Cloud computing company Akamai Technologies has released its latest state of the internet report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain.
Now in its 11th year, Akamai’s report series offers expert insights into cybersecurity and web performance based on data gathered from our network infrastructure that processes over one-third of global web traffic.
The report revealed that the Asia Pacific and Japan region experienced a 73% increase in web application attacks year-over-year, the highest percentage increase globally, underscoring the need to protect web applications and APIs amidst the rapid growth and adoption of artificial intelligence.
AI is transforming web application and API security landscapes by improving threat detection and response capabilities. However, it is also introducing new security challenges. In 2024, the Asia-Pacific and Japan region recorded 51 billion web application attacks, up from 29 billion in 2023. The surge is closely tied to the rapid adoption of AI applications, which are expanding the attack surface and increasing the complexity of cyber attacks.
The countries most targeted by web and API attacks in the region were Australia (20.3 billion), India (17.3 billion) and Singapore (15.9 billion), followed by Japan (6.3 billion), China (6.2 billion), South Korea (4.9 billion), New Zealand (2.9 billion), and Hong Kong SAR (2.2 billion).
Across Asia Pacific and Japan, the most attacked industries were financial services, with over 27 billion web attacks, followed by commerce, with over 18 billion web attacks, which correlates with these industries’ accelerated adoption of emerging technologies such as AI.
The number of web and API attacks in the region contributed to the 311 billion web application attacks globally in 2024, representing a 33% year-over-year increase. At the heart of this year’s findings is the growing threat to APIs, which are increasingly used to integrate AI-driven tools with core platforms.
Akamai documented 150 billion API attacks globally between January 2023 and December 2024 as threat actors exploited authentication gaps and automation-friendly attack vectors. AI-powered APIs are especially at risk due to their external accessibility and often inadequate authentication measures.
The report also revealed a 94% increase in Layer 7 (application layer) DDoS attacks during the same period to 7 trillion attacks globally, with the high-technology sector being the most impacted industry. Monthly attacks rose from just over 500 billion in early 2023 to more than 1.1 trillion by the end of 2024. HTTP floods remained the leading Layer 7 DDoS threat, targeting web apps and APIs with persistent severity.
The growth trend is also evident in Asia Pacific and Japan as the region saw a 66% year-over-year growth in Layer 7 DDoS attacks – the second most targeted region globally, and reached a 24-month high, peaking at 504 billion in December 2024. The region experienced 7.4 trillion attacks over the two years, with Singapore recording 4.7 trillion attacks followed by India (1.1 trillion) and South Korea (607 billion). The report also revealed that digital media platforms, including social media channels and commerce, were the most impacted sectors in Asia Pacific and Japan.
Other key global findings include:
- Over 230 billion web attacks targeting commerce organisations, making it the most impacted industry globally. This is nearly triple the number of attacks experienced by high technology (the second most attacked sector);
- OWASP API Top 10-related incidents increased by 32%, revealing authentication and authorisation flaws that expose sensitive data and functionality;
- Growth in security alerts related to the MITRE security framework is up 30% as attackers are using advanced techniques, such as automation and AI, to exploit APIs; and
- Shadow and zombie APIs present particularly vulnerable attack vectors within increasingly complex API ecosystems.
“The surge in web and API attacks across APJ reflects more than just the region’s rapid digital adoption, it also underscores the urgent need for cybersecurity to evolve rapidly with the growing integration of AI into enterprise ecosystems,” said Akamai Technologies’ Reuben Koh. “As threat actors escalate their attacks in both scale and sophistication, security strategies must thus adapt accordingly. This report will also dive into practical mitigation strategies on how organisations can better protect themselves against evolving threats.”
In response to the exponential growth of web and API attacks, regulatory bodies worldwide are enforcing stricter cybersecurity compliance requirements and guidelines, including governments across Asia Pacific and Japan. Singapore has expanded its cybersecurity bill to expand regulatory oversight; Japan has strengthened its national cybersecurity strategy and laws; India passed the Digital Personal Data Protection Bill; and Australia enacted the Cybersecurity Act 2024, which brings API and applications processing sensitive data under stricter oversight.
With compliance deadlines approaching and enforcement increasing, organisations that delay security improvements risk not only regulatory penalties but also reputational damage, data loss, and service outages. Akamai recommends adopting a shift-left security approach, strengthening API governance, and deploying AI-powered defences to detect and mitigate evolving threats.
You can read the full report here.
