
Application Programming Interfaces (APIs) have become the central target of cyberattacks in 2025, according to a new report from cybersecurity company Imperva.
The firm’s 2025 API Security Threat Report recorded more than 40,000 incidents in the first half of the year across over 4,000 monitored environments.
The study shows APIs now account for roughly 14% of all cyberattacks, but attract 44% of advanced bot activity, suggesting attackers are directing their most sophisticated tools toward API endpoints.
Imperva researchers documented a record-breaking case earlier this year when an application-layer distributed denial-of-service (DDoS) attack peaked at 15 million requests per second against a financial services API.
The company said the scale underscored how attackers are combining automation and stealth to overwhelm critical systems.
Key Findings
- 40,000+ API incidents recorded in the first six months of 2025.
- 44% of advanced bot activity now targets APIs, compared to less than 30% two years ago.
- A DDoS attack peaking at 15 million requests per second was recorded against a financial services API.
- Financial services are the most targeted industry, followed by e-commerce, healthcare, travel, and telecoms.
- Data-access, checkout, and authentication endpoints are the most frequently attacked.
- Attackers increasingly exploit business logic flaws through coupon abuse, gift-card cracking, and credential stuffing.
- New exploit trends include misconfigured third-party APIs, parameter tampering, and shadow APIs.
Calls for Stronger Defenses
The report urged companies to move beyond traditional firewalls and static rules, recommending security measures that account for business logic and runtime behavior.
“Defenders must discover every endpoint, enforce runtime schema validation, and apply object-level authorization for high-risk APIs,” Imperva advised.
The firm also recommended adaptive throttling, context-aware bot mitigation, and continuous API discovery to reduce risk.
Organizations are also advised to treat every API request as untrusted until it has been verified. “Protect the APIs that would break revenue, trust, or compliance if they fail — and make API security a board-level priority,” the report stated.