
Why DDoS Attacks Are Breaking Records and What CISOs Must Do in 2026 | Steve Winterfeld, Akamai


Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: CISO Insights
Topic: Security

Denial-of-service attacks should have been solved by now, yet 2025 saw botnets break records, with some attacks almost double the previous record volumes. As organizations rush to embrace APIs and generative AI, they are creating attack surface faster than they can secure it. Steve Winterfeld, Advisory CISO at Akamai, cuts through the noise to lay out what enterprise security leaders must actually focus on in 2026.



DDoS Attacks Reach Unprecedented Scale

For over a decade, Akamai has published its State of the Internet (SOTI) report, which tracks attack activity in the areas the company defends: DDoS, API security, segmentation, and AI firewalls. The 2025 data shows a troubling trend: DDoS attacks are not only persisting but growing in both size and complexity.

“Every year, it gets bigger and more complex, and now we’re seeing botnets setting new records—significantly higher than in the past, in some cases almost double previous records,” Winterfeld explains. The attacks span both traditional Layer 7 attacks against websites and Layer 3/4 attacks against infrastructure and DNS, with the latter setting the most new records.

The resurgence of previously dormant threats adds another dimension to the challenge. “Mirai is a major botnet that’s back. It resurfaced almost out of nowhere and is active again,” Winterfeld notes, highlighting how threat actors continuously adapt and revive proven attack methods.

APIs and AI Become Primary Attack Vectors

Following the money reveals where threats concentrate, and in 2025, that path led straight to APIs and generative AI. As customer engagement increasingly happens through APIs and AI-powered chatbots, threat actors have shifted their focus accordingly.

“The threat follows the money, and the money follows engagement with people—and that engagement is increasingly done through APIs, and more and more through GenAI and chatbots,” Winterfeld observes. This evolution demands that organizations reassess their security priorities based on their specific business models.

For commerce companies, APIs represent the primary concern. High-tech organizations must prioritize generative AI security. Traditional manufacturing firms, unless they are actively adopting APIs or AI, should focus on ransomware prevention and network segmentation.

Tailoring Security Strategy to Business Reality

Rather than applying generic security recommendations, Winterfeld advocates for a business-first approach. “We as cybersecurity professionals—as you know, my perspective as a CIO—is that I have to understand how my organization is making revenue, what our business model is, and where our crown jewels are,” he emphasizes.

This strategic thinking extends beyond technology to encompass people, processes, and tools. Winterfeld shares a cautionary example: an engineer demanded that a DevOps team implement “file integrity management” on their product, a request that made no technical sense. “What they should have said is, we need to figure out how to make sure we can audit what you’re doing,” he explains. The underlying requirement was auditability; asking for a named control without understanding that requirement left the team with a demand it could not act on and the real gap unaddressed.

The skills gap extends to emerging technologies like generative AI, where many security professionals lack the literacy to properly assess and mitigate risks. Organizations deploying GenAI need specific security tools designed for those unique threats, not retrofitted solutions from previous technology generations.

Navigating the Complex Compliance Landscape

The regulatory environment for AI and APIs continues to fragment across jurisdictions. In the EU, the Cyber Resilience Act sets cybersecurity requirements for products with digital elements (connected hardware and software, IoT devices included) and ties them to the CE marking, so a product must meet those requirements before it can carry the mark. The EU AI Act categorizes AI systems by risk level, from “unacceptable” (banned, a tier that includes social scoring and manipulative AI systems) to “minimal” (no requirements).

API requirements, meanwhile, usually appear not as standalone regulations but nested within broader frameworks. “PCI 4.0 put out API requirements. DORA has API requirements, and so they’re nested in other laws,” Winterfeld notes. In the United States, six states have already passed AI laws focused on transparency, bias prevention, and privacy, with more legislation pending.

Winterfeld’s advice is to build a solid security program first, then map it to compliance requirements. “There are so many regulations out there. It makes more sense to build a solid security program and then map it to compliance. You may find you have a gap, and you may need to go cover that gap,” he says.

2026 Priorities: From Agentic AI to Post-Quantum Encryption

Looking ahead, several emerging threats and technologies demand attention. Agentic AI represents a new frontier, with OWASP releasing not only a Top 10 for large language models but also a separate Top 10 specifically for agentic AI systems.

Vibe coding—using tools like ChatGPT to generate code—presents unexpected risks. Winterfeld recounts a peer, a cybersecurity expert, who used vibe coding to build an application but never instructed the AI to implement security measures. “I said, ‘Well, what did you tell it to do for security?’ And he goes, ‘Oh, well, I didn’t,’” Winterfeld recalls, demonstrating how even security professionals can overlook fundamental protections in the rush to adopt new tools.

Post-quantum cryptography preparation cannot wait. “Start to lean into post-quantum-safe certificates. Start building your infrastructure now, so when we get to quantum breaks—all that encryption that we depend on—we’ve moved to encryption that is going to be safer in a quantum world,” Winterfeld urges.
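Added example, not from the interview or from Akamai: the first step in the migration Winterfeld describes is knowing whether your clients and servers already offer post-quantum key exchange. Certificates signed with post-quantum algorithms are not yet widely issued or trusted by TLS clients, whereas hybrid ML-KEM key exchange already ships in mainstream browsers, CDNs and OpenSSL 3.5, so the readiness check you can run today is on the key-exchange side. The Python below parses the supported_groups extension of a raw TLS ClientHello (the bytes a packet capture or a TLS-terminating proxy hands you) and reports whether any hybrid ML-KEM group is offered. The codepoints are taken from draft-ietf-tls-ecdhe-mlkem and the earlier Kyber draft; the ClientHello it parses is constructed inline for the demonstration, not a real capture.

```python
"""Inspect a raw TLS ClientHello for hybrid post-quantum key-exchange groups.

Added example (not from the interview or from Akamai). A PQC readiness check
you can run against packet captures: does a client offer an ML-KEM hybrid
group in the supported_groups extension (RFC 8446, extension type 10)?
"""
import struct

# Hybrid ML-KEM codepoints from draft-ietf-tls-ecdhe-mlkem, plus the pre-standard
# Kyber draft codepoint that older clients still send. Classical groups are from
# the IANA TLS Supported Groups registry.
PQ_HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",
}
CLASSICAL_GROUPS = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
    0x001D: "x25519", 0x001E: "x448", 0x0100: "ffdhe2048", 0x0101: "ffdhe3072",
}
SUPPORTED_GROUPS_EXT = 10


def parse_client_hello_groups(record: bytes) -> list:
    """Return the group IDs offered in a TLS record that carries a ClientHello.

    Walks the fixed-layout fields (RFC 8446 section 4.1.2) to reach the
    extensions block, then scans for supported_groups. Raises ValueError for
    anything that is not a well-formed ClientHello; returns [] if the
    extension is absent (e.g. a bare TLS 1.2 ClientHello).
    """
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:  # handshake type 1 = client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # legacy_version + random
    pos += 1 + hello[pos]                              # legacy_session_id<0..32>
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                                  # cipher_suites<2..2^16-2>
    pos += 1 + hello[pos]                              # legacy_compression_methods<1..2^8-1>
    if pos + 2 > len(hello):
        return []                                      # no extensions block at all
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        raise ValueError("extensions length exceeds ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SUPPORTED_GROUPS_EXT:
            (list_len,) = struct.unpack("!H", data[:2])
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, list_len, 2)]
    return []


def classify_groups(groups) -> dict:
    """Sort offered groups into PQ-hybrid, classical and unknown, keeping client order."""
    report = {"pq_hybrid": [], "classical": [], "unknown": []}
    for g in groups:
        if g in PQ_HYBRID_GROUPS:
            report["pq_hybrid"].append(PQ_HYBRID_GROUPS[g])
        elif g in CLASSICAL_GROUPS:
            report["classical"].append(CLASSICAL_GROUPS[g])
        else:
            report["unknown"].append(f"0x{g:04X}")
    return report


def build_client_hello(groups) -> bytes:
    """Construct a minimal ClientHello record for testing (constructed, not a capture)."""
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    sg_data = struct.pack("!H", len(group_list)) + group_list
    padding_ext = struct.pack("!HH", 21, 4) + bytes(4)   # unrelated extension the parser must skip
    sg_ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(sg_data)) + sg_data
    exts = padding_ext + sg_ext
    hello = (b"\x03\x03" + bytes(32)                       # legacy_version TLS 1.2, zeroed random
             + b"\x00"                                      # empty legacy_session_id
             + struct.pack("!H", 2) + b"\x13\x01"           # one suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                  # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    # Constructed ClientHellos: a modern client offering X25519MLKEM768 first,
    # and a legacy client offering only classical curves.
    for label, groups in (("modern", [0x11EC, 0x001D, 0x0017]),
                          ("legacy", [0x001D, 0x0017, 0x0018])):
        report = classify_groups(parse_client_hello_groups(build_client_hello(groups)))
        verdict = "PQ hybrid offered" if report["pq_hybrid"] else "classical only"
        print(f"{label}: {verdict} {report}")
```

Feed it the first TLS record of each client connection from a capture (or the ClientHello a terminating proxy logs) and the `unknown` bucket doubles as an early warning for codepoints you have not catalogued. Running the same scan on your own outbound traffic tells you which of your services and libraries still negotiate classical-only key exchange and therefore need the upgrade Winterfeld is asking for.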

Traditional concerns—third-party risk, supply chain security, and hacktivism—remain relevant, though hacktivism increasingly serves as cover for state-sponsored operations. The geopolitical dimension of cyber threats will intensify as global conflicts continue.

Building Resilience Through Testing and Strategy

Beyond technology investments, organizations must update their risk portfolios and test their resilience. Do you have an API strategy? A GenAI strategy? Have you tested your resilience through different playbook scenarios and exercises?

“Do you have a good grasp of your situational awareness?” Winterfeld asks. He encourages security leaders to leverage established frameworks like OWASP, MITRE, and ISO standards rather than building from scratch. “It’s great to plagiarize—great to leverage.”

His closing assessment captures the perpetual challenge facing security professionals: “It’s going to be another year of continuously fighting an innovative, adaptive, thoughtful cybercriminal ecosystem, so we just need to continue to do the right things.”
