SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their views. Here we discuss what to expect in APIs.
APIs are easy to develop, simple to implement, and frequently attacked. They are prime and lucrative targets for cybercriminals.
If this is the connected world, it is APIs that provide the connection points. Application programming interfaces allow different applications to share and reuse data. Since both connecting and sharing are increasing, so too is the use of APIs.
They have massively increased the attack surface. As this surface grows, so do the attacks. The number of breaches involving the misuse and abuse of APIs has increased dramatically over the last few years. The question now is whether it will continue growing in 2025.
The majority view is that successful API-related compromises will grow through 2025. There are several factors contributing to this conclusion, but primarily, API usage is still expanding, the complexity of the API ecosphere is increasing, the data that can be accessed is growing, and attackers’ capabilities are improving. But API security remains piecemeal, poor, and sometimes non-existent.
“As enterprises accelerate their adoption of SaaS applications, APIs will remain a prime attack vector. In 2025, we anticipate a surge in attacks targeting third-party SaaS API endpoints, especially as organizations increasingly rely on SaaS platforms and adopt innovative AI solutions,” comments Yoni Shohet, CEO and co-founder at Valence Security.
He adds, “The rapid adoption of AI-driven SaaS tools – often integrated with core SaaS platforms such as Google Workspace, Microsoft 365, Salesforce, and others via APIs – further compounds the issue. These tools are data-intensive and require broad privileges to operate effectively, creating an expanded attack surface.”
Brandyn Fisher, senior manager of cybersecurity at Centric Consulting, also notes, “We’re seeing more IoT devices and cloud systems communicating via APIs, and with low-code/no-code solutions, anyone can build an API. The problem is they’re often built insecurely, without proper testing, and people mistakenly think obscurity provides security.”
Krishna Vishnubhotla, VP of product strategy at Zimperium, adds mobile apps to the menu. They differ from web apps and are largely outside of the organization’s perimeter and control. “So,” he says, “while the APIs might be the same, how they get abused and exploited on mobile is significantly different. Unfortunately, most organizations don’t account for these client-side attacks on mobile apps and fall victim to breaches and network infiltration.”
And then there’s the tangle of third party APIs used by chatbots to access external data. SaaS and web apps, IoT and cloud, and increasing use of mobile apps and chatbots lead to a complex API ecosphere – and in cyber, complexity breeds weaknesses. These weaknesses are exacerbated by an apparently continuing nonchalance toward API security, and the improving attack techniques of the adversary.
![James Sherlow, systems engineering director of EMEA at Cequence Security](https://www.securityweek.com/wp-content/uploads/2025/01/James_Sherlow_Cequence_Security.jpg)
APIs are easily written, often with low-code / no-code tools. They are often considered by the developer as unimportant in comparison to the apps they connect, and probably protected by the tools that protect the apps. Bad call. “API attacks will increase in 2025 due to this over-reliance on existing application security and API management tools, but also due to organizations dragging their heels when it comes to protecting APIs,” says James Sherlow, systems engineering director of EMEA at Cequence Security. “While there was plenty of motivation to roll out APIs to stand up new services and support revenue streams, the same incentives are not there when it comes to protecting them.”
Meanwhile, attackers are becoming increasingly sophisticated in their attacks. “In contrast, threat actors are not resting on their laurels,” he continued. “It’s now not uncommon for them to use multi-faceted attacks that seek to evade detection and then dodge and feint when the attack is blocked, all the time waiting until the last minute to target their end goal.”
In short, he says, “It’s not until the business is breached that it wakes up to the fact that API protection and application protection are not one and the same thing. Web Application Firewalls, Content Delivery Networks, and API Gateways do not adequately protect APIs.”
Uri Dorot, senior solutions lead at Radware, adds, “Understaffed teams are no match for the gen-AI tools and sophisticated bots that enable hackers to easily expose API vulnerabilities and develop scripts that can abuse the application’s business logic.”
And always, in the background, is the growing influence of gen-AI on almost every facet of modern cyber. Organizations will increasingly integrate gen-AI technologies into their processes during 2025. “Organizations will start to deploy their initial batch of LLM-based AI applications featuring heavily LLM-driven AI Agents. These AI agents communicate using APIs,” says Lebin Cheng, VP of API security at Imperva.
“We know this will happen,” adds Sherlow. “When it does, it will be APIs that share results with the AI and feed it more input.”
Gen-AI is expanding the API attack surface – and where the surface expands, the attackers will follow. “Adoption of LLM based applications and custom components, such as LLM agents, will start to proliferate at speed in 2025, leading to an explosion of application programming interfaces (APIs)” continues Cheng. “As the agentic AI wave takes hold, API traffic will undoubtedly increase – becoming an even greater threat to an organization’s sensitive data and driving a greater need for API observability.”
The irony is that attackers will use gen-AI to exploit APIs and steal data that enterprise use of AI has itself made available. “The advance in AI/LLM technology,” adds Cheng, “also gives sophisticated bad actors a powerful tool in their attempt to analyze exposed APIs for vulnerabilities such as Broken Object Level Authorization [#1 in the OWASP Top 10 API Security Risks].”
![Ivan Novikov, CEO at Wallarm](https://www.securityweek.com/wp-content/uploads/2025/01/Ivan_Novikov_Wallarm.png)
But it gets worse. “Attackers will harness AI-generated kill chains that begin with AI-discovered vulnerabilities. These advanced tools won’t just find bugs; they’ll automatically generate exploits and payloads designed to employ new techniques that are both stealthy and highly impactful,” says Ivan Novikov, CEO at Wallarm. “This means that the entire attack process – from discovery to exploitation – can be automated, making attacks faster and more difficult to detect.”
AI, a new technology for most companies, will multiply the attackers’ targets and improve the armory they use against them.
APIs provide an excellent example of the proactive / reactive seesaw between attackers and defenders. Adoption grew fast with little security oversight. Attackers saw opportunities faster than defenders saw threats. The attackers were proactive. Defenders are beginning to react, but they are still (in general, not always) lagging behind the attackers.
The main problem is that APIs were rapidly written by developers with little security oversight. “Developers are more focused on function and speed and less focused on security,” says Peter Avery, VP of security and compliance at Visual Edge IT. It’s not a new problem. It needs to change now; but security is not a natural part of the API DNA.
The first step is to develop APIs with security by design principles. The second is to strengthen access control mechanisms. “Looking at API security breaches in the last 12 months, the majority stem from weak authentication and authorization issues,” says Jeremy Ventura, field CISO at Myriad360. “Therefore, it’s vital that security and IT teams ensure authentication and authorization mechanisms are working as intended, and that only authorized users have access to the API’s resources.”
He further notes, “But it doesn’t just stop there – weak encryption methods, sensitive data leakage, and traditional cross-site scripting issues are just some of the other vulnerabilities attackers are going after.”
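To make the authorization failure concrete, the following is an added example, not code from the article or from any of the vendors quoted. It shows a hypothetical /orders/{id} handler written first with Broken Object Level Authorization (the OWASP API1:2023 weakness Cheng names above, and the “weak authorization” Ventura describes) and then with an object-level check that ties the record to the authenticated caller. The in-memory order table, the Principal type and the admin role name are assumptions; no web framework is needed to run it.

```python
"""Broken Object Level Authorization (BOLA), OWASP API1:2023: vulnerable vs hardened.

Constructed example. An authenticated caller asks for /orders/{id}. The
vulnerable handler only checks that the id exists; the hardened handler also
checks that the object belongs to the caller (or that the caller holds an
explicit admin role). Data, types and role names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What the authentication layer hands to the handler (assumed shape)."""
    user_id: str
    roles: frozenset = frozenset()


# Constructed sample data: two customers' orders in one shared table.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "1234"},
    1002: {"owner": "bob", "total": 99.50, "card_last4": "9876"},
}


class NotFound(Exception):
    pass


def get_order_vulnerable(principal: Principal, order_id: int) -> dict:
    """Authenticated but not authorized: any logged-in user can read any order.
    The attacker only has to guess or enumerate order_id."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_hardened(principal: Principal, order_id: int) -> dict:
    """Object-level check: the record must belong to the caller, or the caller
    must hold an explicit admin role. A missing object and a forbidden object
    raise the same error so the endpoint cannot be used as an id-existence oracle.
    In a database-backed service the equivalent is a query scoped to the owner
    (WHERE id = ? AND owner = ?), not fetch-then-filter."""
    order = ORDERS.get(order_id)
    owned = order is not None and order["owner"] == principal.user_id
    if order is None or not (owned or "admin" in principal.roles):
        raise NotFound(order_id)
    return order


def is_denied(handler, principal: Principal, order_id: int) -> bool:
    """True if the handler refuses the request (used to compare the two handlers)."""
    try:
        handler(principal, order_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    alice = Principal("alice")
    # alice reading bob's order: leaks through the vulnerable handler, blocked by the hardened one
    print("vulnerable leaks bob's order:", not is_denied(get_order_vulnerable, alice, 1002))
    print("hardened denies bob's order: ", is_denied(get_order_hardened, alice, 1002))
```

The check belongs in the handler (or the data-access layer) for every object-returning route, not in a gateway or WAF, which sees the id but has no idea who owns the record behind it.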
Access control is not impossible, but it is hard. Not all MFAs are equal, and not all are well implemented. At the same time, defense against social engineering attacks is getting harder as gen-AI gets more powerful.
Governance is also an issue, since visibility of and into APIs is poor. The result is that companies suffer from both shadow and zombie APIs. Shadow APIs come from the ease of development and the lack of security oversight, resulting in APIs that never make it into the catalog. It remains impossible for security to secure what it cannot see.
A zombie API is one left behind – no longer actively supported or maintained, but still possibly accessible and vulnerable. Without updates or patches, zombie APIs are a major attraction for hackers. For both shadows and zombies, the underlying problem is the company’s perception of importance – it is the app that is a potential profit center and therefore important, while the API is a cost center and not so important.
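One practical way to surface both problems is to compare the API catalog against what actually receives traffic. The following is an added example, not tooling from the article or from any vendor quoted in it: it takes a small hypothetical OpenAPI paths object (with an assumed x-sunset extension marking retired routes) and constructed access-log lines, and reports routes that are served but not catalogued (shadow) and catalogued routes past their sunset date that are still being hit (zombie). The catalog, the log lines and the x-sunset field are all assumptions.

```python
"""Shadow and zombie API discovery from an OpenAPI catalog plus access logs.

Constructed example. 'shadow' = a route receiving traffic that the catalog
does not know about; 'zombie' = a catalogued route past its sunset date that
still gets traffic. Catalog, log lines and the x-sunset extension are assumed.
"""
import re
from collections import Counter
from datetime import date

# Hypothetical catalog: OpenAPI 'paths' with {param} templates. 'x-sunset' is an
# assumed vendor extension recording when a route was retired.
OPENAPI_PATHS = {
    "/v2/orders/{id}": {"get": {}},
    "/v2/users/{id}": {"get": {}},
    "/v1/orders/{id}": {"get": {}, "x-sunset": "2024-06-30"},  # retired, should be gone
}

# Constructed access-log lines (combined log format, abbreviated).
ACCESS_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "GET /v2/orders/1001 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2025:10:00:02 +0000] "GET /v1/orders/1001 HTTP/1.1" 200 498
10.0.0.9 - - [12/Jan/2025:10:00:03 +0000] "GET /internal/debug/users HTTP/1.1" 200 8192
10.0.0.9 - - [12/Jan/2025:10:00:04 +0000] "GET /v2/users/77/export?fmt=csv HTTP/1.1" 200 4096
10.0.0.5 - - [12/Jan/2025:10:00:05 +0000] "GET /v2/users/77 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template: str) -> re.Pattern:
    """Turn '/v2/orders/{id}' into a regex that matches exactly one concrete
    segment per {param}; an extra trailing segment is deliberately NOT matched,
    so undocumented sub-routes show up as shadow."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def classify_traffic(paths: dict, log_text: str, today: date) -> dict:
    """Bucket each logged request as known, shadow or zombie.
    Returns {'known': Counter(template), 'shadow': Counter(path), 'zombie': Counter(template)}."""
    compiled = {tpl: template_to_regex(tpl) for tpl in paths}
    result = {"known": Counter(), "shadow": Counter(), "zombie": Counter()}
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line; skip silently
        path = m.group("path").split("?", 1)[0]  # drop the query string
        tpl = next((t for t, rx in compiled.items() if rx.match(path)), None)
        if tpl is None:
            result["shadow"][path] += 1
            continue
        sunset = paths[tpl].get("x-sunset")
        if sunset and date.fromisoformat(sunset) < today:
            result["zombie"][tpl] += 1
        else:
            result["known"][tpl] += 1
    return result


if __name__ == "__main__":
    report = classify_traffic(OPENAPI_PATHS, ACCESS_LOG, date(2025, 1, 12))
    for bucket, counts in report.items():
        print(f"{bucket:>7}: {dict(counts)}")
```

Run against real gateway or load-balancer logs, the shadow bucket is the list of endpoints nobody has threat-modelled, and the zombie bucket is the list that nobody is patching. Both should be empty after the inventory work Schwake describes later in the article.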
![Krishna Vishnubhotla, VP of product strategy at Zimperium](https://www.securityweek.com/wp-content/uploads/2025/01/Krishna-Vishnubhotla_Zimperium.jpg)
This same lack of oversight leads to a further weakness that will be increasingly exploited – flaws in the business logic. “API attacks will continue evolving with increased sophistication through advanced techniques, automation, and AI, while focusing on business logic flaws and supply chain vulnerabilities,” warns Vishnubhotla.
“Business logic attacks are hard to detect and mitigate because they use legitimate API endpoints and API calls,” adds Dorot.
Fisher, of Centric Consulting, sees three primary pain points in API security. “One: vendor management – we’re seeing breaches through third parties. Two: identity and access management – firewalls aren’t enough anymore. Three,” he continues: “AI-driven social engineering – like more sophisticated phishing emails that are harder to detect.”
Tim Erlin, security strategist at Wallarm, has a different and specific concern with widespread potential: eBPF (extended Berkeley Packet Filter). It provides deep visibility into network traffic and system calls, allowing security teams granular oversight of API calls. But Erlin believes there is a potential problem.
“eBPF, once the darling of API security, will become a significant liability,” he warns. “While it was overshadowed by the big outage, this incident revolved around Linux systems crashing because of eBPF and CrowdStrike’s Falcon. eBPF provides the promise of security monitoring without deploying inline components, but its mechanism for plugging into the kernel makes it ripe for serious issues.”
The advantage of running monitoring code inside the kernel is clear: it sees every packet and system call, it is harder for an attacker on the host to tamper with or disable than a user-space agent, and it performs better than out-of-band collection. The disadvantage is that a failure in the kernel does far more damage than a crash in user space and is harder to reverse: it takes the whole host down, and a bad update can take a fleet down. Two caveats are worth keeping in mind. eBPF programs pass through the kernel’s verifier before they are loaded and are not arbitrary kernel modules, so the risk is less “unchecked driver code” than kernel bugs reachable through that interface. And eBPF-based observability is a monitoring control, not an authorization control: it records which API calls were made, but does not by itself decide whether they should have been allowed.
The priority, suggests Eric Schwake, director of cybersecurity strategy at Salt Security, is for defenders to change their perspective. “APIs should no longer be viewed merely as lines of code; they are critical IT assets requiring the same security scrutiny and protection as any other valuable resource,” he says. This, he continues, requires a proactive and multi-layered approach to API security.
“First, it is essential to gain complete visibility into the entire API landscape, including shadow and zombie APIs, to fully understand the scope of the potential attack surface. Then, establishing robust API posture governance is crucial for implementing and enforcing strong security policies. This includes ensuring consistent configurations, employing proper authentication and authorization mechanisms, and adhering to industry best practices,” he said.
“Lastly,” he added, “deploying runtime protection solutions that can detect and block API attacks in real-time is vital to prevent malicious actors from exploiting vulnerabilities and accessing sensitive data. AI and machine learning can analyze API traffic patterns to quickly sift through anomalous traffic to detect advanced attacks and enable proactive threat mitigation.”
Just as AI can enhance adversarial activity against APIs, so can AI enhance defensive actions. Which side succeeds will depend upon which side uses its AI tools best, and Sherlow recognizes an element of the snake eating its own tail here. “There are two challenges with respect to AI security. Firstly, how do you protect the technology from itself and secondly how do you protect it from attackers. In both scenarios, APIs hold the key to making these systems more secure,” he explains. But, of course, AI also holds the key to making those systems less secure via those APIs.
George Prichici, VP of products at OPSWAT, calls for a return to basics (as in ‘best practices’). “Basic best practices (which surprisingly still aren’t that widely followed) should bake in zero trust principles from the beginning – that is, guardrails including authentication, proper authorization based on least privilege principles; auditing and monitoring; using multi-layered defenses like a WAF; and multiple AV scanning, vulnerability assessment, threat intelligence, and more.”
![George Prichici, VP of products at OPSWAT](https://www.securityweek.com/wp-content/uploads/2025/01/George-Prichici-OPSWAT.jpg)
He also notes, “Homomorphic encryption offers a breakthrough in protecting sensitive data, enabling computation on encrypted data without decryption, thus reducing exposure risks.” In short, treat the API as you would treat all other critical assets. And don’t forget “to secure the entire supply chain – any security gaps / holes left along the way can be exploited.”
He believes the security industry is beginning to respond to the threats against APIs, with API-focused mitigations. “The OWASP API Security Top 10 provides a structured approach to identifying and mitigating vulnerabilities during development. Web Application and API Protection (WAAP) solutions add a layer of shielding by detecting and blocking API-specific threats in real time. AI-driven tools and technologies can proactively identify anomalies, predict threats, and automate responses, making API security more adaptive and resilient against evolving cyberattacks.”
Fisher simply suggests, “Focus on basic cybersecurity hygiene. Follow the OWASP guidelines for API security, including standards for data sanitization and permission setting. These basics will be more effective than just buying the latest security tools.”
“We expect to see a significant uptick in API-related breaches in 2025, driven by the widespread adoption of AI technologies,” warns Nathaniel Jones, VP of threat research at Darktrace. “While AI will enable more sophisticated API development, poorly configured and managed APIs will become increasingly vulnerable.”
Novikov adds, “We’re entering an era where API data breaches could affect billions of people. The surge in API availability and the expansion of gigabit bandwidths amplify this risk. Currently, we might witness breaches compromising around 1 million users’ data in just five minutes.”
However, he adds, “By 2025, with the advent of new batching attack techniques and sophisticated AI-driven rate-limiting bypasses, that number could skyrocket to 10-20 million users compromised in the same short timeframe.”
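The scenario Novikov sketches, millions of records pulled through an endpoint that each individual request is entitled to call, is the business-logic abuse Dorot describes above and the kind of traffic-pattern anomaly Schwake says runtime protection must catch. The following is an added, constructed example, not the article’s or any vendor’s code: a scraper holding one valid token walks /v2/users/{id} sequentially while spreading requests across many source IPs, so a per-IP rate limit never fires. Counting requests per IP misses it; counting distinct object ids per authenticated subject within a window catches it, because the breadth of data touched, not the request rate, is the signal. The log format, field names and thresholds are assumptions.

```python
"""Detecting mass data extraction through legitimate, individually-authorized API calls.

Constructed example. Compares a naive per-IP rate check against a per-subject
distinct-object check over the same constructed gateway log. Log format,
field names and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict, deque

BASE_TS = 1_736_676_000  # arbitrary epoch seconds for the constructed log
OBJECT_RE = re.compile(r"^/v2/users/(\d+)$")


def build_sample_log() -> list:
    """Constructed gateway log, one JSON object per line. 'sub' is the token
    subject the gateway extracted after authentication; 'ts' is epoch seconds."""
    lines = []
    for i in range(3):  # a legitimate user re-reading her own profile
        lines.append(json.dumps({"ts": BASE_TS + 10 * i, "ip": "198.51.100.7", "sub": "alice",
                                 "method": "GET", "path": "/v2/users/77", "status": 200}))
    for i in range(60):  # the scraper: 60 ids, 60 source IPs, one request per second
        lines.append(json.dumps({"ts": BASE_TS + i, "ip": f"203.0.113.{i + 1}",
                                 "sub": "svc-partner-17", "method": "GET",
                                 "path": f"/v2/users/{5000 + i}", "status": 200}))
    return lines


def _object_reads(lines):
    """Parse the log, keep successful reads of a single object, order by time."""
    recs = (json.loads(line) for line in lines)
    return sorted((r for r in recs if r["status"] == 200 and OBJECT_RE.match(r["path"])),
                  key=lambda r: r["ts"])


def per_ip_rate_alerts(lines, window_s=60, max_requests=20) -> set:
    """Naive control: flag any source IP sending more than max_requests in window_s.
    Defeated by spreading the scrape across IPs."""
    windows = defaultdict(deque)  # ip -> timestamps inside the window, oldest first
    alerts = set()
    for rec in _object_reads(lines):
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while q and q[0] < rec["ts"] - window_s:
            q.popleft()
        if len(q) > max_requests:
            alerts.add(rec["ip"])
    return alerts


def enumeration_alerts(lines, window_s=60, max_distinct=25) -> set:
    """Flag a subject that reads more than max_distinct distinct object ids within
    window_s, regardless of how many IPs are used or how slowly requests arrive.
    Keyed on the authenticated subject, so rotating IPs does not help the attacker."""
    windows = defaultdict(deque)  # sub -> (ts, object_id) inside the window, oldest first
    alerts = set()
    for rec in _object_reads(lines):
        q = windows[rec["sub"]]
        q.append((rec["ts"], OBJECT_RE.match(rec["path"]).group(1)))
        while q and q[0][0] < rec["ts"] - window_s:
            q.popleft()
        if len({oid for _, oid in q}) > max_distinct:
            alerts.add(rec["sub"])
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP rate alerts:", per_ip_rate_alerts(log))  # empty: every IP sent one request
    print("enumeration alerts:", enumeration_alerts(log))  # {'svc-partner-17'}
```

The threshold has to be tuned per endpoint: a profile lookup that a normal client calls for one user at a time can afford a low limit, a reporting endpoint cannot. Pairing this with the object-level check in the earlier example is the difference between detecting a scrape of records the caller was allowed to see and preventing one of records it was not.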
Cheng believes, “With API-related security issues already globally costing organizations up to $87 billion annually [figures from Imperva], we could see these costs escalate to over $100 billion by 2026 if smart interventions are not taken.”
The standard threat prediction of ‘more and worse’ is likely to be accurate for the API threat in 2025, unless organizations take immediate steps to improve their security. It is worth remembering that secure APIs are not impossible. The finance industry has been largely successful despite its long reliance on APIs.
Related: API Security Matters: The Risks of Turning a Blind Eye
Related: Top 10 API Security Threats for Q3 2023
Related: OpenAI Rolls Out Compliance API and Integrations for ChatGPT Enterprise
Related: Akamai to Buy API Protection Startup Noname Security for $450 Million