Akamai Research : Web Attacks Up 33


The Rise of AI-Powered Attacks on Web Applications and APIs
AI-powered applications are becoming increasingly sophisticated, but their rapid adoption also poses new security challenges. A recent report by Akamai Technologies, Inc. reveals that the surge in AI-powered attacks is correlated with the accelerated adoption of AI applications, which expand attack surfaces and introduce new security vulnerabilities. The report, titled “State of the Internet and Apps and API Security 2025: How AI Is Shifting the Digital Terrain,” highlights the growing threat landscape in the digital world. Web attacks have increased by 33% year-over-year, with 311 billion attacks in 2024. The majority of these attacks target commerce organizations, with 230 billion attacks targeting the sector.
**The Expanding Attack Surface of AI-Powered APIs**
AI-powered APIs have emerged as primary targets, with Akamai documenting 150 billion API attacks from January 2023 through December 2024. The integration of AI-driven tools with core platforms via APIs has significantly expanded this attack surface. Many AI-powered APIs are externally accessible and rely on inadequate authentication mechanisms, making them vulnerable to attacks. The majority of AI-powered APIs are used for internal purposes, but some are exposed to external users, creating a potential attack vector. Additionally, the lack of standardization in API security can make it difficult for organizations to identify and protect against these attacks.
**Layer 7 DDoS Attacks: A Growing Threat**
Layer 7 (application-layer) distributed denial-of-service (DDoS) attacks against web applications and APIs have increased dramatically. Quarterly attack volumes increased 94% year-over-year between Q1 2023 and Q4 2024. In early 2023, Akamai observed monthly numbers of 500 billion, which rose to 1.1 trillion in one month by December 2024. This growth is due to the growing sophistication of bot-driven attacks, the persistence of HTTPS flooding as a primary attack vector, and the prevalence of Layer 7 DDoS attacks targeting the high technology industry.
**OWASP API Security Top 10-Related Incidents**
OWASP API Security Top 10–related incidents increased 32% in 2024, revealing authentication and authorization flaws that expose sensitive data and functionality. The report also notes that growth in security alerts related to the MITRE security framework is up 30%.
**Security Spotlight: API Attack on Ecommerce Company**
The report includes a security spotlight on an API attack against an ecommerce company, highlighting the vulnerabilities that can arise from inadequate API security.
**The Importance of Mitigation Strategies**
The report provides unique insights on risk scoring and technical methods that can assist frontline defenders in staying ahead of the evolving threat landscape. It emphasizes the importance of implementing effective mitigation strategies to protect against AI-powered attacks. “AI is transforming web and API security, enhancing threat detection but also creating new challenges,” said Rupesh Chokshi, Senior Vice President and General Manager of Akamai’s Application Security Portfolio. “This report is a must read to understand what’s driving the shift and how defenders can stay ahead with the right mitigation strategies.”
**A Growing Threat Landscape**
This report marks the 11th year of Akamai’s State of the Internet (SOTI) reports. The SOTI series provides expert insights on cybersecurity and web performance and is based on data gathered from Akamai’s network infrastructure, which processes more than one-third of global web traffic. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
**Regional and Industry Attack Data**
The report provides regional and industry attack data, highlighting the areas most affected by AI-powered attacks. The high technology industry is particularly vulnerable, with 7 trillion Layer 7 DDoS attacks targeting the sector from January 2023 through December 2024.
**Shadow and Zombie APIs: A Growing Threat**
Shadow and zombie APIs present particularly vulnerable attack vectors within increasingly complex API ecosystems. The report notes that these APIs can be exploited by attackers to gain unauthorized access to sensitive data and functionality.
**Recommendations for Defenders**
The report provides recommendations for defenders to stay ahead of the evolving threat landscape. These recommendations include implementing effective authentication and authorization mechanisms, standardizing API security, and using risk scoring and technical methods to identify and protect against AI-powered attacks.
In conclusion, the report highlights the growing threat landscape in the digital world, with AI-powered attacks posing new security challenges. To stay ahead of these threats, defenders must implement effective mitigation strategies and stay informed about the latest threat trends and vulnerabilities. With the right approach, organizations can protect their web applications and APIs from AI-powered attacks and ensure the security and integrity of their digital assets.
