Average Number of Daily API Attacks Up 113% Annually
Summary:
According to Akamai's 2026 State of the Internet (SOTI) report, APIs have become the dominant attack surface for global organizations, with 87% of organizations registering an API-related security incident in 2025. The average number of daily API attacks per organization reached 258 in 2025, a 113% increase from 121 in 2024.
Notably, 61% of API attacks last year involved unauthorized workflows and abnormal activity, up from 30% in 2024, indicating a shift from traditional web-based to behavior-based attack methodologies. The growth of agentic AI is compounding the problem: an average of 3,000 APIs per customer contained sensitive data, with 12% showing security weaknesses and a quarter of those issues tied to sensitive data exposure.
Akamai also flagged a rise in blended attack campaigns, noting that web application attacks surged 73% between 2023 and 2025, while Layer 7 DDoS attacks increased 104% over the same three-year period.
Security Officer Comments:
The convergence of AI with API ecosystems introduces a compounding risk, as enterprises integrate AI tooling, the APIs powering those integrations become high-value targets carrying exponentially larger volumes of sensitive data. Attackers are increasingly focused on degrading performance, driving up infrastructure costs, and exploiting AI-driven automation at scale, and automation is making these campaigns cheap, repeatable, and fast.
The emergence of coordinated blended attacks combining API abuse, web application exploitation, and Layer 7 DDoS further raises the difficulty of detection and response, as defenders must correlate activity across multiple vectors simultaneously.
Suggested Corrections:
Organizations should treat API security as foundational to their broader security posture rather than a siloed capability. Gaining comprehensive visibility into the API environment, including discovery of shadow and undocumented APIs, is the prerequisite step before any defensive controls can be effectively tuned.
Security teams should prioritize remediation of the top OWASP API risks, particularly misconfigurations and authentication weaknesses, and leverage the OWASP framework to inform red and blue team exercises and control validation.
Akamai recommends deploying an integrated platform of security controls adjustable to leadership's risk tolerance, coordinating protections across DDoS mitigation, WAF, API security, bot and abuse prevention, and identity-aware controls rather than treating these as isolated capabilities.
Given the scale at which AI is accelerating attacker automation, organizations with active AI transformation initiatives should conduct specific threat modeling against the APIs supporting those pipelines, applying behavioral analysis controls capable of detecting the unauthorized workflow patterns that now account for the majority of API attack activity.
Link(s):
https://www.akamai.com/resources/infographic/app-api-ai-security-report-2025
According to Akamai's 2026 State of the Internet (SOTI) report, APIs have become the dominant attack surface for global organizations, with 87% of organizations registering an API-related security incident in 2025. The average number of daily API attacks per organization reached 258 in 2025, a 113% increase from 121 in 2024.
Notably, 61% of API attacks last year involved unauthorized workflows and abnormal activity, up from 30% in 2024, indicating a shift from traditional web-based to behavior-based attack methodologies. The growth of agentic AI is compounding the problem: an average of 3,000 APIs per customer contained sensitive data, with 12% showing security weaknesses and a quarter of those issues tied to sensitive data exposure.
Akamai also flagged a rise in blended attack campaigns, noting that web application attacks surged 73% between 2023 and 2025, while Layer 7 DDoS attacks increased 104% over the same three-year period.
Security Officer Comments:
The convergence of AI with API ecosystems introduces a compounding risk, as enterprises integrate AI tooling, the APIs powering those integrations become high-value targets carrying exponentially larger volumes of sensitive data. Attackers are increasingly focused on degrading performance, driving up infrastructure costs, and exploiting AI-driven automation at scale, and automation is making these campaigns cheap, repeatable, and fast.
The emergence of coordinated blended attacks combining API abuse, web application exploitation, and Layer 7 DDoS further raises the difficulty of detection and response, as defenders must correlate activity across multiple vectors simultaneously.
Suggested Corrections:
Organizations should treat API security as foundational to their broader security posture rather than a siloed capability. Gaining comprehensive visibility into the API environment, including discovery of shadow and undocumented APIs, is the prerequisite step before any defensive controls can be effectively tuned.
Security teams should prioritize remediation of the top OWASP API risks, particularly misconfigurations and authentication weaknesses, and leverage the OWASP framework to inform red and blue team exercises and control validation.
Akamai recommends deploying an integrated platform of security controls adjustable to leadership's risk tolerance, coordinating protections across DDoS mitigation, WAF, API security, bot and abuse prevention, and identity-aware controls rather than treating these as isolated capabilities.
Given the scale at which AI is accelerating attacker automation, organizations with active AI transformation initiatives should conduct specific threat modeling against the APIs supporting those pipelines, applying behavioral analysis controls capable of detecting the unauthorized workflow patterns that now account for the majority of API attack activity.
Link(s):
https://www.akamai.com/resources/infographic/app-api-ai-security-report-2025