APIS are now described as the dominant attack surface for global organisations, with 87% registering a related security incident last year, according to Akamai. Now in its 12th year, the State of the Internet (SOTI) report analysed Akamai’s own data and found the average number of API attacks per organisation in 2025 was 258, up 113% from 121 in 2024.
The study also showed that 61% of API attacks last year involved unauthorized workflows and abnormal activity, up from 30% in 2024, signalling a shift from traditional web-based to behaviour-based attacks. Among the OWASP Top API Security Risks, security misconfigurations (40%), broken object property level authorisation (35%) and broken authentication (19%) were the most frequently exploited vulnerabilities.
The report noted that an average of 3000 APIs per customer contained sensitive data last year, with 12% showing security weaknesses and 24% of those issues related to sensitive data exposure.