The API Security Crisis Exposed By Akamai's State Of The Internet Report
Tech Talks Daily · 2026-06-23 · 32 min
Substance score
44 / 100
Five dimensions, 20 points each
Richard Meeus from Akamai discusses the latest State of the Internet report findings on rising API attacks and DDoS threats in EMEA, revealing that behavioral attacks on APIs have shifted from 30% to 60% of attack vectors while layer 7 DDoS attacks have increased 104% over two years. The conversation highlights how attackers are combining multiple attack techniques in industrialized, scalable operations powered by AI and automation, while emphasizing that organizations must strengthen API security fundamentals and gain visibility into their API infrastructure.
Key takeaways
- Organizations are unaware of their actual API inventory - most have roughly 3,000 APIs containing sensitive data but lack visibility into where these APIs exist or what data they handle
- Behavioral attacks on APIs have flipped from 30% in 2024 to 60% in 2025, representing a shift toward more intelligent credential-based abuse targeting business logic rather than traditional web vulnerabilities
- Layer 7 DDoS attacks are increasingly used in combination with API and web application attacks as a distraction tactic, with a 104% increase over two years in EMEA
- Retail and manufacturing remain heavily targeted due to lower regulatory burdens, rapid release cycles that create security gaps, and seasonal revenue spikes that make them vulnerable to ransomware and DDoS extortion
- Organizations should focus on fundamentally strengthening existing security tools and controls (rate limiting, access rights, anomaly detection) rather than chasing new AI-specific point solutions
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
The episode contains a handful of genuinely useful data points - especially the 70/30 to 40/60 flip in API attack types and the 3,000 sensitive-data APIs figure - but these are diluted by extended filler, generic 'focus on fundamentals' advice, and a rambling intro/outro that consumes significant airtime. The ratio of novel claims to padding is roughly 25/75.
if we look in 2024 the split between sort of traditional web based attack...against APIs...was about a 70, 30 split...when we look at it last year it's been flipped to 40, 60. So now 60% of all the attacks are behavioral based
Most organizations for example have about 3,000 APIs that have sensitive data
Originality
The behavioral-vs-traditional attack split inversion is a legitimately interesting framing, and the 'chatbots want to help too much' angle on prompt injection is accessible, but the overwhelming message is vendor-standard: focus on fundamentals, AI industrialises attacks, visibility matters. No contrarian or first-principles arguments appear.
now 60% of all the attacks are behavioral based. This is being more intelligent, this is logging in as a legitimate user, but being able to abuse the business logic
AI models. The chat bot wants to help. It really, really wants to help.
Guest Caliber
Richard Meeus works in Akamai's security strategy team and has direct access to one of the world's largest traffic telemetry datasets, giving his numbers genuine credibility. However, his role appears to be customer-facing strategy and sales enablement rather than hands-on research or operational CISO experience, limiting the depth of practitioner insight.
my focus, um, in EMEA in this region, is to work with our, uh, customers and work with our partners, um, ensuring that they are best prepared for all the cybersecurity challenges
because we see so much traffic, um, at Akamai, um, we sort of slice and dice all of this telemetry, uh, on a regular, every couple of months into various different focus points
Specificity & Evidence
The episode cites concrete percentage figures (113% attack increase, 104% Layer 7 DDoS rise, 70/30 to 40/60 shift, 69% EMEA uplift, 15.5 billion retail attempts), names specific threat actors, and references OWASP attack categories. The weakness is that all numbers originate from Akamai's own report with no independent corroboration and no named customer case studies.
over the last two years we saw the, the layer seven DDoS attacks increase by 104%
NoName057(16). They've been active since 2022 and has sort of affiliations...as true to Russia. Along with the CARR, which is the Cyber Army of Russia Reborn
Conversational Craft
The host's questions are consistently leading, vague, or compound ('what is driving this...and what's changed?'), and there is zero pushback or productive disagreement throughout the entire episode. The lengthy promotional intro, mid-roll ad read, and extended solo outro further undercut the conversational quality, leaving the guest largely free to deliver on-message vendor talking points.
And for leaders listening today who are probably investing heavily in AI and digital transformation of everything is a single most important step that you think they should take
why have APIs suddenly become such an attractive target for attackers? Or have they always been?
Conversation analysis
Computed from the transcript - who did the talking, and the verbal tics along the way.
Share of words spoken
- Speaker A: 67%
- Speaker B: 33%
Episode notes
How prepared are businesses for a new wave of attacks targeting the apps, APIs, and AI systems now powering digital growth? In this episode, I speak with Richard Meeus from Akamai Technologies about the latest findings from Akamai's State of the Internet report, with a focus on apps, APIs, and DDoS activity across EMEA. Richard explains why APIs have become such an attractive target for attackers, especially as AI adoption accelerates. We discuss the sharp rise in API abuse, the growing use of automation to industrialize attacks, and why many organizations still lack visibility into the APIs exposing sensitive data. We also examine the rise in layer 7 DDoS attacks, how attackers are combining multiple techniques to distract defenders, and why sectors such as retail and manufacturing are facing growing pressure. Richard also shares his view on the geopolitical forces shaping DDoS activity and why hacktivist groups continue to use these attacks as a public statement. Another major theme is the security risk around AI chatbots.
Full transcript
32 min · Transcribed and scored by The B2B Podcast Index.
Speaker B: Transformation is not the model itself, but the APIs, the apps and infrastructure that is quietly sitting underneath it all. Well, today I'm going to be joined by Richard Meeus from Akamai. And this is a conversation that gets right into the heart of a challenge that many leaders are only just beginning to fully appreciate. Because, yes, we have heard a lot around AI opportunity, productivity and investment. But as organizations push harder into digital transformation, attackers are all following the same trail. And in many cases, they're heading straight for the APIs that are powering it all. And I think what makes this discussion so valuable is that it takes the latest Akamai State of the Internet report and turns a sea of big numbers into something much more practical. We will talk about why web attacks across EMEA have reached a two year high, why APIs have moved from being the overlooked plumbing to a primary attack surface, and how attackers are combining techniques in ways that feel much more systematic, scalable, and, um, business focused than we've seen before. And I also want to learn about what this means for organizations that are trying to keep pace without losing sight of the basics. Because AI is absolutely changing the speed and scale of attacks. But Richard will make a strong case that this is not a moment to panic or throw everything out. It's just a moment to strengthen the fundamentals and make sure the tools you already depend on are ready for the world that you're stepping into. So if you want a conversation that, uh, cuts through the noise, makes sense of what cyber risk is really heading or where it is heading this year, this one's packed with some pretty big takeaways. But enough from me. Let me introduce you to my guest right now. So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do?
Speaker A: Thanks very much, Neil. So, yeah, my name is, uh, Richard Meeus, and I work in the security strategy team at Akamai Technologies. And my focus, um, in EMEA in this region, is to work with our, uh, customers and work with our partners, um, ensuring that they are best prepared for all the cybersecurity challenges that they are going to experience now and into the future. Um. And that's done through sort of the Akamai suite of solutions. We've been basically delivering and protecting the Internet for over 25 years now. Um, and we have a suite of products that helps to ensure that customers are protected, their users are protected, their websites, their apps, the APIs, the customers of our customers are protected from a credential abuse and things like that, and also the internal IT, uh, within their organizations. So we've been working together and what it allows us to do is to generate large amounts of data and telemetry, um, which we put into what we call a State of the Internet report. And, uh, this is what we want to talk about today.
Speaker B: Awesome. It's a pleasure to have you join me. I've had quite a few people from Akamai on the show over the years, and I know it's a huge organization, but I think the one that stands out is Dr. Robert Blumofe.
Speaker A: Oh, Bobby Blumofe. Yes. Bobby Blumofe is legendary within, uh, the industry and within the company. Ah, Dr. Blumofe is a, uh, much a luminary. Uh, his talks and his presentations are always, uh, illuminating. Every time I have a chance to talk to Bobby, I learn something new.
Speaker B: Yeah, he's an incredibly cool guy. And one of the reasons I was excited to get you on today is after reading the latest Akamai State of the Internet report for, uh, this year, especially around apps and APIs and DDoS. I think it highlights a sharp rise in web attacks across EMEA. So what is driving this latest surge and what's changed?
Speaker A: Just to give you some context, at the State of the Internet report, we do this every couple of months. And because we see so much traffic, um, at Akamai, um, we sort of slice and dice all of this telemetry, uh, on a regular, every couple of months into various different focus points. So sometimes we do it by vertical, uh, so publishing, or it might be for, uh, gambling or for financial services. And sometimes we do by attack Times or maybe DDoS. Ah, and this time we're sort of focusing on apps, APIs and DDoS, um, mainly around sort of what was happening in 2025. Um, and this focus was quite interesting. We look at it on a global scale and then we sort of zero in onto various regions. LATAM, North America, EMEA and APJ. Um, and we saw a steady increase throughout 2025 within EMEA and then a bit of a spike in Q4, which was surprising. Um, and a lot of it, yes, AI is definitely involved there. It's industrializing the attacks. It's making them faster, cheaper, more scalable. And that's due to a combination of automation and AI. We've also seen, um, a big increase in attacks specifically against APIs. And this sort of contributes to that sort of large sort of up ramp that we were seeing sort of a 113% increase on sort of attacks per company over the course of that year. Um, so I think it's a combination of a new attack vector or more focused attacks on APIs and AI helping to industrialize the attacks.
Speaker B: Every person listening from every organization should know all about APIs. They are the connective tissue of the modern digital economy and I think everybody relies on them. APIs are now being described as the primary attack surface. Uh, especially as AI adoption accelerates. We probably assume that that is going to continue as well. So why have APIs suddenly become such an attractive target for attackers? Or have they always been?
Speaker A: I think that APIs have sort of steadily increased in usage, uh, over the last few years. But the, the increase in uses was not matched by the increase in security focus and awareness upon them. So even though they um, increased in usage and effectiveness, uh, the security didn't follow it. Um, and especially now with AI, because we have to talk about AI, it impacts us all. Behind all AI is an API endpoint. And this becomes increasingly important. I mean APIs were unloved, but in the security sense to a massive degree anyway. Now we've put AI on top of it, so the security focus is even more concentrated. Uh, we need to really start looking at how we utilize our APIs. The visibility aspect is huge. Most organizations do not know how many APIs they have. Most organizations do not know how many APIs are doing, have sensitive data in them. And then when you layer on top of that that you're going to have AI in front of that going to do all manner of things with uh, through those APIs, you begin to lose visibility about exactly what's happening. Most organizations for example have about 3,000 APIs that have sensitive data. But if you ask many organizations, they wouldn't have that visibility into that. They don't know where those APIs are. And there's been a big shift in the way that attackers are going after APIs. So if we look in 2024 the split between sort of traditional web based attack, the SQL injection attacks, those sort of things against APIs, uh, against behavioral attacks as in the ones where they are logging in and actually just uh, abusing the business logic was about a 70, 30 split. 70% on the traditional sort of web based attacks that you'd associate those were going against the APIs, 30% against behavioral, when we look at it last year it's been flipped to 40, 60. So now 60% of all the attacks are behavioral based. 
This is being more intelligent, this is logging in as a legitimate user, but being able to abuse the business logic to be able to scrape data, to get personal data, uh, to get thousands of records through common attack vectors such as BOLA and BOPLA, which are uh, acronyms that have been created through the OWASP Foundation. When they're describing how um, the combat attacks happen 60% now as opposed to 30% in 2024. So I think this has been a big shift uh, in the way that APIs are being abused.
Speaker B: Wow, so many big figures there. And the report also suggests that attackers are now industrializing their methods, turning attacks into scalable and repeatable operations. But for people listening, what does that look like in practice? How should their organization rethink their ah, defenses as a result? You maybe bring it to life with an example of what that looks like.
Speaker A: Yeah, I think it's not necessarily about rethinking, it's about evolving. AI is helping to industrialize, automation is helping to industrialize. And um, this means that layer 3, layer 4, layer 7 DDoS plus DNS attacks plus API attacks plus the traditional web attacks are being used um, as sort of a homogeneous attack vector. So they're being used together. So rather than being individual where it was just a volumetric DDoS attack or it was just a layer 7 DDoS attack, they're now being used in combination and automation. AI are ah, helping to wrap this up nicely to be able to try and get around traditional defenses. Uh, but organizations still need to go back to fundamentals. The fundamental tools still need to be there. We don't want to be chasing just an AI point product solution to protect against a specific element. We still need to get the fundamentals right about our access rights, our rate controls, how abuse uh, is being managed. We know that AI is going to be forced multiplier so we need to use uh, a better understanding of what our assets are. We need to be using things like behavioral analytics, anomaly detection and automated mitigation to help uh, sort of uh, strengthen our defensive. But we don't want to sort of throw existing everything out what we've already done. We just need to make what we have better, stronger, faster. The sort of six million dollar man analogy of being able to leverage AI into our traditional defenses and really get the most out of those because if we omit the fundamentals of what we've been trying to do, we will create gaps.
Speaker B: Now we're also seeing layer 7 DDoS attacks rise dramatically alongside API abuse as well. So how are uh, attackers combining some of these techniques? And why is this combination proving so effective as well?
Speaker A: Layer 7 DDoS is quite interesting that evolves in various different regions. We've seen layer seven DDoS being phenomenally popular, uh, over in APJ for example, then that's in Asia Pacific and that's been very common for, for a number of years. We're now seeing increases of it um, in EMEA as well. And over the last two years we saw the, the layer seven DDoS attacks increase by 104%. Um, and I think there's the various reasons behind this one. There is the uh, proliferation of ransomware of DDoS as a service. Um, so we've had the legacy sort of uh, Mirai botnet that has evolved over the years. So we now have Turbo and Mirai and these tools are available to many organizations to launch these um, layer seven DDoS attacks. But what's quite interestingly is that they are sort of seen in conjunction with other attack vectors. So one of the things that layer 7 DDoS attacks do is that they can be quite subtle, they can be under the radar, they can be used in a way to basically increase cost, uh, so you can get things like performance degradation, cost spikes, uh, and consequently much harder to spot. You don't realize that you're being attacked until you sort of see your cloud bill at the end of the month. But what we're also seeing now is ah, a sort of rehash of what was happening till 10 years ago where DDoS was used to um, basically provide us a blanket attack, create a lot of noise while somebody would then go and abuse uh, a uh, SQL injection query or something like that, or try and get in through an unpatched VPN. Um, we're seeing sort of similar sort of stuff now with layer seven, where layer seven is used to um, launch attacks to distract organizations so they can also do ah, additional API and um, web application attacks.
Speaker B: I'd like to thank denodo for supporting the Tech Talks network and helping us bring so many different stories to life. Because every business needs data that its teams can actually trust. So if you need data your teams can trust, denodo can help your organization deliver curated, governed and easy to use data products for analysts, business users and AI applications alike. And you can learn more by simply visiting denodo.com and I suspect we will have a few people listening from organizations that still treat application security and API security as completely separate challenges. And I'm curious, does this create risks and how should leaders maybe think about bringing these strategies together?
Speaker A: I think because API security and application security evolved at different timelines, sort of application security sort of had a 10 year head start on it. Um, and everybody sort of assumed that what we were doing, APIs was like naturally covered by what we were doing with the web. Um, but it wasn't, it got left behind. Um, and the way that we were looking at API security as a whole was dramatically behind what we were doing with the web. Unfortunately the attackers realized this, uh, and they're fully tooled up, but everybody else, all the defenders were like 10 years behind. So we have to sort of realize that the attack surface for APIs is a lot larger than it is for websites. As we sort of mentioned earlier, most organizations will tell you how many websites they've got, they won't tell you how many public facing APIs they've got or even internal APIs, uh, or which ones are facing uh, have um, uh, hosting personal data. 3000 APIs a traditional organization have personal data. So organizations do have this sort uh, of gap where the APIs have a larger attack surface but they're not protected and they don't have the visibility around that. So we need to have a uh, more comprehensive view. We need to be treating APIs as basically the gateway to the organization and there's more information that's passed back through the APIs than it is through the website. We need to get that visibility and that control authentication and the authorization through the APIs to ensure that they are locked down and we have that control and visibility across them.
Speaker B: And the data also shows that some sectors like retail and manufacturing are particularly being heavily targeted too. So what is it that makes these industries so vulnerable and what lessons can maybe other industries learn from what's happening there?
Speaker A: I think retail and manufacturing have always been targeted heavily, especially retail. Um, people want stuff for free. So that's a common thing we've always seen sort of, especially around sort of commerce. Uh, so they're always being attacked to see what uh, what they can get out of that. I think also with manufacturing and retail there is, there isn't the same sort of levels or burden of regulation that you get in other um, industries such as financial services, uh, or in sort of critical national infrastructure. And therefore there's um, less focus on being able to provide the financial services, financial ability to put the controls in place. Um, so I think there's always an element of that. There's also with especially retail there's a rush, there's a need to get new products to market very quickly. There's always, and this is where things like APIs in the past and AI have become fantastically useful in creating the ability to deliver new websites, new services, new functions very, very quickly. Um, but this speed and this pace that is intrinsic within things like retail, um, creates a challenge for security, for security to keep up. Um, they're also very aware that things like retail, uh, especially is that they have certain times of year when they are especially vulnerable because they generate huge amounts of revenue at certain times of the year and trying to target them at those specific times of the year means that they are especially sort of vulnerable to ransomware attacks and DDoS attacks that can be used uh, to uh, and force leverage, for example.
Speaker B: There's also a huge geopolitical element in DDoS activity right now, especially across EMEA. And I'm curious, how are global events influencing attack patterns and anything else that businesses should be watching for this year? Because it feels that there's a lot of uncertainty out there and a lot of different attacks coming in.
Speaker A: Yes. So uh, DDoS has always been an interesting attack vector. Um, and as opposed to uh, like a web application attack or an API attack or somebody trying to gain access through uh, an unpatched VPN gateway, a DDoS attack is generally quite public. You know, it really is the equivalent of smashing in the um, front door or coming into your main business and smashing the plate glass windows in the front. It's an obvious statement and hence it's commonly used by um, the hacktivist as opposed to the cyber criminal who just wants to cash. DDoS is used by the hacktivist. These are the organizations that want to make a political statement that want to maybe echo kinetic activity with cyber activity. So um, for example we see a lot of activity, um, from people like NoName057(16). They've been active since 2022 and has sort of affiliations, um, or they have the same sort of affiliations as true to Russia. Along with the CARR, which is the Cyber Army of Russia Reborn, a lot of activity around those, which is sort of um, driven up from what happened in 2022 and the invasion of Ukraine. Do we see a lot of sort of um, cyber activity that follows that kinetic activity? We've also seen obviously lots of activity recently this year as well because of the increased activity around uh, what's been happening in Iran as well. And therefore there's been a corresponding amount of activity from pro Iranian groups as well. Uh, and this is, this is nothing new. This has always happened when anybody has a, either a following of a kinetic, uh, following a kinetic battle or there is somebody who has a political disagreement with certain organizations. If you want to go back to 2012, for example, when we had WikiLeaks, there was a lot of DDoS activity then that was just because of somebody having a disagreement and uh, a different opinion. And therefore the ability to do DDoS is a very public way of trying to destabilize, to get an opinion across at large. 
And they can impact thousands or millions of people within a certain geographical, uh, area.
Speaker B: And for leaders listening today who are probably investing heavily in AI and digital transformation of everything is a single most important step that you think they should take to maybe better secure their infrastructure that is underpinning their growth. Because everyone's going so fast at the moment and implementing so many different things. We've got agentic, AI agents, et cetera as well. Any, uh, important steps that you would advise listeners to think about?
Speaker A: Focus on the fundamentals. The tech that underpins all of this is still the same tech. It works an awful lot faster, uh, it's an awful lot more intelligent. But the basic fundamentals are still the same. We're still working with those core concepts. We just need to energize them. We need to give them, uh, more visibility and more control. But the fundamentals still exist and we shouldn't ignore that and just sort of go after sort of shiny new tools. We need to focus on the fundamentals. Um, but that means giving them more power, more visibility, more control. Ah. And that means, yeah, we need to use AI to look at all the logs that we have. We need to use AI to find new variations of SQL Injection attacks. We need to use, um, AI to understand, say, to help with our proactive testing. Um, but we also need visibility inside our states to understand where shadow AI is using. And therefore consequently, maybe we've got shadow APIs that are being spun up, you know, to, maybe people are running things like multbolt inside our organization and there could be an inherent risk through that. So understanding all of the new tools that are being brought in to visibility, it comes down to and proactive testing.
Speaker B: And before I let you go, there's a lot of hype at the moment around AI chatbots and agents, etc. So any risks that AI chatbots could introduce as targets for things like social engineering and anything organizations listening should be doing to maybe adapt their controls to ensure that they stay secure. It feels like a big talking point at the moment. I'm curious if you have any thoughts on that?
Speaker A: Yeah, chatbots are, uh, um, most organized. Most people's sort of traditional Interaction with AI is through a chatbot. Um, and we do that through the frontier models, you know, the, the chat GPTs and the anthropics and all those sort of things with Geminis, Um, but also when you're talking to an organization, um, you go onto their web page, chances are they'll have a little icon, bottom right hand corner where you're going to start talking to them. It used to be a very hierarchical model on somebody's website, on their support website, you know, how can I help you today? And it was very normally hierarchical and after three clicks you'd normally ended up speaking to a human being because the hierarchy didn't work. Um, now with AI, it's got access to all of those previous support queries and it's able to give you a lot more information. And that is fantastic. It's a huge boom for organizations to be able to service their customers far more effectively. But the point, the problem is, is that AI models. The chat bot wants to help. It really, really wants to help. And if, I'm sure if you ever use, uh, you know, a common chat bot and when you ask a question, you very rarely get a succinct answer. Normally you get quite a verbose answer because it wants to help, it wants to give you as much information as possible that these things you need. Um, and this is one of the things that AI models can be abused and those chatbots can be abused because they want to be overly helpful. It can be quite easy to get them to give you more than you need. And it can be quite easy to get them to give you more data than is required to divulge information that is specifically being told not not to because it really wants to help you. And there's lots of things called prompt injection and prompt engineering now where it allows you to type in various commands, type in various controls to get information out of it, you know, to get information. 
So if you're a commerce organization, it may be able to give you discount codes, um, it may be able to give you passwords for, for particular, particular products and services that are, that are, for the root passwords and things like that. Maybe it's able to give you, um, specific banking information for another person because it's trying to be helpful. And one of the things I think organizations are missing out on the moment is that when they're deploying chatbots is what controls are they putting around that? Do they really know what's happening in that conversation flow, what questions are being asked of their chatbots and what Information is being provided by your platform, out by the chatbots to the public.
Speaker B: And we have focused today a lot on risks, attack vectors, et cetera and things that organizations can do. But there is also a lot of good news out there. Many teams are adopting a more proactive than reactive approach now. And I'm curious, when you read through the report and there was a lot of familiar things in there I would imagine. Was there anything that made you very optimistic about where we're heading and attitudes towards this stuff now?
Speaker A: Um, I think, I think one of the things is that we tend to hear a lot about uh AI is going to make a lot of weaponization, um, and automation and I think that's definitely going to be a situation. But I also think that AI can be used um, very effectively in um, helping our traditional defenses, um, and galvanizing them and giving them more power, more visibility, more control, uh, and also to do things like proactive testing, you know, things where it would take months to do. Uh, effective testing can now be done in hours. So we're going to get better visibility and better uh, control to our states through leveraging tools like AI.
Speaker B: Awesome. Well, thank you so much for sitting down with me today. I will include a link in the show notes to the Apps, APIs and DDoS State of the Internet report. I encourage people listening to check that out. I'll also include a link to your LinkedIn if people want to reach you anywhere else. You'd like me to point everyone?
Speaker A: Um, I think the uh, akamai.com uh security is a very good repository. Also do check out the um akamai.com blog where we do lots of very um, focused uh reports. We're doing a lot of reviews on um, specific uh, application based attacks. We do a lot of stuff on internal based attacks, internal vulnerabilities. Uh, we do a lot of assessments on patch Tuesdays for example and give a bit more detail on that. Um, so there's lots of really rich data within that as well. So uh, do encourage you to visit the blog on a regular basis.
Speaker B: Yeah, I mean there were so many big stats in that report you mentioned today. EMEA as a region averaging 69% more attack attempts than the last seven quarters, uh in I think that was in 20, towards the end of 2025 retailers subject to 15.5 billion web attack attempts. But there is so much positivity in there. I'd urge everyone listening to check out the links and learn more about anything we talked about. And please also feedback to me anything that you're seeing out there. I'd love to hear from you, but more than anything, Richard, thank you for sitting down with me today and bringing all these insights to life. Really appreciate your time.
Speaker A: Thank you very much indeed, Neil. It's been great to be here.
Speaker B: One of the things I'll be taking away is just how often the biggest risk comes from the things that organizations are relying on the most. And APIs are a great example of that. They sit behind modern services, power digital experiences, connect systems, and increasingly support AI. But because they are often treated as almost a background infrastructure, many organizations simply haven't given the same level of attention, visibility or protection as they do the front end applications everyone can see. And attackers. Well, they've clearly noticed this. And I think Richard made an important point when he said that this is about evolution, not ripping everything out, starting again. Because there is always a temptation in tech to believe the latest threat demands a completely new answer. But in reality, it's the fundamentals that, uh, matter more than ever. Visibility still matters, good authentication and testing still matters. And the difference now is that all of those things need to operate with more speed, context, and a better understanding of how modern attacks actually behave. And yep, there is the chatbot piece, which I think will resonate with a lot of people at the moment. And these tools are designed to be helpful, sometimes a little too helpful. And that creates a whole new set of questions around prompt injection, data leakage, and control. And I think it's another reminder that every shiny new interface also opens a new door and somebody out there is already checking whether it's locked. And at the exact same time, um, there's also optimism in this conversation too, because AI is not just helping attackers move faster, it's also giving defenders better ways to analyze, test, detect, and respond. And that matters. And it means that this is not a story about technology running away from us. It's more a story about whether organizations can use it wisely enough to keep up. So I'd love to hear your thoughts on this one. 
As your business races to build with AI, are, uh, enough of your teams paying attention to the APIs and infrastructure beneath the surface, or are too many still focused on the shiny front end while the real exposure sits quietly in the background? As always, let me know. Tech talks, network.com love to hear from you on this one and we'll keep this conversation going, but yeah, we're out of time already. I'll be back again tomorrow with another guest. Hope you enjoyed today's as much as I did and I'll speak to you again tomorrow. Remember, please check out Tech Talks Network and the event page. I've got back to back events up until June and if I can meet any of you while I'm on the road, I'd love to do that too. But hopefully I will speak with you either on the show floor or into your ears tomorrow morning. Bye for now.