Enterprise security leaders are navigating one of the most volatile threat environments on record. API attacks are no longer a peripheral risk — they are the primary attack vector for adversaries targeting Fortune 1000 organizations, growing at a rate that outpaces traditional web application threats by a significant margin. At the same time, distributed denial-of-service attacks are reaching volumes and durations that were considered outliers just two years ago, and the proliferation of AI-assisted development tools is quietly handing criminal groups a capability upgrade they have not had to earn through technical expertise.
The convergence of these three trends — surging API exploitation, geopolitically charged DDoS campaigns, and AI-accelerated adversarial tooling — is forcing CISOs to rethink how they measure, communicate, and defend their security posture. Board-level conversations about cyber risk now demand industry-comparative benchmarks, not just internal metrics. Security leaders who cannot answer “how do we compare globally?” are walking into the boardroom underequipped.
Akamai, which sits in front of a substantial share of global internet traffic across banking, healthcare, and commerce sectors, is in a unique position to observe these trends at scale. The company’s State of the Internet (SOTI) security research report translates that visibility — spanning web application firewall telemetry, API security data, AI firewall events, DDoS mitigation logs, and network segmentation signals — into actionable intelligence for enterprise security programs.
The 2025 findings are stark. API attacks rose 113% year-over-year. DDoS incidents surged 104%, fueled by next-generation IoT botnets and state-adjacent threat actors using denial-of-service as an instrument of geopolitical retaliation. And the emergence of vibe coding — AI-assisted development that allows low-skill operators to produce sophisticated applications — is lowering the barrier to entry for threat actors at exactly the moment defenders need to raise it.
For CISOs preparing for their next board presentation, budget cycle, or threat program review, the Akamai SOTI report offers the external benchmarking data that internal telemetry alone cannot provide.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
Key Takeaways
- API attacks grew 113% year-over-year, far outpacing the 73% two-year growth rate of web application attacks — signaling a clear adversarial pivot toward system-to-system interfaces and AI endpoints.
- 87% of organizations surveyed reported an API security incident in 2025, making API compromise a near-universal enterprise experience rather than an edge case.
- DDoS attacks surged 104%, driven by Turbo Mirai-class botnets that dramatically scale IoT-based attack networks and by geopolitical actors using denial-of-service as asymmetric economic retaliation.
- Vibe coding — AI-assisted low-skill application development — is being adopted by threat actors to produce more sophisticated cybertools faster, compressing the capability gap between criminal groups and well-resourced adversaries.
- The Akamai SOTI report is designed to give CISOs industry-comparative benchmarking data to support board-level risk conversations and security investment justification.
***
In this exclusive interview with Swapnil Bhartiya at TFiR, Steve Winterfeld, Advisory CISO at Akamai, explains the methodology, key findings, and threat implications of Akamai’s State of the Internet (SOTI) security research report — covering API attack growth, DDoS innovation, and the emerging security risks of AI-assisted vibe coding.
What Is the Akamai SOTI Report and What Problem Does It Solve for Security Leaders?
The State of the Internet report is Akamai’s mechanism for converting its unique threat visibility — accumulated from protecting Fortune 1000 companies across banking, healthcare, commerce, and other verticals — into actionable intelligence for CISOs and their programs. The report draws from Akamai’s full protection stack, including its WAF, API security tooling, AI firewall, DDoS mitigation infrastructure, and network segmentation capabilities. Its primary value proposition is comparative benchmarking: giving security leaders the external data points they need to measure their program’s performance against industry peers.
Q: What is this report all about? What data is it pulling from and what problem is it trying to solve for security leaders?
Steve Winterfeld: “Akamai is protecting a number of Fortune 1000 companies across the globe — banks and healthcare and commerce and all the different industries. What we wanted to do is put out this SOTI security research report to share our insights. We focus on those things we protect. We have our WAF, so we protect the applications out there, our API security, our AI firewall, our DDoS protection, and our segmentation. What you’re going to hear us talk about are the threats for which we have data. Within this, we’ve also added some insights from our annual survey on APIs. Things like 87% of organizations responded that they’ve had an API security incident in 2025. All this data is great insight — when you’re reviewing your program, how many API incidents have you had? How do you compare to the industry? Whenever I go talk to the board, they want to know how we compare with the industry, how we compare globally, how are we performing. Those are some of the kinds of things we hope to share through this report.”
API Attacks: 113% Growth and the Adversarial Pivot Toward System-to-System Interfaces
The most significant statistical finding in the 2025 SOTI report is the acceleration of API-targeted attacks. As enterprises have invested heavily in APIs to power system-to-system integrations and in generative AI infrastructure — specifically large language models — adversaries have followed the money. The attack growth rate for APIs now substantially outpaces the rate of growth for traditional web application attacks, and the near-universal rate of API security incidents reported by organizations in Akamai’s annual survey confirms that API exploitation has moved from an emerging risk to a mainstream enterprise threat.
Q: What were the critical findings or trends that stood out? What shifted most compared to last year or prior years?
Steve Winterfeld: “Across edge protection, companies are investing heavily in APIs — that system-to-system application interface — and in AI. When I say AI here, I generally mean generative AI, specifically large language models. As you’re putting these out there and investing more money, and as they’re becoming more revenue-focused, you’re seeing the threat follow. We saw the number of API attacks rise by 113% over the last year. Comparing that to just attacking your web pages or web applications — that only grew 73% over the last two years. You can see where the threat is focusing.”
DDoS Evolution: Turbo Mirai, Geopolitical Actors, and Record-Setting Attack Volumes
Distributed denial-of-service attacks have remained a persistent and evolving threat, but the 2025 data reflects a step-change in both the scale and the political context of these attacks. Two distinct forces are driving the 104% surge: technical innovation in botnet architecture — specifically the emergence of Turbo Mirai-class networks that dramatically amplify the original Mirai IoT botnet model — and the increasing use of DDoS as a geopolitical instrument by state-adjacent actors retaliating against economic sanctions through attacks on financial institutions and critical infrastructure.
Q: What is driving the DDoS surge, and how has the threat model changed?
Steve Winterfeld: “DDoS — distributed denial of service attacks — have been around forever, and every year I’m still surprised by how they innovate, how they develop, how they change. This is another one where we’ve seen record-setting surges, and this is up by 104%. I think this is driven by two things. The first is technical capabilities around Turbo Mirai. If you remember Mirai back in the day, it was these large botnets — large networks made out of IoT, Internet of Things, devices. Now you see things like Kimwolf coming out, who have taken that initial capability and really cranked it up. You’re seeing an order of magnitude larger attacks. The second factor around DDoS is really the geopolitical activity. If country A imposes an economic sanction on country B, the response might be denial-of-service attacks against their banks or against their critical infrastructure. This asymmetric kind of attack has really exploded what we’ve seen in DDoS attacks — both the size and the duration of these attacks.”
Vibe Coding, AI-Assisted Development, and the Democratization of Adversarial Capability
The third major theme in the SOTI report is qualitative rather than statistical, but its implications are significant. The emergence of vibe coding — the use of generative AI tools to allow developers with limited technical skill to produce functional, sophisticated applications — is a dual-use capability. While enterprises are navigating the quality and security control gaps that vibe coding introduces into their own development pipelines, threat actors are exploiting the same capability to produce more sophisticated offensive tools faster and with fewer resources than previously required.
Q: What is the security risk posed by vibe coding, and how is it changing the threat actor capability profile?
Steve Winterfeld: “We are getting tremendous benefits from AI, and one of those is vibe coding. As a CISO, it drives me nuts that people don’t have the quality control and security controls in vibe coding that I’d like to see. But that aside, you’re seeing people with low skills put out pretty sophisticated code or applications. Well, guess who else is using that? The threat. Now we have criminal groups or cyber groups putting out much more sophisticated tools than they have in the past and moving much faster. At a really high level, those are probably the key things I would point out.”