AI-powered APIs are introducing significant cybersecurity vulnerabilities
We’re moving fast with AI. Too fast, maybe. While it’s pushing the edge in automation and capability, it’s also quietly exposing large holes in our infrastructure, especially in APIs. These are the interfaces that bridge AI models with the real-world internet. Many companies now rely on AI-powered APIs for everything, customer interactions, decision support, automation. But most of these APIs are exposed publicly, and security hasn’t kept pace.
The problem here is fundamental. AI-powered APIs often skip basic safeguards. Things like strong authentication and proper configuration are missing, and that creates risk at scale. AI isn’t just helping us build smarter platforms, it’s also amplifying threats. Attackers using AI can probe endpoints faster, identify weaknesses in real time, and launch persistent attacks automatically.
Security can’t be an afterthought. If your product or platform depends on publicly available APIs, especially ones serving AI models, they need to be locked down. Visibility, control, and response speed are everything. We’re not talking about tiny inefficiencies, this is a real and growing attack surface.
According to Akamai’s 2025 State of Apps and API Security report, more than 150 billion API attacks were detected in 2023 and 2024. That’s a constant threat environment, driven partly by how fast organizations are deploying AI integrations without updating their security practices.
This isn’t a reason to stop progress. Quite the opposite. But smart C-suite operators will treat API security as a core business function now, not something for “later.” Because the threat already exists.
AI capabilities benefit both offensive and defensive cybersecurity efforts
AI doesn’t pick sides. It automates whatever you give it, defense or offense. While it’s helping our teams move faster, detect threats earlier, and reduce incident response times, it’s also making attackers more efficient. They’re using the same tech, just pointed in the opposite direction.
Let’s be direct: AI has improved the speed, scale, and customization of cyberattacks. Web scraping, phishing campaigns, vulnerability scanning, all automated, all adaptive. This makes attacks more frequent and harder to predict. On the flip side, security teams can now respond in near real time using AI to find anomalies and take action before damage spreads.
If you’re running a business that relies on uptime and digital access, this dual-use nature of AI means you can’t afford to stand still. Waiting to “see how AI develops” is no longer an option. It’s already developed. Security decisions now should consider whether you’re using AI internally and how it might be used against you externally.
Rupesh Chokshi, Senior Vice-President and GM of Akamai’s Application Security Portfolio, summed it up clearly: “AI is transforming web and API security, enhancing threat detection but also creating new challenges.” He’s right. This transformation is neutral, what counts is how we manage it.
Web-based attacks have risen sharply, driven by evolving attack methods
There’s been a heavy surge in advanced web-based attacks. Not just more frequent, but fundamentally smarter. Application layer distributed denial-of-service (Layer 7 DDoS) attacks are expanding fast. They’re targeting both APIs and web apps, and they’re doing it at scale. These aren’t the brute-force attacks from a few years ago. They’re persistent, automated, and often invisible unless you’re looking in the right place.
The shift in technique is worth understanding. Methods like HTTP flooding and adaptive bot attacks can overwhelm services without instantly triggering standard alarms. Bad bots now mimic legitimate behavior more closely, increasing the complexity of detection. This is harvesting real-world disruption, hitting productivity, uptime, and trust.
What matters is what this trend tells us about our systems. They’re being tested continuously. If a system lacks layered protection, if it can’t adapt in real time, it won’t stand long under this pressure. That’s what the numbers say.
Akamai reports that Layer 7 DDoS volumes jumped from over 500 billion per month in early 2023 to over a trillion per month by the end of 2024. If you’re in charge of digital infrastructure, those numbers need to shift how you allocate resources, fast.
Cybersecurity can no longer be built around the idea of static defense. Systems need to monitor behavior moment to moment and respond differently under changing conditions.
The technology industry remains the primary victim of large-scale cyberattacks
Technology companies are drawing more fire than any other sector, by a wide margin. And it’s not a surprise. These organizations manage large volumes of data, operate distributed platforms, and often move faster than security frameworks allow. As an industry, we’ve built expansive digital surfaces, and attackers are responding in kind.
Akamai’s latest data confirms this targeting pattern. The tech sector faced more than 7 trillion attacks during the 2023–2024 survey period. That’s more than any other vertical by orders of magnitude. Scale, speed, and high-value data make this space attractive to attackers, and vulnerable to oversights.
Executives in tech-first organizations need to understand this as a persistent state, not a spike. If your platforms are cloud-native, API-heavy, and always-on, then they are visible and prioritized targets. That doesn’t mean you pull back, but it does require investing ahead of attacks, not after.
No system is attack-proof. But leaders should ask: Do we discover threats in minutes, or days? Are defenses layered, or dependent on one chokepoint? Is the security team involved early, or only when something goes wrong?
Cyber risks hit customer trust and business continuity. For companies operating at scale in the tech domain, cybersecurity is a product requirement.
Europe faces a volume of web and API attacks, with the UK and Germany among top targets
The European market isn’t being overlooked by attackers, it’s being prioritized. The data makes that clear. Large economies with advanced digital infrastructure, like the UK and Germany, are receiving a disproportionate volume of web-based and application-layer attacks. These countries represent concentrated, high-value targets, and bad actors know where to focus their energy.
Akamai’s analysis shows that the EMEA region faced 2.7 trillion Layer 7 DDoS attacks during the reporting period, with 306 billion hitting the UK and 369 billion targeting Germany. Those aren’t small deviations, they are major concentrations, showing clear intent from attackers to disrupt national and enterprise-level platforms.
The maturity of the region’s infrastructure may create a false sense of resilience. Just because platforms are well-built doesn’t mean they’re impenetrable. Increasing attack volumes like this mean that systems are constantly under pressure, targeted for financial gain, data access, and operational disruption. And attackers are getting better at shifting tactics to bypass traditional defenses.
Leaders operating in these markets need to treat cybersecurity as part of broader geopolitical and economic stability. Fragmented or inconsistent controls across jurisdictions aren’t just inefficient, they create exploitable openings. Regulatory alignment remains incomplete across the bloc, which makes security enforcement uneven.
Enterprise leaders in Europe should focus on unified strategies, shared threat intelligence, and faster decision-making. The landscape reminds us that market size, digital infrastructure, and visibility mean nothing without security alignment. Delaying investment in AI-based defenses or ignoring regional coordination only drives that vulnerability further.
A multi-layered, proactive approach is critical to securing APIs and web applications
Modern web environments demand security strategies that can match their complexity. It’s no longer effective to wait for threats and respond one by one. What’s needed now is a layered, continuously active defense model, one that builds security into every stage of digital delivery.
Akamai recommends a few core steps, each of them practical and results-oriented. Start by embedding security at the beginning of the development process. That means adopting shift-left practices and DevSecOps models, where security questions are baked into both design and deployment. Then follow through with rapid, continuous discovery of all API endpoints, especially those that are undocumented or publicly accessible.
From there, prioritize authentication. If you’re exposing APIs without strong identity checks, you’re doing the attacker’s job for them. Add rate limiting and bot mitigation too, standard controls, but still often missed. Use tools like dynamic application security testing (DAST) to test APIs where they live, during operation, and adapt as findings come in.
A mature security approach also includes threat monitoring around the clock, segmentation of networks to limit risk movement, and DDoS protection that’s specialized for web apps and APIs, not general web traffic. Combine that with frameworks like OWASP guidelines and Mitre ATT&CK mapping, which provide tested, community-driven priorities. Treat zero trust as a baseline, especially when access privileges can shift in microseconds.
A well-integrated security program built on proactive actions drives down exposure and holds up under automated, AI-driven threats.
For executives, the outcome is simple: when security is continuous, coordinated, and embedded, response times shrink, incidents decline, and digital investments are protected. It’s the difference between reacting and staying ahead.
Key highlights
- AI-powered APIs are undersecured and highly exposed: Most AI-driven APIs are publicly accessible with weak or missing authentication, making them easy targets. Leaders should mandate stronger API governance and security integration from design through deployment.
- AI is accelerating both sides of the cybersecurity arms race: While AI boosts defense with faster detection and response, attackers are also using it to automate and scale threats. Executives should invest in AI-driven security tooling as both a necessity and a countermeasure.
- Application-layer DDoS attacks are growing at unprecedented scale: Web-facing platforms now face monthly attacks in the trillions, often evading detection through adaptive, bot-driven tactics. Businesses should deploy advanced threat monitoring and Layer 7-specific DDoS protection.
- Tech companies remain the top cyberattack targets: With over 7 trillion attacks logged, the tech sector’s speed and connectivity are drawing disproportionate threats. Security must be treated as a core product attribute.
- EMEA is seeing concentrated attack volumes, led by the UK and Germany: Regional infrastructure is a consistent target, with 306 billion attacks on the UK and 369 billion on Germany alone. Leaders in affected regions should push for cross-border security collaboration and standardization.
- Multi-layered, proactive security architectures are now essential: Shift-left, DevSecOps, continuous threat detection, zero trust, and AI-powered threat mitigation are no longer optional. Decision-makers should push for security to be embedded early and updated continuously to keep up with evolving threats.
