Applications and APIs have long been foundational to the internet, but in 2025, they’re also proving to be one of its most dangerous fault lines. Akamai’s latest “State of Apps and API Security” report paints a sobering picture of an evolving threat landscape—one increasingly shaped by AI, cloud-native architecture, and unmonitored attack surfaces.
Steve Winterfeld, Advisory CISO at Akamai, joined TFiR to unpack the key findings and their implications. With 20-30% of global internet traffic passing through Akamai’s platform, the company has a unique vantage point on emerging threats.
One of the biggest red flags in the report? “We’re seeing that 47% of APIs are unaccounted for,” said Winterfeld. These so-called “zombie,” “shadow,” or “ghost” APIs often linger in environments without proper visibility or governance. Left unmonitored, they become prime targets for attackers looking to exploit sensitive data paths that no one is watching.
The scale of the threat is staggering. “We saw a 94% growth in DDoS attacks year-over-year,” Winterfeld shared. “There was also a 63% increase in web and AI-related attacks.” These are not theoretical risks—they’re hitting production systems in commerce, finance, and healthcare right now.
Akamai’s report dives deeper, correlating attack types with known frameworks like OWASP and MITRE. According to Winterfeld, “32% of the overall attacks are going against known OWASP Top 10 API vulnerabilities.” This mapping gives security teams a clear place to start: prioritize high-risk categories and align defensive tools accordingly.
But with AI workloads exploding, APIs are becoming even more central to the equation. “AI is a machine-to-machine interface problem, and APIs are the interface,” said Winterfeld. He pointed out that commerce is leading in public-facing AI adoption, making it a top target. And as organizations rush to integrate large language models, they often overlook the secure design patterns needed to protect these interfaces.
The defensive use of AI is also maturing. Akamai, for instance, now uses GenAI to streamline threat detection workflows. “A junior analyst can now ask, ‘Where is log4j used across our network?’ and get that answer in natural language,” Winterfeld said. This democratization of security intelligence helps teams respond faster and more consistently, especially in the face of zero-day exploits.
Yet even as tools improve, the cultural divide between developers and security teams persists. Winterfeld emphasized the importance of shared incentives and easy-to-use controls: “Part of caring about customers is giving a great and secure experience.” That means embedding security hooks into CI/CD pipelines and training developers to avoid the most common API mistakes, such as broken authentication.
To bridge the gap, Akamai recommends that security and DevOps teams work from a common playbook:
– Establish an AI security plan for both development and runtime
– Use frameworks like OWASP and MITRE to guide risk conversations
– Automate runtime detection for unknown APIs and insecure deployments
– Foster a culture where developers are enabled, not obstructed, by security
As generative AI and microservices continue to reshape the tech stack, the need for proactive API governance and collaboration across teams has never been greater. The attacks are real, growing, and increasingly precise. But with the right plan—and the right mindset—security leaders can stay ahead.





