87% of Organisations Suffered an API Security Incident. The Worse Number Is the One That Went Down.

Akamai's 2026 study of 1,840 security leaders reveals that only 23% know which APIs return sensitive data — down from 40% in 2022. Organisations are spending more on API security and understanding less. AI is accelerating the gap.


The Number That Should Alarm You Is Not 87%

Akamai's 2026 API Security Impact Study surveyed 1,840 security professionals across 10 countries and 6 industries. The headline finding — 87% of organisations experienced an API security incident in the past 12 months, averaging 3.5 incidents per organisation — is alarming but directionally unsurprising. API attacks have been climbing for years. In 2022, the figure was 76%. The trajectory was visible.

The number that should stop a boardroom conversation is 23%. That is the share of enterprises that know which of their APIs return sensitive data. In 2022, it was 40%. Despite increased spending, dedicated security hires, and rising C-suite attention, API visibility has collapsed by nearly half in four years. Organisations are building more APIs, deploying them faster, and understanding them less.

87% API incident rate: up from 76% in 2022, averaging 3.5 incidents per organisation. Source: Akamai 2026 API Security Impact Study, 1,840 respondents.
23% know which APIs expose sensitive data: down from 40% in 2022, with visibility declining despite increased investment. Source: Akamai 2026.
US$700,000 average annual cost: US$1.8M+ for top-quartile organisations, up from US$590,000 in 2024. Source: Akamai 2026.

The AI Multiplier

42% of security professionals who reported API incidents said the attacks targeted APIs linked to AI technologies — applications, agents, and large language models. This is not a future risk. It is the most commonly cited incident type in the study. AI-linked APIs are already the primary API attack surface.

The mechanism is straightforward. Every AI agent, every LLM-powered chatbot, every agentic workflow creates API endpoints. These endpoints are often built rapidly, deployed to production to demonstrate AI capability, and catalogued inconsistently. When Akamai reports that API visibility dropped from 40% to 23%, the decline is not random. It is driven by the explosion of AI-connected APIs that organisations deploy outside traditional security review processes.

38% of respondents now rank securing AI technologies as their top cybersecurity priority for the year ahead. But priority and capability are different things. The same study shows that only 35% of organisations use dedicated API security tools. 80% rely on web application firewalls — tools designed to inspect HTTP requests at the page level, not the API call level. A WAF that blocks SQL injection in a search form does not understand whether an API endpoint is leaking customer records through a valid 200 response.

42% AI-linked API attacks: the most commonly cited incident type. Source: Akamai 2026.
35% use dedicated API security tools, while 80% rely on WAFs. Source: Akamai 2026.

The C-Suite Delusion

Akamai found a 12-point gap between how C-suite leaders and DevSecOps practitioners assess API security maturity. 40% of C-suite leaders reported advanced API testing maturity. Only 28% of the people actually doing the testing agreed. On full SDLC integration, the gap is wider: 19% of executives say API security is fully embedded in development pipelines. 13% of DevSecOps staff confirm it. Only 1 in 6 enterprises embed API security testing in CI/CD at all.

This perception gap matters because investment decisions flow from executive assessment. If the C-suite believes API security is mature, budgets are allocated to other priorities. Meanwhile, the teams responsible for actually securing APIs know they are operating with partial visibility, inadequate tooling, and integration that exists in presentations but not in pipelines.

The Framework Connection

WebPulse tracks 25 web frameworks. Every modern framework in our index — Next.js, Nuxt, FastAPI, Django REST, Rails, Spring Boot — is API-first by design. Their routes are API endpoints. Their data fetching is API calls. Their authentication is token-based. When Akamai reports that 87% of organisations suffered API incidents, the attack surface they are describing is the surface that modern web frameworks create.

Legacy frameworks present a different API problem. WordPress exposes the WP REST API on every installation by default (/wp-json/). Drupal exposes JSON:API. These are not endpoints teams chose to deploy — they ship enabled. When only 23% of organisations know which APIs return sensitive data, the APIs they do not know about include the default REST endpoints their CMS deployed years ago, serving user enumeration data, post metadata, and configuration details to anyone who asks.

The industry cost breakdown underlines where the stakes are highest. Energy and utilities averaged US$860,000 per incident. Manufacturing: US$732,000. Health and life sciences: US$725,000. Financial services had the highest incident rate at 96%. These are the industries where WebPulse data shows the heaviest legacy framework concentration — and where the default API endpoints of those frameworks are most likely to go unaudited.

96% financial services API incident rate: the highest of any industry. Source: Akamai 2026.
US$860,000 energy/utilities average cost: the highest cost per incident. Manufacturing: US$732,000. Healthcare: US$725,000. Source: Akamai 2026.

The Regulatory Gap

95% of organisations factor APIs into their regulatory compliance requirements. But only 38% include API security incidents in mandatory reporting. The gap — 57 percentage points — represents the distance between acknowledging that APIs matter for compliance and actually treating API breaches with the same reporting rigour as other security incidents. When a database breach triggers mandatory notification, but an API leaking the same data does not, the regulatory framework is incentivising the wrong behaviour.

What This Means

The Akamai study confirms a structural problem: the web's attack surface has shifted from pages to APIs, and security capabilities have not kept pace. API attacks increased 113% year-over-year. Layer 7 DDoS attacks — the kind that target API endpoints specifically — surged 104% over two years. Meanwhile, the people defending those APIs are less certain about what they are defending than they were four years ago.

For organisations evaluating web frameworks: the framework's security score matters, but it is incomplete without API security posture. A framework with zero CVEs still generates APIs. Those APIs still need inventory, authentication, rate limiting, and sensitive data classification. The 23% figure is not someone else's problem: statistically, the odds are that your organisation does not know what its own APIs are exposing.
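Three points in this piece come together in one defensive exercise: a WAF that returns a clean 200 cannot tell you the body carried customer records, CMS default endpoints such as /wp-json/ are live whether or not anyone declared them, and the fix starts with inventory and sensitive-data classification. The following is an added example, not code from the article, from WebPulse or from Akamai: it reconciles a team's declared route list against routes observed in (constructed) traffic samples, classifies only successful responses, and tags each route as shadow, sensitive, or declared-but-unobserved. The route names, the sample bodies, and the sensitivity regexes are all hypothetical placeholders.

```python
"""Added example (not from the article or from Akamai): reconcile the routes a team
has declared against the routes observed in traffic, and flag which successful (2xx)
responses carry sensitive data. Inputs are constructed; names and regexes are hypothetical."""
import json
import re
from dataclasses import dataclass, field

# The inventory the team believes is complete (constructed).
DECLARED_ROUTES = {"GET /api/v1/products", "GET /api/v1/orders/{id}", "POST /api/v1/auth/token"}

# Field names and value shapes treated as sensitive; hypothetical and deliberately simple.
SENSITIVE_KEYS = re.compile(r"(email|ssn|card|iban|password|token|phone|dob)", re.I)
SENSITIVE_VALUES = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Constructed request/response samples, as a gateway or proxy log might capture them.
SAMPLES = [
    {"method": "GET", "path": "/api/v1/products?page=2", "status": 200,
     "body": '{"items":[{"id":1,"name":"Widget","price":9.99}]}'},
    {"method": "GET", "path": "/api/v1/orders/42", "status": 200,
     "body": '{"id":42,"customer":{"email":"jane@example.com","card":"4111 1111 1111 1111"}}'},
    {"method": "GET", "path": "/api/v1/orders/7", "status": 403, "body": '{"error":"forbidden"}'},
    # A CMS default endpoint nobody declared: the shadow-API case the article describes.
    {"method": "GET", "path": "/wp-json/wp/v2/users", "status": 200,
     "body": '[{"id":1,"slug":"admin","name":"Site Admin"}]'},
]


def normalize(method, path):
    """Collapse numeric path segments to {id} so /orders/42 and /orders/7 map to one route."""
    segments = path.split("?", 1)[0].split("/")
    return f"{method.upper()} " + "/".join("{id}" if s.isdigit() else s for s in segments)


def find_sensitive(obj, path=""):
    """Walk a decoded JSON body; return (json_path, reason) pairs for sensitive keys or values."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEYS.search(key):
                hits.append((child, "key"))
            hits.extend(find_sensitive(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        hits.extend((path, reason) for reason, rx in SENSITIVE_VALUES.items() if rx.search(obj))
    return hits


@dataclass
class RouteRecord:
    route: str
    declared: bool
    observed: int = 0
    sensitive: dict = field(default_factory=dict)  # json_path -> set of reasons


def build_inventory(samples=SAMPLES, declared=DECLARED_ROUTES):
    """Merge observed traffic into per-route records. Only 2xx bodies are classified:
    a 403 is the firewall doing its job; a 200 carrying PII is the leak a WAF cannot see."""
    inventory = {}
    for sample in samples:
        route = normalize(sample["method"], sample["path"])
        rec = inventory.setdefault(route, RouteRecord(route, route in declared))
        rec.observed += 1
        if not 200 <= sample["status"] < 300:
            continue
        try:
            body = json.loads(sample["body"])
        except json.JSONDecodeError:
            continue  # non-JSON bodies are out of scope for this classifier
        for json_path, reason in find_sensitive(body):
            rec.sensitive.setdefault(json_path, set()).add(reason)
    return inventory


def report(inventory, declared=DECLARED_ROUTES):
    """Return {route: [tags]}: SHADOW = observed but undeclared, SENSITIVE = a 2xx body
    carried sensitive fields, UNOBSERVED = declared but never seen (stale inventory)."""
    findings = {}
    for route, rec in inventory.items():
        tags = ["SHADOW"] if not rec.declared else []
        if rec.sensitive:
            tags.append("SENSITIVE")
        findings[route] = tags
    for route in declared - set(inventory):
        findings[route] = ["UNOBSERVED"]
    return findings


if __name__ == "__main__":
    inv = build_inventory()
    for route, tags in sorted(report(inv).items()):
        print(f"{route:32} {' '.join(tags) or 'ok':12} {sorted(inv[route].sensitive) if route in inv else []}")
```

On the constructed samples, the orders route is declared but its 200 body carries an e-mail address and a card number, so it is the record that answers the "which APIs return sensitive data" question; the /wp-json/ users route is tagged SHADOW even though this crude classifier sees nothing it recognises as PII in its body, which is the point the article makes about user enumeration data: an undeclared default endpoint is a finding on its own, before anyone looks at what it returns. The declared token route is tagged UNOBSERVED, the other direction of inventory drift. In production the samples would come from a gateway or proxy log, and the key and value patterns would be replaced by the organisation's own data classification rules.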
