According to the latest report from Akamai, APIs are now deemed the primary attack surface for organizations worldwide, with a staggering 87% of businesses experiencing at least one security incident related to APIs in the previous year. This alarming statistic emerges from Akamai’s 12th annual State of the Internet (SOTI) report, which is based on extensive analysis of the company’s own data.
The report reveals a sharp increase in API attacks, projecting an average of 258 attacks per organization by 2025—a remarkable 113% rise from 121 attacks recorded in 2024. Notably, 61% of these API attacks last year were classified as involving unauthorized workflows and abnormal activity; this figure represents a significant increase from just 30% in 2024. The findings strongly indicate a shift in the nature of attacks, moving away from traditional web-based attacks to more sophisticated, behavior-based approaches.
Among the prominent threats outlined in the report are the OWASP Top API Security Risks. It highlights several vulnerabilities that are being frequently exploited, including security misconfigurations at 40%, broken object property-level authorization at 35%, and broken authentication processes at 19%. These statistics serve as a stark reminder for organizations to remain vigilant in addressing vulnerabilities within their API infrastructures.
Akamai further cautions that the rise of agentic AI is significantly amplifying the risks of sensitive data exposure. The analysis revealed that, on average, each customer managed approximately 3,000 APIs containing sensitive information, with 12% of these APIs exhibiting security weaknesses. Alarmingly, nearly a quarter (24%) of these vulnerabilities pertained directly to the exposure of sensitive data.
The report articulates a pressing concern: “Since AI depends on APIs for integration and data exchange, the volume of sensitive information traversing these interfaces has increased exponentially.” This denotes that a proactive approach to securing APIs is vital, especially in the context of AI’s growing prevalence in business operations. The implications are clear: protecting sensitive data in today’s AI-driven landscape begins with robust API security.
Moreover, the evolving landscape of cyber threats has seen AI become a tool for malicious actors. Akamai has noted that adversaries are increasingly employing AI to automate and accelerate their attacks, thereby generating new vulnerabilities—one such example being the emerging trend of "vibe coding," which attackers have begun to exploit. Patrick Sullivan, the CTO of security strategy at Akamai, emphasizes that today’s attackers are focusing less on eye-catching campaigns and more on degrading performance, escalating costs, and leveraging AI-driven automation.
Sullivan stated, “Automation and AI are making these sophisticated campaigns cheap, repeatable, and fast. As enterprises invest heavily in AI transformation, attackers are specifically targeting the APIs that facilitate this transformation.”
Akamai’s findings also underscore the emergence of blended attacks, which combine API abuse with web application attacks and Layer 7 DDoS activities. The volume of web application attacks surged by 73% from 2023 to 2025, while Layer 7 DDoS attacks saw a striking 104% increase over the same period. The rise in such attacks has been fueled by the availability of DDoS-for-hire services and AI-enhanced attack scripts that enable targeted assaults on APIs and web applications.
In light of these developments, Akamai has provided a set of recommendations aimed at Chief Information Security Officers (CISOs) to better protect their organizations against these growing threats:
- Visibility is Key: Establishing a robust understanding of the environment is essential for effectively combatting DDoS, application, and API-related attacks.
- Integrated Security Controls: Deploy a comprehensive security platform that can be tailored to the level of risk deemed acceptable by organizational leadership.
- Invest in Training: Development of personnel and established processes through training and validation exercises is critical to maintaining security posture.
- Leverage Industry Best Practices: When discussing security strategies with the board or information security teams, apply established frameworks such as OWASP to prioritize training, implement security measures, conduct red and blue team penetration testing, and analyze vulnerabilities effectively.
- Validate Security Controls with Reports: Utilize detailed industry analyses to assess the adequacy of current security measures.
- Holistic Protection: Ensure coordination across various security disciplines, including DDoS mitigation, web application firewalls (WAF), API security, bot prevention, and identity-aware controls, rather than isolating these as separate zones.
By following these guidelines, organizations can better safeguard their environments against the rapidly evolving threats posed by API vulnerabilities and the burgeoning risk landscape driven by AI. The pressing nature of these recommendations highlights the urgent need for elevated awareness and response strategies in the face of increasing cyber threats.