ISPs Shield Themselves Against Cybercrime with AI and Security Operations Centers

Traditional protection systems, such as antivirus programs and firewalls installed on devices, remain useful, but they are no longer sufficient in the face of increasingly complex cyberattacks. In this landscape, Internet Service Providers (ISPs) become key players: by managing enormous volumes of traffic, they have the capability to detect irregular behaviors on the network that go unnoticed by users. This grants them an essential role in defending citizens and organizations against threats operating invisibly.

The current scenario reinforces this need: in 2024, traffic from automated bots surpassed that generated by humans for the first time, accounting for 51% of total web traffic. Of this amount, 37% was identified as malicious, according to the Imperva Report on Malicious Bots 2025. This data underscores the urgency of strengthening security directly within the Internet’s infrastructure.

Detecting the invisible: botnets, AI, and traffic patterns

Botnets, formed by compromised devices controlled by cybercriminals, have proliferated in the current era of hyperconnectivity. These networks operate stealthily and are capable of executing large-scale DDoS attacks, spreading ransomware, or stealing information without detection. A notable example was the Grandoreiro banking trojan campaign, whose infrastructure was dismantled in 2024 during an international operation involving ESET, Europol, Interpol, and the Brazilian Federal Police.

In this context, Internet Service Providers (ISPs) play a crucial role, acting as true digital control towers by managing vast traffic flows. From their position, they can identify statistical anomalies in the network, such as unusual volume spikes, repetitive communications to suspicious destinations, or connection attempts to command-and-control (C2) infrastructure.

Achieving this level of detection relies heavily on automation supported by artificial intelligence (AI). These technologies enable the recognition of deviations in global traffic patterns, differentiation between legitimate behaviors and potential incident indicators, and the generation of alerts related to botnet activity or distributed attacks. Additionally, threat intelligence enhances this work by allowing ISPs to proactively block connections to malicious domains, infrastructure that relies on domain generation algorithms (DGAs), or fraudulent services. All of this can be done without inspecting the content of communications, thereby ensuring user privacy.

“A Security Operations Center (SOC) is essential for ISPs to make a qualitative leap in incident detection and response,” explains Alejandro Aliaga, CTO of Ontinet.com, an official ESET distributor in Spain. “A SOC combines different capabilities: AI-based systems capable of identifying patterns beyond human perception, threat intelligence through blocklists, malicious domains, and IP addresses, along with analyst expertise to coordinate responses. Thanks to this combination, the ISP becomes the first line of defense against cybercrime.”

Collaboration as a key strategy

Beyond technology, collaboration among ISPs is crucial to curb the expansion of cybercrime. Sharing threat indicators and indicators of compromise allows for anticipation of global campaigns, containment of attacks before they spread, and reinforcement of the resilience of the entire digital infrastructure. Sectoral collaboration and joint efforts with specialized agencies are thus essential elements for creating a safer communication ecosystem.

“The adoption of managed security services, such as SOCs, is increasingly necessary for ISPs to anticipate attacks and protect their own infrastructures from campaigns led by cybercriminals, as was seen in 2024 with the operator FREE in France,” adds Aliaga. “The combined efforts of all actors in the Internet ecosystem, working in coordination and sharing knowledge, will help move toward a safer and more resilient network for everyone.”

Ontinet.com, represented by its CTO, will participate in the 7th Edition of the ISP Business Meeting, scheduled for September 12 at the Alcoy Industrial Circle. During the event, they will deliver the presentation “Sniffing Bad: Traffic Always Leaves Traces”, which will explore the role of ISPs as the first line of defense against cybercrime.
