Bengaluru, Apr 01: Across Asia-Pacific, organizations are racing to embed Artificial Intelligence (AI) into core digital services – from customer care to financial management and supply chain automation. However, this “AI-first” momentum is built upon a foundation of APIs (Application Programming Interfaces) that are increasingly under attack. According to new APAC insights from Akamai’s 2026 Apps, APIs and DDoS State of the Internet (SOTI) report, this growing dependence is creating a widening security gap. While innovation is advancing at speed, API security maturity is lagging, exposing a critical layer at the center of the region’s digital growth. The consequences of this gap are already being felt across the region, where businesses have reported experiencing measurable financial and operational impacts.
In 2025 alone, Akamai observed nearly 65 billion web application and API attacks in APAC, a 23% year-over-year increase. Globally, Akamai observed triple-digit growth in daily API attacks, highlighting the scale and consistency of pressure facing organizations across the region. Eighty-seven percent of surveyed organizations globally also reported experiencing an API-related security incident in 2025.
Layer 7 DDoS attacks are also tracking significant growth, surging 104% globally over the past two years. Unlike traditional volumetric or “brute force” attacks that overwhelm network bandwidth, Layer 7 attacks target the very processes that handle user requests. Given that APIs operate at this same layer, these attacks can directly disrupt the digital services and transactions that organizations rely on.
The nature of attacks is also changing. In APAC, 61% of API attacks in 2025 involved unauthorized workflows and abnormal activity, signaling a shift toward business logic abuse. This means that rather than exploiting technical vulnerabilities, attackers are increasingly manipulating applications in ways that were not intended. Examples include automating transactions, scraping data, or repeatedly triggering legitimate API calls that disrupt services or exhaust costly AI tokens. AI-powered bots are increasingly targeting APIs directly, mimicking legitimate traffic while evading traditional defenses.
Retail and financial services remain leading targets due to their heavy reliance on APIs to power digital payments and cross-border services. Telecommunications and high-technology sectors are also experiencing rising pressure as they expand API-driven offerings.
Innovation Velocity vs. Security Maturity
In APAC, digital ambition is high, but the risks differ by market. In highly digitized, mature economies like Singapore and Japan, organizations operate with a much larger API sprawl: the sheer number of APIs sharply increases the attack surface, and the huge volume of endpoints makes visibility the primary challenge. In emerging digital economies such as Vietnam and Thailand, rapid digitization is outpacing the means and know-how to secure it. A shortage of local cybersecurity talent is also a key obstacle, resulting in these regions being prime targets for attacks.
At the same time, AI-assisted low-code development is speeding up how applications and APIs are built. While AI helps developers ship code faster than ever, it often introduces misconfigurations or insecure API defaults that move into production without human oversight. The result, across different starting points, is the same: more APIs in operation, greater complexity, and more opportunity for attackers if security does not keep pace.
Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai, said:
“In India, the rapid expansion of digital services and AI adoption is increasing reliance on APIs to power everything from financial transactions to ecommerce platforms. However, many organizations still lack clear visibility into what their APIs are doing, which makes protecting them significantly harder.
At the same time, India has emerged as one of the most targeted markets in Asia Pacific for AI bot activity and application layer DDoS attacks, reflecting the scale and speed of the country’s digital growth. India also appears in the highest attack intensity category in APAC, alongside South Korea, highlighting how frequently attackers are targeting the country’s digital infrastructure. As sectors such as financial services, retail and commerce, and technology providers continue to innovate rapidly using AI and APIs, strengthening API visibility and security will be critical to sustaining trust and resilience in India’s digital economy.”
Now in their 12th year, Akamai’s SOTI reports continue to offer critical insights on cybersecurity trends and web performance, drawn from attacks across Akamai’s cybersecurity protective infrastructure, which handles a significant portion of global web traffic.
