API vulnerabilities, and their potential impact on a company’s cybersecurity defenses, are a real and growing concern. Traceable recently released its second annual research report, the 2025 Global State of API Security, and found that most organizations are failing to fully protect their APIs from a wide range of increasingly sophisticated cyber threats.
Traceable is the only API security company conducting annual, global research on the state of API security. This comprehensive study reveals fundamental weaknesses in API security strategies and tracks how these issues continue to shift.
According to the research, 57% of organizations suffered an API-related data breach in the past two years, with a staggering 73% of these same companies experiencing three or more incidents.
Today, APIs play an essential role in enabling communication between applications and can facilitate digital transactions, exchange data for analytics and reporting, and integrate with a large ecosystem of third-party products and services for a myriad of other purposes.
Companies have embraced APIs for the many benefits they can deliver and, in doing so, have quickly built up a surprisingly large number of them. Traceable reports that companies now have an average of 131 APIs. Yet organizations often deploy these APIs without fully considering the security implications.
“The pressing issue is that many companies lack an inventory of all the APIs that are exposed to the outside world,” said Krishna Vishnubhotla, Vice President, Threat Intelligence at Zimperium. “It’s crucial to act swiftly as bad actors are exploiting this gap, and sophisticated API attacks will continue to evolve through the use of advanced techniques, automation, and AI, all while focusing on business logic flaws and supply chain vulnerabilities.”
Traditional Security Solutions Come up Short
The possibility of an API vulnerability comes as a surprise to those organizations who may have thought they were already protected by traditional cybersecurity solutions. Yet tools such as web application firewalls (WAFs) and API gateways were simply not designed to defend against modern API-targeted threats.
WAFs are designed to monitor HTTP traffic between a web application and the internet, typically by matching requests against signatures of known attack patterns. However, APIs communicate using different protocols or formats, and they may inadvertently expose sensitive data or business logic vulnerabilities that WAFs were not designed to detect: a request that abuses an API’s logic can look like perfectly legitimate traffic to a signature-based filter.
API gateways primarily focus on traffic management, authentication, and rate limiting – not in-depth security. They often lack the advanced threat detection capabilities needed to identify more sophisticated attacks. So, even if companies have API gateways, cyberattackers can still exploit vulnerabilities within the APIs.
It all adds up to a situation where organizations may be operating in the dark and, as a result, now face too much risk.
The Plot Thickens: New Complications from Generative AI, Bot Attacks, and API Fraud
It would be one thing if companies could retroactively address these security issues, yet new trends are increasing the total API attack surface and creating new vulnerabilities.
- Generative AI: The increased popularity and widespread adoption of generative AI has already produced a huge surge in API integrations for many companies. Not surprisingly, Traceable’s report found that 65% of respondents now see generative AI as a “serious to extreme” threat to API security.
- Bot attacks: Cybercriminals are increasing their use of automated bots to exploit APIs and target everything from login credentials to sensitive data. From the same research, 53% of organizations reported bot-related incidents targeting their APIs.
- API fraud: This method involves attackers exploiting API vulnerabilities to commit fraudulent activities such as financial theft, unauthorized data access, or account takeovers. API fraud is now the second most common cause of API-related data breaches.
To effectively mitigate these emerging threats and defend against API vulnerabilities, organizations must adopt more comprehensive API cybersecurity best practices.
API-Specific Security Strategies
Where should companies start in identifying and remediating their API vulnerabilities? According to Eric Schwake, Director of Cybersecurity Strategy at Salt Security, “Organizations must implement a comprehensive API security strategy with strong API posture governance to address these evolving threats. This means establishing and enforcing rigorous security policies and configurations throughout the API lifecycle to reduce vulnerabilities and misconfigurations that attackers might exploit.”
Additionally, organizations should implement proactive bot detection and fraud detection capabilities and conduct regular security audits of all APIs. Another best practice is to deploy API monitoring and anomaly detection systems that can quickly identify unusual network behavior.
These strategies may help companies improve their ability to detect threats in real time and take action to protect against API attacks.
New Risks Call for New Cybersecurity Strategies
Richard Bird, Chief Security Officer of Traceable, summarizes the growing disconnect in how companies now approach API security. “Organizations keep deploying the same solutions (web application firewalls, API gateways, and lifecycle tools), yet only a small percentage report any real success. The cognitive dissonance is a ticking time bomb.”
Research findings from the 2025 State of API Security report seem to agree. Only 19% of organizations consider traditional defenses to be effective against API attacks.
As the API attack surface expands and cyber threats become more sophisticated, relying on outdated security measures is not enough. Organizations must take immediate action to adopt modern, comprehensive API security strategies that address these evolving risks.