In 2025, 36% of AI-related vulnerabilities involved APIs (786 of 2,185 AI-related vulnerabilities).

62% of security professionals are blind to shadow or undocumented APIs.

In 2025, 43% of CISA KEV additions were API-related, making APIs the single largest exploited surface in that dataset.

82% of the more than 10,000 Model Context Protocol (MCP) servers interact with sensitive APIs, creating additional vulnerabilities in 2025.

APIs in technology & SaaS providers' environments saw a 400% spike in critical vulnerabilities.

Nearly 7 in 10 retail & consumer goods organizations had APIs with misconfigured authorizations or data exposure issues. These retail & consumer goods APIs averaged 15 vulnerabilities per API.

In one analysis, retail had 27% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, technology had 15% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, the media sector had 18.8% vulnerable APIs.

In one analysis, retail had 29.8% vulnerable APIs.

In one analysis, education had 37.7% vulnerable APIs.

In one analysis, telecommunications had 15% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, education had 31% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, the government sector had 18.5% vulnerable APIs.

In one analysis, finance had 5% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, the services sector had 10.6% vulnerable APIs.

In one analysis, government had 26% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, health care & insurance had 16% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, construction had 18% of vulnerable assets across cloud, APIs, and web applications.

In one analysis, technology had 15% of vulnerable assets across cloud, APIs, and web applications.