Across Asia-Pacific (APAC), organisations are racing to embed Artificial Intelligence (AI) into core digital services – from customer care to financial management and supply chain automation. However, this “AI-first” momentum is built upon a foundation of APIs (Application Programming Interfaces) that are increasingly under attack. According to new APAC insights from Akamai’s 2026 Apps, APIs and DDoS State of the Internet (SOTI) report, this growing dependence is creating a widening security gap. While innovation is advancing at speed, API security maturity is lagging, exposing a critical layer at the centre of the region’s digital growth. The consequences of this gap are already being felt across the region, where businesses have reported experiencing measurable financial and operational impacts.
In 2025 alone, Akamai observed nearly 65 billion web application and API attacks in APAC, a 23% year-over-year increase. Globally, Akamai observed triple-digit growth in daily API attacks, highlighting the scale and consistency of pressure facing organisations across the region. Eighty-seven percent of surveyed organisations globally also reported experiencing an API-related security incident in 2025.
Layer 7 DDoS attacks are also tracking significant growth, surging 104% globally over the past two years. Unlike traditional volumetric or “brute force” attacks that overwhelm network bandwidth, Layer 7 attacks target the very processes that handle user requests. Given that APIs operate at this same layer, these attacks can directly disrupt the digital services and transactions that organisations rely on.
The nature of attacks is also changing. In APAC, 61% of API attacks in 2025 involved unauthorised workflows and abnormal activity, signalling a shift toward business logic abuse. This means that rather than exploiting technical vulnerabilities, attackers are increasingly manipulating applications in ways not intended. Examples include automating transactions, scraping data or repeatedly triggering legitimate API calls that disrupt services or exhaust costly AI tokens. AI-powered bots are increasingly targeting APIs directly, mimicking legitimate traffic while evading traditional defences.
Retail and financial services remain leading targets due to their heavy reliance on APIs to power digital payments and cross-border services. Telecommunications and high-technology sectors are also experiencing rising pressure as they expand API-driven offerings.
Innovation Velocity vs. Security Maturity
In APAC, digital ambition is high, but the risks differ by market. In highly digitised, mature economies like Singapore and Japan, organisations operate with a much larger API sprawl, and the sheer number of APIs sharply increases the attack surface as the huge volume of endpoints makes visibility the primary challenge. In emerging digital economies such as Vietnam and Thailand, rapid digitisation is outpacing the means and know-how to secure it. Shortage of local cybersecurity talent pool is also a key obstacle, resulting in these regions being prime targets for attacks.
At the same time, AI-assisted low-code development (or “vibe coding”) is speeding up how applications and APIs are built. While AI helps developers ship code faster than ever, it often introduces misconfigurations or insecure API defaults that move into production without human oversight. The result, across different starting points, is the same: more APIs in operation, greater complexity, and more opportunity for attackers if security does not keep pace.
Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai said, “Across APAC, AI adoption is accelerating business transformation at an unprecedented pace. However, this speed has also caused a rapidly increasing governance gap, forcing organisations to rethink their overall risk landscape.
Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai
Organisations must prioritise building stronger operational governance to allow innovation to continue at speed. They also need clearer visibility of their APIs, have to manage AI bots and agents, require real-time monitoring across the stack, and need to build security into applications from code to runtime. Failure to do so might result in widespread operational disruption, huge financial losses, and erosion of customer trust. Today, APIs are no longer just connecting systems to data, but have become an essential part of the enterprise data fabric.
As autonomous AI systems become more deeply embedded into business operations, resilience at the API layer will determine how confidently companies can scale. Securing these foundations will become essential to sustaining long-term business growth for every organisation in the AI era.”
Now in their 12th year, Akamai’s SOTI reports continue to offer critical insights on cybersecurity trends and web performance, drawn from attacks across Akamai’s cybersecurity protective infrastructure, which handles a significant portion of global web traffic.
Read the full report here
