Organizations are losing between $94 - $186 billion annually to vulnerable or insecure APIs (Application Programming Interfaces) and automated abuse by bots. That's according to The Economic Impact of API and Bot Attacks report from Imperva, a Thales company. The report highlights that these security threats account for up to 11.8% of global cyber events and losses, emphasizing the escalating risks they pose to businesses worldwide.
Drawing on a comprehensive study conducted by the Marsh McLennan Cyber Risk Intelligence Center, the report analyzes over 161,000 unique cybersecurity incidents. The findings demonstrate a concerning trend: the threats posed by vulnerable or insecure APIs and automated abuse by bots are increasingly interconnected and prevalent. Imperva warns that failing to address security risks associated with these threats could lead to substantial financial and reputational damage.
API Adoption and the Expanding Attack Surface
APIs have become indispensable to modern business operations, enabling seamless communication and data exchange across applications and services. They power everything from mobile applications to eCommerce platforms and open banking. However, their widespread adoption has created significant security challenges. According to data from Imperva Threat Research, the average enterprise managed 613 API endpoints in production last year, and that number is projected to grow as companies rely more heavily on APIs to drive digital transformation and innovation.
This heightened reliance on APIs has dramatically expanded the attack surface, with API-related security incidents increasing by 40% in 2022 and an additional 9% in 2023. These attacks are particularly dangerous because APIs often serve as direct pathways to an organization's underlying infrastructure and sensitive data. The report estimates that API insecurity is responsible for up to $87 billion in annual losses, a $12 billion increase from 2021. This can be attributed to a variety of reasons, including the rapid adoption of APIs, inexperience of many API developers, lack of standardized security practices, and limited collaboration between development and security teams.
Bot Attacks: A Persistent and Evolving Threat
Alongside the rise in attacks on APIs, bot attacks have become a widespread and costly threat, resulting in up to $116 billion in losses annually. Bots—automated software programs designed to perform specific tasks—are frequently weaponized for malicious activities such as credential stuffing, web scraping, online fraud, and distributed denial-of-service (DDoS) attacks.
In 2022, security incidents related to bots surged by 88%, followed by an additional 28% increase in 2023. This alarming growth was fueled by a combination of factors, including the rise in digital transactions, proliferation of APIs, and geopolitical tensions such as the Russia-Ukraine conflict. The widespread availability of attack tools and generative AI models has also significantly enhanced bot evasion techniques and enabled even low-skilled attackers to carry out sophisticated bot attacks.
According to Imperva, bots now represent one of the most critical threats to API security. Last year, 30% of all API attacks were driven by automated threats, with 17% specifically tied to bots exploiting business logic vulnerabilities. The growing reliance on APIs—and their direct access to sensitive data—has made them prime targets for bot operators. Automated API abuse alone is now costing businesses up to $17.9 billion annually. As bots become more sophisticated, attackers are increasingly using them to exploit API business logic, bypass security measures, and exfiltrate sensitive data, making detection and mitigation more challenging for organizations.
Large Enterprises at Greater Risk
Large enterprises, especially those with annual revenues exceeding $1 billion, face a disproportionately higher risk of API and bot attacks. According to the report, these organizations are 2-3 times more likely to experience automated API abuse by bots compared to small or mid-size businesses. This heightened exposure is primarily driven by the complexity and scale of their digital infrastructures.
These companies typically manage hundreds or even thousands of APIs across multiple departments and services, creating sprawling API ecosystems that are challenging to monitor and secure. Within such environments, shadow APIs, unauthenticated APIs, and deprecated APIs present significant vulnerabilities. These mismanaged APIs often lack critical security measures, such as regular updates, authentication, and continuous monitoring, leaving them open to exploitation.
Similarly, large enterprises are prime targets for bot attacks due to their extensive digital presence and valuable assets. The more complex the digital environment, the more potential entry points exist for bots to exploit, ranging from login pages to checkout systems. With vast amounts of sensitive data flowing through their applications and APIs, these companies are a highly lucrative target for bot operators.
The risk is even more pronounced for enterprises with annual revenues exceeding $100 billion, where API insecurity and bot attacks account for as much as 26% of all security incidents. This stark figure highlights the critical need for comprehensive API security and bot management strategies in large enterprises, where a security incident can result in significant operational disruptions, substantial financial losses, and long-lasting reputational damage.
Protecting Against API and Bot Attacks
Together, vulnerable or insecure APIs and automated abuse by bots account for billions of dollars in annual losses. As businesses increasingly rely on APIs to power digital transformation, the risk of security incidents is expected to rise, putting organizations at greater risk of financial and reputational damage. Simultaneously, the evolution of bots, often driven by generative AI, has amplified the challenges of defending against these threats.
To effectively mitigate these risks, Imperva recommends that organizations take the following proactive steps:
- Foster cross-functional collaboration: Collaboration between security and development teams is essential for embedding security into every stage of the API lifecycle. This partnership ensures that security measures are integrated from design to deployment, enabling proactive identification and mitigation of vulnerabilities before they can be exploited. When it comes to bot management, this collaboration must extend even further. Bots are a cross-functional challenge that impacts many areas of the business. To effectively combat them, teams across marketing, eCommerce, customer experience, IT, Line of Business, and security must work closely together. This broader collaboration helps identify vulnerable features, such as login pages, checkout processes, and forms, that are particularly susceptible to bot attacks.
- Comprehensive API discovery and monitoring: Organizations must have full visibility into all their APIs, including shadow, deprecated, and unauthenticated APIs, to ensure none are overlooked. Continuous monitoring and auditing are essential to identifying potential vulnerabilities before they are exploited.
- Integrate API security and bot management: Bot management and API security must be used in tandem to successfully mitigate automated attacks on API libraries. This combined approach helps identify vulnerable APIs, continuously monitors for automated attacks, and provides actionable insights for rapid detection and response. By integrating bot management and API security, businesses can better protect against sophisticated automated threats while gaining visibility to detect and mitigate risks before they cause a security incident.
As API ecosystems continue to expand and bots become more sophisticated, the cost of inaction will only rise. Organizations must address the security risks associated with APIs and bots to protect sensitive data, mitigate financial losses, and safeguard their brand reputation.