Akamai bolsters API security offering
By Chris Tredger, Technology Portals editor, ITWeb
Johannesburg, 14 Apr 2026
API or Application Programming Interface is a critical component within digital ...
API Attacks Up 113% as Akamai Expands Security Platform
Akamai has released its 2026 State of the Internet report showing a massive shift in the threat landscape toward API-focused attacks. The average number of API attacks per organization hit 258 per day in 2025, up 113% from 121 in 2024. A full 87% of global organizations reported at least one API security incident last year.
The data shows a clear trend away from traditional web-based attacks toward behavior-based exploitation. Some 61% of API attacks last year involved unauthorized workflows and abnormal activity, up from 30% in 2024. Attackers are no longer just hammering endpoints. They are learning how APIs behave and exploiting the logic itself.
Agentic AI Makes It Worse
The report highlights how agentic AI is amplifying the risk. An average of 3,000 APIs per customer contained sensitive data last year, with 12% showing security weaknesses. A quarter of those issues related to sensitive data exposure. As AI systems depend heavily on APIs for integration and data exchange, the volume of sensitive information flowing through these interfaces is growing fast.
"Since AI depends on APIs for integration and data exchange, the volume of sensitive information traversing these interfaces has increased exponentially," the report states. "Securing AI truly starts with securing APIs."
Blended Attacks on the Rise
Akamai also flagged growth in coordinated attacks that blend API abuse, web application attacks, and Layer 7 DDoS activity. Web app attacks surged 73% between 2023 and 2025, while Layer 7 DDoS attacks increased 104% over three years. DDoS-for-hire services and AI-enabled attack scripts are making these combined campaigns cheap, repeatable, and fast.
WAFplanet Take
The numbers here are not surprising, but they are stark. APIs are the dominant attack surface now, and most organizations are not treating them that way. Traditional WAF deployments that only inspect web traffic are missing the biggest threat vector.
Akamai is pushing its integrated platform approach, and they have a point. Treating DDoS mitigation, WAF, API security, and bot prevention as separate tools creates gaps that attackers exploit. Solutions like Cloudflare, Imperva, and F5 are also converging on this integrated model.
If your WAF does not inspect API traffic, you have a blind spot that grows every time you deploy a new microservice or AI integration. The 113% attack growth is not slowing down. Check how your current provider handles API security and compare options on WAFplanet.