Botnet

A botnet is a group of compromised devices or systems that can be remotely coordinated to perform unwanted activity.

In plain language, a botnet is a pool of infected machines that an attacker can direct to act together instead of as isolated individual systems.

Why It Matters

Botnets matter because scale changes the impact of malicious activity. Many compromised devices acting in coordination can increase disruption, hide the origin of activity, or create pressure on targets that one device alone could not create.

They also matter because botnets show how apparently low-value or scattered device compromise can become significant once centralized control exists. A large number of weakly protected endpoints can become a meaningful security problem when combined.

Where It Appears in Real Systems or Security Workflow

Botnets appear in malware analysis, network monitoring, denial-of-service investigations, threat intelligence, and incident response. Security teams look for coordinated communication patterns, suspicious outbound traffic, and command-and-control (C2) behavior that suggests a device is part of a wider compromised network.

Defenders use segmentation, egress controls, endpoint monitoring, and threat hunting to reduce the chance that organizational assets become part of a botnet or are affected by one.

Practical Example

An organization notices that several devices are repeatedly reaching unusual external destinations and following similar communication timing patterns. Even before a full investigation is complete, the coordinated pattern may suggest that the systems are being directed as part of a larger malicious network.
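
The check described above can be sketched as detection logic. This is an added example, not part of the original page: the flow records, host names, documentation-range addresses and thresholds are all constructed assumptions. It flags host-to-destination pairs with near-constant intervals, then keeps destinations that several hosts contact on a matching period.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, internal host, external destination).
# Three hosts contact one address about every 300 s with a few seconds of jitter.
FLOWS = [(1000 + 300 * i + (7 * i + off) % 5, host, "203.0.113.50")
         for host, off in (("ws-014", 0), ("ws-027", 2), ("printer-3", 1))
         for i in range(8)]
# Irregular, user-driven traffic and a short burst that should not be flagged.
FLOWS += [(t, "ws-014", "198.51.100.7") for t in (1010, 1095, 1900, 2050, 3300, 3320)]
FLOWS += [(t, "ws-031", "203.0.113.50") for t in (1200, 1210)]

def beacon_pairs(flows, min_events=6, max_cv=0.1):
    """Return {(host, dst): period} for pairs whose intervals are near-constant.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps between consecutive connections. Thresholds are assumptions.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    regular = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few events to judge timing
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            regular[pair] = round(avg)
    return regular

def coordinated_destinations(flows, min_hosts=2, tolerance=0.1):
    """Return {dst: [hosts]} where several hosts beacon on a matching period."""
    by_dst = defaultdict(dict)
    for (src, dst), period in beacon_pairs(flows).items():
        by_dst[dst][src] = period
    hits = {}
    for dst, hosts in by_dst.items():
        periods = list(hosts.values())
        spread_ok = max(periods) - min(periods) <= tolerance * min(periods)
        if len(hosts) >= min_hosts and spread_ok:
            hits[dst] = sorted(hosts)
    return hits

if __name__ == "__main__":
    for dst, hosts in coordinated_destinations(FLOWS).items():
        print(f"{dst}: shared beacon timing from {', '.join(hosts)}")
```

Regular timing alone also matches legitimate update checks and telemetry, so a hit is a lead for investigation rather than a verdict.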

Common Misunderstandings and Close Contrasts

A botnet is not defined by one specific malware family. The important idea is coordinated remote control over many compromised devices.

A botnet is also different from a worm. A worm emphasizes self-propagation. A botnet emphasizes a network of compromised devices under centralized or coordinated control.