
teissTalk: Refining your API security strategy to protect against AI-driven attacks

On 17 July 2025, teissTalk host Thom Langford was joined by Tiago Rosado, Chief Information Security Officer, Asite; Anne Coulombe, CISO, Bleuet LLC; and Menachem Perlman, Director, Global Solutions Engineering at Akamai Technologies - API Security, Akamai.


Views on news


Recently, there has been a 32% increase in OWASP API security-related incidents and a 30% growth in security alerts related to the MITRE framework. API attacks also happen in sectors working with critical data, such as health and finance. Attackers usually find a vulnerable entry point and proceed from there to obtain sensitive data, which they then put on the dark web. Meanwhile, the number of APIs a company uses is still growing exponentially. While the US government is withdrawing funding from frameworks like the National Vulnerability Database (NVD) or CVE, the EU is stepping up to make them accessible for everyone in Europe. The percentages above may even be understated, as businesses tend to keep quiet about data exfiltration incidents if they can, or if they can't yet put a label on them. In some cases, companies aren't even aware that something has happened. Clients sometimes also take advantage of APIs to access data that they can then use without extending the contract with the provider.

 

How AI affects API security


APIs have been around for more than a decade, but they've become a hot topic recently thanks to their growing use. 30% of this growth is linked to genAI deployments. Cyber criminals are leveraging genAI tools to prepare new attacks faster and to scale their social engineering efforts. They typically use the dark LLM versions of these tools available on the dark web or on Telegram. GenAI tools also democratise hacking, as they can be used by perpetrators who are less tech-savvy. IoT uses APIs extensively, and even your fridge or baby monitor may have one. You can identify automated attacks through APIs by the speed of data exfiltration and by how they target specific information. AI can also get at a company's data much faster than a script kiddie would. ML can be leveraged to vectorise the data from user content to avoid pollution from the outside.


Infosecurity practitioners may see a different kind of reality on the ground, where visibility of what's happening rarely exceeds 70%. To learn whether APIs leak information, experts need to go back to how the API was coded and what the developer's assumptions were. Did they introduce backdoors or any bias? There are two major steps that must be taken to address API security. First, check what regulations your industry has. Then, use the OWASP API Top 10 and go through the threats to make sure the company has the right protections against them. If you take these two steps, you'll be in the top 1% of companies in terms of API management. To get better control over APIs in the future, security professionals can get their business to work with them before an API is released. As a security practitioner, make sure that you don't scare off the business with complex, long-term solutions. Break these down into smaller chunks.

The panel’s advice

  • APIs are everywhere in the value chain – developers use them in the coding process as they develop and test them.
  • About 5 years ago, APIs were developers' responsibility, but now that responsibility is shifting to security teams.
  • Get visibility of who uses AI in your company, then deploy AI-powered firewalls that can understand the context.
  • Use API management tools to get visibility of which APIs your enterprise system entails.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543