Kenya’s cyber threat monitoring body detected over 3.3 billion threat events between January and March 2026, a 26% drop from the previous quarter but still an enormous volume driven almost entirely by attacks on system infrastructure.
The National KE-CIRT/CC, the government’s cybersecurity coordination center housed at the Communications Authority of Kenya, released its 41st quarterly cybersecurity report covering the first three months of 2026.
Of the 3.37 billion threats, 3.23 billion (~96%) were classified as system attacks, meaning attempts to exploit vulnerabilities in network devices, operating systems, databases, and critical infrastructure.
The remaining threats were spread across malware (68.7 million), brute force attacks (46.4 million), web application attacks (12.1 million), DDoS attacks (8.2 million), and mobile application attacks (219,549).
Something interesting shows up when you compare detections to advisories. Web application attacks generated the most advisories (10.4 million) despite being the third-lowest category by volume.
System attacks, despite making up the vast majority of detections, generated 8.1 million advisories, fewer than web application attacks. Web app vulnerabilities tend to be more exploitable and more damaging per incident, so they warrant more direct guidance to organizations.

| Attack type | Threats detected | Change vs. previous quarter |
| --- | --- | --- |
| System attacks | 3.23 billion | ↓ 26.14% |
| Malware | 68.7 million | ↑ 3.08% |
| Brute force | 46.4 million | ↑ 8.41% |
| Web application | 12.1 million | ↑ 4.71% |
| DDoS | 8.2 million | ↓ 85.93% |
| Mobile apps | 219,549 | ↓ 29.18% |

What’s Driving the Numbers?
Three root causes keep appearing in the report.
Across almost every category, the report points to the same underlying problems: organizations running software that hasn’t been patched or updated, staff who aren’t trained to recognize phishing or social engineering attempts, and the growing use of AI tools by attackers to automate and scale their operations.

System misconfigurations specifically (things like cloud environments set up with weak access controls, exposed databases, or default credentials left unchanged) were flagged as a persistent entry point.
The report notes that many organizations, particularly in rapidly digitizing sectors, lack visibility over their own cloud and hybrid systems. That’s a known problem: if you don’t know what you’re running, you can’t secure it.
Brute force attacks rose 8.41% from the previous quarter, partly attributed to expanded remote working and the continued targeting of RDP (Remote Desktop Protocol) configurations.
Attackers are also going after IoT devices through exposed Telnet ports; smart devices whose default passwords were never changed are effectively open doors.
Government, ISPs, and Cloud Providers Remain the Main Targets
Internet Service Providers, cloud service providers, and government systems were the most targeted across nearly every threat category.
This makes sense since they hold large volumes of user data and often manage infrastructure that other organizations depend on, making them high-value targets.
Financial services including banks, cryptocurrency platforms, and online trading platforms were also regularly listed among affected industries.
For DDoS attacks specifically, the health sector and government were the top targets. The report notes hacktivists and politically motivated groups (Advanced Persistent Threats, or APTs) were behind much of this activity, with the goal of disrupting public services rather than stealing data.
DDoS Attacks Dropped 86%, But Don’t Read Too Much Into It
The single most dramatic change in the report is the 85.93% drop in DDoS detections, from a much higher figure in October-December 2025 to 8.2 million this quarter. That sounds like progress, but the report doesn’t attribute this to improved defenses.
DDoS campaigns tend to be cyclical, often tied to specific events, geopolitical tensions, or hacktivist campaigns. A large drop in one quarter often simply reflects that the specific campaigns driving the previous spike have run their course.
Kenya Trained 85 People From 25 Organizations on Threat Intelligence Sharing
Beyond the threat data, the quarter included meaningful institutional activity. In partnership with the UK’s Foreign, Commonwealth and Development Office (FCDO), the KE-CIRT/CC ran a 5-day training program from March 2-6, 2026, in Nairobi for members of the National KE-CIRT/CC Cybersecurity Committee.
85 participants from 25 organizations attended, including government agencies, critical infrastructure operators, and academia.
The training covered threat intelligence platforms, specifically the MISP Threat Sharing platform and the PinPoint analytical tool, and focused on how organizations can share threat data with each other in a structured, timely way without getting tangled in legal or trust issues.
This was the final program under Phase II of the Africa Cyber Programme (ACP), a UK-funded initiative to build cybersecurity capacity across the continent.
Kenya also sent a delegation to the InCyber Forum Europe 2026 in Lille, France (March 30-April 2), and participated in the Africa CISO Summit in Nairobi (March 11-12), where the central themes were Africa’s cybersecurity skills gap and the need for better public-private collaboration.
A Threat Intelligence Platform Training is Planned for Q2
For the next quarter (April-June 2026), the KE-CIRT/CC plans to run a training program on a Threat Intelligence Sharing Platform (TISP) in collaboration with Expertise France.
The focus will be on getting key national bodies, including sectoral CIRTs and cybersecurity operations centers, to actually use standardized platforms for sharing threat data, rather than relying on ad hoc communication channels.
The goal is to close the gap between having a national cybersecurity framework on paper and having one that functions in practice.


























