Kenya absorbed 4.6 billion cyber threat events in the three months to December 2025, marking its sharpest quarterly spike in at least three years, according to a Communications Authority of Kenya (CA) report.
The figure is up from 842 million in the previous quarter a 441% jump in just one reporting period signalling mounting pressure on the country’s cybersecurity systems as its digital economy expands.
Threats surged across all categories. System vulnerabilities dominated at 4.37 billion events, rising 463%, while mobile application attacks climbed 303%. Distributed Denial-of-Service (DDoS) incidents recorded the steepest increase, jumping over 1,100% in the quarter.
Despite the spike, response levels lagged. DDoS-related advisories accounted for just a small fraction of the 21.8 million total alerts issued, highlighting a growing gap between threat levels and regulatory response capacity.
The CA linked the surge partly to the growing use of AI-powered tools by attackers, alongside weak software patching and low awareness of phishing and other social engineering tactics.
The escalation has been building. Kenya’s incident response centre had already flagged 657.8 million threats in mid-2024, followed by 2.54 billion in early 2025, showing a steep upward trend before the latest spike.
The rising attacks come at a time when Kenya’s digital infrastructure is becoming more critical to the economy, with platforms like M-PESA processing over 100 million transactions daily.
Authorities have urged stronger protections, including multi-factor authentication, better firewall configurations, regular system updates, and improved user awareness as cyber risks continue to grow.