TL;DR: Leading API security company Traceable AI just released its 2025 Global State of API Security report, which, unfortunately, highlights a growing gap between traditional security tools and today’s fast-evolving cyberthreats. As generative AI, bot-driven attacks, and third-party integrations expand, many companies need to rethink their API security strategies. Richard Bird, Chief Security Officer of Traceable, sounds the warning: “Without a fundamental shift in how they secure APIs, breaches and their consequences will continue to escalate.”
The way cybersecurity experts talk about attackers makes them sound like the modern-day boogeyman — a cautionary tale to scare people into good behavior.
But unlike those folktales, these digital threats aren’t exaggerated stories to scare us into compliance; cyberattackers are real, lurking not under beds but within networks, integrations, the cloud, and application programming interfaces (APIs).
That list ends with one of the most common attack vectors of all: APIs.
APIs act as a bridge between different software systems so they can exchange data and commands. If you’ve ever checked out with a payment tool like Afterpay or looked at a Google Maps widget on an eCommerce site, you’ve used a third-party service through its API.
The issue? Many companies don’t believe they’re in danger.
“API breaches are rampant, and the industry is in denial,” warns Richard Bird, Chief Security Officer of Traceable AI, a leading API security company.
But it’s hard to deny careful research, which brings us to Traceable’s 2025 Global State of API Security report, released in October 2024.
Based on a survey of more than 1,500 IT and cybersecurity professionals from around the world, the report makes it clear that serious risks are lurking in our APIs. Take one look at the numbers and you’ll see why it’s a wake-up call.
Traditional Security Tools Aren’t Cutting It
API breaches are alarmingly common: 57% of organizations report at least one breach, and 73% of those report multiple incidents.
Richard emphasizes this isn’t just bad luck — it’s a symptom of an outdated security approach.
“Organizations keep deploying the same solutions, yet only a small percentage report any real success,” he says.
In fact, 34% of organizations rate their current solutions only a 5 or 6 out of 10, and 53% admit their legacy solutions aren’t keeping up.
I always say that as technology gets smarter, so do cyberattackers. The traditional defenses we once trusted — like web application firewalls (WAFs), content delivery networks (CDNs), and API gateways — just aren’t cutting it anymore.
It’s a far cry from the ‘90s and early 2000s when a single password was considered enough to secure sensitive data. Today, that’s unthinkable; you wouldn’t use your first pet’s name or the street you grew up on to protect anything remotely valuable. (And if you do, make sure it’s not for your company.)
We’ve evolved, and so have our security needs.
“This cognitive dissonance is a ticking time bomb,” Richard emphasizes. “The truth is, these traditional defenses are failing, and the more companies rely on them, the more they expose themselves to potentially devastating attacks.”
I’ll sprinkle in some good news, though. The report does show that many companies are layering more proactive controls onto their APIs:
- 46% are using CDNs to handle traffic spikes and prevent server overload
- 48% have added multifactor authentication (MFA) to make sure users verify their identity
- 50% are adopting zero-trust, verifying every API access to cut down on unauthorized access
- 47% are using rate limiting to cap how many API requests a user or bot can make
- 51% are tracking API activity in real time with logging and monitoring to quickly spot threats
And back to reality.
Sure, these controls are a more proactive approach, but there’s also plenty of evidence that cyberattackers are finding new, sophisticated ways around them.
The report shows that attackers evolve alongside our tech, specifically by exploiting generative AI (genAI) and the sprawl of third-party APIs.
The Double-Edged Sword of Generative AI
Whether you’re partial to ChatGPT, DALL-E, Midjourney, Jasper, or Copilot, genAI is great.
There are tons of statistics that show people love it for better productivity, inspiring creativity, problem-solving, and other versatile applications, particularly within the retail, financial, and medical industries. Even my uncle — who hasn’t used a computer since 2010 — knows about it.
And yet, this new tech also opens doors to danger. The report found that 65% of organizations see genAI applications as a serious risk.
Richard describes these as “new vulnerabilities emerging from the rapid adoption of generative AI applications,” hinting that we’re adopting the technology much faster than our security measures can keep up.
See, genAI apps not only expose APIs to new vulnerabilities but also increase what we call the “attack surface.”
An attack surface refers to any and all possible points of entry where a cyberattacker could try to access a system.
Think of it like a school building, which has dozens of doors. Each door is a way in, so it’s up to school security to make sure every door is locked or has a key reader that only allows authorized people to enter.
So, like doors to a building, each new API, connection, or integration adds to the risk. In fact, 60% of respondents say genAI has expanded their attack surface.
That puts more sensitive information within reach, and it also opens the floodgates to automated bot attacks that mimic real users.
Likewise, 60% of respondents said they’re worried about APIs opening doors to these threats. And with AI adoption speeding ahead, our security measures are quickly getting left in the dust.
It’s not just your company at risk, either. Back in 2023, a few Samsung employees leaked sensitive information by pasting proprietary source code and meeting notes into ChatGPT.
Samsung then warned its employees about the risks of sharing that kind of information with the service, emphasizing that once it’s submitted, it’s stored on OpenAI’s servers and can’t be taken back.
That’s exactly why you need to think twice about what you feed into large language models (LLMs) like ChatGPT: once data leaves your systems, securing your own API endpoints does nothing to protect it.
Third-Party Apps Are Convenient, But…
Third-party applications have become essential for many businesses.
A third-party API is an API created by another company that allows you to connect their service to your app or website. So instead of building every feature from scratch, companies can use third-party APIs to add specific functions.
Take Stripe’s payment-processing API, for example.
If an eCommerce company wants to accept credit card payments on its site, it can call Stripe’s API to handle the transactions. The company doesn’t need to build its own secure payment system; Stripe takes care of that, and customers pay without leaving the site.
While convenient, third-party APIs are actually part of a larger issue. The report shows that one of the biggest challenges in API security is simply their sheer number.
According to the study, the average organization uses about 131 third-party APIs — yet only 16% of organizations surveyed said they feel their security measures are strong enough to manage the potential risks these APIs bring.
Richard notes that cybersecurity experts have been seeing a “surge in bot attacks,” particularly through third-party API integrations.
Bot attacks are carried out by scripts or programs that perform repetitive tasks while looking like human behavior. They can be pointed at APIs to do any number of things, such as scrape data, overwhelm systems, commit fraud, or bypass security measures.
And that’s exactly why bad actors love APIs: They essentially provide direct access to the data they’re looking for.
We talked earlier about how every API adds to the attack surface, creating new entry points for bad actors.
The report found that fraud is the leading cause of API-related data breaches, with more than 50% of organizations reporting incidents involving bots and 44% finding bot-driven attacks nearly impossible to mitigate.
So, what does this suggest? Cyberattackers are zeroing in on APIs, possibly because they view them as the easiest entry points to exploit.
For example, without proper rate limiting, a bot can hit an API thousands of times a minute, walking through customer or card records one ID at a time until it has extracted the whole set.
Or, a Denial of Service (DoS) bot attack (in which a bot floods a system with more requests than it can handle) could target an API handling online transactions, like Stripe’s, knocking checkout offline for every site that depends on it.
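To make two of the controls mentioned above concrete (rate limiting, and logging and monitoring to spot threats), here is an added example. It is not code from the article or from Traceable: a per-client token-bucket rate limiter that caps how fast a single API key can pull records, and a scanner over access-log lines that flags the sequential-ID walking a scraping bot leaves behind. The client keys, IP addresses, paths, and log lines are constructed for the demo, and the policy of a 10-request burst refilled at 1 request per second is an assumed setting, not a figure from the report.

```python
"""Added example, not code from the article or from Traceable: a per-client
token-bucket rate limiter and a log scanner that flags sequential-ID
enumeration. Client keys, paths, IPs, and log lines are constructed."""
import re
from collections import defaultdict

MILLI = 1000  # tokens are tracked in thousandths so the maths stays in integers


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at
    `refill_per_sec` tokens per second. Time is integer milliseconds."""

    def __init__(self, capacity: int, refill_per_sec: int, now_ms: int):
        self.capacity_mt = capacity * MILLI
        self.refill_per_sec = refill_per_sec
        self.tokens_mt = self.capacity_mt
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)  # tolerate a clock stepping back
        # 1 ms at `refill_per_sec` tokens/s adds `refill_per_sec` millitokens
        self.tokens_mt = min(self.capacity_mt, self.tokens_mt + elapsed * self.refill_per_sec)
        self.last_ms = now_ms
        if self.tokens_mt >= MILLI:
            self.tokens_mt -= MILLI
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key, token subject, or source IP)."""

    def __init__(self, capacity: int = 10, refill_per_sec: int = 1):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client: str, now_ms: int) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now_ms)
            self.buckets[client] = bucket
        return bucket.allow(now_ms)


def simulate(limiter: RateLimiter, client: str, requests: int, interval_ms: int, start_ms: int = 0):
    """Replay `requests` calls from one client spaced `interval_ms` apart.
    Returns (allowed, blocked)."""
    allowed = sum(1 for i in range(requests) if limiter.check(client, start_ms + i * interval_ms))
    return allowed, requests - allowed


# Constructed access-log lines: timestamp client method path status.
SAMPLE_LOG = """\
2024-10-15T10:00:00Z 203.0.113.7 GET /v1/customers/1001 200
2024-10-15T10:00:00Z 203.0.113.7 GET /v1/customers/1002 200
2024-10-15T10:00:00Z 203.0.113.7 GET /v1/customers/1003 200
2024-10-15T10:00:01Z 203.0.113.7 GET /v1/customers/1004 200
2024-10-15T10:00:01Z 203.0.113.7 GET /v1/customers/1005 200
2024-10-15T10:00:01Z 203.0.113.7 GET /v1/customers/1006 200
2024-10-15T10:00:02Z 198.51.100.4 GET /v1/customers/4417 200
2024-10-15T10:00:05Z 198.51.100.4 GET /v1/orders/88213 200
2024-10-15T10:00:09Z 198.51.100.4 GET /v1/customers/4417 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"^(.*)/(\d+)$")


def detect_enumeration(lines, min_run: int = 5) -> dict:
    """Flag clients that walk consecutive numeric IDs under one path prefix,
    the signature of a scraping bot (and of a BOLA probe).
    Returns {client: longest_consecutive_run} for clients at or above `min_run`."""
    runs = defaultdict(int)       # current run length per (client, prefix)
    last_id = {}                  # last ID seen per (client, prefix)
    longest = defaultdict(int)    # best run per client
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the scanner
        _, client, _, path, _ = m.groups()
        idm = ID_RE.match(path)
        if not idm:
            continue  # no trailing numeric ID, nothing to enumerate
        prefix, rid = idm.group(1), int(idm.group(2))
        key = (client, prefix)
        runs[key] = runs[key] + 1 if last_id.get(key) == rid - 1 else 1
        last_id[key] = rid
        longest[client] = max(longest[client], runs[key])
    return {c: n for c, n in longest.items() if n >= min_run}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=10, refill_per_sec=1)
    print("scraper:", simulate(limiter, "bot-key", 100, 100))   # 100 requests at 10/s
    print("human:  ", simulate(limiter, "user-key", 30, 2000))  # 30 requests at 0.5/s
    print("enumeration:", detect_enumeration(SAMPLE_LOG))
```

Under that policy the scraper gets its 10-request burst plus one request per second thereafter and loses the other 81 of its 100 calls, while the client pacing itself at one request every two seconds is never throttled. The scanner reports the first client with a run of six consecutive customer IDs; a bucket alone would not catch a bot that stays just under the limit, which is why the two controls are paired.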
The message is clear, says Richard: “Without a fundamental shift in how they secure APIs, breaches and their consequences will continue to escalate.”
In the end, I see this report as a wake-up call. Every company, big or small, relies on APIs to run day to day, which means their security can’t be an afterthought.
Read the full 2025 Global State of API Security report here.