Rapid AI adoption across Asia-Pacific is creating a dangerous security gap in API protection, as organisations race to embed artificial intelligence into core services while leaving the underlying APIs increasingly exposed to sophisticated attacks. Akamai ’s 2026 Apps, APIs and DDoS State of the Internet report reveals that APAC organisations observed nearly 65 billion web application and API attacks in 2025 alone, a 23% year-over-year increase that reflects the region’s growing digital dependence and attackers’ shift toward business logic exploitation.
The report warns that while innovation accelerates, API security maturity lags critically behind, with 87% of global organisations reporting API-related incidents last year and Layer 7 DDoS attacks surging 104% over two years. In India specifically, Reuben Koh, Akamai’s Director of Security Technology and Strategy for APJ, highlights the country’s emergence as one of APAC’s most targeted markets for AI bot activity and application-layer attacks.
APIs Under Siege as AI Momentum Builds
Akamai’s analysis shows attackers increasingly targeting APIs directly, with 61% of 2025 APAC API attacks involving unauthorised workflows and abnormal activity rather than traditional vulnerabilities. This business logic abuse includes automating transactions, data scraping and exhausting costly AI tokens through repeated legitimate calls that mimic normal traffic while evading signature-based defences.
Retail, financial services and telecommunications face the brunt due to their heavy API reliance for payments, e-commerce and cross-border services. High-tech sectors expanding API-driven offerings also see rising pressure, as AI-powered bots evolve to bypass conventional protections.
Koh notes India’s unique challenges: “The rapid expansion of digital services and AI adoption is increasing reliance on APIs to power everything from financial transactions to e-commerce platforms. However, many organisations still lack clear visibility into what their APIs are doing, which makes protecting them significantly harder.” India ranks in APAC’s highest attack intensity category alongside South Korea.
Divergent Risks Across APAC Markets
The report identifies distinct challenges by market maturity. In advanced economies like Singapore and Japan, massive API sprawl creates visibility nightmares as endpoint volume overwhelms security teams. Emerging markets such as Vietnam and Thailand face rapid digitisation outpacing security expertise and local talent availability.
AI-assisted low-code development exacerbates the issue by accelerating API creation with misconfigurations and insecure defaults that reach production without scrutiny. The outcome is uniform: more complex APIs, larger attack surfaces and persistent exploitation opportunities when security fails to match innovation speed.
Visibility and Maturity as Competitive Differentiators
Akamai’s 12th annual SOTI report, drawn from its global cybersecurity infrastructure handling massive web traffic volumes, emphasises API visibility as the foundational defence. In India’s high-velocity digital economy, Koh stresses that strengthening protections will sustain trust and resilience as financial services, retail and technology sectors innovate with AI and APIs.
The findings serve as a wake-up call for APAC CISOs: AI-first strategies must integrate API security from the outset, with investments in runtime protection, behavioural analytics and developer enablement to close the gap between ambition and execution.
