Traceable AI released its second annual research report, the 2025 Global State
of API Security. The findings demonstrate that organizations are
failing to protect their APIs despite persistent breaches and increased
awareness of security risks. This comprehensive study, incorporating insights
from over 1,500 IT and cybersecurity experts across the US, UK, and EMEA,
reveals fundamental weaknesses in API security strategies and tracks how these
issues have shifted since our inaugural report.
Key findings examine the most pressing API security issues
organizations face today: increasing bot attacks and fraud, risks from
third-party APIs, and the new security implications of generative AI
applications.
Key Findings Include:
- API-Related Data Breaches Continue to Wreak Havoc: 57% of organizations
  suffered an API-related data breach in the past two years, with a staggering
  73% of these experiencing three or more incidents. Even more concerning, 41%
  endured five or more breaches, revealing a systemic failure in API defenses
  and a clear need for investment in purpose-built API security solutions.
- Traditional Security Solutions Fail to Deliver API Protection: Despite
  deploying an array of security tools, from legacy WAFs to CDNs and Gateways,
  only 19% of organizations rate their defenses as highly effective. Moreover,
  53% admit that traditional solutions like WAFs and WAAPs are ineffective at
  identifying or preventing fraud at the API layer.
- Generative AI Applications Create New Risks: 65% of organizations state that
  generative AI applications pose a serious to extreme risk to APIs. 60% state
  that the additional API integrations required for generative AI applications
  expand their organization's attack surface; the same percentage cite concerns
  about sensitive data exposure and unauthorized access.
- Bot Attacks and Fraud are Rampant: 53% of organizations have experienced one
  or more bot attacks involving their APIs, and 44% say that bot mitigation is
  a top challenge. Fraud is equally concerning, emerging as the second most
  prevalent cause of API-related data breaches among survey respondents.
- Third-Party APIs Are a Hidden Danger: Organizations now use an average of 131
  third-party APIs, up slightly from last year's 127. Yet, only 16% have a
  "high ability" to mitigate these external risks, leaving a vast attack
  surface greatly exposed.
"API breaches are rampant, and the industry is in denial," said Richard
Bird, Chief Security Officer of Traceable. "Organizations keep deploying the
same solutions - Web Application Firewalls, API gateways, and lifecycle tools - yet
only a small percentage report any real success. This cognitive dissonance is a
ticking time bomb. The truth is, these traditional defenses are failing, and
the more companies rely on them, the more they expose themselves to devastating
attacks. We're also seeing a surge in bot attacks, increasing instances of API
fraud, and new vulnerabilities emerging from the rapid adoption of generative
AI applications. Companies must confront the uncomfortable truth: their current
strategies are inadequate. Without a fundamental shift in how they secure APIs,
breaches and their consequences will continue to escalate."