Alarming details from the new State of the Internet report.
Akamai released its annual State of the Internet report on applications, APIs, and DDoS attacks and documented a significant shift in attacker tactics. The key finding is clear: attacks have become more systematic, cheaper to scale, and tightly tied to the infrastructure through which companies build digital services and implement AI. APIs are at the center of this pressure. While many companies recently treated them as a secondary element of defense, APIs are now increasingly becoming the primary entry point.
Researchers note that attackers are increasingly relying less on isolated, high-profile campaigns for the sake of publicity and reputational impact. Attacks are far more often structured as well-oiled operations, combining API abuse , web application attacks, and DDoS attacks at Layer 7 of the OSI model, that is, at the application level. This approach not only disrupts service availability but also increases the victim's infrastructure costs. The more businesses invest in AI and digital automation, the more willing attackers are to target the interfaces and services that underpin it all.
Statistics from a new report show that these are no longer isolated spikes. Over the past two years, the number of L7 DDoS attacks has grown by 104%. The number of attacks on web applications has increased by 73% from 2023 to 2025. The average number of daily API attacks has jumped by 113% year-over-year. Akamai also cites the results of a survey of organizations: 87% of participants reported experiencing at least one API-related security incident in 2025. These figures demonstrate that APIs have long ceased to be a narrow technical topic for developers and have become a full-fledged defense.
According to Akamai, the logic of attacks is also changing. Attackers are increasingly trying not just to breach security and steal data, but to degrade services, slow down applications, drive up computing costs, and exploit AI automation for their own gain. This model is advantageous for attackers for several reasons. First, automation reduces preparation costs. Second, ready-made scripts allow for the rapid repetition of the same actions on different targets. Third, attacks on APIs and web applications often yield significant financial returns even without the traditional, high-profile hack.
The report highlights another problem: application security and API security can no longer be considered separately in practice. Many companies still manage these areas as two separate tasks, with separate tools, teams, and visibility zones. This setup inevitably creates gaps in control. For an attacker, these very blind spots become a convenient entry point, because in a real-world attack, the web application and API are typically used as a single vector.
The document also contains several additional observations that clearly illustrate where the risk is shifting. One of these concerns so-called vibe coding, where code is written at a rapid pace, often with heavy reliance on AI tools and without proper engineering discipline. According to Akamai, this approach is increasingly introducing new vulnerabilities and configuration errors into production that aren't properly tested before launch. In other words, companies are simultaneously speeding up development and reducing their safety margins, and attackers are then exploiting precisely these hastily deployed interfaces.
A separate section of the report is devoted to hacktivist-related DDoS activity. Akamai notes that politically motivated groups continue to escalate their pressure amid the changing international environment and the growing availability of rented botnets . This infrastructure is increasingly reminiscent of the homemade networks of infected devices of yesteryear. DDoS-for-hire and DDoSaaS models , where the required capacity can be obtained as a service, are gaining a foothold in the market. The easier access to such rentals, the lower the barrier to entry for new entrants.
The researchers directly attribute the 104% increase in L7 attacks to this accessibility. It's becoming increasingly easy for attackers to acquire a botnet through custom services and augment it with AI-enhanced attack scenarios. This simplifies target selection, reduces the cost of operations, and accelerates the launch of campaigns against APIs and web applications. The report specifically mentions superbotnets such as Aisuru and Kimwolf. These networks build on the architecture once made widely known by Mirai and now serve as the foundation for DDoS-as-a-service ecosystems. Moreover, this infrastructure is used not only by cybercriminal groups but also by hacktivists.
Akamai also draws attention to the broader economic context. Modern internet attacks are increasingly being built as a business model, prioritizing efficiency. While attackers previously needed to expend significant resources on complex manual preparation, some tasks are now automated, and the necessary tools can be rented. This makes attacks not only scalable but also predictably repeatable. This evolution is particularly disconcerting for defenders, as they are no longer about rare, complex operations, but rather a stream of cheap and quick campaigns that can be launched again and again.
The new report includes not only general statistics but also an analysis of regional trends, an assessment of the economics of modern internet attacks, and a separate column by a guest author on defense against new threats associated with agent-based AI systems. Agent-based AI in this context typically refers to systems that do more than simply respond to requests, but are capable of executing chains of actions, accessing tools, and interacting with external services. This model is particularly sensitive to security because the agent almost always relies on an API, meaning a vulnerability or error in the interface immediately impacts the broader automation chain.
The State of the Internet report series is now in its 12th year. Akamai traditionally bases its conclusions on data it sees through its own global security infrastructure, which processes a significant share of global web traffic. In the current version of the document, the primary focus has shifted to the intersection of applications, APIs, DDoS, and AI. Essentially, the report captures a rather harsh reality: businesses are accelerating their digital transformation, and attackers are adapting to the new architecture with almost no delay. And if APIs have become the foundation of AI services, then AI protection, in a practical sense, increasingly begins with API protection.
Akamai released its annual State of the Internet report on applications, APIs, and DDoS attacks and documented a significant shift in attacker tactics. The key finding is clear: attacks have become more systematic, cheaper to scale, and tightly tied to the infrastructure through which companies build digital services and implement AI. APIs are at the center of this pressure. While many companies recently treated them as a secondary element of defense, APIs are now increasingly becoming the primary entry point.
Researchers note that attackers are increasingly relying less on isolated, high-profile campaigns for the sake of publicity and reputational impact. Attacks are far more often structured as well-oiled operations, combining API abuse , web application attacks, and DDoS attacks at Layer 7 of the OSI model, that is, at the application level. This approach not only disrupts service availability but also increases the victim's infrastructure costs. The more businesses invest in AI and digital automation, the more willing attackers are to target the interfaces and services that underpin it all.
Statistics from a new report show that these are no longer isolated spikes. Over the past two years, the number of L7 DDoS attacks has grown by 104%. The number of attacks on web applications has increased by 73% from 2023 to 2025. The average number of daily API attacks has jumped by 113% year-over-year. Akamai also cites the results of a survey of organizations: 87% of participants reported experiencing at least one API-related security incident in 2025. These figures demonstrate that APIs have long ceased to be a narrow technical topic for developers and have become a full-fledged defense.
According to Akamai, the logic of attacks is also changing. Attackers are increasingly trying not just to breach security and steal data, but to degrade services, slow down applications, drive up computing costs, and exploit AI automation for their own gain. This model is advantageous for attackers for several reasons. First, automation reduces preparation costs. Second, ready-made scripts allow for the rapid repetition of the same actions on different targets. Third, attacks on APIs and web applications often yield significant financial returns even without the traditional, high-profile hack.
The report highlights another problem: application security and API security can no longer be considered separately in practice. Many companies still manage these areas as two separate tasks, with separate tools, teams, and visibility zones. This setup inevitably creates gaps in control. For an attacker, these very blind spots become a convenient entry point, because in a real-world attack, the web application and API are typically used as a single vector.
The document also contains several additional observations that clearly illustrate where the risk is shifting. One of these concerns so-called vibe coding, where code is written at a rapid pace, often with heavy reliance on AI tools and without proper engineering discipline. According to Akamai, this approach is increasingly introducing new vulnerabilities and configuration errors into production that aren't properly tested before launch. In other words, companies are simultaneously speeding up development and reducing their safety margins, and attackers are then exploiting precisely these hastily deployed interfaces.
A separate section of the report is devoted to hacktivist-related DDoS activity. Akamai notes that politically motivated groups continue to escalate their pressure amid the changing international environment and the growing availability of rented botnets . This infrastructure is increasingly reminiscent of the homemade networks of infected devices of yesteryear. DDoS-for-hire and DDoSaaS models , where the required capacity can be obtained as a service, are gaining a foothold in the market. The easier access to such rentals, the lower the barrier to entry for new entrants.
The researchers directly attribute the 104% increase in L7 attacks to this accessibility. It's becoming increasingly easy for attackers to acquire a botnet through custom services and augment it with AI-enhanced attack scenarios. This simplifies target selection, reduces the cost of operations, and accelerates the launch of campaigns against APIs and web applications. The report specifically mentions superbotnets such as Aisuru and Kimwolf. These networks build on the architecture once made widely known by Mirai and now serve as the foundation for DDoS-as-a-service ecosystems. Moreover, this infrastructure is used not only by cybercriminal groups but also by hacktivists.
Akamai also draws attention to the broader economic context. Modern internet attacks are increasingly being built as a business model, prioritizing efficiency. While attackers previously needed to expend significant resources on complex manual preparation, some tasks are now automated, and the necessary tools can be rented. This makes attacks not only scalable but also predictably repeatable. This evolution is particularly disconcerting for defenders, as they are no longer about rare, complex operations, but rather a stream of cheap and quick campaigns that can be launched again and again.
The new report includes not only general statistics but also an analysis of regional trends, an assessment of the economics of modern internet attacks, and a separate column by a guest author on defense against new threats associated with agent-based AI systems. Agent-based AI in this context typically refers to systems that do more than simply respond to requests, but are capable of executing chains of actions, accessing tools, and interacting with external services. This model is particularly sensitive to security because the agent almost always relies on an API, meaning a vulnerability or error in the interface immediately impacts the broader automation chain.
The State of the Internet report series is now in its 12th year. Akamai traditionally bases its conclusions on data it sees through its own global security infrastructure, which processes a significant share of global web traffic. In the current version of the document, the primary focus has shifted to the intersection of applications, APIs, DDoS, and AI. Essentially, the report captures a rather harsh reality: businesses are accelerating their digital transformation, and attackers are adapting to the new architecture with almost no delay. And if APIs have become the foundation of AI services, then AI protection, in a practical sense, increasingly begins with API protection.
