The AI-Powered Reboot: Rethinking Defense for Web Apps and APIs
Security has seen quite a bit of transformation in a short amount of time thanks to artificial intelligence (AI). From completely new threat types we’d never even considered all the way to “upcycled” vulnerabilities that are using new vectors to become relevant again, defenders are getting a crash course in the power AI can wield — on both the resourceful and malicious fronts.
This is particularly true of blue teams who defend Layer 7. Nation-state attackers and emotional teenagers alike have adopted AI to execute cybercrime by deploying a new generation of sophisticated, automated tools.
Attacks on web applications are surging at a rate that’s as dramatic as a high school breakup — our analysts observed a 33% year-over-year increase in 2024. And APIs have emerged as a steadily growing target, with 150 billion documented attacks on APIs in 2024.
We can’t blame it all on AI, though; there’s not usually a single reason for changes in malicious activity. Accelerating growth in cloud services, the adoption of microservices architectures, and new levels of tech savvy also heighten the drama, along with a litany of other influences, resulting in an exhaustingly complex digital ecosystem.
New SOTI: App style
Knowledge is paramount in times of change. In the spirit of sharing that knowledge, we have released a new State of the Internet (SOTI) report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain. The report presents Akamai’s analysis of the trends that are impacting web applications and APIs. We explore the contours of this new environment — and explain how security professionals can protect their critical systems and data in the meantime.
Attack strategies against applications and APIs
Although attacks on web applications and APIs are interconnected, they’re not interdependent. There are plenty of web app attacks outside of APIs and vice versa. Exploitation methodology and tactics depend on the attacker’s motivation and technical ability.
- Web application attacks target user-facing components of web applications, such as public-facing login pages, and often employ less sophisticated techniques.
- API attacks focus on exploiting vulnerabilities in an application's API endpoints, including system-to-system linkages, and require a deeper understanding of each API's structure and behavior.
Independent defenses
If the attacks themselves aren’t mutually dependent, your defenses against them can’t be either. Modern applications increasingly rely on APIs for functionality, so it’s critical to develop and future-proof cybersecurity strategies that address both web and API attacks.
Neglecting these aspects can leave you vulnerable to sophisticated, multi-vector attacks that exploit weaknesses in both the front end and back end of an application. The automation capabilities provided by large language models (LLMs) and generative AI make it easier than ever for an attacker to execute a large-scale botnet or phishing campaign.
Attacks on APIs: New insights
We’re well aware here at the Akamai Security Intelligence Group (SIG) that proper data science and research requires both a rigorous review of the data outputs and an examination of where the raw data comes from. We are also keenly aware that APIs are currently a favored playground for attackers. Those two insights led us to the latest evolution in our reporting datasets — enhanced API threat research and analysis — and yielded some interesting findings. In 2024:
- There was a 32% increase in OWASP API Security Top 10–related incidents, revealing authentication and authorization flaws that expose sensitive data and functionality
- There was a 30% growth in security alerts related to the MITRE security framework as attackers use AI and automation to exploit APIs
- 37% of the 116 billion web attacks in the Europe, Middle East, and Africa (EMEA) region targeted APIs, eclipsing the concentration among all other global regions
APIs powered by AI have proven to be even less secure than the human-powered ones. The majority of these APIs are externally accessible with weak authentication mechanisms and weren’t properly tested, rendering them more vulnerable to attacks.
That could cause some dire consequences depending on what else that API connects to. Remember when threat actors exploited an electronic signature provider's API to send fraudulent invoices? Dire consequences, indeed. 😬
Secure code review isn’t overrated
We are still in the learning phase of API attacks, but the real world is employing a “testing in prod” method of education. Consumers demand innovation, and profits require fast innovation.
Security should be the most discerning part of a code review process, which can make it the most inhibitive step in getting a product out to market. Unfortunately, this often leads to less testing, and more and more code built on untested code.
Security checks are inherently antithetical to the developer’s purpose, but minimizing testing can lead to some less-than-ideal scenarios.
- Increased security alerts: Our analysis revealed that security alerts related to Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and International Organization for Standardization (ISO) 27001 increased by 16%, 21%, and 22%, respectively.
- Challenges in detecting API abuse: These challenges emphasize the need for real-time anomaly and behavior monitoring to identify threats preemptively.
- Unmanaged zombie and shadow APIs: These two leading causes of API security incidents cause security teams to struggle to maintain comprehensive API inventories.
Attacks on web applications: New findings
As we mentioned previously, attacks on web applications and APIs are interconnected but not interdependent. Here’s the “interconnected” part: Our research reveals a substantial increase in web attacks targeting both web applications and APIs over the past two years across the globe.
Different places have different problems, so we analyzed specific industries, regions, and attack trends to provide multiple views of the impacts of Layer 7 abuse. Some of the most significant findings from the report include:
- There was a 65% growth in web attacks targeting web applications and APIs from Q1 2023 to Q4 2024 — from 14 billion attacks to more than 29 billion.
- There was a 94% growth in Layer 7 distributed denial-of-service (DDoS) attacks during the same period, surging from just over 500 billion monthly attacks to more than 1.1 trillion.
- There was a 73% increase in web attacks targeting the Asia-Pacific and Japan region, rising from 29 billion in 2023 to 51 billion in 2024.
- Commerce continues to be a leading target, experiencing more than 230 billion web attacks in 2024 — nearly triple the number for the next highest target, the high technology industry.
The role of AI in attacks — and defenses
What an attacker can do using AI is a popular topic of conversation. When it comes to malicious use of AI systems, there is essentially an à la carte menu of options:
- Automated vulnerability scanning at a speed that was previously unthinkable
- AI-generated malicious code
- Automated attacks with AI-powered bots
- Automated volumetric DDoS attacks
- Behavioral-based attacks (low and slow attacks that evade detection and target common API vulnerabilities)
The silver lining here is it’s not only the criminals who get to have fun with AI. AI is also helping to counter the threat with emerging AI-powered web application firewall (WAF) systems to assist in identifying and mitigating cyberthreats like bots, DDoS attacks, scrapers, and scanners.
Proactive defense leads to compliance
Compliance has a big impact on an organization’s overall risk management posture, so we also addressed regulation in this SOTI report. Not all threats to the business are cyber — remaining compliant through the myriad evolving security regulations around the globe is a full-time job in itself.
We covered new and updated cybersecurity requirements for different regions in this SOTI, such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the United States and the Network and Information Systems (NIS2) Directive in Europe. Different geographical regions have different levels of regulatory sophistication, which creates nuance that has global effects.
For example, while North America is focusing on comprehensive risk management and mandatory incident reporting, Europe is expanding regulations to include mobile services.
Defenders need to be automating and innovating at the level and speed of the attackers, while also upholding governmental standards, handling incidents, and whatever else the team needs them to do.
Regulators are actively responding to the increasing threat to apps and APIs, so the more future-proofing you can do, the better. This is why focusing on proactive defense can make you compliant and secure (if the regulation is built properly, of course).
Assume breach and cover your basics
The key to staying secure in the age of AI is to establish a comprehensive security plan focused on assuming breach and covering your basics. Even if you’re not being driven by the regulatory powers that be, there has never been a better time to reexamine current review practices and reinforce the fundamentals.
How many large-scale breaches and attacks were caused by clicking on a phishing email? Attackers exploit holes in basic protections because they continue to be successful.
Enhanced input validation, secure development practices, and regular security audits are not overrated practices. Emphasizing them will provide long-game security rather than reactionary and fad-following protection that can lead to unexpected results down the line.
Conclusion: Download the SOTI
Get the full story: Download the new State of the Internet (SOTI) report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain.