State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain

The web application security landscape in early 2025 reflects unprecedented complexity and sophistication in threat vectors. Organizations are confronting a marked increase in attacks that target web applications — Akamai observed more than 311 billion web application and API attacks in 2024 alone, representing a 33% year-over-year increase. This surge correlates directly with the accelerated adoption of cloud services, microservices architectures, and artificial intelligence (AI)–powered applications. Geopolitical factors have further intensified this landscape, with the high technology, commerce, and social media industries experiencing the most significant volume of Layer 7 (application-layer) distributed denial-of-service (DDoS) attacks. Notably, threat actors are now deploying AI-generated kill chains that automate the entire attack lifecycle.

Concurrently, APIs have emerged as primary targets, with Akamai documenting more than 150 billion API attacks from January 2023 through December 2024. The integration of AI-driven software as a service (SaaS) tools with core platforms via APIs has substantially expanded the attack surface. The financial implications are severe — API security issues currently cost organizations approximately US$87 billion annually, and projections indicate that this figure could exceed US$100 billion by 2026 without adequate intervention. Shadow and zombie APIs present particularly vulnerable attack vectors within increasingly complex API ecosystems.