Your APIs Are Under Attack: The Onslaught Is Just Beginning

Summary
– Malicious traffic targeting APIs, web applications, and DDoS channels is increasing, with web and API attacks showing a clear upward trajectory from 2024 into 2025.
– API attacks are rising sharply, with the daily average per enterprise doubling from 121 in 2024 to 258 in 2025, and most organizations experiencing at least one API-related security incident.
– Attackers are shifting focus to behavior-based threats that exploit how applications function during normal use, while common API weaknesses remain tied to security misconfiguration and access control issues.
– Sensitive data exposure via APIs is a growing problem, exacerbated by organizations having uneven visibility into which of their thousands of APIs handle or return such data.
– DDoS attacks are multi-layered, targeting both network and application layers simultaneously, with botnets infecting IoT and Android devices to generate attack traffic, particularly against sectors like software and SaaS.
The digital landscape is witnessing an unprecedented surge in malicious traffic, with internet-facing systems enduring relentless assaults on APIs, web applications, and through distributed denial-of-service (DDoS) channels. Recent security analyses indicate this aggressive trend is not only sustained but accelerating, with projections showing increased activity across all these vectors through the coming year. The upward trajectory of web and API attacks solidifies their position as a dominant and pervasive threat to organizational security worldwide.
API security has moved from a niche concern to a routine operational challenge, with nearly every organization experiencing at least one related security incident annually. The volume of these attacks has more than doubled, reflecting how attackers are capitalizing on the explosive growth of API traffic. The focus has shifted subtly from pure data theft to manipulating application behavior. Modern threats increasingly scrutinize how requests flow through normal workflows and how systems respond, aiming to degrade performance, inflate infrastructure costs, and exploit automated processes at scale.
This behavioral targeting makes threats harder to detect, as requests can appear legitimate while still exploiting systemic weaknesses. The most common vulnerabilities continue to stem from security misconfigurations and flawed access controls, with issues in authorization and authentication appearing repeatedly in both vulnerability scans and real-world incident reports. The integration of automation and artificial intelligence by attackers has made these sophisticated campaigns cheaper, faster, and easily repeatable, posing a significant risk as businesses themselves invest heavily in AI-driven transformations.
A critical and growing concern is the exposure of sensitive data through APIs. Organizations routinely manage thousands of APIs that handle personal, financial, and proprietary information. A concerning portion of these interfaces contains security weaknesses, and the number of APIs inadvertently exposing sensitive data is on the rise. This trend mirrors the central role APIs play in connecting systems and facilitating data exchange. Compounding the problem is a widespread visibility gap; while many companies maintain an API inventory, far fewer can accurately identify which specific APIs return sensitive data, leaving critical information in systems that are not fully understood or secured.
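The visibility gap described above, knowing which of thousands of APIs actually return personal or financial data, is something a small response-sampling scan can start to close. The Python below is an added example and is not code from the article or from Help Net Security; the endpoint paths, the response bodies and the detector rules (value regexes with a Luhn check for card numbers, plus field-name hints) are constructed assumptions for illustration. It parses each sampled JSON body, tags the categories of sensitive data it finds, and builds an endpoint-to-category inventory.

```python
"""Added example: flag which sampled API endpoints return sensitive data.

Walks captured response bodies per endpoint (constructed samples below, not
real traffic), applies value-pattern detectors plus field-name hints, and
produces an inventory of endpoint -> data categories.
"""
import json
import re
from typing import Any

# Constructed sample responses keyed by hypothetical endpoint paths.
SAMPLE_RESPONSES: dict[str, list[str]] = {
    "GET /api/v1/users/{id}": [
        '{"id": 42, "email": "alice@example.com", "ssn": "123-45-6789"}',
        '{"id": 43, "email": "bob@example.com", "ssn": "987-65-4321"}',
    ],
    "GET /api/v1/orders/{id}": [
        '{"order_id": 17, "card_number": "4111 1111 1111 1111", "total": 19.99}',
    ],
    "POST /api/v1/login": [
        '{"access_token": "tok_example_abc123", "expires_in": 3600}',
    ],
    "GET /api/v1/health": ['{"status": "ok", "uptime_seconds": 1234567890}'],
    "GET /api/v1/products": ['[{"sku": "A-100", "price": 9.5}]'],
}

# Value-pattern detectors: category -> regex applied to string values.
VALUE_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^(?:\d[ -]?){13,19}$"),
}

# Field-name hints: key substrings that usually mark secrets or PII
# (heuristic; tune to your own schemas).
KEY_HINTS = {
    "token": "credential", "password": "credential", "secret": "credential",
    "ssn": "ssn", "card": "card", "email": "email",
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; filters out most random digit runs the card regex matches."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _walk(node: Any, key: str = ""):
    """Yield (key, scalar value) pairs from nested JSON, keeping the nearest key."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, k)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, key)
    else:
        yield key, node


def classify_body(body: str) -> set[str]:
    """Return the set of sensitive-data categories found in one response body."""
    found: set[str] = set()
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return found  # non-JSON bodies are out of scope for this example
    for key, value in _walk(parsed):
        lowered = key.lower()
        for hint, category in KEY_HINTS.items():
            if hint in lowered:
                found.add(category)
        if isinstance(value, str):
            for category, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    if category == "card" and not luhn_ok(value):
                        continue  # digit run that is not a plausible card number
                    found.add(category)
    return found


def build_inventory(samples: dict[str, list[str]]) -> dict[str, set[str]]:
    """Endpoint -> union of categories seen across its sampled responses."""
    return {endpoint: set().union(*(classify_body(b) for b in bodies))
            for endpoint, bodies in samples.items()}


if __name__ == "__main__":
    for endpoint, cats in sorted(build_inventory(SAMPLE_RESPONSES).items()):
        print(f"{endpoint:28} {sorted(cats) or '-'}")
```

In practice the sample bodies would come from a gateway or proxy capture rather than literals, and the output feeds the API inventory so that endpoints tagged with personal, financial or credential data get the authorization review and response-filtering checks first.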
DDoS campaigns have also evolved in complexity, now commonly spanning multiple layers of the network stack within a single operation. Attackers seamlessly blend Layer 3, Layer 4, and application-layer (Layer 7) traffic to overwhelm different parts of an organization’s infrastructure simultaneously. There has been a notable increase in Layer 7 attacks, which directly target application-facing systems and are more difficult to mitigate. This activity is often powered by expansive botnets, like Aisuru and Kimwolf, which compromise vast numbers of Internet of Things (IoT) and Android devices to generate attack traffic. Industries such as software and software-as-a-service (SaaS), which depend on continuous availability, face particularly sustained DDoS pressure across both network and application layers.
Simultaneously, web application attacks maintain a steady and threatening presence, with attack volumes growing consistently. Injection-based techniques, which manipulate application inputs to execute malicious code or access data, remain a staple in observed attack traffic. This activity is part of the routine background noise across countless digital environments. Regionally, the Asia-Pacific (APAC) area experiences intense pressure, enduring tens of billions of web and API attacks annually alongside significant multi-layered DDoS activity.
The overarching picture is clear: malicious activity is pervasive, sophisticated, and interconnected. Attack campaigns no longer respect boundaries between different types of systems or geographic regions. Application traffic, API calls, and network-layer assaults all operate within the same contested environment, demanding a unified and vigilant security posture from organizations aiming to protect their digital assets.
(Source: Help Net Security)