APIs don’t just serve data—they encode business logic. And that makes them vulnerable in ways traditional security tools can’t always detect. In this TFiR interview, Stas Neyman, Director of Product Marketing at Akamai, explains how attackers are increasingly exploiting subtle API behaviors—especially error messaging and traffic patterns—to gain an edge. “That’s the quirk of APIs,” he says. “To a WAF or an API gateway, it just looks like standard traffic.”
Akamai’s approach to this problem is to baseline behavior. For each API, they establish a clear picture of what normal activity looks like—how often it’s called, by whom, in what pattern—and use that to identify anomalies in real time.
Neyman shared an incident where attackers tested a login API using lists of stolen email addresses. The API’s error responses revealed whether an account existed. From there, attackers matched those email addresses with compromised passwords from past breaches and attempted credential stuffing. The goal? Steal loyalty points.
“Without monitoring the behavior, without understanding what a typical baseline looks like, you’re missing a big chunk of business logic attacks,” he warned.
These kinds of threats bypass static rules or signature-based detection. They exploit how APIs behave under specific conditions—and how they respond differently depending on business logic. That makes them invisible to conventional tools and extremely hard to detect without a behavioral approach.
With Akamai’s model, risk isn’t judged on traffic alone—it’s tied to deviations from baseline behavior. Sudden spikes in calls to a specific endpoint, unusual patterns of input, or repeated errors can all raise alerts and trigger investigation.
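To make the incident and the baselining concrete, here is an added illustration (example code, not Akamai's tooling or anything from the interview): the leaky login handler beside a uniform-response version, and a per-client failure-share check against a known-good baseline. The account store, thresholds and log records are constructed for the demo.

```python
from collections import defaultdict

# Constructed demo account store (hypothetical; not from the interview).
ACCOUNTS = {"alice@example.com": "correct-horse", "bob@example.com": "battery-staple"}

def login_leaky(email, password):
    """Vulnerable pattern: the failure response differs for unknown vs. known
    emails, so failed logins alone reveal which addresses are registered."""
    if email not in ACCOUNTS:
        return 404, "no such account"
    if ACCOUNTS[email] != password:
        return 401, "wrong password"
    return 200, "ok"

def login_uniform(email, password):
    """Hardened pattern: one status and one message for every failure."""
    if ACCOUNTS.get(email) != password:
        return 401, "invalid email or password"
    return 200, "ok"

def is_enumeration_oracle(login_fn):
    """True if a failed login for a known email is distinguishable from one
    for an unknown email (the signal the attackers in the incident used)."""
    return login_fn("alice@example.com", "x") != login_fn("nobody@example.com", "x")

def baseline_failure_rate(events, endpoint):
    """Share of failed (>= 400) calls to the endpoint in a known-good window."""
    statuses = [s for _, ep, s in events if ep == endpoint]
    return sum(s >= 400 for s in statuses) / len(statuses) if statuses else 0.0

def flag_clients(events, endpoint, baseline_rate, min_calls=20, factor=5.0):
    """Flag callers whose failure share on the endpoint is far above baseline.
    Repeated 4xx at volume from one caller is the enumeration / credential-
    stuffing footprint; min_calls keeps a user who mistypes twice out of it."""
    stats = defaultdict(lambda: [0, 0])  # client -> [calls, failures]
    for client, ep, status in events:
        if ep == endpoint:
            stats[client][0] += 1
            stats[client][1] += status >= 400
    return sorted(c for c, (n, f) in stats.items()
                  if n >= min_calls and f / n > baseline_rate * factor)

# Constructed logs as (client, endpoint, status). BASELINE is a quiet window with
# one genuine typo (10% failures); CURRENT adds a client walking a stolen email
# list against the leaky handler (40 x 404) and a user who retried three times.
BASELINE = ([("c1", "/login", 200)] * 4 + [("c2", "/login", 200)] * 3
            + [("c3", "/login", 200)] * 2 + [("c3", "/login", 401)])
CURRENT = BASELINE + [("bot", "/login", 404)] * 40 + [("c4", "/login", 401)] * 3
```

Note that the uniform handler removes the oracle but not the traffic: the baseline check still flags the same caller by volume and failure share, which is the point of monitoring behavior rather than payloads.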
For security teams responsible for protecting user data, authentication flows, and other high-risk API functions, this is more than anomaly detection—it’s adaptive, contextual defense.
As APIs become more dynamic and personalized, so must our approach to protecting them.