Recent breaches suggest attackers are shifting beyond traditional endpoints to target application programming interfaces (APIs). But typical perimeter protections can completely miss this vector.
“We used to talk about defense-in-depth and endpoint protection,” says Sean Murphy, CISO at BECU, a nationwide credit union. “That morphed into identity, and now the API is the new perimeter.”
BECU’s backend architecture is heavily based on microservices and APIs, making this an important — and widening — surface to secure. “They’re your front door, and if you don’t know what the inventory of your APIs is, the attackers surely will find them.”
With API-first development on the rise, API portfolios have quietly ballooned throughout large enterprises. Conservative estimates place the average number of APIs within a large company at 250 to 500, but it’s not uncommon for enterprises to run thousands.
These useful interfaces often connect backend systems, partners, and customer data. Yet their access is frequently ungoverned, insecure, or misconfigured. A 2025 report from Salt Security found that nearly one in three organizations experienced an API breach in the past 12 months. They also found 95% of attacks originate from authenticated sources, often using stolen API keys or credentials.
Traditional security approaches, such as endpoint detection and response (EDR) and web application firewalls (WAFs), often miss these attacks because they lack the context needed to detect business-logic abuse. To these systems, API abuse often looks like normal, valid traffic.
“EDR and WAFs were built for yesterday’s problems: malware on endpoints and basic web exploits,” says Elliott Franklin, CISO at Fortitude Re, a reinsurance company. “Without a deep understanding of business logic and identity context, traditional tools miss credential stuffing, token theft, or data scraping.”
CISOs say addressing the problem at scale requires new tooling, practices, and governance frameworks. It will also take an identity-aware shift to hedge against tomorrow’s problems, which revolve around the use of APIs in agentic AI.
APIs are the new attack surface
APIs drive the majority of internet traffic, and cybercriminals are taking advantage. In the 2024 Optus breach, attackers exposed 9 million customer records due to broken API access control. Over the past two years, API exploits have also hit WhatsApp, Trello, 23andMe, Avelo Airlines, and Volkswagen.
These threats have many CISOs viewing APIs as a primary attack surface. “APIs have become the most critical and rapidly expanding attack surface for the modern enterprise,” says Senthil Subramaniam, global CISO and assistant VP at Infinite Computer Solutions, an IT services company. “Many API security incidents arise from flaws like injection attacks and broken authorizations.”
A key contributor to the rise in exploits is the ubiquity of APIs, which now act as connective tissue across enterprises, linking SaaS platforms, cloud workloads, and internal applications. “That ubiquity makes them a natural focus for attackers,” says Fortitude Re’s Franklin.
The openness of APIs and their proximity to sensitive data and critical systems also make them attractive to attackers. “APIs have absolutely become one of the primary attack surfaces today,” says James Faxon, a principal advisor at Risk & Insight Group and previously CISO of NukuDo, a cybersecurity talent development company. “In many environments, APIs now represent a much more direct path to business systems than endpoints ever did.”
“An attacker doesn’t need to compromise a laptop or deploy malware to gain leverage,” adds Faxon. By simply obtaining a token, he explains, an attacker could exploit a misconfiguration or flawed authorization logic to move laterally and extract data without triggering traditional endpoint controls.
To make matters worse, many organizations lack proper API inventories, making it easy for APIs to fall outside normal oversight. A 2023 study from Enterprise Management Associates found that roughly 70% of enterprises have just 30% of their APIs documented. That figure does not include shadow APIs outside normal security governance.
“Most teams don’t have clear visibility into how their APIs are working behind the scenes,” says Chaim Mazal, chief AI and security officer at cloud security company Gigamon. Without a clear understanding of how APIs communicate and the data they expose, developers can inadvertently create exploitable attack paths.
Others see growing urgency amid AI-driven shifts. “APIs may not yet be the primary attack surface, but it’s becoming more urgent in recent years,” says Andreas Gaetje, CISO at Körber, a provider of intelligent manufacturing and supply chain solutions, who notes hyperautomation and agentic AI make API security more pressing.
Still, the number of reported API security incidents doesn’t outweigh credential theft, phishing, and endpoint compromise, notes Mark Dorsi, CISO at Netlify, a cloud computing company. But the threat level is changing as autonomous systems gain higher-value capabilities.
“As agentic systems increasingly interact with services through APIs, including Model Context Protocol, agent-to-agent workflows, and automated integrations, APIs will see a material uplift in both usage and exposure,” says Dorsi.
Legacy defenses can’t keep up
Perimeter-based defenses are often insufficient against API-layer attacks. Tools such as EDR, XDR, and WAF “primarily focus on clients, hardware, and software endpoints, looking at IP-based attack vectors,” explains BECU’s Murphy. “APIs bring us into the world of business logic and runtime types of issues.”
Others agree that legacy defenses leave a gap for API-first architectures. For example, EDR misses east-west traffic, content within API flows, and gateway-level attacks, while WAFs mainly detect malicious payload patterns and miss important context around authorization, identity, and caller intent, says Infinite Computer Solutions’ Subramaniam.
“API attacks often exploit business logic, not payload patterns,” he adds. “They exploit broken authentication or authorization, abuse of legitimate endpoints, excessive data exposure, and mass enumeration.” These requests often appear valid individually, but together form a malicious sequence.
“API attacks are typically logical, valid requests made with stolen or over-permissioned credentials that abuse business logic rather than breaking HTTP rules,” Risk & Insight Group’s Faxon says. For example, an attacker might abuse a long-lived, over-permissioned token for a financial API. “API abuse can often blend into normal traffic until the damage is already done,” he adds.
Netlify’s Dorsi agrees. “Traditional controls lack the context to understand intent, misuse, or abuse across API calls,” he says.
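The sequence problem described above is easier to see in code. The following is an added example, not code from the article or from any organization quoted in it: it runs a sliding window over constructed access-log records and flags a credential when its individually valid requests add up to object enumeration (many distinct IDs, or an unusual share of 403/404 denials). The route pattern, thresholds and log records are assumptions.

```python
"""Detect enumeration-style API abuse from access-log records.

Added example; it is not code from the article or from any organization
quoted in it. Each request below is individually valid-looking (a normal
endpoint, a 200 or 404); the signal is the sequence: one credential reading
many distinct object IDs, or collecting an unusual share of denials, within a
short window. The route pattern and all log records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Hypothetical route: /v1/accounts/{id}... -> the object ID being accessed
OBJECT_ID = re.compile(r"^/v1/accounts/(\d+)")


@dataclass(frozen=True)
class Request:
    ts: int         # unix seconds
    token_id: str   # stable identifier of the credential (never the token itself)
    method: str
    path: str
    status: int


def find_enumeration(requests, window=60, max_distinct=20,
                     max_error_rate=0.5, min_requests=10):
    """Return {token_id: reason} for credentials whose activity inside any
    sliding window of `window` seconds looks like object enumeration."""
    by_token = defaultdict(list)
    for r in requests:
        by_token[r.token_id].append(r)

    flagged = {}
    for token, reqs in by_token.items():
        reqs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(reqs)):
            # advance the window start so it spans at most `window` seconds
            while reqs[end].ts - reqs[start].ts > window:
                start += 1
            win = reqs[start:end + 1]
            if len(win) < min_requests:
                continue
            ids = set()
            for r in win:
                m = OBJECT_ID.match(r.path)
                if m:
                    ids.add(m.group(1))
            denied = sum(1 for r in win if r.status in (403, 404))
            if len(ids) > max_distinct:
                flagged[token] = f"{len(ids)} distinct account ids in {window}s"
                break
            if denied / len(win) > max_error_rate:
                flagged[token] = f"{denied}/{len(win)} requests denied in {window}s"
                break
    return flagged


def sample_requests():
    """Constructed log: a normal user, an enumerating credential, and a
    credential probing objects it is not allowed to read."""
    logs = [Request(t, "usr-a", "GET", "/v1/accounts/42", 200) for t in range(5)]
    # usr-b walks sequential IDs; half of them do not exist
    logs += [Request(50 + i, "usr-b", "GET", f"/v1/accounts/{1000 + i}",
                     200 if i % 2 == 0 else 404) for i in range(50)]
    # usr-c touches few IDs but is mostly denied by object-level authorization
    logs += [Request(200 + i, "usr-c", "GET", f"/v1/accounts/{7 + i}",
                     200 if i < 3 else 403) for i in range(12)]
    return logs


if __name__ == "__main__":
    for token, reason in find_enumeration(sample_requests()).items():
        print(f"ALERT {token}: {reason}")
```

The two thresholds are deliberately separate: the distinct-ID rule catches a credential that succeeds (valid 200s against objects it should not see), while the denial-rate rule catches one that is mostly being stopped by authorization but is still probing. A WAF inspecting each request alone sees nothing wrong with either.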
How CISOs are responding
CISOs are deploying a range of strategies to mitigate API threats. This goes beyond buying newfangled cloud-native tools — it requires an API governance strategy involving organization-wide policies, API inventories, automated checks, and strong identity and access control.
For example, BECU has implemented an API governance structure, adopting a single policy for all developers. “We started building in governance before the technology was leveraged,” explains Murphy. This is critical to reduce the possibility of misconfigurations, he says, which remains a leading risk in the OWASP Top 10 API Security Risks.
In large enterprises, shared security guidance helps maintain least-privilege access and avoid exposing internal secrets. While all engineers and API builders are subject to BECU’s internal policy, it’s continually evolving, Murphy adds.
“Strong API governance is key,” agrees Franklin. “At Fortitude Re, we’re building API security into our broader identity and access management strategy.” A key area of focus is tracing non-human identities, which helps inventory and classify APIs in use. “The biggest gap I see is shadow APIs,” he adds.
To reduce that risk, visibility is critical. Körber’s Gaetje recommends taking proactive steps to enhance visibility by cataloging your surface area. “The most important activity is to gain visibility into exposed APIs,” he says. “What you cannot see, you cannot control.”
For Faxon, security begins with a full inventory of what APIs exist, who owns them, and what data they expose. “The most effective organizations treat APIs as first-class security assets,” he says.
In practice, implementing holistic API governance involves multiple tools and developer touchpoints. Infinite Computer Solutions uses specialized API gateways for processing traffic and adopts advanced security features to run risk assessments, Subramaniam says.
“Our security tools are also embedded into the CI/CD pipeline,” he adds, noting that API specifications must pass automated security validation checks, which helps ensure compliance with security standards.
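One shape such a pipeline check can take is a lint over the API specification itself. The script below is an added example, not the validation tooling of any company quoted in the article; the three policies it enforces (every operation declares a security requirement, OAuth-style requirements name explicit scopes, and any `limit` parameter has a `maximum`) and the sample OpenAPI document are assumptions.

```python
"""CI gate that fails an OpenAPI 3 document when an operation breaks baseline
API security policy.

Added example; it is not the validation tooling of any company quoted in the
article, and the three policies and the sample spec are assumptions:
  1. every operation declares a security requirement (no anonymous routes),
  2. oauth2/openIdConnect requirements name explicit scopes, so least
     privilege is reviewable in the spec rather than buried in code,
  3. a `limit` query parameter carries a `maximum`, bounding mass retrieval.
"""
import json
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}


def lint_openapi(spec):
    """Return a list of (path, method, problem). An empty list means pass."""
    findings = []
    global_security = spec.get("security")
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", x-extensions, ...
            # an operation-level "security": [] explicitly disables auth
            sec = op.get("security", global_security)
            if not sec:
                findings.append((path, method, "no security requirement (anonymous access)"))
            for requirement in sec or []:
                for scheme, scopes in requirement.items():
                    kind = schemes.get(scheme, {}).get("type")
                    if kind in ("oauth2", "openIdConnect") and not scopes:
                        findings.append((path, method, f"scheme '{scheme}' has no scopes"))
            for param in op.get("parameters", []):
                if param.get("name") == "limit" and "maximum" not in param.get("schema", {}):
                    findings.append((path, method, "'limit' parameter has no maximum"))
    return findings


# Constructed sample spec containing one violation of each policy
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {}}}},
    "security": [{"oauth": ["accounts:read"]}],
    "paths": {
        "/v1/accounts": {
            "get": {"parameters": [{"name": "limit", "in": "query",
                                    "schema": {"type": "integer"}}]},
        },
        "/v1/accounts/{id}": {
            "get": {"security": [{"oauth": []}]},
        },
        "/v1/accounts/{id}/export": {
            "post": {"security": []},
        },
    },
}


def main(argv):
    """Lint the JSON spec given on the command line (or the sample) and
    return a non-zero exit status so the CI job fails on any finding."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            spec = json.load(fh)
    else:
        spec = SAMPLE_SPEC
    findings = lint_openapi(spec)
    for path, method, problem in findings:
        print(f"FAIL {method.upper()} {path}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python lint_openapi.py api.json` in the pipeline; the process exits 1 on any finding, which is what makes it a gate rather than a report. The scope rule is restricted to OAuth-style schemes because OpenAPI requires an empty scope list for apiKey and HTTP schemes, so checking those would only produce noise.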
Dorsi says Netlify takes a disciplined approach to understanding how APIs are used, emphasizing strong authorization maturity through practices like limiting scopes, rotating credentials, and continually reassessing trust.
“We treat APIs as critical infrastructure, not just plumbing,” he says. “Strong identity and authorization design is foundational. That means explicit ownership models, least privilege scopes, and consistent auth patterns across APIs.”
All in all, CISOs indicate that API security requires deep forethought. “We treat APIs as part of our operational surface, not just our software stack,” says Faxon. “Every API we build is documented, threat-modeled, and owned, with least-privilege access as the default and permissions continuously re-evaluated as systems evolve.”
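The authorization design these CISOs describe (explicit ownership, least-privilege scopes, time-bound credentials) comes down to a handful of checks in each handler. The following is an added example, not the code of any organization quoted in the article: it places a broken object-level authorization handler next to a hardened one. The `Claims` object stands in for a validated token (the claims of a JWT or an OAuth introspection result), and the account store, principals and scope names are constructed.

```python
"""Broken vs. hardened object-level authorization on an account-read handler.

Added example; it is not the code of any organization quoted in the article.
The `Claims` object stands in for a validated token (for example the claims of
a JWT or an OAuth introspection result), and the account store, principals and
scopes are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claims:
    sub: str              # principal: a human user or a service/agent identity
    scopes: frozenset     # least-privilege scopes granted to this credential
    exp: int              # unix expiry; access is time-bound, not perpetual


ACCOUNTS = {  # constructed backing store keyed by account ID
    "1001": {"owner": "alice", "balance": 10},
    "1002": {"owner": "bob", "balance": 20},
}


class AuthError(Exception):
    pass


def get_account_vulnerable(claims, account_id):
    """The gap the article describes: the request is authenticated and looks
    valid, but the path parameter is trusted, so any caller reads any account."""
    return ACCOUNTS[account_id]


def get_account_hardened(claims, account_id, now):
    # 1. time-bound access: an expired credential is rejected before anything else
    if now >= claims.exp:
        raise AuthError("token expired")
    # 2. least-privilege scope: this operation needs exactly this capability
    if "accounts:read" not in claims.scopes:
        raise AuthError("missing scope accounts:read")
    # 3. object-level check: the principal must own the requested account.
    #    Missing and foreign accounts yield the same error, so the endpoint
    #    cannot be used to confirm which account IDs exist.
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != claims.sub:
        raise AuthError("not found")
    return acct


def outcome(claims, account_id, now):
    """Turn the hardened handler's result into a short string for logging."""
    try:
        get_account_hardened(claims, account_id, now)
        return "ok"
    except AuthError as e:
        return str(e)


if __name__ == "__main__":
    alice = Claims("alice", frozenset({"accounts:read"}), exp=2000)
    print("vulnerable:", get_account_vulnerable(alice, "1002"))  # bob's data leaks
    print("hardened:  ", outcome(alice, "1002", now=1000))        # not found
```

The order of the checks matters less than their presence: the expiry check is what makes a stolen long-lived token a bounded problem, the scope check is what makes an over-permissioned service credential fail closed, and the ownership check is the one that a WAF cannot perform because it requires knowing who owns account 1002.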
AI exacerbates preexisting risks
Another driver of today’s API vulnerabilities is the rise of AI. While large language models (LLMs) and coding assistants empower software engineers, they also empower adversaries, complicating the API security landscape and requiring new approaches beyond traditional endpoint defenses.
“AI is fundamentally reshaping the threat landscape,” says Gigamon’s Mazal. “AI has enabled the democratization of offensive tooling, meaning that anyone, regardless of skill level, can now exploit API weaknesses without writing a single line of code.” With a growing API attack surface and lower barriers, organizations should assume a breach posture, he adds.
For instance, AI can amplify an attacker’s ability to discover and exploit API vulnerabilities like misconfigurations or over-permissioning, says Murphy. This reality has influenced BECU to take a deliberate approach to API visibility, deploying monitoring tools to discover and track its entire API catalog.
Another element of BECU’s policy requires developers to use a sanctioned API gateway with enforced security controls. “We make it as difficult as possible for an adversary to exploit us in any shape or form,” says Murphy, adding they apply identity and access control, monitoring, and alerting, regardless of API type.
“Internal doesn’t mean an external adversary can’t access it,” adds Murphy. As such, BECU is vigilant with all APIs, regardless of whether they’re internal APIs used for backend system-to-system communication or external-facing APIs that power customer interactions on mobile banking apps.
Beyond amplifying external threats, AI is increasingly embedded within enterprise software stacks, introducing a new vector to cover. A 2025 study from Software Finder found that 56% of IT leaders expect their software stack to be AI-powered by 2030. As agentic AI begins to consume APIs, the risks around unauthorized access and unintended sensitive data exposure rise as well.
As Subramaniam explains, “AI agentic systems, which autonomously access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and amplifying existing vulnerabilities through high-speed, automated actions.” Preventing unauthorized access by agents will require more granular control and more time-bound role-based access control (RBAC).
Securing third-party tool usage
Other API risks stem from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an open letter about diminishing standards for SaaS providers, writing that the SaaS delivery model is “quietly enabling cyber attackers” and creating a “substantial vulnerability that is weakening the global economic system.”
Third-party API consumption can open an organization to sensitive data exposure. According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.
“For third-party APIs, we already require vendor security reviews and contractual security assurances,” says Fortitude Re’s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.
The onus, however, is also on the consuming organization to implement better token-handling processes to secure API connections to SaaS platforms. This is especially important, as developers are often reckless with API keys and secrets. In 2024, Escape discovered 18,000 API secrets and tokens floating around on the open web.
Some CISOs are actively addressing this. “Our team centralizes and encrypts all third-party credentials — API keys, tokens — within the API management layer,” says Subramaniam. “We never distribute raw credentials to our internal development teams.”
Maintaining safe integrations requires ongoing discipline, too. “We apply the same rigor to third-party APIs: Credentials are tightly scoped, regularly rotated, and monitored for behavioral drift,” adds Faxon. “If an integration begins acting outside its expected pattern, it’s treated as a security event, not a technical anomaly.”
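Treating drift from an integration's expected pattern as a security event implies a recorded baseline to compare against. The script below is an added example, not the practice of any company quoted in the article: it records, per third-party integration, the set of calls it is expected to make and when its credential was last rotated, then emits events for stale credentials, unexpected calls, and callers with no baseline at all. The baseline format, the 90-day rotation policy and the observed calls are constructed.

```python
"""Baseline-drift and rotation checks for third-party API integrations.

Added example; neither the baseline format nor the 90-day rotation policy is
the practice of any company quoted in the article, and all integrations and
observed calls are constructed. Anything outside an integration's recorded
pattern is emitted as an event to be triaged, not silently tolerated.
"""
from datetime import datetime, timedelta

# Constructed baseline: the (method, path template) set each integration is
# expected to call and when its credential was last rotated.
BASELINE = {
    "crm-sync": {
        "allowed": {("GET", "/v2/contacts"), ("POST", "/v2/contacts")},
        "rotated": datetime(2025, 1, 1),
    },
    "billing-export": {
        "allowed": {("GET", "/v2/invoices")},
        "rotated": datetime(2025, 5, 1),
    },
}

SAMPLE_NOW = datetime(2025, 6, 1)  # constructed "current" time


def check_integrations(observed, now, baseline=BASELINE, max_age_days=90):
    """observed: iterable of (integration, method, path_template).
    Returns a de-duplicated list of (integration, event) tuples."""
    events = []
    # rotation hygiene: a credential older than the policy is an event on its own
    for name, b in baseline.items():
        age = now - b["rotated"]
        if age > timedelta(days=max_age_days):
            events.append((name, f"credential age {age.days}d exceeds {max_age_days}d"))
    # behavioural drift: any call outside the recorded pattern, or from a
    # caller we never on-boarded, is reported once
    for name, method, path in observed:
        b = baseline.get(name)
        if b is None:
            ev = (name, "unknown integration, no baseline")
        elif (method, path) not in b["allowed"]:
            ev = (name, f"unexpected call {method} {path}")
        else:
            continue
        if ev not in events:
            events.append(ev)
    return events


def sample_observed():
    """Constructed gateway log, already reduced to path templates (a real
    deployment would normalise /v2/invoices/9 to /v2/invoices/{id} first)."""
    return [
        ("crm-sync", "GET", "/v2/contacts"),                 # expected
        ("crm-sync", "GET", "/v2/invoices"),                 # drift: new resource
        ("crm-sync", "GET", "/v2/invoices"),                 # duplicate, reported once
        ("billing-export", "DELETE", "/v2/invoices/{id}"),   # drift: new verb
        ("unknown-bot", "GET", "/v2/contacts"),              # no baseline at all
    ]


if __name__ == "__main__":
    for name, event in check_integrations(sample_observed(), SAMPLE_NOW):
        print(f"EVENT {name}: {event}")
```

The allowlist is keyed on method plus path template rather than on host, because the failure mode worth catching is an integration that keeps talking to the right vendor but starts doing something new with its credential. Keeping the rotation date next to the allowlist means the same job answers both "is this credential behaving?" and "is it due for rotation?".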
For Murphy, avoiding third-party API gaps requires careful vendor evaluation and tooling decisions. “You trust but verify.” The same scrutiny applies to choosing API management tools: maintaining too many niche products increases complexity, brings scalability challenges, and requires stitching them together to obtain a cohesive view of API security.
“The more complexity, and the more differentiated monitoring, the higher risk you’re going to mess up,” says Murphy. “But, diversity in the platform is good, too, since compartmentalizing can help with a tiered aspect to security oversight.” One top item in BECU’s roadmap for 2026 is automating between their exposure management platform, vulnerability management platform, and security operations center, he adds.
API standards must evolve
As APIs become a core aspect of modern business operations, their security risks are becoming more pronounced. “Every API misconfiguration is not just a security gap,” says Faxon. “It’s a business decision being executed at machine speed, without human oversight.”
Responding to this new era of threats requires moving beyond traditional perimeter defenses. Organizations will need new approaches to secure non-human identities — machines, bots, and agents that increasingly interact with systems and data at a business application level.
“The real shift isn’t just from endpoints to APIs,” says Franklin. “It’s from human-driven access to non-human identities like APIs, service accounts, and machine-to-machine connections.” Although these identities now outnumber humans in most enterprises, he adds, they lack rigorous governance, requiring rethinking to secure this new attack surface.
The challenge is further complicated by the diversity of API environments. APIs may be distributed across multiple clouds, platforms, and locations, each with different security controls. As Mazal explains, “The challenge is that as development accelerates and the pace of innovation increases, not all APIs follow the same set of controls.”
Edge-based IoT APIs, for instance, may not allow the same types of traffic enforcement found in centralized environments. “The resulting gaps in interconnectivity make it difficult to manage APIs holistically and consistently across the ecosystem,” he says. For him, real-time threat monitoring and visibility of network telemetry are still essential to close visibility gaps.
Ultimately, CISOs shouldn’t abandon traditional security tools. But they do need to extend security deeper into the development and design process, embedding checks early, strengthening identity-based authorization, and improving real-time visibility into business-layer interactions.
By combining governance, identity controls, and visibility, CISOs can adequately prepare for the security realities of an API-driven world.