Attackers are no longer just getting creative—they’re getting efficient. Enterprises are facing a new threat reality: coordinated, industrial-scale campaigns that combine API abuse, web application exploits, and DDoS attacks. These multi-vector operations quietly drain performance, spike infrastructure costs, and exhaust security teams before defenders realize they’re under attack. By the time they notice, it’s already too late.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
Key Takeaways
- API attacks surged 113% year-over-year while web application attacks grew only 73%, showing where threat actors are focusing their efforts
- DDoS attacks increased 104% driven by enhanced IoT botnets like TurboMirai and geopolitical cyber operations
- 87% of organizations experienced an API security incident in 2025 according to Akamai’s annual survey
- 85% of observed domains fail foundational DNS security controls including SPF, DMARC, CAA, and DNSSEC
- AI-powered vibe coding is enabling both low-skill attackers and defenders to develop sophisticated tools at unprecedented speed
***
In this exclusive interview with Swapnil Bhartiya at TFiR, Steve Winterfeld, Advisory CISO at Akamai, walks through findings from Akamai’s 2026 State of the Internet Security Report, explaining how enterprise threat patterns are evolving and what security leaders need to prioritize.
The Explosion in API-Targeted Attacks
As enterprises invest heavily in APIs for system-to-system communication and AI infrastructure—particularly GenAI and large language models—threat actors are following the money. Akamai’s data shows a dramatic shift in attack focus that should alarm every security leader managing cloud-native infrastructure.
Q: What were the critical findings that stood out in this year’s report compared to prior years?
Steve Winterfeld: “The first is that, across edge protection, companies are investing heavily in APIs—that system-to-system application interface—and in AI. And when I say AI here, I generally mean GenAI, specifically the subcategory of large language models. As you put these technologies out there, invest more money in them, and make them more revenue-focused, you’re seeing threats follow. We saw the number of API attacks rise by 113% over the last year. In comparison, attacks on web pages or web applications grew by only 73% over the last two years. So you can see where the threat is focusing.”
DDoS Attacks Reach Record Scale Through Technical and Geopolitical Drivers
Distributed denial of service attacks continue to evolve in both sophistication and scale. Akamai’s research identifies two primary factors driving the 104% year-over-year surge: enhanced botnet capabilities through TurboMirai variants and increased geopolitical cyber operations using DDoS as an asymmetric warfare tool.
Q: What’s driving the massive increase in DDoS attacks?
Steve Winterfeld: “DDoS attacks have been around forever and every year I continue to be surprised by how they innovate, how they develop, how they change. This is another one where we’ve seen record-setting surges, and this is up by 104%. Now I think this is driven by two things. The first is technical capabilities around TurboMirai. So if you remember Mirai back in the day, it was these large bots, or these large networks made out of IoT, Internet of Things, devices. Well, now you see things like Kimwolf coming out, which have taken that initial capability and really cranked it up, and so now you’re seeing an order of magnitude larger attacks.”
Steve Winterfeld: “The second factor around DDoS is really the geopolitical activity. So if Country A imposes an economic sanction on Country B, the response might be denial of service attacks against their banks or against their critical infrastructure. And so this asymmetric kind of attack has really exploded what we’ve seen in DDoS attacks, both the size and the duration of these attacks.”
How AI Tools Are Accelerating Both Offense and Defense
AI-powered development tools, particularly vibe coding platforms, are democratizing sophisticated attack tool creation. While these same tools enable security teams to move faster, they’ve lowered the skill barrier for threat actors, allowing criminal groups to develop and deploy advanced exploits at scale.
Q: Did the research surface any meaningful trends around how AI is changing the threat landscape?
Steve Winterfeld: “We are getting tremendous benefits from AI, and one of those is vibe coding. As a CISO it drives me nuts that people don’t have the quality control and security controls in vibe coding that I’d like to see. But that aside, you’re seeing people with low skills put out pretty sophisticated code or applications. Well, guess who else is using that? The threat. So now we have criminal groups or cyber groups putting out much more sophisticated tools than they have in the past, and moving much faster.”
OWASP Frameworks for GenAI and Agentic AI Security
As enterprises deploy generative AI and agentic AI systems that make automated decisions—from loan approvals to contract execution—new attack vectors emerge. Steve Winterfeld recommends leveraging OWASP’s evolving framework sets to prioritize security investments across web applications, APIs, large language models, and now agentic AI.
Q: How should security teams approach protecting AI systems?
Steve Winterfeld: “As I’m sitting here trying to prioritize my budget—and one of my favorite sayings is, you know, as a CISO I have $20 worth of problems in a $10 budget—how am I going to optimize this? One of the great frameworks is OWASP. OWASP is a volunteer-led organization that focuses on protecting your web applications or your Internet-facing capabilities. They first came out with web attacks, then they came out with API attacks, then large language model attacks, and now they’ve come out with agentic AI attacks.”
Steve Winterfeld: “GenAI versus agentic AI, an oversimplified definition is agentic AI makes decisions where GenAI just answers questions. Well, if you have something making decisions—should this person get a loan? What’s the right medical decision? Is this contract executed and should they be paid?—criminals want to get into that decision cycle and affect it. OWASP put out a couple of papers on what is goal hijacking, what is tool misuse, what is memory poisoning. You need API protection in front of it because it’s coming through APIs. You need DDoS protection in front of it because it could still be taken offline. On the back end, you’ll need microsegmentation for visibility as it tries to use this as an attack vector.”
The Hidden Crisis in DNS Security Hygiene
While DNS often flies under the radar in security discussions, Akamai’s research uncovered a systemic failure in foundational controls that leaves domains widely exposed. The data shows that 85% of observed domains fail basic DNS security controls, including SPF, DMARC, Certification Authority Authorization (CAA), and DNSSEC.
Q: Were there any special topics that surprised even you and your team?
Steve Winterfeld: “One of the things we found—because again, Akamai tends to talk to the customer about what the customer needs and we do a lot of DNS. So DNS is the phone book, the Domain Name System of the internet, or it’s the GPS. If you type in a name, something has to translate that to an IP address, and that’s DNS. One of the things we’re hearing is DNS is kind of this hidden threat. We found that 85% of observed domains failed foundational DNS controls—things like SPF, DMARC, certificate authority authorization, and DNSSEC. We also talked about the impact of quantum computing, managing your certs, which are kind of the keys to protection. We provided a checklist that you can use to check the hygiene level, the maturity level of yours, because we’re just seeing so much come from this angle that often isn’t well managed and put high enough in the risk portfolio to get the attention it deserves.”
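The checklist Winterfeld refers to is not reproduced here, but the four controls he names can be checked mechanically. The following is an added example, not Akamai’s tool or the report’s checklist: it grades constructed DNS answers (the zone names and record values are made up) for SPF, DMARC, CAA and DNSSEC presence and strength, the way a hygiene scan over many domains would.

```python
import re

# Constructed sample lookups (not real zones): each entry mimics what a resolver
# would return for the record types the checklist needs.
SAMPLE_ZONES = {
    "good.example": {
        "TXT": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
        "CAA": ['0 issue "letsencrypt.org"'],
        "DS": ["12345 13 2 0123456789abcdef"],  # placeholder digest, not a real DS
    },
    "weak.example": {
        "TXT": ["v=spf1 include:_spf.mail.example ?all", "site-verification=abc"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
        "CAA": [],
        "DS": [],
    },
}

def check_spf(txt_records):
    """'missing' (none or >1 SPF record), 'weak' (+all/?all/bare all), or 'ok'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "missing"
    alls = [t for t in spf[0].split() if re.fullmatch(r"[-~?+]?all", t, re.I)]
    # Only a hard (-all) or soft (~all) fail actually constrains senders.
    return "ok" if alls and alls[-1][0] in "-~" else "weak"

def check_dmarc(dmarc_records):
    """'missing', 'weak' (p=none: monitor only), or 'ok' (quarantine/reject)."""
    rec = [r for r in dmarc_records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return "missing"
    tags = {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in rec[0].split(";") if "=" in t)}
    return "ok" if tags.get("p", "none").lower() in ("quarantine", "reject") else "weak"

def hygiene_report(domain, zones=SAMPLE_ZONES):
    z = zones.get(domain, {})
    return {
        "spf": check_spf(z.get("TXT", [])),
        "dmarc": check_dmarc(z.get("_dmarc", [])),
        "caa": "ok" if any("issue" in r for r in z.get("CAA", [])) else "missing",
        "dnssec": "ok" if z.get("DS") else "missing",  # DS at parent = signed delegation
    }

def passes_foundational(domain, zones=SAMPLE_ZONES):
    """True only when all four controls are present and enforcing."""
    return all(v == "ok" for v in hygiene_report(domain, zones).values())
```

To run it against real domains, replace SAMPLE_ZONES with live TXT, CAA and DS lookups; the grading logic is unchanged.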
Anthropic’s Mythos Vulnerability Discovery Model
Recent advances in AI-powered vulnerability discovery, particularly Anthropic’s Mythos model developed in partnership with Glasswing, have demonstrated the potential for automated security research at scale. The model discovered numerous vulnerabilities in systems that had been in production for multiple years, with findings embargoed to companies with significant Internet infrastructure footprints.
Q: Can you talk about some of the AI models that are coming out that even you are impressed with?
Steve Winterfeld: “The one that we’re hearing about most right now is the Anthropic Mythos Glasswing, and that came out saying they found just a large number of vulnerabilities, some in systems that have had these vulnerabilities out there for multiple years. Full disclosure, that is embargoed to a certain number of companies that have a large impact or a large footprint within security and infrastructure in the Internet. Any given day, 20 to 30% of the Internet goes across Akamai infrastructure. So Akamai is one of those embargoed companies. We do have the ability to see what’s going on within all these vulnerabilities and integrate that into some of our protections.”
Steve Winterfeld: “I will caution people that knowing about a vulnerability and seeing it become operational in the wild are very different things. I’m not saying AI can’t do that and make it part of a nation state or a criminal enterprise. But it is more than just finding the vulnerability. The second challenge is, as a CISO, I have never not had a backlog of unpatched vulnerabilities. So now it comes down to how critical is a vulnerability. What’s the impact to my network? Does it have access to proprietary or protected information? This is a natural evolution in the industry, and something that we should be able to continue to depend on things like AI firewalls and web application firewalls to protect against.”
Turning Threat Intelligence Into Actionable Security Strategy
For security leaders reviewing threat intelligence reports, the challenge isn’t just understanding the data—it’s translating findings into prioritized action within constrained budgets and resources. Steve Winterfeld outlines how he approaches turning research insights into operational security improvements.
Q: What’s your guidance on turning these findings into action?
Steve Winterfeld: “When I get a report like this I want to understand, first of all, does this change any of my general assumptions? Is there data in here that I need to make a decision on? For instance, seeing the spike in DDoS attacks may make me want to go validate that my current DDoS protections will meet the level of these new surges, these new peaks in attack. This is a lot that I can go back and talk to my leadership about, and I have statistics on why I need more money or effort or focus, or a policy approved to get DNS working, because hygiene still matters, and I need those foundational DNS controls. Ultimately, visibility is still key. Situational awareness is critical. Understanding how to take advantage of this will drive validation testing exercises.”