CERT-In 2025: India’s Web Attack Surface Is Under Continuous Reconnaissance
Attackers are scanning first and exploiting next. For CXOs, this is no longer a technical alert — it is a business-risk signal.
India’s digital economy is expanding at speed. Banks, NBFCs, fintechs, government portals, e-commerce platforms, healthcare and education systems, SaaS products, smart-city infrastructure, and MSMEs all depend more than ever on public-facing websites, APIs, and internet-connected services.
That growth has also expanded India’s exposed digital attack surface.
The latest CERT-In data, published in the APCERT Annual Report 2025, shows a sharp rise in reported cyber security incidents. CERT-In handled 29,44,248 incidents in 2025, up from 20,41,360 in 2024 — an increase of roughly 44% in a single year.
But the bigger story is not the overall rise. It is the single category now dominating the data.
In 2025, CERT-In recorded 24,36,320 incidents of Unauthorized Network Scanning/Probing — nearly 83% of everything it handled. The report also logged 3,41,646 vulnerable services, 1,48,223 virus/malicious-code incidents, 8,386 website defacements, 1,118 website intrusion and malware-propagation incidents, and 806 phishing incidents.
For any organisation running public-facing applications, that pattern is a warning.
Attackers increasingly do not open with ransomware or data theft. They open with reconnaissance — scanning websites, APIs, exposed services, login pages, admin panels, outdated software, and misconfigured infrastructure. Once they find a weakness, the next move can be exploitation, defacement, malware injection, phishing, credential theft, or a full breach.
The message for leadership is simple: web application security is now a board-level cyber-resilience priority.
Executive Takeaway: India’s 2025 CERT-In data shows attackers operating in a reconnaissance-first model. With scanning/probing up roughly 51% year-on-year and website defacements up roughly 53%, public-facing applications and APIs need continuous visibility, WAF protection, virtual patching, secure configuration, and faster response readiness. For CXOs this isn’t only a cyber-operations issue — it is a matter of business continuity, customer trust, regulatory confidence, and brand risk.
The 2025 Web Risk Equation
The CERT-In data points to a simple risk equation: 24.36 lakh scans + 3.41 lakh vulnerable services = high exploitation probability.
Scanning tells us attackers are actively looking. Vulnerable services tell us they are likely to find something. When both appear together at national scale, scanning stops being background noise — it becomes the first visible indicator of intent.
For a CISO, that is an early-warning signal. For a CIO, it is an exposure-management problem. For a CEO or board member, it is a question of business continuity and customer trust.
Why this matters now: Palo Alto Networks’ Unit 42 reports that attackers begin scanning for a newly disclosed vulnerability within about 15 minutes of the CVE going public, with the first exploitation attempts often arriving within hours — frequently before a security team has finished reading the advisory. At national scale, CERT-In’s 24.36 lakh scans are that 15-minute clock running continuously across India’s exposed estate.
The 2025 Web Risk Equation — reconnaissance plus exposure equals business risk.
CERT-In 2025 Data: A Web Application Security View
| CERT-In Incident Category | 2025 Incidents | Web Application Security Relevance |
|---|---|---|
| Unauthorized Network Scanning / Probing | 24,36,320 | Early-stage reconnaissance against exposed websites, APIs, web servers, admin panels, and internet-facing services |
| Vulnerable Services | 3,41,646 | Exposed or unpatched services: web servers, CMS platforms, frameworks, APIs, middleware, databases, backend systems |
| Virus / Malicious Code | 1,48,223 | May involve compromised web infrastructure, malicious scripts, infected downloads, web shells, or malware delivery |
| Website Defacements | 8,386 | Direct evidence of compromise — weak credentials, unpatched CMS/plugins, insecure uploads, poor access control |
| Website Intrusion & Malware Propagation | 1,118 | Compromised sites used for malware hosting, redirection, phishing, web shells, or further attacks |
| Phishing | 806 | Spoofed login pages, compromised websites, credential-harvesting forms, brand-impersonation pages |
| Others | 7,749 | Other incident categories handled by CERT-In |
| Total | 29,44,248 | National scale of reported cyber security incidents in 2025 |
CERT-In does not publish a category called “web application attacks.” But several categories in the report connect directly to the web layer. CERT-In confirms that 2025 incidents included website intrusion and malware propagation, malicious code, phishing, DDoS attacks, website defacements, unauthorized network scanning/probing, ransomware, data breaches/leaks, and vulnerable services. For web-facing organisations, these are not isolated buckets — they are connected stages of the same attack chain.
Four-Year Trend: Scanning Has Become the Dominant Pattern
| Year | Total Incidents | Scanning / Probing | Vulnerable Services | Website Defacements |
|---|---|---|---|---|
| 2022 | 13,91,457 | 3,24,620 | 8,75,892 | 19,793 |
| 2023 | 15,92,917 | 4,47,720 | 9,41,592 | 10,665 |
| 2024 | 20,41,360 | 16,10,608 | 2,94,908 | 5,496 |
| 2025 | 29,44,248 | 24,36,320 | 3,41,646 | 8,386 |
CERT-In reported incidents, 2022–2025 — scanning’s rise and year-on-year growth (verified figures).
The 2022–2024 analysis had already flagged the explosive rise in scanning and probing, from 3,24,620 in 2022 to 16,10,608 in 2024. The 2025 data confirms that was no temporary spike. Scanning has gone from under a quarter of all reported incidents in 2022 to more than four out of five in 2025.
From 2024 to 2025:
| Threat Signal | 2024 | 2025 | Growth |
|---|---|---|---|
| Unauthorized Scanning / Probing | 16,10,608 | 24,36,320 | ~51% increase |
| Website Defacements | 5,496 | 8,386 | ~53% increase |
| Virus / Malicious Code | 1,19,763 | 1,48,223 | ~24% increase |
| Vulnerable Services | 2,94,908 | 3,41,646 | ~16% increase |
| Total Incidents | 20,41,360 | 29,44,248 | ~44% increase |
One nuance worth stating plainly: vulnerable services are rebounding from a sharp 2024 dip — they stood at 9,41,592 in 2023 before falling to 2,94,908 — not climbing to a new high. The signal that has genuinely broken out, and stayed out, is scanning.
The takeaway for CXOs: attackers are scaling reconnaissance faster than most organisations are scaling defense.
Why Scanning Is a Web Application Security Problem
Most security teams see scanning every day. Repeated requests to odd URLs, admin paths, API endpoints, backup files, and config files get dismissed as background noise.
That mindset needs to change.
On a typical public web server, the scan traffic is unmistakable once you look for it — a steady drip of automated probes for known weak spots:
- GET /wp-login.php
- GET /.env
- GET /.git/config
- GET /phpmyadmin/
- GET /api/v1/users
- GET /backup.zip
- GET /admin/
Each of those is an attacker, or a bot working for one, asking a simple question: is anything here exposed, outdated, or misconfigured? They may not exploit on the first pass. Often they fingerprint the stack, note the versions, test a few weak paths, and return later with a targeted exploit. For a CXO, that is the real meaning of the scanning number — the organisation’s public-facing estate is being continuously examined by adversaries.
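The probe paths listed above are exactly the kind of signal a web server log already contains. The following is an added example (not code from the original article or from the SiteWALL product) that parses combined-format access log lines and scores each client IP on how many of those known probe paths it requested and how many 404s it produced, so that a scanner stands out from ordinary visitors. The log lines, IP addresses and thresholds are constructed for the example; the probe path list is the one the article gives.

```python
"""Flag reconnaissance in web server access logs (added example, not article code)."""
import re
from collections import defaultdict

# Paths the article lists as typical automated probes.
PROBE_PATHS = {
    "/wp-login.php", "/.env", "/.git/config", "/phpmyadmin/",
    "/api/v1/users", "/backup.zip", "/admin/",
}

# Apache/NGINX "combined" log layout (assumption: the default format is in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one scanner, one ordinary user, one client producing
# many 404s on unrelated paths, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:00:01 +0530] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2026:10:00:02 +0530] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2026:10:00:02 +0530] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2026:10:00:03 +0530] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2026:10:00:04 +0530] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.20 - - [12/Mar/2026:10:01:00 +0530] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2026:10:01:05 +0530] "GET /products?page=2 HTTP/1.1" 200 8210 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2026:10:01:09 +0530] "GET /api/v1/users HTTP/1.1" 200 930 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Mar/2026:10:02:00 +0530] "GET /old/page1 HTTP/1.1" 404 196 "-" "curl/8.4"',
    '192.0.2.9 - - [12/Mar/2026:10:02:01 +0530] "GET /old/page2 HTTP/1.1" 404 196 "-" "curl/8.4"',
    '192.0.2.9 - - [12/Mar/2026:10:02:01 +0530] "GET /old/page3 HTTP/1.1" 404 196 "-" "curl/8.4"',
    '192.0.2.9 - - [12/Mar/2026:10:02:02 +0530] "GET /old/page4 HTTP/1.1" 404 196 "-" "curl/8.4"',
    '192.0.2.9 - - [12/Mar/2026:10:02:03 +0530] "GET /old/page5 HTTP/1.1" 404 196 "-" "curl/8.4"',
    'this line is not in combined log format',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def score_clients(lines, probe_threshold=3, notfound_threshold=5):
    """Per client IP: probe hits, 404 count, distinct probe paths, and a flag.

    A client is flagged when it touched at least `probe_threshold` distinct probe
    paths or produced at least `notfound_threshold` 404 responses (constructed
    thresholds; tune them to the site's normal error rate).
    """
    stats = defaultdict(lambda: {"probe_hits": 0, "not_found": 0, "probe_paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as evidence
        s = stats[rec["ip"]]
        if rec["path"] in PROBE_PATHS:
            s["probe_hits"] += 1
            s["probe_paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
    result = {}
    for ip, s in stats.items():
        flagged = len(s["probe_paths"]) >= probe_threshold or s["not_found"] >= notfound_threshold
        result[ip] = {
            "probe_hits": s["probe_hits"],
            "not_found": s["not_found"],
            "probe_paths": sorted(s["probe_paths"]),
            "flagged": flagged,
        }
    return result


if __name__ == "__main__":
    for ip, s in score_clients(SAMPLE_LOG).items():
        print(ip, "FLAGGED" if s["flagged"] else "ok", s["probe_hits"], s["not_found"], s["probe_paths"])
```

On the constructed sample the scanner (203.0.113.7) is flagged on distinct probe paths, the curl client (192.0.2.9) on 404 volume, and the ordinary user is not flagged even though one of its requests hit /api/v1/users legitimately. The point for a security team is that the same logic fed from a live log tail turns "background noise" into a per-source signal that can be alerted on and correlated with WAF events.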
The Web Attack Chain: From Scan to Business Impact
The 2025 data reflects a familiar flow:
Scanning / Probing → Vulnerability Discovery → Exploit Attempt → Website Intrusion / Defacement / Malware / Phishing / Data Theft
From scan to business impact — the web attack chain.
This is where web application security controls become critical. A weak application or exposed service can escalate fast: a vulnerable login page leads to credential compromise; a misconfigured API exposes customer data; an unpatched CMS plugin ends in defacement; a malicious file upload becomes a web shell; a compromised site hosts phishing or malware; and a single exploit can be the entry point for lateral movement. Each step erodes customer trust, regulatory confidence, and brand reputation a little further.
For business leaders, the question is no longer “Are we being attacked?” The better question is: can we see and stop the early signals before they become incidents?
Web Application Attacks Hidden Inside CERT-In Categories
CERT-In’s categories don’t say “web application,” but several map straight onto the web layer:
Scanning / probing (24,36,320) is the reconnaissance layer. Public web assets are favourite targets because they are always reachable, often complex, and usually wired to sensitive data or business workflows.
Vulnerable services (3,41,646) is the exposure layer. Web applications sit on a stack of services — web servers, databases, middleware, API gateways, CMS platforms, authentication systems — and outdated Apache or NGINX, old PHP, an exposed Tomcat manager, a misconfigured Elasticsearch, or a deprecated TLS configuration all widen the opening. The more they are scanned, the higher the odds one gets exploited.
Website defacements (8,386, up from 5,496) are visible proof of compromise. A defaced page usually means an attacker gained control of part of the web environment — through an unpatched CMS or plugin, a weak admin password, missing MFA, or poor file-upload validation. A defaced homepage isn’t a cosmetic problem; it’s the first thing a customer, regulator, or journalist sees.
Website intrusion and malware propagation (1,118) is where a site becomes attacker infrastructure — hosting malware, redirecting users, injecting malicious JavaScript, dropping web shells, or spreading malware to visitors. The damage spills over to customers, partners, and the wider ecosystem.
Phishing (806) is smaller in volume but high in impact, because it attacks trust directly — spoofed login pages, fake portals, credential-harvesting forms. For BFSI, e-commerce, government, healthcare, and education, that lands straight on customers and citizens.
What This Means for CXOs
For CEOs and boards: cybersecurity is a business-resilience issue. Public-facing applications are now customer, revenue, service, and trust channels at once. If they are compromised, the impact reaches well beyond IT.
For CIOs: digital transformation has to include exposure management. Every new portal, API, cloud service, and release widens the attack surface. Asset visibility and secure architecture are now baseline.
For CISOs: shift from responding to incidents toward detecting the signals that precede them. Scanning, probing, abnormal API calls, and exposed services are early warnings, not noise.
For risk and compliance leaders: web application attacks lead to data breaches, downtime, regulatory exposure, and audit findings. Map controls — WAF, VAPT, secure configuration, logging, incident-response readiness — to your compliance and resilience requirements.
Why a WAF Buys Time While Patching and VAPT Catch Up
VAPT, patching, and secure coding are all essential. All three also have practical limits. Applications change constantly. New APIs ship. Legacy systems stay in production. Business teams push rapid updates. Emergency patching may need testing, downtime windows, or a vendor’s timeline. In many organisations, the exposure window is simply longer than the attacker’s scanning window.
That gap is what a web application firewall is for. A WAF reduces risk while applications are being fixed — detecting and blocking exploit attempts, malicious payloads, bot-driven reconnaissance, injection attacks, suspicious traffic, and known-CVE exploitation. It doesn’t replace secure coding, VAPT, or patching; it provides protection and visibility while those processes run.
A WAF such as SiteWALL can help with:
- Detection of scanning and probing behaviour
- Blocking of common web attacks — SQL injection, XSS, path traversal, command injection, and malicious file upload
- Virtual patching for vulnerable applications and rule-based blocking for known CVEs
- Protection for legacy applications
- API and application-layer visibility, with bot and abuse detection
- Security reporting for IT, risk, audit, and compliance teams
For CXOs, the value isn’t only technical blocking. It is reduced exposure, faster response, better visibility, and more confidence in public-facing digital operations.
Web Application Security Action Plan for Indian Organisations
If you do only three things:
1. Build and maintain a live inventory of every internet-facing asset — IPs, domains, subdomains, APIs, admin panels, and staging environments.
2. Implement an AI-powered WAF with virtual patching in front of your critical public-facing applications and APIs.
3. Treat scanning and probing as a monitored early-warning signal, not background noise.
The fuller programme:
- Treat scanning as an early-warning signal. Repeated hits on login pages, admin paths, APIs, backup files, config files, and unusual URLs should be monitored and investigated.
- Maintain a live inventory of internet-facing assets. Know every public IP, domain, subdomain, API endpoint, admin panel, staging environment, and exposed service. Unknown assets are unmanaged risk.
- Deploy a web application firewall. Protect critical public-facing applications, APIs, portals, and legacy systems — for both blocking and visibility.
- Secure APIs, not just websites. Monitor APIs for abnormal traffic, broken-authentication attempts, excessive requests, parameter manipulation, and unauthorized access.
- Use virtual patching where immediate patching isn’t possible. WAF-based virtual patching reduces exposure until permanent fixes are deployed.
- Harden CMS platforms and admin panels. Update CMS platforms, remove unused plugins, enforce MFA, restrict admin access, monitor file changes, and disable unnecessary services.
- Conduct regular VAPT. Annual testing is no longer enough for high-risk applications — test after major releases, new API deployments, architecture changes, and plugin updates.
- Correlate WAF, web server, API, and SIEM logs. Attackers rarely create only one signal; correlation across logs, EDR alerts, and SIEM events improves detection.
- Prepare for web-compromise scenarios. Incident-response plans should cover defacement, web-shell detection, malicious uploads, phishing-page hosting, credential compromise, API abuse, and data leakage.
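The "virtual patching" item above, and the earlier description of a WAF blocking injection, traversal and other exploit-shaped requests while a permanent fix is pending, can be made concrete with a small request filter. The following is an added example (not code from the original article or from SiteWALL) of a WAF-style rule set in Python: one rule is a hypothetical virtual patch for a vulnerable download endpoint whose file parameter must be a plain filename, and the rest are generic signature checks for the attack classes the article names. The endpoint, parameter name and patterns are assumptions for the example; a production WAF would carry far broader rule sets.

```python
"""Virtual patch as a request filter (added example, not article or SiteWALL code)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Rule 1 (hypothetical virtual patch): the `file` parameter on /download must be a
# plain filename. Traversal sequences and absolute paths are rejected at the edge
# until the application's own input handling is fixed.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

# Rule 2: generic payload signatures for the common web attacks the article lists.
# These are deliberately small illustrations, not a complete rule set.
PAYLOAD_PATTERNS = [
    ("path traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("sql injection", re.compile(r"('\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table)", re.I)),
    ("cross-site scripting", re.compile(r"(<script\b|javascript:|onerror\s*=)", re.I)),
    ("command injection", re.compile(r"(;\s*(cat|ls|id|whoami)\b|\$\(|`)", re.I)),
]


def inspect_request(method, url):
    """Decide whether one request should reach the application.

    Returns (allowed, reason): (True, None) when the request passes, otherwise
    (False, label) naming the rule that blocked it.
    """
    parts = urlsplit(url)
    path = unquote(parts.path)  # decode once so encoded traversal is visible
    params = parse_qs(parts.query, keep_blank_values=True)

    # Virtual patch for the hypothetical vulnerable endpoint.
    if path == "/download":
        if method != "GET":
            return False, "virtual patch: method not allowed"
        for value in params.get("file", []):
            if not SAFE_FILENAME.match(unquote(value)):
                return False, "virtual patch: unsafe file parameter"

    # Generic signature checks over the decoded path and every parameter value.
    candidates = [path] + [unquote(v) for values in params.values() for v in values]
    for label, pattern in PAYLOAD_PATTERNS:
        for candidate in candidates:
            if pattern.search(candidate):
                return False, label
    return True, None


if __name__ == "__main__":
    for method, url in [
        ("GET", "/download?file=report.pdf"),
        ("GET", "/download?file=../../etc/passwd"),
        ("POST", "/download?file=report.pdf"),
        ("GET", "/images/..%2f..%2fetc/passwd"),
        ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
        ("GET", "/products?id=1"),
    ]:
        print(method, url, "->", inspect_request(method, url))
```

Two design points matter in practice. First, the filter decodes the path and parameters before matching, because scanners routinely percent-encode traversal and script payloads to slip past naive string checks. Second, the virtual patch is scoped to one endpoint and one parameter, which keeps it from breaking unrelated functionality; blanket signature rules are the fallback, not the primary control, and both should be removed or relaxed once the application itself is fixed and retested.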
Final Thoughts: Web Application Security Is Now a Business Priority
CERT-In’s 2025 data shows India’s cyber threat landscape entering a reconnaissance-first phase. The dominant signal isn’t malware, phishing, or ransomware — it’s the sheer scale of scanning and probing.
For organisations, that means attackers are continuously examining public-facing websites, APIs, portals, and exposed services. Find a vulnerable service or a weak path, and the next step can be exploitation, defacement, malware injection, phishing, data theft, or disruption.
The rise from 20.41 lakh incidents in 2024 to 29.44 lakh in 2025 isn’t just a bigger number. It reflects mounting pressure on India’s digital infrastructure.
The organisations that come through best will be the ones that treat web application security as a strategic layer of cyber resilience: continuous visibility, WAF protection, API monitoring, virtual patching, secure configuration, regular VAPT, log correlation, and faster incident response.
In 2025, web application security isn’t a technical add-on. It is a requirement for business continuity, customer trust, regulatory confidence, and national cyber resilience.
Call to Action: Is your web application being scanned right now? Most attacks begin before the breach — with scanning, probing, and vulnerability discovery. SiteWALL helps organisations protect websites and APIs against reconnaissance, exploit attempts, malicious bots, application-layer attacks, and virtual-patching gaps. Protect your public-facing applications before attackers move from scanning to exploitation.
Data Sources
CERT-In 2025 figures: APCERT Annual Report 2025, CERT-In section, Table 2 — “Breakup of Security Incidents handled”, published April 2026.
Historical 2022–2024 figures: APCERT Annual Report 2024, 2023, 2022 (CERT-In section).
CVE scan-to-exploit timing: Palo Alto Networks, Unit 42 — 2026 Global Incident Response Report; figure originally reported in the 2022 Unit 42 Incident Response Report (attackers begin scanning within ~15 minutes of CVE disclosure; first exploitation attempts within hours).