Akamai just dropped a bombshell. Their 2026 State of the Internet (SOTI) report declares that APIs have officially become the primary attack surface for enterprises. Not web apps, not network infrastructure — APIs.
The numbers are staggering: 87% of organizations experienced an API-related security incident in 2025, average daily API attacks per organization surged 113% year-over-year (from 121 to 258), and Layer 7 DDoS attacks grew 104% over two years. As Patrick Sullivan, Akamai’s CTO of Security Strategy, put it: “Automation and AI are making these sophisticated campaigns cheap, repeatable, and fast.”
This tracks with what Wallarm’s 2026 API ThreatStats report found earlier this month: APIs now account for 43% of CISA’s actively exploited vulnerabilities. If you’re building or exposing APIs — and in 2026, who isn’t? — these reports are a wake-up call.
Why APIs Became the #1 Target
The shift isn’t surprising once you understand the forces at play. APIs are multiplying faster than teams can secure them. AI transformation, microservices architectures, and the push to expose everything via APIs have created an enormous and often poorly defended attack surface.
Three converging trends are driving this:
- API proliferation from AI adoption. Every AI feature, every LLM integration, every agentic workflow adds new API endpoints. The report found that organizations now average 3,000 APIs containing sensitive data per customer — and 12% of those have known security weaknesses.
- Industrialized multi-vector attacks. Attackers aren’t just hitting one endpoint. They’re running coordinated campaigns that blend API abuse, web application attacks, and Layer 7 DDoS into a single assault. Web application attacks surged 73% between 2023 and 2025.
- “Vibe coding” creating new vulnerabilities. The report specifically calls out AI-generated code — what the industry has dubbed vibe coding — as a source of misconfigurations reaching production without adequate testing. When your code is generated by an LLM that optimizes for “it works” over “it’s secure,” you get functional APIs with gaping security holes.
The Top 3 OWASP API Vulnerabilities Being Exploited
Akamai’s data maps directly to the OWASP API Security Top 10. The three most exploited vulnerability categories in 2025 were:
Security Misconfigurations — 40% of Exploited APIs
This is the big one. Misconfigured CORS policies, overly permissive headers, verbose error messages leaking internal details, default credentials left in place — the list goes on. Misconfigurations are especially dangerous because they’re invisible to functional testing. Your API works perfectly while silently exposing everything.
This is also where vibe-coded APIs are most vulnerable. AI code generators rarely set restrictive CORS policies, strip server headers, or configure proper error handling. They’re optimizing for the happy path, not the attack path.
Broken Object Property Level Authorization — 35%
APIs that return more data than they should. A user requests their own profile and gets back internal IDs, admin flags, or other users’ data because the API doesn’t filter response properties based on the caller’s authorization level. This is hard to catch in code review and almost impossible to detect without dedicated testing.
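To make the problem concrete, here is an added example (not code from the Akamai report or from Zuplo) of the "return the whole record" pattern beside a hardened handler that projects the record onto a per-audience allow-list. The user records, roles and field names are constructed for the demo.

```typescript
// Added example: property-level filtering of API responses by caller authorization.
// Records, roles and field names are constructed; nothing here is a real account.

type Role = "anonymous" | "user" | "admin";

interface Caller {
  id: string;
  role: Role;
}

// A user record as it might sit in the data store. Several of these properties
// must never reach an ordinary API consumer.
interface UserRecord {
  id: string;
  email: string;
  displayName: string;
  internalId: number;
  isAdmin: boolean;
  passwordHash: string;
}

const USERS: Record<string, UserRecord> = {
  "u-1": { id: "u-1", email: "alice@example.com", displayName: "Alice", internalId: 1001, isAdmin: false, passwordHash: "<hash-placeholder>" },
  "u-2": { id: "u-2", email: "bob@example.com", displayName: "Bob", internalId: 1002, isAdmin: true, passwordHash: "<hash-placeholder>" },
};

// Explicit allow-lists per audience. Anything not listed is dropped, so a
// sensitive column added to the record later is hidden by default.
const PUBLIC_FIELDS: (keyof UserRecord)[] = ["id", "displayName"];
const OWNER_FIELDS: (keyof UserRecord)[] = PUBLIC_FIELDS.concat(["email"]);
const ADMIN_FIELDS: (keyof UserRecord)[] = OWNER_FIELDS.concat(["internalId", "isAdmin"]);
// passwordHash appears in no list: it is never serialized for any caller.

function fieldsFor(caller: Caller, target: UserRecord): (keyof UserRecord)[] {
  if (caller.role === "admin") return ADMIN_FIELDS;
  if (caller.role === "user" && caller.id === target.id) return OWNER_FIELDS;
  return PUBLIC_FIELDS;
}

// The vulnerable pattern described above: the stored record goes out as-is,
// internal IDs, admin flag and hash included.
function getProfileVulnerable(userId: string): UserRecord | undefined {
  return USERS[userId];
}

// Hardened: copy only the properties this caller is authorized to see.
function getProfile(caller: Caller, userId: string): Record<string, unknown> | undefined {
  const target = USERS[userId];
  if (!target) return undefined;
  const out: Record<string, unknown> = {};
  for (const key of fieldsFor(caller, target)) {
    out[key] = target[key];
  }
  return out;
}
```

The allow-list direction is the point: a deny-list of "secret" fields fails open the first time someone adds a new column, while an allow-list fails closed.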
Broken Authentication — 19%
APIs with weak or missing authentication: endpoints that should require auth but don’t, token validation that’s easily bypassed, or API keys that are never rotated. The report also noted a shift toward behavior-based attacks — unauthorized workflows and abnormal activity accounted for 61% of API attacks in 2025, up from 30% in 2024. Attackers are getting past authentication and exploiting what they find on the other side.
How Edge-Deployed API Gateways Close the Gap
Here’s the thing about the vulnerabilities Akamai identified: most of them can be mitigated before a request ever reaches your application code. That’s the fundamental value of an API gateway — it enforces security policies at the infrastructure level, independent of how your API was written.
An edge-deployed gateway takes this further by running those policies at the network edge, close to the attacker, rather than in a single region where every request has to travel to your origin first.
Here’s how each vulnerability maps to gateway-level protection:
Authentication Enforcement
The 19% of exploited APIs with broken authentication? A gateway ensures every request is authenticated before it reaches your backend. Zuplo supports API key authentication, JWT validation, and OAuth flows as built-in policies. You define them once and apply them to any route — no custom authentication code in your handlers, and a single policy definition secures as many endpoints as you need.
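What "define it once, apply it everywhere" looks like in practice, as an added example that is not Zuplo's built-in policy: a route table where every route is authenticated unless it is explicitly opted out as public, so a route added later with no auth code is still protected. Routes, tokens and principal names are constructed for the demo; a real deployment would verify a JWT or a hashed API key rather than this in-memory table.

```typescript
// Added example: secure-by-default authentication enforced at the gateway layer.
// Routes, tokens and principals are constructed; the comparison logic is the point.

interface Route {
  method: string;
  path: string;
  public?: boolean; // must be opted in explicitly; the default is "authenticated"
}

interface GatewayRequest {
  method: string;
  path: string;
  headers: Record<string, string>;
}

const ROUTES: Route[] = [
  { method: "GET", path: "/health", public: true },
  { method: "GET", path: "/v1/profile" },
  { method: "POST", path: "/v1/orders" },
  { method: "GET", path: "/internal/report" }, // nobody wrote auth code for this one
];

// Credential store: bearer token -> principal (constructed demo tokens).
const TOKENS: Record<string, string> = {
  tok_demo_alice_0123456789: "alice",
  tok_demo_svc_9876543210: "billing-service",
};

// Compare every character so the time taken does not depend on where the first
// mismatch occurs. Length is still revealed, which is acceptable for fixed-length tokens.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function principalFor(token: string): string | undefined {
  let found: string | undefined;
  // Scan every entry instead of returning early so a valid token is not
  // distinguishable from an invalid one by lookup time.
  for (const stored of Object.keys(TOKENS)) {
    if (constantTimeEqual(stored, token)) found = TOKENS[stored];
  }
  return found;
}

function findRoute(req: GatewayRequest): Route | undefined {
  for (const r of ROUTES) {
    if (r.method === req.method && r.path === req.path) return r;
  }
  return undefined;
}

interface AuthDecision {
  status: number;
  principal?: string;
  reason: string;
}

// Runs before any handler. Only routes marked public:true bypass the check.
function enforceAuth(req: GatewayRequest): AuthDecision {
  const route = findRoute(req);
  if (!route) return { status: 404, reason: "no such route" };
  if (route.public === true) return { status: 200, reason: "public route" };
  const header = req.headers["authorization"] || "";
  if (header.indexOf("Bearer ") !== 0) return { status: 401, reason: "missing bearer token" };
  const principal = principalFor(header.slice("Bearer ".length));
  if (!principal) return { status: 401, reason: "invalid token" };
  return { status: 200, principal: principal, reason: "authenticated" };
}
```

The check for `/internal/report` is the one that matters: it was never given an auth policy of its own, and it is still rejected without a valid token because the default is deny.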
Rate Limiting and DDoS Protection
The 104% surge in Layer 7 DDoS? Edge-deployed rate limiting stops volumetric attacks before they reach your origin servers. Zuplo’s rate limiter runs across 300+ edge locations globally, which means an attack originating in São Paulo is blocked in São Paulo — not after it’s traveled to your us-east-1 deployment. Combined with automatic DDoS protection, this addresses both the application-layer floods and the broader DDoS campaigns the report highlights.
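The core of an edge rate limiter is a small per-identity counter evaluated before the request is forwarded. As an added example (not Zuplo's implementation), here is a token bucket with the checklist's suggested default of 100 requests per minute per user, keyed on the authenticated subject when there is one and on the client IP otherwise so that internal routes are covered too. Time is passed in explicitly rather than read from the clock, so the behaviour is deterministic; the header name `x-subject` and the request shape are assumptions.

```typescript
// Added example: per-identity token-bucket rate limiting as a gateway would apply it.
// Header name, request shape and sample identities are constructed for the demo.

interface Bucket {
  tokens: number;    // fractional tokens currently available
  updatedAt: number; // ms timestamp of the last refill
}

interface RateLimitResult {
  allowed: boolean;
  remaining: number;   // whole tokens left after this decision
  retryAfterMs: number; // 0 when allowed
}

class TokenBucketLimiter {
  private buckets: Record<string, Bucket> = {};

  // capacity requests are allowed per windowMs, refilled continuously.
  constructor(private readonly capacity: number, private readonly windowMs: number) {}

  check(identity: string, nowMs: number): RateLimitResult {
    let b = this.buckets[identity];
    if (!b) {
      b = { tokens: this.capacity, updatedAt: nowMs };
      this.buckets[identity] = b;
    }
    // Refill proportionally to elapsed time, never above capacity.
    const elapsed = Math.max(0, nowMs - b.updatedAt);
    b.tokens = Math.min(this.capacity, b.tokens + (elapsed * this.capacity) / this.windowMs);
    b.updatedAt = nowMs;

    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    // Time until one whole token is available again.
    const retryAfterMs = Math.ceil(((1 - b.tokens) * this.windowMs) / this.capacity);
    return { allowed: false, remaining: 0, retryAfterMs: retryAfterMs };
  }
}

interface LimitedRequest {
  headers: Record<string, string>;
  clientIp: string;
}

// Identity to limit on: the authenticated subject if present, else the client IP,
// so unauthenticated floods and abusive authenticated clients are both bounded.
function limitKey(req: LimitedRequest): string {
  const sub = req.headers["x-subject"];
  return sub ? "sub:" + sub : "ip:" + req.clientIp;
}

// Drive the limiter with a constructed burst of n requests at one instant and
// report how many got through.
function simulateBurst(limiter: TokenBucketLimiter, identity: string, n: number, nowMs: number): number {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check(identity, nowMs).allowed) allowed++;
  }
  return allowed;
}
```

Returning `retryAfterMs` lets the gateway emit a `Retry-After` header, which keeps well-behaved clients from retrying in a tight loop and adding to the flood. In a real multi-region deployment the bucket state lives in a shared store rather than in process memory.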
Request Validation
The 40% of exploited APIs with security misconfigurations? Many of those misconfigurations stem from accepting malformed or unexpected input. Request validation against your OpenAPI schema catches this automatically. If a request doesn’t match your documented API contract — wrong types, missing required fields, unexpected properties — it’s rejected with a clear error before your code ever sees it.
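Here is what that contract check does at the gateway, as an added example rather than Zuplo's validator: a small JSON-Schema-style check of a request body against an OpenAPI-like object schema that rejects wrong types, missing required fields and unexpected properties, and answers with a 400 before any handler runs. The `POST /v1/orders` contract and the sample bodies are constructed for the demo; a production gateway would use a full JSON Schema implementation driven by the OpenAPI document.

```typescript
// Added example: request-body validation against a constructed OpenAPI-style
// object schema, performed before the request reaches application code.

type JsonType = "string" | "number" | "integer" | "boolean" | "object";

interface PropertySchema {
  type: JsonType;
  maxLength?: number;
  minimum?: number;
}

interface ObjectSchema {
  type: "object";
  required: string[];
  properties: Record<string, PropertySchema>;
  additionalProperties: false; // anything not in the contract is rejected
}

// Constructed contract for POST /v1/orders.
const CREATE_ORDER: ObjectSchema = {
  type: "object",
  required: ["sku", "quantity"],
  properties: {
    sku: { type: "string", maxLength: 32 },
    quantity: { type: "integer", minimum: 1 },
    giftWrap: { type: "boolean" },
  },
  additionalProperties: false,
};

function typeMatches(value: unknown, t: JsonType): boolean {
  switch (t) {
    case "string":
      return typeof value === "string";
    case "number":
      return typeof value === "number" && isFinite(value);
    case "integer":
      return typeof value === "number" && isFinite(value) && Math.floor(value) === value;
    case "boolean":
      return typeof value === "boolean";
    case "object":
      return typeof value === "object" && value !== null && !Array.isArray(value);
    default:
      return false;
  }
}

// Returns every violation found; an empty list means the body matches the contract.
function validateBody(body: unknown, schema: ObjectSchema): string[] {
  if (!typeMatches(body, "object")) return ["body must be a JSON object"];
  const obj = body as Record<string, unknown>;
  const errors: string[] = [];
  for (const name of schema.required) {
    if (!(name in obj)) errors.push("missing required property: " + name);
  }
  for (const name of Object.keys(obj)) {
    const prop = schema.properties[name];
    const value = obj[name];
    if (!prop) {
      errors.push("unexpected property: " + name); // additionalProperties: false
      continue;
    }
    if (!typeMatches(value, prop.type)) {
      errors.push(name + ": expected " + prop.type);
      continue;
    }
    if (prop.maxLength !== undefined && (value as string).length > prop.maxLength) {
      errors.push(name + ": longer than " + prop.maxLength);
    }
    if (prop.minimum !== undefined && (value as number) < prop.minimum) {
      errors.push(name + ": below minimum " + prop.minimum);
    }
  }
  return errors;
}

// Gateway step: parse the raw body, validate it, and reject with 400 before the handler runs.
function admit(rawBody: string, schema: ObjectSchema): { status: number; errors: string[] } {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch (_err) {
    return { status: 400, errors: ["malformed JSON"] };
  }
  const errors = validateBody(parsed, schema);
  return { status: errors.length === 0 ? 200 : 400, errors: errors };
}
```

The `additionalProperties: false` line is the one that closes the classic mass-assignment hole: a body that smuggles in an extra `isAdmin: true` is refused at the edge instead of being handed to a handler that might bind it straight onto a model.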
WAF Protection
For enterprise deployments, Zuplo’s managed WAF adds another layer of defense, filtering out known attack patterns including SQL injection, XSS, and other common web vulnerabilities at the edge.
Want to see these protections in action? Start for free — authentication, rate limiting, and request validation take minutes to configure.
Your API Security Checklist for 2026
Based on the Akamai findings, here’s what every API team should be doing today:
- Enforce authentication on every endpoint. No exceptions, no “we’ll add auth later.” Use a gateway policy that applies authentication globally so new routes are secured by default.
- Set rate limits on every route. Not just your public endpoints — internal APIs get abused too. Start with reasonable defaults (e.g., 100 requests per minute per user) and adjust based on actual usage patterns.
- Validate request schemas. If you have an OpenAPI spec (and you should), use it to validate every incoming request. This eliminates an entire class of misconfigurations and injection attacks.
- Monitor for anomalous patterns. The shift toward behavior-based attacks (61% of API attacks in 2025) means you need observability beyond just “is this request authenticated?” Look for unusual access patterns, unexpected data volumes, and abnormal endpoint usage.
- Audit your API inventory. The report found that organizations average 3,000 APIs containing sensitive data. Do you know where all of yours are? Shadow APIs and zombie endpoints are easy targets.
- Treat vibe-coded APIs with extra scrutiny. If your team is using AI to generate API code, add gateway-level guardrails that catch the security gaps AI systematically misses. Authentication, rate limiting, and input validation should be enforced regardless of code quality.
The Bottom Line
Akamai’s report confirms what many of us already suspected: APIs are the most critical attack vector in 2026, and the problem is accelerating. The combination of AI-driven API proliferation, industrialized multi-vector attacks, and the security blind spots in AI-generated code has created a perfect storm.
The good news is that the most exploited vulnerabilities — misconfigurations, broken authorization, broken authentication — are exactly the kind of issues that a well-configured API gateway catches by design. When that gateway runs at the edge, you get the additional benefit of stopping attacks close to their source, before they consume your infrastructure resources.
If you’re looking to lock down your APIs without slowing down your team, check out Zuplo’s security policies — they take minutes to configure and deploy globally. You can start for free and have authentication, rate limiting, and request validation running in production before your next stand-up.