SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
New report reveals persistent API security breaches risk

A new report by Traceable AI highlights persistent API-related security breaches despite improvements in awareness concerning security risks.

The second annual research report, conducted in conjunction with the Ponemon Institute, is titled the "2025 Global State of API Security". It provides insights from over 1,500 IT and cybersecurity experts across the US, UK, and EMEA, and reveals that organisations are struggling to protect their Application Programming Interfaces (APIs) against persistent breaches.

The report identifies the most pressing issues currently challenging API security. These include increasing bot attacks and fraud, risks stemming from third-party APIs, and the implications of generative AI applications on security.

It was found that 57% of organisations reported experiencing an API-related data breach in the past two years. Of these, a significant 73% encountered three or more incidents, highlighting systemic failure in existing API defences and an urgent need for investment in tailored API security solutions.

Moreover, only 19% of organisations rated their deployed security tools as highly effective, despite using a variety of them from legacy Web Application Firewalls (WAFs) to Content Delivery Networks (CDNs) and Gateways. Further, 53% acknowledged that traditional solutions such as WAFs and Web Application and API Protection (WAAPs) fail to identify or prevent fraud occurring at the API layer.

Generative AI applications have been identified as a new risk, with 65% of organisations acknowledging that these applications pose a serious to extreme threat to APIs. Sixty percent of respondents noted that the additional API integrations these applications require expand their attack surface, and they also expressed fears of sensitive data exposure and unauthorised access.

Bot attacks and fraud have been identified as pervasive issues, with 53% of organisations experiencing one or more bot attacks involving their APIs, and 44% reporting bot mitigation as a particularly difficult challenge to manage. Fraud was noted as the second most common cause of API-related breaches among survey participants.

The report indicates that third-party APIs also present a hidden danger. Organisations use an average of 131 third-party APIs, a slight increase from the previous year's 127. Despite this, only 16% of respondents reported a high ability to mitigate risks associated with these external APIs, leaving a considerable attack surface exposed.

Richard Bird, Chief Security Officer of Traceable, commented, "API breaches are rampant, and the industry is in denial." He further stressed, "Organisations keep deploying the same solutions—Web Application Firewalls, API gateways, and lifecycle tools—yet only a small percentage report any real success. This cognitive dissonance is a ticking time bomb. The truth is, these traditional defences are failing, and the more companies rely on them, the more they expose themselves to devastating attacks. We're also seeing a surge in bot attacks, increasing instances of API fraud, and new vulnerabilities emerging from the rapid adoption of generative AI applications. Companies must confront the uncomfortable truth: their current strategies are inadequate. Without a fundamental shift in how they secure APIs, breaches and their consequences will continue to escalate."

Traceable's annual research aims to provide organisations with an objective assessment of API security risks and trends, offering security leaders the knowledge necessary to make informed decisions and prioritise key security challenges. The company aims to ensure organisations have the insights needed to protect critical assets as APIs become central to business operations.
