APIs now represent the “dominant” attack surface for global organizations, with 87% registering a related security incident last year, according to Akamai.
Now in its 12th year, the security vendor’s latest State of the Internet (SOTI) report was produced from analysis of its own data.
The average number of API attacks per organization in 2025 was 258, up 113% from 121 in 2024, it found. Some 61% of API attacks last year involved unauthorized workflows and abnormal activity, up from 30% in 2024. Akamai said this indicates a shift from traditional web-based to behavior-based attacks.
Of the OWASP Top API Security Risks, security misconfigurations (40%), broken object property level authorization (35%) and broken authentication (19%) were the most frequently exploited vulnerabilities.
Akamai also warned that the growth of agentic AI is amplifying the risk of sensitive data exposure. An average of 3000 APIs per customer contained sensitive data last year, with 12% showing security weaknesses and a quarter (24%) of those issues related to sensitive data exposure.
“Since AI depends on APIs for integration and data exchange, the volume of sensitive information traversing these interfaces has increased exponentially,” the report noted. “In today’s AI-driven environment, securing AI truly starts with securing APIs.”
More generally, AI is helping threat actors to automate and accelerate attacks, as well as creating new vulnerabilities (e.g. vibe coding) that attackers can exploit.
“Attackers increasingly focus on degrading performance, driving up infrastructure costs, and exploiting AI-driven automation at scale, rather than seeking headline-grabbing campaigns,” said Patrick Sullivan, CTO of security strategy at Akamai.
“Automation and AI are making these sophisticated campaigns cheap, repeatable, and fast. And as enterprises invest heavily in AI transformation, attackers are targeting the APIs that power that transformation.”
The Emergence of Blended Attacks
Akamai also pointed to a growth in the number of coordinated attacks that blend API abuse, web application attacks and Layer 7 DDoS activity. Web app attacks surged in volume by 73% between 2023 and 2025, while Layer 7 DDoS attacks increased 104% over the past three years.
The latter are being fuelled by easy access to DDoS-for-hire services/botnets and AI-enabled attack scripts that streamline targeting of APIs and web applications, Akamai claimed.
The vendor had the following recommendations for CISOs:
- Gain visibility into the environment as a prerequisite for tackling DDoS, app and API attacks
- Deploy an “integrated platform” of security controls that can be adjusted according to the risk tolerance of leadership
- Invest in people and processes via training and validation exercises
- Reference industry best practices when talking to the board or the infosec team – e.g. use OWASP to help prioritize training, deploy security controls, drive red and blue team pen testing, and analyze vulnerabilities
- Use detailed industry reports to validate that current security controls are fit for purpose
- Coordinate protection across DDoS mitigation, WAF, API security, bot and abuse prevention, and identity-aware controls – don’t treat these as isolated areas
