The New Front Line: API Risk in the Age of AI-Powered Attacks
Attackers and defenders alike are using AI to scan for weaknesses in API design and implementation. How can defenders prevail?
August 28, 2025
By Gerard Morelli
As microservices, cloud and edge computing, mobile apps, and IoT devices spread throughout governments and businesses, application programming interfaces (APIs) have emerged as a primary cybersecurity attack vector. A typical large organization has hundreds of APIs serving as connective tissue in its networks, not to mention undocumented and unmanaged "shadow" APIs outside the organization's monitoring and security reach.
Akamai documented 150 billion API attacks in 2023 and 2024. Because every API endpoint is different, every attack is unique, making all API vulnerabilities essentially zero-day vulnerabilities. API-heavy companies, such as those in fintech and SaaS, see higher risks. The real-world implications of a compromised API include:
Data loss.
Infrastructure damage, internally or in the supply chain.
Financial costs of breach remediation, loss of intellectual property, penalties for non-compliance with data protection regulations, etc.
Reputational harm with customers, partners, and the public.
But it gets worse. The rapid adoption of artificial intelligence (AI) agents has expanded the API attack surface. Bad actors probe for API weaknesses, with their exploits increasingly using AI as well. Vulnerabilities include improper authentication, insecure endpoints, and lack of input validation. Malicious actors sometimes harness faulty business logic within the API against the target's own authentication systems and data.
Unfortunately, the arms race between AI-based attacks and AI-based defenses is asymmetrical. AI is more advantageous to the attacker than the defender. Attackers have no rules and feel free to grab whatever tool or method they want, regardless of the consequences. By contrast, when an enterprise adopts AI for defense, it must be careful not to introduce new vulnerabilities. In practice, this means there will always be a delay when using AI for defensive purposes.
How Should Commercial Entities Defend APIs?
Not all commercial entities are alike, and their API protection priorities will differ. For instance, small enterprises may be served adequately by offloading this role to their cloud or enterprise software vendors, by buying extra liability coverage, or both.
For industries with the most sensitive and proprietary data — healthcare, finance, insurance, technology — this is not an option. Moreover, the very public cases of cyber incursions and data loss at Facebook, T-Mobile, Dell, Peloton, and other Fortune 500 companies seem to be changing hearts and minds when it comes to a previously lackadaisical approach to API security.
A good starting point for manual or automated API testing is the OWASP API Security Top 10, a list of the most critical security risks associated with APIs. Another key resource for improving the risk management framework and process is NIST SP 800-160, with its focus on cyber resiliency engineering to develop "survivable, trustworthy secure systems." The U.S. military has taken this guidance seriously in its Cybersecurity Maturity Model Certification (CMMC). The Department of Defense has mandated that vendors obtain CMMC certification by 2027 or risk losing their DOD contracts.
On the tools front, Endpoint Detection and Response (EDR) technology has been expanded and enhanced with Extended Detection and Response (XDR). XDR provides a unified approach to threat detection and response by integrating and correlating data from multiple security layers, such as endpoints, networks, cloud workloads, and email. Notably, XDR leverages AI for analytics and automation, using machine learning to detect, analyze, and respond to threats more effectively and efficiently.
XDR promises faster incident response, reducing the time it takes to detect and respond to threats. XDR platforms address a range of security concerns:
Evolving Threat Landscape: Attackers are adapting their strategies to exploit new vulnerabilities, targeting not just traditional endpoints but also cloud environments and IoT devices.
Increased Cloud Adoption: The rise of cloud adoption creates new security challenges and requires solutions designed for cloud-native environments.
Shadow IT and Unmanaged Devices: XDR helps address risks posed by shadow IT and unmanaged devices within the network.
AI vs. AI: From Pen Test to DevSecOps
All organizations will need to review their existing and planned cloud services and IoT ecosystems for potential API threats. Annual API penetration testing is no longer sufficient.
Here's where AI can help enterprises provide holistic solutions. Think of security as a chessboard. The state of play is hard for a single player to assess, but AI can test opponents' next 15 possible moves and respond according to their past gameplay. AI can help automate compliance checks and track API security threats in two key ways:
1. Comprehensive Compliance Checks
Create and maintain a comprehensive, automated inventory of all APIs.
Perform thorough and complete compliance reviews.
Automatically scan and verify security protocols across entire systems.
Reduce human error by systematically checking every potential vulnerability.
2. Dynamic Threat Intelligence
Connect AI systems to external security sources to continuously update threat definitions.
Automatically incorporate new security insights and vulnerability information.
Make real-time recommendations for mitigating emerging threats.
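The automated API inventory and protocol verification listed under the compliance checks can start from something as simple as comparing documented routes with observed traffic. The Python sketch below is an added example, not part of the original article; the route inventory, the log format, and every path in it are constructed assumptions. It flags undocumented ("shadow") endpoints that answered requests and documented auth-required endpoints that returned success without credentials.

```python
import re
from collections import Counter

# Constructed inventory: (method, route template) -> does the route require auth?
DOCUMENTED = {
    ("GET", "/v1/accounts/{id}"): True,
    ("POST", "/v1/payments"): True,
    ("GET", "/v1/health"): False,
}

# Constructed gateway log lines: method, path, status, auth scheme ("-" = none).
LOG = """\
GET /v1/accounts/1042 200 bearer
GET /v1/accounts/77 200 -
POST /v1/payments 201 bearer
GET /v1/health 200 -
GET /internal/export/users 200 -
GET /v1/accounts/77/statements?year=2024 200 bearer
POST /v2/payments 404 bearer
"""

def template_to_regex(template):
    """Turn '/v1/accounts/{id}' into a regex matching one path segment per {param}."""
    parts = [r"[^/]+" if p.startswith("{") else re.escape(p)
             for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

def audit(documented, log_text):
    """Return (shadow, unauth): undocumented routes that answered, and
    documented auth-required routes that returned 2xx without credentials."""
    matchers = [(m, t, template_to_regex(t), auth)
                for (m, t), auth in documented.items()]
    shadow, unauth = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines
        method, path, status, scheme = fields
        path = path.split("?", 1)[0]      # ignore the query string
        if status == "404":
            continue                      # nothing is served at this path
        hit = next(((m, t, auth) for m, t, rx, auth in matchers
                    if m == method and rx.match(path)), None)
        if hit is None:
            shadow[(method, path)] += 1
        elif hit[2] and scheme == "-" and status.startswith("2"):
            unauth[(hit[0], hit[1])] += 1
    return shadow, unauth
```

Run on a schedule against real gateway logs and the published API specification, the two counters become a review queue: shadow entries need an owner and documentation or removal, and unauthenticated successes need an authentication fix.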
AI-based XDR systems will be needed to confront the onslaught of AI-based API attacks. However, XDR's unified approach provides only half of the solution. Equally important, organizations must shift their development practices to DevSecOps, whereby security is embedded and conducted in the development lifecycle and operations. With AI pitted against AI engines, the only way to stay ahead of threat actors is to learn and respond continuously.
The API attack base will continue to grow, and the consequences of attacks will only grow more intense. The six months it might take to put defensive infrastructure in place just gives threat actors more time to array new offensive firepower. Intelligent, continuous testing under the OWASP API Security Top 10, backed by a DevSecOps stance, forms the new front line in a more intense cybersecurity battle.
About the author:
Gerard "Gerry" Morelli is vice president of the Integrated Mission Solutions practice area of Integrated Financial Accounting Solutions. IFAS is a Washington, D.C.-based professional services firm that provides integrated financial management solutions to federal government clients worldwide. Morelli's career spans over 25 years in cybersecurity, IT, telecommunications, engineering, and space operations for government and private sector entities. His leadership experience includes major service contracts for the U.S. Department of Justice, Department of Defense, AT&T, Microsoft and Qwest.