case studies