


























APIs now represent the “dominant” attack surface for global organizations, with 87% registering a related security incident last year, according to Akamai.
Now in its 12th year, the security vendor’s latest State of the Internet (SOTI) report was produced from analysis of its own data.
The average number of API attacks per organization in 2025 was 258, up 113% from 121 in 2024, it found. Some 61% of API attacks last year involved unauthorized workflows and abnormal activity, up from 30% in 2024. Akamai said this indicates a shift from traditional web-based to behavior-based attacks.
Of the OWASP Top API Security Risks, security misconfigurations (40%), broken object property level authorization (35%) and broken authentication (19%) were the most frequently exploited vulnerabilities.
Akamai also warned that the growth of agentic AI is amplifying the risk of sensitive data exposure. An average of 3000 APIs per customer contained sensitive data last year, with 12% showing security weaknesses and a quarter (24%) of those issues related to sensitive data exposure.
“Since AI depends on APIs for integration and data exchange, the volume of sensitive information traversing these interfaces has increased exponentially,” the report noted. “In today’s AI-driven environment, securing AI truly starts with securing APIs.”
Read more on API security: 99% of Organizations Report API-Related Security Issues.
More generally, AI is helping threat actors to automate and accelerate attacks, as well as creating new vulnerabilities (eg vibe coding) that attackers can exploit.
“Attackers increasingly focus on degrading performance, driving up infrastructure costs, and exploiting AI-driven automation at scale, rather than seeking headline-grabbing campaigns,” said Patrick Sullivan, CTO of security strategy at Akamai.
“Automation and AI are making these sophisticated campaigns cheap, repeatable, and fast. And as enterprises invest heavily in AI transformation, attackers are targeting the APIs that power that transformation.”
Akamai also pointed to a growth in the number of coordinated attacks that blend API abuse, web application attacks and Layer 7 DDoS activity. Web app attacks surged in volume by 73% between 2023 and 2025, while Layer 7 DDoS attacks increased 104% over the past three years.
The latter are being fuelled by easy access to DDoS-for-hire services/botnets and AI-enabled attack scripts that streamline targeting of APIs and web applications, Akamai claimed.
The vendor had the following recommendations for CISOs:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。