Most CISOs Lack Full Visibility Over APIs in Their Organizations, According to Salt Security Report

Only 17% of security leaders have a comprehensive API protection strategy, despite API security being a top priority for 73%.

A new report from Salt Security highlights a concerning gap between awareness of API risks and the measures taken to safeguard them. According to the 2025 Salt Security CISO Report – API Blindspots and Breakthroughs, just 17% of CISOs (Chief Information Security Officers) state they have a fully developed and implemented API security strategy, even though 73% consider this area a high or critical priority over the next year.

The study, conducted by Global Surveyz Research, involved interviews with 300 CISOs across France, Germany, Italy, the UK, and the US, all leading organizations with over 1,000 employees in industries such as financial services, healthcare, transportation, retail, and software.

Rapid growth and lack of control

With an unstoppable increase in APIs — 30% of organizations experienced growth of 51% to 100% in the past year, and 25% even over 100% — companies are expanding their API environments to drive innovation, improve efficiency, and meet customer demands. However, this rapid adoption often outpaces security teams’ ability to monitor and protect these environments effectively.

Only 19% of CISOs have full visibility and confidence in their API inventory. The percentage rises to 27% in large enterprises but drops to 12% in smaller organizations. Alarmingly, 74% of respondents regularly discover new APIs they weren’t aware of, and 90% admit they can’t guarantee their environment is free of unmanaged or “shadow” APIs.

A disconnect between development and security

Development cycles also complicate security efforts. 75% of APIs are updated weekly or daily, yet 66% of organizations only audit hidden or unmanaged APIs once a month or quarterly, creating exposure windows of up to 12 weeks. Only 34% have adopted automated, continuous audits to close this gap.

Legacy tools and false sense of protection

Despite the complex landscape, most organizations still rely on traditional tools for API defense. 76% of CISOs depend on Web Application Firewalls (WAFs) and 72% on API gateways. While useful, these tools weren’t designed to stop business-logic attacks, one of today’s most exploited vectors.

“There’s clear overconfidence in legacy technologies to defend against modern, sophisticated threats,” said Michael Callahan, Salt Security’s Chief Marketing Officer. “These tools weren’t built with current challenges in mind, and combined with incomplete visibility into the API ecosystem, the risk multiplies. Today’s problems require modern, scalable, efficient, and effective solutions.”

A future demanding a new approach

The report emphasizes that organizations need to urgently shift their strategies to effectively secure their API environments. 84% of security leaders feel they lack sufficient resources to manage API alerts in real time. Hiring more staff isn’t scalable; instead, a modern approach based on automation, real-time visibility, and AI is necessary.

In this context, Salt Security recently launched the Illuminate platform, providing complete and instant visibility into an organization’s API landscape. The tool offers an attacker’s perspective on the API estate, automates governance and compliance, and employs AI to detect behavioral attacks in real time.


More information and full report download:
https://content.salt.security/GWEB-2675-CISO-Report-2025_LP-CISO-Report-2025.html


Methodology

The study was conducted by Global Surveyz Research, involving surveys of 300 CISOs from companies with over 1,000 employees in France, Germany, Italy, the UK, and the US. Industries represented include finance, healthcare, transportation, retail, and software.

Source: salt.security