Kenya’s 2025/26 cybersecurity report

Kenya’s Cybersecurity Landscape: Key Threats, Trends and National Response

An analysis of the National KE-CIRT/CC Cybersecurity Report (July–September 2025)

Kenya’s digital ecosystem continues to expand at speed, driven by cloud adoption, mobile connectivity, digital government services and increased reliance on online platforms across critical sectors. Alongside this growth, however, the country’s exposure to cyber threats has deepened, reflecting broader global trends in cybercrime, espionage and digital disruption.

The National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), domiciled at the Communications Authority of Kenya (CA), has released its 39th Cybersecurity Report covering the period July to September 2025. The report provides a detailed account of the cyber threat landscape affecting the country, outlines response measures undertaken by the Authority, and highlights capacity-building initiatives aimed at strengthening national cyber resilience.

This article distils the key findings of the report, offering insight into the scale of cyber threats detected, the most affected sectors, emerging attack techniques, and Kenya’s evolving cybersecurity posture.

Mandate and Institutional Context

The Communications Authority of Kenya derives its cybersecurity mandate from the Kenya Information and Communications Act (KICA) of 1998, which empowers the Authority to facilitate the investigation and prosecution of cybercrime. This mandate has been reinforced by the Computer Misuse and Cybercrimes Act (CMCA) of 2018 and subsequent regulations, including the 2024 Critical Information Infrastructure and Cybercrime Management Regulations.

The establishment of the National KE-CIRT/CC in 2014 marked a critical milestone in Kenya’s cybersecurity governance. Designed as a multi-agency coordination framework, the Centre brings together technical personnel from the Authority and law enforcement agencies to respond to cybersecurity incidents at a national level, while collaborating with regional and international partners.

Under the CMCA framework, the Authority has also assumed responsibility for operating the Cyber Security Operations Centre (CSOC) for the ICT and telecommunications sector, further centralising threat detection, analysis and response capabilities.

Director General’s Perspective: A Threat Landscape in Flux

In his foreword, Communications Authority Director General and CEO, Mr. David Mugonyi, EBS, underscores the growing sophistication of global cyber threats and their direct implications for Kenya. Ransomware, distributed denial-of-service (DDoS) attacks and social engineering campaigns remain prevalent, while more complex risks such as advanced persistent threats (APTs), supply-chain compromises, zero-day exploitation and AI-enabled deception are becoming more common.

Critical Information Infrastructure (CII) across sectors including government, telecommunications, banking, finance and academia continued to be prime targets. Attackers increasingly leveraged vulnerabilities in systems and user behaviour to disrupt services and undermine business continuity.

During the July–September 2025 period, the National KE-CIRT/CC detected over 842 million cyber threat events. In response, the Authority issued nearly 20 million cyber threat advisories, a 15.5 per cent increase compared to the previous quarter. These advisories focused on practical risk mitigation measures such as system patching, strong authentication, firewall configuration and improved cyber hygiene.

Overview of the Cyber Threat Landscape

The report demonstrates a strong alignment between global and national cyber threat patterns. Techniques and tactics observed internationally are increasingly replicated within Kenya, adapted to local infrastructure and sectoral vulnerabilities.

While the total number of detected threat events declined significantly compared to the previous quarter, this reduction does not necessarily indicate lower risk. Rather, it reflects improved filtering, better detection capabilities and changes in attacker behaviour. System attacks, malware and web application exploits remained dominant threat vectors.

Ransomware and Extortion Campaigns

Ransomware activity continued to intensify globally and nationally, with attackers increasingly targeting public services and critical infrastructure. Ransomware-as-a-Service (RaaS) models lowered the barrier to entry for attackers, while AI-assisted extortion techniques enabled more personalised and coercive campaigns.

In several cases, ransomware attacks were combined with DDoS activity, using service disruption as leverage to pressure victims into payment. The National KE-CIRT/CC advised organisations to maintain secure offline backups, adopt zero-trust network segmentation and regularly update threat intelligence to improve resilience and recovery.

Social Engineering and Phishing

Social engineering attacks became more targeted and convincing during the reporting period. Threat actors used AI-generated content, voice deepfakes and synthetic video to impersonate trusted individuals and institutions. Business Email Compromise (BEC) schemes, multi-channel phishing campaigns and tailored credential-harvesting kits were widely observed.

The Authority emphasised the adoption of phishing-resistant authentication methods, including hardware tokens and passkeys, alongside mandatory multi-factor authentication and continuous user awareness training.

Distributed Denial-of-Service (DDoS) Attacks

The National KE-CIRT/CC detected nearly 4.8 million DDoS attacks during the quarter, representing a substantial decrease from the previous period but still posing a significant risk to service availability. Many attacks leveraged IoT botnets and amplification techniques using protocols such as NTP and DNS.

Healthcare and government systems were particularly affected, with attackers aiming to disrupt access to public services. The Authority recommended scalable cloud-based traffic scrubbing, AI-driven anomaly detection and improved network visibility to mitigate such attacks.
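The NTP and DNS amplification pattern described above, as an added illustration of the kind of network-visibility check a defender can run; this is not the Authority's tooling, and the flow records, IP addresses and thresholds are constructed for the example.

```python
"""Flag UDP flows that look like NTP/DNS reflection-amplification traffic:
many distinct reflectors sending unusually large responses to one victim.
All flow records below are constructed sample data."""
from collections import defaultdict

AMPLIFIER_PORTS = {123: "NTP", 53: "DNS"}  # well-known source ports of reflectors

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 40001, "udp", 4400),
    ("198.51.100.8", 123, "203.0.113.10", 40001, "udp", 4480),
    ("198.51.100.9", 53, "203.0.113.10", 40001, "udp", 3900),
    ("198.51.100.10", 123, "203.0.113.10", 40001, "udp", 4400),
    ("198.51.100.11", 123, "203.0.113.10", 40001, "udp", 4500),
    ("192.0.2.5", 123, "203.0.113.22", 50123, "udp", 90),    # normal NTP reply
    ("192.0.2.6", 53, "203.0.113.23", 50124, "udp", 120),    # normal DNS reply
]


def flag_amplification(flows, min_reflectors=3, min_avg_bytes=1000):
    """Group inbound UDP responses from amplifier ports by destination and
    raise an alert when many distinct reflectors send large responses to the
    same host. Returns {victim_ip: summary}."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0,
                                      "count": 0, "protos": set()})
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto != "udp" or sport not in AMPLIFIER_PORTS:
            continue  # only responses from NTP/DNS service ports are of interest
        v = per_victim[dst]
        v["reflectors"].add(src)
        v["bytes"] += nbytes
        v["count"] += 1
        v["protos"].add(AMPLIFIER_PORTS[sport])
    alerts = {}
    for dst, v in per_victim.items():
        avg = v["bytes"] / v["count"]
        if len(v["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            alerts[dst] = {"reflectors": len(v["reflectors"]),
                           "avg_bytes": avg, "protocols": sorted(v["protos"])}
    return alerts


if __name__ == "__main__":
    for victim, summary in flag_amplification(FLOWS).items():
        print(f"possible amplification against {victim}: {summary}")
```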

System Misconfiguration and Cloud Weaknesses

Misconfigured systems remained a major contributor to breaches and data exposure. Rapid cloud adoption, unsecured APIs, default credentials and weak access controls created exploitable gaps across many organisations.

Attackers exploited publicly exposed databases, poorly secured storage and misconfigured serverless environments. The Authority advised organisations to adopt secure-by-default configurations, enforce least-privilege access, conduct regular configuration audits and use Infrastructure-as-Code (IaC) scanning tools to reduce exposure.
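As an added example (not code from the report or the Authority), a minimal configuration audit of the kind an IaC scanner performs, checking for the weaknesses listed above: an internet-exposed database, default credentials, a publicly readable or unencrypted storage bucket and an unauthenticated API. The Terraform-like resource records, names and the hardened counterpart are constructed assumptions.

```python
"""Minimal secure-by-default audit over constructed, Terraform-like resource
records. The weak deployment is shown beside its hardened counterpart."""
from typing import Dict, List

# Constructed sample: the weak configuration and its corrected form.
WEAK_DEPLOYMENT = [
    {"type": "database", "name": "customers-db", "port": 5432,
     "ingress_cidrs": ["0.0.0.0/0"], "username": "admin", "password": "admin"},
    {"type": "storage_bucket", "name": "backups", "public_read": True,
     "encryption": False},
    {"type": "api_gateway", "name": "mobile-api", "auth": "none"},
]
HARDENED_DEPLOYMENT = [
    {"type": "database", "name": "customers-db", "port": 5432,
     "ingress_cidrs": ["10.20.0.0/16"], "username": "svc_customers",
     "password": "${secret:customers-db}"},   # reference to a secrets store
    {"type": "storage_bucket", "name": "backups", "public_read": False,
     "encryption": True},
    {"type": "api_gateway", "name": "mobile-api", "auth": "oauth2"},
]

# Vendor-default username/password pairs (constructed list for the example).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("postgres", "postgres")}


def audit(resources: List[Dict]) -> List[str]:
    """Return one finding per violation of the baseline; empty list means clean."""
    findings = []
    for r in resources:
        name = f"{r['type']}/{r['name']}"
        if r["type"] == "database":
            if "0.0.0.0/0" in r.get("ingress_cidrs", []):
                findings.append(f"{name}: port {r['port']} open to the internet")
            if (r.get("username"), r.get("password")) in DEFAULT_CREDS:
                findings.append(f"{name}: default credentials in use")
        elif r["type"] == "storage_bucket":
            if r.get("public_read"):
                findings.append(f"{name}: bucket is publicly readable")
            if not r.get("encryption"):
                findings.append(f"{name}: encryption at rest disabled")
        elif r["type"] == "api_gateway":
            if r.get("auth", "none") == "none":
                findings.append(f"{name}: API exposed without authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_DEPLOYMENT):
        print("FAIL", finding)
    print("hardened deployment findings:", audit(HARDENED_DEPLOYMENT))
```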

Advanced Persistent Threats and Emerging Risks

Advanced Persistent Threat groups continued to target government and critical infrastructure systems, focusing on long-term espionage rather than immediate disruption. These actors relied on spear-phishing, zero-day vulnerabilities and supply-chain compromises to gain and maintain access.

The National KE-CIRT/CC highlighted the importance of behavioural monitoring, threat intelligence sharing and network segmentation, noting that traditional antivirus tools alone are often insufficient to detect such operations.

Sectoral Impact and Attack Vectors

System attacks accounted for the largest proportion of detected threats, with over 776 million incidents, primarily targeting operating systems, databases and network devices managed by Internet Service Providers and cloud service providers. Outdated software, weak credentials and insecure IoT deployments were common enablers.

Malware attacks increased by 7.7 per cent, with more than 31 million attempts detected. These attacks sought to encrypt data, deploy backdoors and exfiltrate sensitive information. Web application attacks, while declining, remained significant, often exploiting known vulnerabilities in widely used libraries and frameworks.

Brute force attacks targeted authentication systems, databases and remote access services, while mobile application attacks, though fewer in number, focused on harvesting personal and financial data from end-user devices.

Capacity Building and Strategic Partnerships

Beyond threat detection and response, the report places strong emphasis on capacity development. In August 2025, the Authority, in partnership with the UK Foreign, Commonwealth & Development Office and KPMG UK, hosted a four-day Cyber Threat Intelligence training programme for members of the National KE-CIRT/CC Cybersecurity Committee.

The programme combined technical and strategic exercises, including penetration testing, crisis simulations and post-incident reviews, aimed at strengthening both operational readiness and executive decision-making.

The Authority also hosted the inaugural Cybersecurity Youth Forum in September 2025, focusing on misinformation, digital responsibility and ethical technology use. With over 75 per cent of Kenya’s population under 35, youth engagement was highlighted as critical to building long-term cyber resilience.

Additional initiatives included professional cybersecurity bootcamps, regional benchmarking visits, bilateral exchanges with other national CERTs, and collaboration with sector regulators to strengthen cybersecurity oversight.

Outlook

Looking ahead, the Authority plans to deepen multi-stakeholder collaboration through national and regional forums, including the 2025 Annual Cyber Security Conference and the African Forum on Cybercrime. These initiatives aim to strengthen collective preparedness, improve incident response coordination and advance digital trust across the ecosystem.

As Kenya’s digital transformation continues, the report underscores a clear message: cybersecurity is no longer a purely technical concern but a national resilience issue requiring sustained investment, cooperation and vigilance.