More than 150 billion application programming interface (API) attacks were observed in the wild during 2023 and 2024, according to data released this week by cloud security specialist Akamai, with the growth of artificial intelligence (AI) powered APIs and AI-enabled attacks compounding to create a steadily expanding attack surface.
In its latest State of apps and API security 2025 report, Akamai also said it observed volumes of web-based cyber attacks up by a third over the course of 2024 to 311 billion all told, a pronounced surge that appears to correlate closely to an expansion in the scope of threats arising from AI.
“AI is transforming web and API security, enhancing threat detection but also creating new challenges,” said Rupesh Chokshi, senior vice-president and general manager of Akamai’s Application Security Portfolio. “This report is a must read to understand what’s driving the shift and how defenders can stay ahead with the right mitigation strategies.”
Akamai said the integration of AI tools with core platforms via APIs is “substantially” expanding the attack surface because the vast majority of AI-powered APIs are not only publicly accessible, but tend to rely on inadequate protections, lacking such things as authentication mechanisms, for example. This problem is now also compounded by a growing number of AI-driven attacks.
For end-users, this means that while security teams are able to enhance web application and API security by enhancing their defensive capabilities with AI-powered automation – for example, by helping to find threats, predict possible breaches and bring down incident response times – AI also helps attacks improve the effectiveness of their attacks by automating web scraping and bringing more dynamic attack methodologies to bear.
Looking ahead, Akamai said that although AI-driven API management would doubtless continue to evolve, AI-driven attacks would likely remain a significant concern, meaning organisations need to adopt more robust, defence-in-depth security strategies.
Web attacks
Turning to web attacks, Akamai said that it observed a dramatic rise in application layer (aka Layer 7) distributed-denial-of-service (DdoS) attacks targeting both web apps and APIs, with monthly volumes growing from over 500 billion at the start of 2023 to more than a trillion at the end of 2024 – bad bots and the persistence of HTTP-flooding as an attack vector seem to have driven this.
The technology sector was the most frequently targeted vertical for such attacks – more than seven trillion during the period covered by the survey.
Broken out by geography, EMEA was on the receiving end of 2.7 trillion Layer 7 DDoS attacks, 306 billion hitting targets in the UK and 369 billion in Germany.
Akamai said that safeguarding web apps and APIs would continue to be an ever more essential need for organisations. It laid out a number of key actions that security leaders should consider taking:
- To lay down an API security plan incorporating shift-left and DevSecOps techniques to integrate security from initial API design through post-production, paying particular attention to continuous discovery and visibility, authentication, rate limiting and bot mitigation;
- Implement more robust core security measures such as continuous threat monitoring and response, and use API testing tools such as dynamic application security testing (DAST);
- Be proactive against threats, using specialised DDoS protection tools, for example, and paying attention to patch management, access control and network segmentation;
- Act early to mitigate API vulnerabilities, following established guidelines, such as OWASP’s, to help ensure more robust security, and address risks associated with bad coding practice or misconfigurations;
- Pay more attention to ransomware threats, taking advantage of zero-trust architectures, microsegmentation, and the Mitre ATT&CK framework;
- Finally, prepare for AI with defence strategies that include bot defences, AI-powered cyber tools, specialist firewalls and more proactive measures such as continuous assessment and zero trust.
