What 1.2B Requests Look Like: Anomaly Patterns from the SecureNow Firewall Fleet

This is an annotated data dump — what 1.2 billion requests across the SecureNow customer fleet looked like over the 30-day window ending May 1, 2026. The numbers are real, anonymized at the customer level, and meant for engineering teams trying to understand what their own traffic patterns probably look like.

The dataset

So out of every 100 requests, 18 were flagged as suspicious. That's high; the fleet skews toward public-facing apps which attract more bot traffic than private B2B SaaS.

Hour-of-day patterns

Average anomaly rate by UTC hour, smoothed over 30 days:

00:00 UTC  ████████████████████████ 22%
03:00 UTC  ███████████████████████████ 26%   ← peak
06:00 UTC  █████████████████████ 20%
09:00 UTC  ████████████████ 15%
12:00 UTC  ███████████████ 14%
15:00 UTC  █████████████ 13%
18:00 UTC  ███████████████ 14%   ← second peak (US business hours)
21:00 UTC  █████████████████ 16%

The 03:00 UTC peak corresponds to peak attack volume in our dataset. This doesn't mean your app is being targeted at 3 AM your time — it means automated scanners run on schedules, and the most active scanners run from time zones that put them at 03:00 UTC during business hours.

The 18:00 UTC bump corresponds to US business hours (10 AM PT to 2 PM ET) — likely human-operated scraping and reconnaissance.

Day-of-week patterns

Anomaly rate by day-of-week, normalized:

Monday    ████████████ 1.0× (baseline)
Tuesday   ████████████ 1.0×
Wednesday █████████████ 1.05×
Thursday  ████████████ 0.98×
Friday    ████████████ 0.95×
Saturday  ███████████ 0.85×
Sunday    ███████████ 0.80×

Weekends are quieter, but only by 15–20%. The "attackers don't work weekends" myth doesn't really hold up — automated traffic doesn't care about the calendar. The Sunday dip is from a slight reduction in human-operated scanning.

Top 10 anomaly types

Notable: known-bad IP filtering catches nearly a third of all anomalies on its own. The cost is approximately $0 (the AbuseIPDB feed is free for blocklist usage). Skipping this layer means accepting 30% more anomaly volume into your application.

Top 10 path patterns probed

(Excluding the noise from #2 above; this is the complete list of paths most-probed by scanners.)

The "fundamentals" of scanner reconnaissance are stable year over year. The same paths probed in 2020 are probed in 2026.

Geographic distribution of anomalies

Top 10 source countries by anomaly volume (note: the top sources aren't necessarily the source countries of attackers — many use VPNs/proxies):

The US-led concentration reflects US-based cloud and VPS providers that attackers rent compute from, more than US-based attackers per se.

Authentication failure patterns

Auth-failure anomalies (8.9% of all anomalies) break down as:

• Single-IP credential stuffing: 47% — easy to detect, blocks per-IP
• Distributed credential stuffing: 31% — many IPs, residential-proxy networks
• Token replay attempts: 14% — using leaked tokens against multiple targets
• Slow-rolling brute force: 8% — under per-IP thresholds, requires AS-level detection

The distributed credential stuffing share has grown from 12% in 2024 to 31% in Q2 2026. This is the trend most worth watching: per-IP rate limits are progressively less effective.

What you should do with this data

Three concrete observations for engineering teams:

1. Known-bad IP filtering catches a third of anomalies. Install it. Cost: $0. The AbuseIPDB feed plus simple middleware is the highest-yield single intervention you can make.

2. Distributed credential stuffing requires AS-level detection. Per-IP rate limits alone leave you exposed. See the per-AS rate-limit pattern.

3. Path-probe alerts catch CVE exploitation early. When a new CVE drops, scanner traffic spikes against the relevant path within 24 hours. An alert on "new path probe pattern" gives you a 24-hour heads-up to patch.

Related

• Free SecureNow Firewall
• The 3.2M malicious IPs report
• The $3,400 egress bill scraping post-mortem