Report by Salt Security
State of API Security Report
Key Findings
39% of organizations adhere to the NIST Cybersecurity Framework for API development and deployment.
50% of security leaders have slowed a new application rollout due to API security concerns.
14% of organizations oversee 1,001 or more APIs.
17% of organizations were 'not very confident' in the accuracy of their API inventories.
30% of organizations are in the planning stage for their API security programs.
23% of organizations identify leveraging AI/ML capabilities for business insights or automation as a main driver behind the use of APIs.
52% of organizations identify development efficiencies and/or standardization as a main driver behind the use of APIs.
15% of organizations admitted they do not know which APIs expose PII.
61% of all organizations reported modest increases (≤15%) in their API security budgets.
21% of organizations have basic API security programs focused on risk assessments or manual reviews.
10% of organizations raised their API security budgets by 0–5%.
42% of organizations reported managing 101–500 APIs.
11% of organizations adhere to NIS2 for API development and deployment.
36% of organizations say GenAI is somewhat concerning for API security.
4% of organizations do not perform or have no formal assessment of their API security measures.
18% of organizations perform security audits to assess the effectiveness of their API security measures.
42% of organizations conduct code reviews and security testing.
12% of respondents identified that their company's API program doesn’t invest enough in pre-production security.
13% of organizations experienced explosive API growth of 101–200%.
35% of organizations adhere to the OWASP API Security Top 10 for API development and deployment.
43% of organizations are using specialized AI security tools.
18% of organizations said increased developer productivity is a metric for measuring API security ROI.
Only 7% of organizations reported increases in their API security budgets greater than 21%.
41% of organizations use vulnerability scanning to assess the effectiveness of their API security measures.
29% of organizations identified account misuse or other fraud as the most common API security problem.
26% of organizations are adopting governance frameworks to establish rules for AI use in development.
15% of organizations said their API programs do not adequately address runtime or production security.
Only 3% of organizations indicated they do not know how many APIs they are responsible for.
45% of organizations identify digital transformation initiatives as a main driver behind the use of APIs.
12% of organizations manage 501–1,000 APIs.
16% of respondents pointed to resource or staffing shortages as the primary barrier to implementing a strong API security program.
33% of security leaders have suffered an API incident in the past year.
35% of organizations identify cloud migration as a main driver behind the use of APIs.
4% of organizations reported API increases of 201–300%.
25% of respondents pointed to budget limitations as the primary barrier to implementing a strong API security program.
7% of respondents pointed to time constraints as the primary barrier to implementing a strong API security program.
11% of respondents pointed to tooling/solutions gaps as the primary barrier to implementing a strong API security program.
10% of respondents identified that their company's API program doesn't focus enough on fleshing out requirements and documentation.
2% of organizations adhere to other specific security standards or frameworks for API development and deployment.
Only 19% of organizations were 'very confident' in the accuracy of their API inventories.
55% of organizations were only 'somewhat confident' in the accuracy of their API inventories.
8% of organizations were 'not at all confident' in the accuracy of their API inventories.
11% of organizations said their API security budget did not increase.
21% of organizations rely on regular penetration testing to assess the effectiveness of their API security measures.
4% of organizations do not know what specific security standards or frameworks they adhere to for API development and deployment.
57% of organizations train developers on secure coding practices for AI-generated code.
18% of organizations said a lower enterprise risk score is a metric for measuring API security ROI.
51% of organizations are still in planning or basic stages of API security maturity.
28% of organizations manage between 1 and 100 APIs.
33% of organizations flagged authentication problems as the most common API security problem.
14% of organizations reported their API programs are out of control or hard to manage.
11% of respondents pointed to competing priorities as the primary barrier to implementing a strong API security program.
2% of attack attempts target internal-facing API endpoints.
25% of organizations said APIs are used to create new revenue streams.
41% of organizations reported API growth of 51–100% over the past year.
20% of organizations rely on daily API checks.
25% of organizations said they were 'not very' or 'not at all confident' in the accuracy of their API inventories.
10% of organizations were not confident at all in their ability to detect and respond to attacks leveraging Generative AI.
9% of organizations rated the tools they use to detect and prevent API attacks as not very effective.
23% of organizations indicated APIs are enabling advanced analytics, automation, and business insights powered by machine learning.
20% of organizations monitor their APIs continuously in real-time.
1% of organizations did not know how confident they were in the accuracy of their API inventories.
26% of organizations said a strong compliance posture is a metric for measuring API security ROI.
18% of organizations said cost savings from breach prevention are a metric for measuring API security ROI.
30% of organizations reported a 0–50% increase in API growth.
28% of organizations reported breaches as the most common API security problem.
10% of organizations monitor their APIs even less frequently than every few months.
12% of organizations monitor their APIs only every few months.
54% of organizations rely on developer documentation to identify which APIs expose sensitive data or PII.
22% of organizations raised their API security budgets by 6–10%.
29% of organizations raised their API security budgets by 11–15%.
3% of organizations are taking other measures to mitigate the risks of using Generative AI to develop APIs.
23% of organizations rely on weekly API checks.
20% of organizations cited denial-of-service attempts as the most common API security problem.
More than half (59%) of organizations are leveraging GenAI within their own security operations to streamline threat detection and risk mitigation.
51% of organizations use API management tools to identify which APIs expose sensitive data or PII.
9% of organizations said financial returns from a reduction in API security incidents are a metric for measuring API security ROI.
11% of organizations raised their API security budgets by 16–20%.
16% of organizations identify enabling AI agents or other autonomous systems as a main driver behind the use of APIs.
6% of respondents identified that their company's API program is too cumbersome and slows down delivery.
10% of organizations rely on monthly API checks.
16% of organizations cited APIs as critical for enabling autonomous systems such as AI agents, which rely on APIs for communication and orchestration.
45% of organizations pointed to digital transformation initiatives as a primary driver for modernizing legacy systems and accelerating new services.
9% of organizations have no plans to use GenAI in API development.
35% of organizations are using APIs to support migration to modern cloud architectures.
6% of organizations conduct threat modeling to assess the effectiveness of their API security measures.
8% of organizations conduct incident response analysis to assess the effectiveness of their API security measures.
16% of respondents identified that their company's API program doesn't drive enough observability and control.
10% of respondents identified that their company's API program is too difficult to staff/resource.
8% of respondents identified that it’s difficult to know what to prioritize within their company's API program.
7% of respondents identified that it’s difficult to know if their company's API program is compliant with new policies/regulations.
30% of organizations reported intermediate maturity in their API security programs, with app sec testing and API gateways in place.
10% of organizations have advanced API security strategies that include dedicated API testing and protection.
Nearly 80% of organizations increased their API security budgets in the past year.
59% of organizations said the tools they use to detect and prevent API attacks are only somewhat effective.
Only 23% of organizations rated the tools they use to detect and prevent API attacks as very effective.
3% of organizations rated the tools they use to detect and prevent API attacks as not effective at all.
6% of organizations do not know how effective their existing security tools are in preventing API attacks.
2% of organizations use other methods to assess the effectiveness of their API security measures.
5% of organizations reported that GenAI is not a concern at all for API security.
13% of organizations reported using GenAI for all API development.
49% of organizations are using GenAI for some API development.
23% of organizations plan to adopt GenAI within the next 6–12 months for API development.
45% of respondents cited the potential for new API vulnerabilities tied to AI-generated code.
47% of respondents cited difficulty understanding and securing AI-generated code.
56% of respondents cited a lack of control over AI model security used for code generation.
2% of respondents expressed other security concerns about using Generative AI to develop APIs.
35% of respondents cited difficulty ensuring quality and reliability of AI-generated code.
15% of organizations are very confident in detecting and responding to attacks leveraging Generative AI.
55% of organizations were somewhat confident in their ability to detect and respond to attacks leveraging Generative AI.
5% of organizations did not know about their ability to detect and respond to attacks leveraging Generative AI.
9% of organizations were unsure about their API security budget increase.
2% of respondents identified 'Other' as their biggest concern about their company’s overall API program.
15% of organizations were not very confident in their ability to detect and respond to attacks leveraging Generative AI.
80% of security leaders lack continuous, real-time API monitoring.
96% of attack attempts originate from authenticated entities (compromised users, insiders, or rogue agents).
98% of attack attempts target external-facing APIs.
78% of dominant attack vectors map to OWASP API8 Security Misconfiguration.
10% of dominant attack vectors map to OWASP API1 Broken Object Level Authorization (BOLA).
28% of organizations identify partner enablement as a main driver behind the use of APIs.
48% of organizations identify platform or system integrations as a main driver behind the use of APIs.
25% of organizations identify monetization of functionality or data as a main driver behind the use of APIs.
41% of organizations cited vulnerabilities as the most common API security problem.
A small but notable 6% of organizations indicated their API volume more than tripled (301%+) in just 12 months.
34% of organizations reported sensitive data exposure and privacy incidents as the most common API security problem.
6% of organizations do not know by how much the number of APIs has increased over the past 12 months.
18% of organizations cited brute forcing or credential stuffing as the most common API security problem.
13% of organizations cited enumeration and scraping as the most common API security problem.
9% of organizations have no formal API security strategy in place.
31% of organizations adhere to GDPR for API development and deployment.
3% of organizations do not know if Generative AI is perceived as a growing API security concern/risk within their organization.
37% of organizations adhere to PCI DSS for API development and deployment.
39% of organizations adhere to HIPAA for API development and deployment.
56% of organizations perceive GenAI as a growing security concern for APIs.