APIs are now the top attack vector

Average API attacks per organization jumped to 258 in 2025, a 113% increase from 121 in 2024, and 61% of those API attacks involved unauthorized workflows or abnormal activity (up from 30% in 2024). (infosecurity-magazine.com) Layer 7 DDoS activity rose 104% over the past two years, reflecting attackers’ increasing use of application-layer floods against API endpoints. (vmblog.com) Web-application attack volume also surged year-over-year, with a 73% increase reported between 2023 and 2025. (cloudnews.tech) Akamai recorded roughly 311 billion web-application and API attacks in 2024 across its telemetry. (cvisionintl.com) The vendor also quantified roughly 150 billion API attacks between January 2023 and December 2024 in its aggregated SOTI data. (prnewswire.com) Akamai’s analysis shows the threat is shifting from simple volumetric probes to behavior-based abuse that manipulates legitimate workflows and exfiltrates sensitive fields. (helpnetsecurity.com) The report also finds many organizations lack consistent API visibility and cannot reliably identify which endpoints expose sensitive data. (akamai.crndigitalnewsroom.com) The SOTI ‘Mitigation’ guidance stresses continuous API discovery/inventory, bot-management controls, WAF protections, and edge rate-limiting as primary defenses against workflow-driven API abuse. (cvisionintl.com) Akamai’s operational docs further recommend adversarial-bot handling and layered edge controls to reduce false positives while blocking maligned automation. (techdocs.akamai.com) Akamai researchers describe coordinated campaigns that blend API abuse with Layer 7 DDoS to degrade availability and inflate infrastructure costs, creating a compound operational risk for cloud-native stacks. (marketchameleon.com) The report ties that compound risk directly to rapid adoption of microservices, AI-driven APIs, and cloud platforms that expand exposed attack surface area. (cvisionintl.com)