OrganisationUS

Imperva

Application security and DDoS mitigation firm owned by Thales; provides web application firewall and API security products, and publishes exploitation telemetry.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

How did Imperva detect 15,000 Drupal attacks in 65 countries within two days of a CVE being published?

Timeline for Imperva

#522 May

Logged over 15,000 attack attempts against ~6,000 sites across 65 countries within 48 hours

Cybersecurity: Threats and Defences: Drupal SQL flaw hits PostgreSQL sites

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

Who is Imperva and what do they do?: Imperva is a Thales-owned application and data security company providing web application firewalls, DDoS mitigation, bot management, and data security products. Its inline traffic sensors give it visibility into exploitation campaigns at global scale.Source: official
What Imperva data showed the Drupal SQL injection was being mass-exploited?: Imperva's sensor network recorded over 15,000 exploitation attempts against approximately 6,000 Drupal sites in 65 countries within 48 hours of CVE-2026-9082 being disclosed on 23 May 2026.Source: Imperva threat intelligence, May 2026
Is Imperva now part of Thales?: Yes. Thales Group, the French defence and aerospace firm, completed the acquisition of Imperva in 2023 for approximately $3.6 billion. Imperva continues to operate under its own brand within the Thales security portfolio.Source: Thales Group press release, 2023

Background

Imperva is an application and data security company offering web application firewall (WAF), DDoS mitigation, bot management, and data security products to enterprises globally. Founded in 2002 and publicly traded until its acquisition by Thales Group in 2023 for approximately $3.6 billion, Imperva operates a large inline traffic inspection network that gives it visibility into global exploitation patterns at scale. Its threat research team regularly publishes exploitation telemetry that informs the wider security community's response to newly disclosed vulnerabilities.

In May 2026, Imperva's sensors recorded the mass exploitation of CVE-2026-9082, the Drupal Core SQL injection vulnerability disclosed on 23 May 2026. Imperva telemetry documented more than 15,000 exploitation attempts targeting approximately 6,000 Drupal sites across 65 countries within 48 hours of the advisory's publication. This telemetry was instrumental in demonstrating the Velocity of exploitation and informing both CISA's KEV listing and enterprise patching urgency.

Imperva's role in the CVE-2026-9082 response illustrates the growing importance of large-scale inline inspection providers in the public vulnerability-response ecosystem. Because Imperva operates between attackers and web applications for thousands of customers, its sensors effectively form a distributed honeypot that surfaces exploitation campaigns in near-real time. Under Thales ownership, Imperva has expanded its European footprint, positioning itself as a sovereign-friendly security option for EU enterprises navigating the NIS2 compliance landscape.

Source Material

Imperva — Wikipedia Imperva — official website

How the World Sees Them

United States

Imperva's WAF customer base provides CISA with early-warning exploitation telemetry; the company's data-sharing with government bodies has become a de facto part of the US vulnerability-response infrastructure.

European Union

Under Thales ownership, Imperva is positioned as a European-sovereign-adjacent security option; NIS2-driven demand for EU-controlled WAF services strengthens its competitive position against US-only vendors.