Akamai has released its State of the Internet (SOTI) 2026 report on applications, APIs, and distributed denial-of-service (DDoS) attacks, warning of a significant shift in the cyber threat landscape. According to the study, attackers are systematizing and scaling their methods to directly target infrastructures that support business growth and artificial intelligence development.
With the rapid adoption of AI by organizations, APIs — traditionally overlooked as a critical vulnerability point — have become the main target. Akamai’s experts have observed that attacks are evolving into coordinated campaigns that combine malicious API usage, web application assaults, and layer 7 DDoS attacks, creating increasingly efficient and profitable operations for cybercriminals.
These types of threats aim to disrupt business activities and maximize economic impact, especially in environments with significant technological investments. In this context, APIs are solidifying as a key element in AI-driven transformation, making their protection essential to ensuring the security of artificial intelligence systems.
Data from the report highlights the scale of this industrialization:
- Layer 7 DDoS attacks have increased by 104% over the past two years.
- 87% of surveyed organizations reported experiencing a security incident related to APIs in 2025.
- Web application attacks have surged dramatically, up 73% between 2023 and 2025.
- An average annual growth of 113% in daily API attacks has been observed.
“Attackers are increasingly focusing on degrading performance, increasing infrastructure costs, and exploiting AI-driven automation at scale, rather than pursuing headline-grabbing campaigns,” says Francisco Arnau, Akamai’s regional vice president for Spain and Portugal. “With automation and AI, these sophisticated campaigns are cheap and quick to deploy, and can be repeated. Now that companies are heavily investing in AI transformation, attackers are targeting the APIs powering that shift.”
The report also emphasizes that application and API security are now inseparable, although many organizations still treat them as separate challenges. Addressing them as independent issues creates visibility gaps that are ideal for attackers, turning them into their sole attack vector.
Here are some of the key findings:
- The adoption of “vibe coding” is creating new vulnerabilities and misconfigurations that often reach production without proper testing.
- Hacktivist-led DDoS attacks continue to rise as politically motivated actors adapt to global issues and the growing availability of profitable botnets.
- The 104% increase in layer 7 DDoS attacks is driven by easy access to botnets through rental DDoS services and attack scripts with AI, making it easier to target APIs and web applications.
- Superbotnets, such as Aisuru and Kimwolf, originating from the original Mirai architecture, now form the foundation of DDoS-as-a-Service ecosystems (DDoSaaS) used by both cybercriminals and hacktivists.
The 2026 SOTI report on applications, APIs, and DDoS also includes a detailed analysis of regional attack trends, expert insights on the economy of modern Internet attacks, and a guest column on defenses against emerging AI agent threats, along with practical mitigation strategies.