Attackers do not wait for security controls to catch up with new technology. As API attack volume has already overtaken web application attacks by more than 100 percent, threat actors are actively shifting focus toward generative AI and agentic AI infrastructure, precisely because these surfaces are new, underprotected, and tied directly to enterprise revenue generation.
In this interview on TFiR, Steve Winterfeld, Advisory CISO at Akamai, breaks down what current threat data shows about attacker behavior as AI adoption accelerates, and what security teams need to anticipate next.
Guest: Steve Winterfeld, Advisory CISO at Akamai
Show: TFiR
Here is what every security practitioner and CISO needs to know.
Technical Deep Dive
Q: Is agentic AI already showing up in threat data, or is it still a forward-looking risk?
Steve Winterfeld, Advisory CISO at Akamai, describes the current picture as a mixed bag. Agentic AI-related threats are occurring but are not yet common enough to quantify as a large-scale surge in threat telemetry. Winterfeld frames this against a clearer data point: the shift from web application attacks to API attacks is already quantifiable, with API attacks now exceeding web attacks by over 100 percent, which demonstrates how rapidly attackers reprioritize when technology and revenue move.
“It’s a mixed bag. I don’t think it’s common but it is definitely happening.” — Steve Winterfeld, Advisory CISO, Akamai
Q: Why do cybercriminals shift focus toward newer technologies like APIs and AI?
Winterfeld explains that attackers follow two signals: where enterprise technology is newest and therefore least hardened, and where forward-generated revenue is concentrated. When organizations invest heavily in a new technology stack, that stack becomes both a high-value target and a low-resistance entry point. The move from web to API attacks is the clearest recent example, but the same logic extends to large language models, generative AI, and now agentic AI.
“The criminals change focus based on where our latest technology is, often because it’s not as well protected and where our forward generated revenue is.” — Steve Winterfeld, Advisory CISO, Akamai
Q: What does the trajectory from API attacks to agentic AI attacks look like?
Winterfeld maps a clear progression that security teams can use for planning: web application attacks gave way to API attacks as APIs became the dominant integration layer. From there, the threat focus is moving through large language models, generative AI, and into agentic AI as each layer matures in enterprise adoption. The pattern is consistent and predictable enough that teams can use current investment trends to anticipate where attacker focus will land next.
“Through the different API large language models or gen AI and now agentic AI, I expect you to see that focus continue to shift over time.” — Steve Winterfeld, Advisory CISO, Akamai
Resources & Documentation
- Akamai, security research, threat intelligence reports, and advisory resources from Steve Winterfeld’s team
***
👇 Click to Read Full Raw Transcript
Swapnil Bhartiya: We talked about, you know, AI, we talked about agentic AI a lot. Is that already showing up in the thread data yet or is that more of a forward looking concern? That report is not flagging yet but you will start tracking it as well.
Steve Winterfeld: So it’s a mixed bag. I don’t think it’s common but it is definitely happening. You know we’re not, we’re not able to track and say, you know there’s a, a huge surge. But if you remember as we point it back to you know the, the web page attacks versus API attacks which we are able to quantify, you know that’s, that’s a huge delta the 70s to over 100%. So you can see that the, the criminals change focus based on where our latest technology is often because it’s not as well protected and where our forward generated revenue is. They’re following us in there. So through the different API large language models or gen AI and now agentic AI, I expect you to see that focus continue to shift over time.





