APIs: the fastest growing attack surface and the least visible one

This article was automatically translated using Azure Cognitive Services; if you find mistakes, please get in touch.
  • APIs are the fastest growing attack surface of modern organizations and the one that is least visible. 

  • In the API domain, we are seeing fewer and fewer technical exploits and more and more abuse of valid access. 99% of observed API attacks in the last 12 months came from authenticated sources (Salt Security, 2026). 

  • Traditional security checks whether someone is allowed in, not what they ask for next. That's where the blind spot lies that API Protect addresses. 

  • API Protect, part of our MxDR service, fills in this layer and is monitored 24/7 by our security analysts. 

Valid credentials, invalid intentions 

What we see more and more often in studies is that getting in is no longer the problem. In the API domain, we see fewer and fewer technical exploits and more and more abuse of valid access. The attacker already has valid credentials: bought, phished, or taken from a compromised service. What happens next is where it goes wrong: an API is queried ten times per second, data is retrieved that the user's role is not entitled to, and endpoints are addressed that are not documented anywhere. 

According to Salt Labs, 99% of observed API attack attempts today come from an authenticated source: a user or service that operates with valid credentials, but without the human judgment or restraint that you would expect. This shifts where you need to apply security: from the gateway to the behavior behind it. So it is no longer just about who gets access, but above all about what behavior takes place afterwards.

How big is the problem really?

APIs have exploded. 67% of organizations saw an increase in the number of APIs by more than 50% in a year. At the same time, the attack picture shifted with it: 43% of the actively exploited vulnerabilities on the CISA Known Exploited Vulnerabilities list were API-related in 2025. 

What distinguishes API attacks from classic exploits: the threshold is low. 97% of API vulnerabilities are exploitable with a single request. No advanced exploit chains, no zero-days. A message to the right endpoint is often enough. That makes API abuse scalable in a way that traditional attack vectors aren't. 

The rise of AI agents exacerbates the problem even further. One-third of all AI vulnerabilities published in 2025 were at their core API vulnerabilities (Wallarm, 2026). By definition, agents operate with valid credentials, with no rate limits or human oversight. So if you want to secure your AI stack, you have to secure your APIs. 

Why traditional security doesn't see this

In practice, three blind spots keep recurring. 

  • There is no inventory. Almost every organization is unaware of part of its own API landscape and therefore cannot demonstrate that it is under control. Forgotten endpoints, integrations that were set up in a hurry, APIs that came along with acquisitions. What is not in the documentation is not on the dashboard either. And what you don't know, you can't protect. 
     
  • Controls are at the wrong level. A Web Application Firewall or API gateway checks technical validity: syntax, tokens, rate limits. What it does not judge is whether the behavior makes sense. A request can be technically perfect and at the same time be misuse. A ruleset does not catch that; behavioral analysis does. 
     
  • Signals are siloed. API alerts often land in a separate console, apart from endpoint, identity, and cloud signals. For an analyst, that means noise without context. In a world where an attacker goes from a phished account to a data-exfiltrating API call in the same session, that context is the difference between a detection and a missed indicator. 

What a mature approach entails 

There is no tool that solves this in one go. What does work is an approach that addresses four layers at the same time. 

  • Continuous discovery. Inventory isn't an audit, it's an ongoing process. APIs are created on a daily basis. They need to be discovered on a daily basis, including shadow endpoints that run outside of the official gateway. 
     
  • Posture management. For each integration: how is authentication set up, how sensitive is the data, is it exposed to the internet, how broad are the rights granted? Prioritize on exploitability and business impact, not just on CVSS score. 
     
  • Runtime behavioral detection. Anomaly detection on parameters, traffic patterns and usage behavior captures what a WAF does not see. Here the attack becomes visible, not upon entry, but in the pattern that follows. 
     
  • Integration into the SOC workflow. An API alert in a silo is an alert that no one follows up. Only when signals converge with the broader telemetry does the story emerge that an analyst can triage. 
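As an added illustration of the two layers a gateway ruleset cannot supply on its own, the discovery of undocumented endpoints and the behavioral detection of abuse carried out with valid credentials, the following Python example runs both over a small constructed gateway access log. It is example code written for this article, not code from API Protect or from Microsoft Defender for APIs; the JSON log format, field names (`principal`, `role`, `account`), endpoint names and thresholds are all assumptions. Every logged request carries a valid token and receives a 200 response, which is exactly the situation described above: technically perfect traffic that is nonetheless misuse.

```python
"""Shadow-endpoint discovery and behavioural abuse detection over API gateway logs.

Added example for this article; not the project's own code. The log lines,
documented-endpoint inventory, roles and thresholds are constructed for the demo.
"""
import json
import re
from collections import defaultdict

# Constructed inventory: the (method, path template) pairs that appear in the
# OpenAPI spec / gateway configuration. Anything observed outside this set is a
# shadow endpoint.
DOCUMENTED = {
    ("GET", "/v1/accounts/{id}"),
    ("GET", "/v1/accounts/{id}/invoices"),
    ("POST", "/v1/auth/token"),
}

# Constructed gateway access log (JSON lines). Assumed fields: ts (epoch seconds),
# principal, role, account (the customer's own account id), method, path, status.
LOG_LINES = [
    '{"ts": 50.0, "principal": "alice", "role": "customer", "account": 1001, "method": "GET", "path": "/v1/accounts/1001", "status": 200}',
    '{"ts": 51.0, "principal": "alice", "role": "customer", "account": 1001, "method": "GET", "path": "/v1/accounts/1001/invoices", "status": 200}',
    '{"ts": 60.0, "principal": "svc-billing", "role": "service", "account": null, "method": "GET", "path": "/v1/accounts/1001/invoices", "status": 200}',
    '{"ts": 61.0, "principal": "svc-billing", "role": "service", "account": null, "method": "GET", "path": "/v1/accounts/1002/invoices", "status": 200}',
]
# A phished customer token walking through other customers' accounts at 10 req/s,
# then touching an endpoint that exists in production but not in the spec.
LOG_LINES += [
    json.dumps({"ts": 100.0 + i / 10, "principal": "mallory", "role": "customer", "account": 2002,
                "method": "GET", "path": f"/v1/accounts/{1001 + i}", "status": 200})
    for i in range(12)
]
LOG_LINES.append(json.dumps({"ts": 101.5, "principal": "mallory", "role": "customer", "account": 2002,
                             "method": "GET", "path": "/v1/internal/export", "status": 200}))

ACCOUNT_ID = re.compile(r"^/v1/accounts/(\d+)")


def parse_log(lines):
    """Parse JSON-lines gateway log records into dicts."""
    return [json.loads(line) for line in lines]


def template(path):
    """Collapse numeric path segments so /v1/accounts/1001 and /v1/accounts/1002 compare equal."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def discover_shadow_endpoints(events, documented=DOCUMENTED):
    """Continuous discovery: endpoints seen in traffic that the inventory does not know."""
    observed = {(e["method"], template(e["path"])) for e in events}
    return sorted(observed - documented)


def detect_abuse(events, documented=DOCUMENTED, window=5.0, max_rate=10, max_objects=5):
    """Behavioural rules evaluated per principal over a trailing time window.

    Returns sorted (principal, rule) pairs; each rule fires at most once per principal.
    None of these rules depends on syntax, token validity or status code, which is
    why a WAF that checks only those sees nothing here.
    """
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_principal[e["principal"]].append(e)

    findings = set()
    for principal, evs in by_principal.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[:i + 1] if x["ts"] >= e["ts"] - window]
            # 1. Technically valid request to an endpoint nobody documented.
            if (e["method"], template(e["path"])) not in documented:
                findings.add((principal, "shadow_endpoint"))
            # 2. Valid customer token reading an account that is not its own
            #    (the broken object level authorization pattern).
            m = ACCOUNT_ID.match(e["path"])
            if e["role"] == "customer" and m and int(m.group(1)) != e["account"]:
                findings.add((principal, "scope_violation"))
            # 3. A request rate no human user produces.
            if len(recent) > max_rate:
                findings.add((principal, "rate"))
            # 4. Many distinct object ids in a short time: enumeration.
            ids = {ACCOUNT_ID.match(x["path"]).group(1) for x in recent if ACCOUNT_ID.match(x["path"])}
            if len(ids) > max_objects:
                findings.add((principal, "enumeration"))
    return sorted(findings)


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("shadow endpoints:", discover_shadow_endpoints(evs))
    for principal, rule in detect_abuse(evs):
        print(f"{principal}: {rule}")
```

Note what the ruleset view would report for this log: nothing. Every request is well-formed, authenticated and answered with 200. Only when the events are grouped per principal and judged against role scope, rate and object spread does the phished token stand out, and only the comparison against the inventory reveals the export endpoint that no spec mentions. In a real deployment the inventory would be refreshed from discovery on a daily basis and the findings forwarded into the SOC queue alongside identity and endpoint telemetry rather than printed.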

Even with this approach, scenarios remain that are hard to cover. Exploitation through trusted supply chain integrations, business logic attacks within normal usage patterns, and internal actors with legitimate access remain a shared responsibility between development, management, and security. 

What does this mean for demonstrability under NIS2 and GDPR?

Under NIS2, API management falls under the duty of care for technical measures (art. 21). Under the GDPR, every undocumented endpoint touches on Article 32 and the obligation to report data breaches as soon as personal data leaks via that route. For a Compliance Officer, that means: without continuous discovery and posture management, compliance is not demonstrable. API Protect provides that evidence base by classifying data sensitivity per endpoint and testing the configuration of each integration against applicable standards. 

How API Protect takes this approach

For the technical layer, we use Microsoft Defender for APIs. We chose that platform because it analyzes runtime behavior rather than just applying static rules, and because it ties into the broader Defender and Sentinel telemetry that we already process in our SOC. 

The value of API Protect isn't in the platform alone, but in what our SOC analysts do with it, 24/7 in conjunction with the broader telemetry about your environment: 

  • Visibility of all APIs in your environment, including forgotten and undocumented integrations, with data sensitivity classified per endpoint. 

  • Assessment of how securely each integration is set up: overly broad access, missing authentication, unnecessary exposure to the internet. 

  • Detection of deviant behavior, monitored 24/7 by our SOC analysts, in conjunction with the rest of the signal picture about your environment. 

This means that API security does not become a separate capability that you have to do on the side. It will become part of the broader detection and response process that we are already running for you. 

What this means for your security operation 

API security is not a project with an end date. It is a capability that grows with your organization, with your supply chain and with your adversary. The question is not whether APIs should be in scope of your security operation. The question is how quickly you can get them in the picture before someone else does. 

If you want to know which APIs are already active in your own environment and which of them are undocumented, you start with factual insight. Request an API discovery scan

Our author

Dennis de Hoog