Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
See Wallarm's API Protection In Action
Download the Report
Talk to an Expert
Annual Report · 2026
AI Is the New Risk Multiplier
Wallarm 2026 API ThreatStats Report
Wallarm's 2026 annual API ThreatStats Report explores the API security data and trends from 2025. Inside you'll find analysis of vulnerability, exploit, and breach trends, plus an update to the Wallarm API ThreatStats Top 10.
+398%
AI Vulns · YoY
2,185
AI Vulns · 2025
Top 10
API ThreatStats · Updated
Key Insight Highlights · 2026 Report
Five charts that define the year in API + AI risk.
We analyzed thousands of vulnerabilities, exploits, and breaches from 2025 to build this year's API ThreatStats Top 10 — and to map exactly where AI is changing the threat model.
Insight 01
API + AI vulnerability overlap
The real-world API attack surface tied to AI grew dramatically. And when API and AI weaknesses overlap, the same exploit characteristics dominate: remote access, single-request attacks, and consistently high business impact.
The overlap is where the catastrophic incidents are being concentrated.
Insight 02
Top 10 API risks · year-over-year change
Despite years of industry education about injection, APIs continue to process vast volumes of untrusted input and pass it directly into downstream systems. The shape of the Top 10 keeps shifting around the same core weakness.
The names change. The injection problem doesn't.
Insight 03
API vulnerabilities
When exploitation is this easy, scale — not sophistication — becomes the dominant risk factor. The vast majority of disclosed API vulnerabilities require no chained exploitation, no privileged access, and no insider knowledge.
Defenders are not losing to genius. They're losing to volume.
Insight 04
AI vulnerabilities grew 398% year over year.
AI vulnerabilities surged from 439 in 2024 to 2,185 in 2025 — a 398% increase. The category went from a curiosity in the data to the single fastest-moving class of API risk we track.
Every assumption from 2024 about how much AI-related disclosure to expect is now broken.
Insight 05
Top 10 API breaches
These incidents followed the same mechanics seen elsewhere in the dataset — stolen tokens, exposed endpoints, and unsafe integration trust — but with higher potential impact, because AI APIs often sit directly in the path of sensitive data, automation, and decision-making.
The blast radius of an API breach now includes the model behind it.
Download · Free
Get the full 2026 ThreatStats Report.
The full report includes the complete ThreatStats Top 10, every chart in this preview at full resolution, methodology notes, and ten case-study breaches that defined 2025.
2026 API ThreatStats Top 10 — updated rankings, with the data behind each move.
Year-over-year vulnerability and exploit trend analysis, with full data tables.
Ten case-study breaches showing exactly how AI changed the blast radius.
A defender's playbook: where to focus the next 90 days.