Methodology

Transparent explanation of how we measure and calculate our statistics. Because numbers mean nothing without context.

Our Sensor Network

WF SecurityCloud is powered by a global network of strategically placed sensors that continuously monitor cyberattacks in real time. Each sensor acts as an observation post and collects threat indicators from its geographic area.

63 Active sensors
54+ Countries
10.50 ms Median response time
99.99% Uptime (SLA)

Geographic Coverage

Strong coverage: Europe, North America, East Asia, Oceania
Growing coverage: South America, Middle East, India
Limited coverage: Parts of Africa and Southeast Asia

We are transparent about where our sensors are located and where coverage is weaker. This does not affect protection — global threats are detected wherever they originate.

Statistics Definitions

Total blocked attacks since 2018

Cumulative count of cyberattacks blocked by WF SecurityCloud since product launch in February 2018.

SUM(all blocked threats from 2018-02-01 to NOW)

Includes: All attack types (phishing, malware, port scans, brute force, DDoS, etc.)
Excludes: False positives (filtered out via AI validation)

Current value: 749 305 963 attacks

Blocked attacks last 24 hours

Number of attacks blocked in the last 24 hours. Updated in real time every 30 seconds.

SUM(threats WHERE timestamp >= NOW() - INTERVAL 24 HOUR)

Rolling window: Exactly 24 hours backwards from current time
Real-time update: The number changes continuously as new attacks are blocked

Current value: 937 100 attacks

Blocked threats per minute

Average attack frequency calculated from the last 24 hours.

attacks_per_minute = last_24h_attacks / 1440 minutes

Example: 937 100 attacks / 1440 minutes = ≈651 attacks per minute

Current value: ≈651 per minute

Response time (median)

Median response time from when a client/sensor requests threat intelligence until a response is received.

MEDIAN(response_times WHERE timestamp >= NOW() - INTERVAL 1 HOUR)

Measurement method: Time from API request to first-byte received
Update frequency: Calculated every hour from the last hour
Why median: Median is more robust against temporary spikes than average

Current value: 10.50 ms

Uptime (SLA)

Percentage availability for WF SecurityCloud API and threat intelligence distribution.

uptime = (total_minutes - downtime_minutes) / total_minutes × 100%

Measurement period: Rolling 30-day window
Definition of "down": API returns HTTP 5xx or timeout > 30 seconds
Planned maintenance: Does NOT count as downtime (announced in advance)

Current value: 99.99%

99.99% uptime = max 4.32 minutes downtime per month

Data Collection and Classification

Data Types We Collect

WF SecurityCloud collects threat indicators from multiple sources:

  1. Network threats from sensors:
    • IP addresses performing port scanning
    • Brute force attempts against SSH, RDP, SMTP
    • DDoS attack traffic
    • Exploits against known vulnerabilities
  2. Email artifacts via honeypots:
    • Phishing links and domains
    • Malware attachments (analyzed in sandbox)
    • Spam patterns and sender signatures

    NOTE: These emails come from our own honeypots and spam traps, NEVER from customer mailboxes.

  3. WordPress telemetry from WF Sentinel:
    • Attack attempts against WP login pages
    • Exploits against plugins/themes (anonymized)
    • Aggregated statistics (no site-specific data)
  4. External threat feeds:
    • Security researchers and partner sources
    • Public threat intelligence feeds
    • Malware databases and signature repositories

Threat Classification

All collected threats are automatically classified by our AI engine:

  • Threat type: Phishing, Malware, Brute Force, Port Scan, DDoS, Exploit, etc.
  • Severity: Critical, High, Medium, Low (based on potential damage)
  • Target vector: Email, Web, Network, Application-level
  • Geographic origin: Country and region (when detectable)

Anonymization and Privacy

Data Retention

Threat indicators: Stored for 90 days. After that, only aggregated statistics are archived.
Attack logs: Anonymized after 30 days. IP addresses are replaced with hashed values.
WordPress telemetry: Anonymized at collection. No connection to specific sites.
User data: We do not collect personal data — so there is nothing to anonymize.

What We DO NOT Measure

  • Individual users' browsing history
  • Email content from customer mailboxes
  • Files or documents from customer machines
  • Personal data (names, addresses, etc.)

See our Privacy & Data page for more information.

Verification and Transparency

How You Can Verify Our Numbers

  1. Public API: Statistics are available via /api/public-metrics.php
  2. Real-time update: Numbers update every 30 seconds — see for yourself that they change
  3. Historical data: Compare numbers over time to see consistency
  4. Open source: WF Sentinel (WordPress plugin) is open source

Third-Party Validation

Security audits: Available for Enterprise customers
Transparency reports: Published quarterly at /transparency
SLA reports: Monthly uptime reports for all customers

Methodology Updates

This methodology is updated when we make changes to how we measure or calculate statistics. All changes are documented and announced in advance.

Last updated: 2026-05-13
Version: 1.0
Change history: See all changes

Questions about our methodology?

We are happy to answer technical questions about how we measure and calculate our numbers.

Contact us Privacy & Data

Frequently asked questions

Answers to the most common questions about this page

How large is the margin of error in your numbers?
AI validation filters out the majority of false positives before they are counted. For threat frequency measurements we use median instead of average to be robust against temporary spikes.
How often is the statistics updated?
Real-time numbers update every 30 seconds. SLA uptime is calculated on a rolling 30-day window. You can see the numbers change live on the threat intelligence page.
Do you count the same attack multiple times?
No. We deduplicate attacks based on unique threat signatures (IP + target port + time window). A distributed scan from one attacker counts as one attack, not hundreds.
How do you define a "blocked attack"?
An attack counts as blocked when our client or sensor identifies and stops a known threat signature (IP, domain, exploit pattern) before it reaches its destination.
Can I verify your numbers independently?
Yes. Statistics are available in a public API (/api/public-metrics.php), update live, and WF Sentinel (WordPress plugin) is open source. Third-party audits available for Enterprise customers.
Where is your statistics data stored?
In Sweden, on our own servers. Anonymized and GDPR compliant. See Privacy & Data for full transparency.