---
title: "Akamai's 2026 API Security Survey Shows an 87% Incident Rate"
description: "Akamai's fourth-annual API Security Impact Survey: 87% of organizations hit by an API incident at $700K average cost. Five takeaways and what to do next."
canonicalUrl: "https://zuplo.com/blog/2026/04/30/akamai-2026-api-security-survey-takeaways"
pageType: "blog"
date: "2026-04-30"
authors: "nate"
tags: "API Security, AI"
image: "https://zuplo.com/og?text=Akamai%202026%20API%20Security%20Survey%20Shows%2087%25%20Incident%20Rate"
---
Akamai's
[fourth-annual API Security Impact Survey](https://www.globenewswire.com/news-release/2026/04/28/3282376/0/en/Security-Leaders-Cite-AI-as-a-Risk-Multiplier-for-APIs-in-New-Akamai-Survey.html),
released on April 28, surveyed 1,840 security professionals across 10 countries
and 6 industries. The headline: **87% of organizations experienced an API
security incident in the past year**, at an average cost exceeding **$700,000
per incident**.

Akamai's
[State of the Internet report](/blog/apis-number-one-attack-surface-2026-akamai-soti-report)
last month flagged the same 87% rate from a different angle: attack patterns and
OWASP categories. This survey adds the business layer: what incidents cost,
where AI fits in, and why visibility is declining even as security spend grows.

<CalloutAudience
  variant="bestFor"
  items={[
    "Security and platform teams who own API gateway policy",
    "DevSecOps practitioners trying to translate survey findings into architecture decisions",
    "Engineering leaders sizing the gap between perceived and actual API security maturity",
  ]}
/>

Here are the five findings that matter most, and what to do about each.

## 1. The headline numbers are getting worse

The numbers tell a clear story of acceleration:

- **87% of organizations** reported an API security incident in the past 12
  months, up from 76% in 2022
- Organizations averaged **3.5 incidents** per year
- The average cost per incident exceeded **$700,000**
- **Financial services** were hit hardest, with **96%** reporting API attacks
- The costliest incidents were in **energy and utilities** ($860,000 average),
  followed by **manufacturing** ($732,000) and **health and life sciences**
  ($725,000)

These are real losses hitting real budgets. With 80% of respondents ranking API
security among their top three cybersecurity priorities, the problem has
executive attention. The question is whether attention translates into action.

## 2. AI is the new risk multiplier

Perhaps the most significant new finding: **42% of security professionals report
that APIs powering AI applications, agents, and LLMs were targeted by
cyberattacks** in the past year. Meanwhile, **38% rank securing AI technologies
as their top cybersecurity priority** for the year ahead.

This tracks with our
[Q1 2026 API security scorecard](/blog/q1-2026-api-agent-security-scorecard). AI
isn't just creating new APIs. It's creating new _kinds_ of traffic traditional
security tools can't model.

An AI agent making tool calls through an MCP server generates non-deterministic
request patterns. A RAG pipeline produces traffic volumes that shift
unpredictably based on user prompts. A fine-tuning job might hammer a data
endpoint for hours, then go silent.

On Zuplo gateways we already see AI agent traffic with retry shapes and burst
patterns that don't match anything human users produce. A single flat IP-keyed
limit falls over the moment a real agent shows up.

### Why traditional rate limiting fails for AI traffic

Rate limiting that assumes steady-state human patterns doesn't work here. You
need
[per-consumer rate limiting](https://zuplo.com/docs/policies/rate-limit-inbound)
keyed on identity, not IP.

Zuplo's rate limiter buckets traffic by user, IP, or a custom function, with
separate limits per route. A known AI agent's API key gets a high-burst ceiling
while anonymous IP-keyed traffic gets a tighter one.

<CalloutTip variant="mistake">
  Treating an AI agent's bursts like attacker traffic by relying on IP-keyed
  rate limits alone. A legitimate agent will trip the limit; a real attacker
  rotates IPs. Key on consumer identity, then size limits per tier.
</CalloutTip>

<CalloutDoc
  title="Rate Limit Inbound policy"
  description="Bucket by user, IP, or custom function, with separate limits per route. Configure tiers for AI agents and human consumers."
  href="https://zuplo.com/docs/policies/rate-limit-inbound"
  icon="lightning"
/>

### AI-specific security on Akamai infrastructure

For teams running AI workloads on Akamai infrastructure specifically, Zuplo's
[AI Gateway on Akamai](https://zuplo.com/docs/dedicated/akamai/ai-powered-applications)
provides an integrated governance layer.

It pairs Zuplo's rate limiting and authentication with the
[Akamai AI Firewall](https://zuplo.com/docs/ai-gateway/policies/akamai-ai-firewall)
for prompt injection defense, data loss prevention, and toxic content filtering,
addressing AI-specific attack vectors at the infrastructure level.

## 3. The API visibility crisis is getting worse, not better

Here's the finding that should alarm every security team: **only 23% of
enterprises have full API inventories that include details on which APIs expose
sensitive data**. In 2022, that number was 40%. API visibility is _declining_
even as attack surfaces expand.

Organizations are spending more on API security than ever, yet losing track of
their own APIs. APIs proliferate faster than manual inventory can keep up.

Microservices, AI integrations, third-party connectors, internal tools: every
team ships new endpoints, and the central security team finds out when something
breaks.

An OpenAPI-first approach solves this by design. When the gateway requires an
[OpenAPI specification](https://zuplo.com/docs/articles/routing) as the source
of truth for routing, every route must be defined in a spec before it can
receive traffic. Undocumented endpoints don't exist at the gateway layer.

With Zuplo, the OpenAPI spec drives routing, request validation, documentation,
and SDK generation. If a route isn't in the spec, the gateway doesn't route to
it.

That property only delivers full visibility if the gateway is the only public
ingress: backends on private networks, gateway as the single front door. With
that in place, OpenAPI-first eliminates shadow APIs and zombie endpoints by
architecture, not by periodic audits always running behind.

## 4. The C-suite thinks things are better than they are

The survey uncovered a dangerous perception gap: **40% of C-suite leaders
reported advanced API testing maturity**, compared to only **28% of DevSecOps
practitioners**, the people actually doing the work. That 12-point gap between
executives and operators is a leading indicator of underinvestment.

When leadership believes security is more mature than it is, budgets go
elsewhere. When DevSecOps teams know about gaps but can't show data, they can't
make the case for better tooling.

Closing the gap means one source of truth. When API security policies live as
[configuration-as-code](https://zuplo.com/docs/articles/terraform) in Git, "how
mature is our API security?" stops being self-report. The repo is the answer:
authentication policies, rate limits, and validation rules are
version-controlled, reviewable in pull requests, and deployable through CI/CD.

Executives don't need to read JSON to benefit. A short audit script that reads
the route list and flags any route without an authentication, rate-limit, or
request-validation policy attached produces a coverage report in seconds.

Run it in CI and the gap closes the moment someone ships an unprotected route.
Both sides argue from the same data instead of from interpretation.

## 5. Dedicated API security staff isn't enough

The survey found that **53% of organizations have dedicated API security
personnel**, yet the 87% incident rate persists. Hiring more security people
isn't solving the problem because the problem isn't staffing. It's architecture.

Security teams can't manually review every endpoint, validate every payload, or
monitor every consumer. Enforcement has to happen automatically at the
infrastructure level. The team's job is to _configure_ the rules, not _enforce_
them request by request.

That's the shift an edge-native API gateway enables. "Edge-native" means the
gateway runs as workers on a global CDN, so policies execute close to the caller
rather than at a single regional origin.

Instead of leaning on application code for auth, validation, and rate limits,
you push those concerns to the gateway.

### What edge enforcement looks like in practice

- **Authentication**: Enforce
  [API key auth](https://zuplo.com/docs/articles/step-3-add-api-key-auth),
  [JWT validation](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound), or
  [OAuth 2.0](https://zuplo.com/docs/articles/oauth-authentication) as a policy
  on every route. Requests without valid credentials never reach your backend.
- **Request validation**: Validate every incoming request against your
  [OpenAPI schema](https://zuplo.com/docs/policies/request-validation-inbound)
  automatically. Malformed payloads, missing required fields, and wrong data
  types are rejected before your application code ever sees them.
- **Rate limiting**: Set
  [per-consumer limits](https://zuplo.com/docs/policies/rate-limit-inbound) that
  prevent abuse from both human and AI consumers. Different tiers for different
  consumer classes, enforced at the edge across 300+ locations globally.
- **WAF protection**: For enterprise deployments, Zuplo's
  [managed WAF](https://zuplo.com/docs/articles/zuplo-waf) (Web Application
  Firewall) integrates with Akamai App & API Protector. The WAF sits in front of
  the gateway and adds a defense layer against OWASP Top 10 threats, DDoS, and
  zero-day vulnerabilities before traffic reaches your policies.
- **Key lifecycle management**: Zuplo's
  [API key system](https://zuplo.com/docs/articles/api-key-management) provides
  instant rotation and
  [leaked-key detection via GitHub secret scanning](https://zuplo.com/docs/articles/api-key-leak-detection).
  When 42% of respondents report AI API attacks, proper key lifecycle management
  is the difference between a contained incident and a $700,000 breach.

<CalloutDoc
  title="API key management"
  description="Instant rotation and leaked-key detection via GitHub secret scanning. Treat keys as a lifecycle, not a string in a database."
  href="https://zuplo.com/docs/articles/api-key-management"
  icon="book"
/>

## What this means for your team

The Akamai survey confirms a pattern we've seen across
[multiple](/blog/wallarm-2026-api-threatstats-api-security)
[reports](/blog/apis-number-one-attack-surface-2026-akamai-soti-report) this
year: incidents are accelerating, AI is expanding the attack surface, and most
organizations don't have adequate visibility into their own APIs.

All three have architectural answers, not headcount answers: OpenAPI as the
source of truth, auth and per-consumer rate limits enforced at the edge, request
validation against the spec, and gateway config stored in Git so security
posture is reviewable rather than self-reported.

Zuplo's WAF integrates with Akamai App & API Protector, which puts us in the
same edge security ecosystem that produced this research. The controls the
survey calls critical (authentication, rate limiting, request validation, API
visibility) are what Zuplo ships out of the box.

Ready to close the gaps this survey exposed?
[Start for free](https://portal.zuplo.com) and deploy OpenAPI-first routing,
per-consumer rate limiting, and automated request validation. Those three
controls address every root cause in Akamai's findings.