Every DDoS sales call starts with the same question: how many Tbps do you mitigate? It's the wrong question, and the answer doesn't predict what reaches your application.
We wanted a different yardstick. The DDoS Resiliency Score — an open standard from Red Button Ltd. — is the closest thing the industry has to one. We self-assess ZERO-PROTECT at DRS 6. Here's what that means in real attacker terms — and where the scale stops being useful.
What the DRS Actually Is
The DDoS Resiliency Score is an open standard maintained by Red Button Ltd., a DDoS-testing firm. It defines seven ascending levels of attacker capability — analogous to the Richter scale, where each step is exponentially larger than the last.
It is not a certification. There is no body that hands out a DRS-6 sticker. The standard is licensed under GFDL — the same license Wikipedia uses — which means any organization can apply it for free. Several mitigation providers publish their score; we are one of them.
You can self-assess by reading the document and walking through your defences vector by vector. You can also commission Red Button or comparable firms for an external test. The output is the same number; the difference is who signed off on it.
The Seven Levels in Attacker Terms
Each level introduces new attack vectors and more volume. The standard's nicknames describe the attacker, not the attack:
| Level | Nickname | What It Looks Like |
|---|---|---|
| 1 | Poking | A curl in a loop. Anyone with a terminal. |
| 2 | Script kiddy | Free booter services. Spoofed source IPs. Rentable for the price of a coffee. |
| 3 | Basic | Reflection amplification (NTP, DNS, memcached). Standard DDoS-for-hire fare. |
| 4 | Sophisticated | Hundreds of thousands of req/s that route around your cache. The attacker has done minimal homework on your application. |
| 5 | Persistent | Millions of req/s. Headless browsers. Modern HTTP/2 attacks (Rapid Reset, HTTP/2 Continuation). Slow POST. The attacker has tooling. |
| 6 | Extreme | 5M req/s. 50,000-bot networks. Cache-bypass. Fingerprint rotation. The attacker has discovered your origin IP and is hitting it directly. Both tooling and budget. |
| 7 | State-sponsored | 25M req/s. 1M bots. 5 Tbps. Rare in practice. |
Most real-world attacks land at Level 3 or 4 — under a million requests per second. Level 5 is the long tail; current 2025 data from Cloudflare and Radware puts it at roughly 5% of HTTP attacks. The headlines about record-breaking events typically describe Level 7-class campaigns against hyperscalers — not the threat model of the average operator.
The engineering changes at Level 6. Below that line, blocking by IP, by ASN, by geo, or by simple rate limiting solves most problems. At Level 6 those tools stop working. The attacker has rotated through enough infrastructure that you have to defend on properties that don't rotate cheaply: TLS fingerprints, request behaviour, work-proof challenges that the attacker has to actually compute.
This is where most providers either invest heavily — or quietly degrade.
Where ZERO-PROTECT Scores
We self-assess ZERO-PROTECT at DRS 6 — "Extreme". The envelope:
- Sustained attacks at 5 million requests per second
- Bot networks of 50,000+ source IPs
- Cache-bypassing patterns (randomized URLs, query parameters)
- Fingerprint rotation that defeats per-fingerprint rate limits
- Direct-IP vectors where the attacker has discovered your origin and is hitting it bypassing the edge
That is the same band "Extreme" covers across the industry's publicly listed DRS scores. It absorbs every commercially available booter service we have encountered, every extortion campaign we have observed in the field, and every typical activist-collective campaign of the last several years.
"Self-assessed" is the honest qualifier. The standard is public, so anyone can verify the reasoning against it. We have not paid Red Button for an external test. If that distinction matters to your procurement, we can talk about commissioning one.
Why Self-Assessment Beats Tbps Claims
The Tbps numbers on marketing pages describe total scrubbing capacity a provider operates globally, summed across every PoP. Useful for press releases. Useless for sizing your protection.
What actually matters when an attack hits is: how much capacity sits at the specific edge location where your traffic lands, what filtering runs in front of that capacity, and whether shared customers consume from the same pool. None of that reduces to a single number.
The DRS levels are a workable approximation, because they describe the class of attack you can withstand, not the aggregate you have installed. A provider with 200 Tbps of global scrubbing capacity and a DRS-4 ceiling will lose at Level 5 attacks far below 200 Tbps. The headline doesn't help.
If a provider cannot tell you their DRS score — self-assessed or external — they either do not measure themselves, or the answer would not fit the brochure.
Where the Scale Stops
Level 7 is "state-sponsored". 25 million requests per second, a million-bot army, 5 terabits per second on the wire. Rare in practice, and not the threat model of a mid-market operator, a Mittelstand company, or a regional utility.
We do not claim Level 7. Anyone who claims Level 7 with their own edge infrastructure alone is overstating the case — sustained 5 Tbps absorption requires a multi-Tbps scrubbing federation, and even that takes seconds to converge. If your real threat model includes Level 7, you need a different architecture — and we will be the first to tell you that.
For everyone else: Level 6 is the band that matters. It is the practical ceiling of commercially available attack tooling.
The One Question Worth Asking
Use the DRS as a sanity check when you talk to any DDoS provider. Three questions are enough to surface most marketing exhaust:
- What is your DRS score?
- Self-assessed or externally tested?
- What attack vectors fall outside it?
The answer tells you more about the provider than a fifty-slide deck. The standard itself lives at ddosresiliencyscore.org — the document is under 30 pages.
ZERO-PROTECT runs on our own network (AS215197), in Germany, BSI-qualified, with self-assessed DRS 6. If you want to discuss your threat model and what fits, the team that operates the platform takes the call.