Akamai Alert: APIs Are Now the Main Attack Surface in the Age of AI

The rapid adoption of artificial intelligence is opening a new security gap within companies: APIs. That’s the main conclusion of Akamai’s new report, 2026 Apps, APIs, and DDoS State of the Internet, which states that organizations are concentrating their investment in automation and AI at precisely the layer currently under the most offensive pressure. According to the company, securing AI now directly involves securing APIs.

This warning is backed by concrete data. Akamai claims that attackers are industrializing their methods, blending API abuse, web application attacks, and layer 7 DDoS into coordinated, repeatable, and relatively inexpensive campaigns. The goal has shifted from simply achieving media attention through large intrusions to degrading performance, increasing infrastructure costs, and exploiting AI-driven automation at scale.

Within this context, the report highlights four key figures that clearly illustrate the shift: layer 7 DDoS attacks increased by 104% over the past two years, 87% of surveyed organizations experienced at least one API-related security incident in 2025, web application attacks rose by 73% between 2023 and 2025, and the average daily number of API attacks grew by 113% year over year.

Akamai interprets these figures as a clear signal that applications and APIs can no longer be managed as separate security concerns. When a company treats web security and API security as distinct, it creates visibility gaps, and those gaps are precisely where attackers find room to connect authentication, business logic, workflow abuse, and availability.

The problem is no longer just code, but behavior

One of the most notable elements of the report is its suggestion of a shift from traditional attacks toward threats more closely related to behavior. It’s not just about exploiting isolated technical vulnerabilities but about abusing legitimate flows, automating requests, and stressing infrastructure to the point where business logic itself becomes an attack vector. This aligns with the central thesis of the study: where digital transformation and AI investment are concentrated, risk follows closely.

Furthermore, Akamai highlights a factor resonating with many development teams: the rise of vibe coding. The company warns that intensive AI use to generate code is introducing vulnerabilities and misconfigurations that often reach production without sufficient testing. The message isn’t that AI creates entirely new categories of faults, but that it amplifies existing weaknesses and accelerates their arrival in real-world environments.

This is complemented by the evolution of the DDoS market. Akamai attributes much of the 104% surge in layer 7 attacks to easy access to rented botnets and AI-assisted scripts that lower the technical barrier to launching attacks against web applications and APIs. The report also notes the presence of “superbotnets” such as Aisuru and Kimwolf, derived from the Mirai architecture and used within DDoS-as-a-service ecosystems operated by criminal groups and hacktivists.

APIs, agents, and new autonomous threats

The report also links this pressure on APIs with a broader phenomenon: the expansion of agentic AI. Akamai points out that vulnerabilities in agentic systems are expanding the attack surface of modern systems and cites the new OWASP Top 10 for Agentic Applications 2026 framework, which identifies specific risks for autonomous agents.

OWASP lists threats such as goal hijacking, tool misuse, identity and privilege abuse, unexpected code execution, and memory & context poisoning. In simple terms, the issue is no longer just exposing an API but allowing an agent with access to tools, memory, and credentials to be manipulated into misusing legitimate tools for malicious ends.

This has practical implications for organizations deploying copilots, internal agents, or automation connected to real systems: API security alone isn’t sufficient. It’s necessary to review authentication, usage limits, workflow abuse controls, sensitive data exposure, and granular control over what tools or actions an agent can invoke. Offensive pressure is shifting toward where identity, logic, and automation reside.

The uncomfortable conclusion for 2026

Akamai’s report leaves us with a clear but uncomfortable conclusion: many companies still view AI security as a new and separate problem, when in reality, a core part of the risk lies in well-known components: APIs, web applications, and availability. The difference now is that these are being exploited with more automation, scale, and economic impact.

Focusing solely on “AI-specific” solutions may fall short. The report’s own logic points elsewhere: first strengthen the fundamentals — inventory, visibility, authentication, API protection, abuse limitations, and DDoS resilience — before assuming the problem will be solved by a new AI security layer. Since APIs form the technical backbone of AI transformation, they are also the first point where that transformation can falter.

Frequently Asked Questions

What does Akamai say about APIs in 2026?
They have become the primary attack surface for companies accelerating AI and automation adoption.

Which figures stand out from the report?
Akamai emphasizes a 104% increase in layer 7 DDoS attacks over two years, 87% of organizations experiencing API-related security incidents in 2025, a 73% growth in web application attacks between 2023 and 2025, and a 113% rise in daily API attacks.

What is the relationship with agentic AI?
The report connects the issue to the expansion of autonomous agents and refers to the OWASP 2026 framework for agentic applications, which identifies risks like goal hijacking, tool misuse, and memory poisoning.

What is “vibe coding” in this context?
Akamai warns that AI-generated code can introduce vulnerabilities and insecure configurations that reach production without adequate testing.

via: akamai
