The new report highlights key gaps in application security measures for organizations around the world, with concerns about issues ranging from artificial intelligence-driven attacks to undocumented application programming interfaces (APIs) and inadequate staff training.
The findings were published in Radware’s 2025 Cyber Survey: Application Security at a Breach Point. The report documents a variety of threat areas that are growing more common as organizations’ security defenses lag behind accelerating risks, particularly AI, API, and business logic attacks.
The threat of AI
Research shows that cybersecurity concerns have skyrocketed with the use of AI by malicious actors. Many organizations are particularly concerned about hackers using AI to develop and refine attack tools, generate more cyberattack traffic, and create new vectors for zero-day attacks.
The survey found that 70% of respondents were very concerned about hackers who use AI to create or improve hacking tools. Similarly, 67% expressed strong concern about the possibility that AI could generate more attacks, while 66% feared the role of AI in launching new zero-day attack vectors.
Despite these concerns, few AI-based protection measures have been taken. Only 8% of organizations surveyed reported using AI-driven security solutions. However, adoption is expected to change significantly, as four in five organizations plan to implement AI-based cybersecurity solutions within the next year.
“The weaponization of AI by malicious actors has strengthened cybersecurity threats and brings more attention to areas where businesses simply aren’t protected,” says Shira Sagiv, Vice President of Product Portfolio at Radware. “Internal alarms need to echo. While businesses openly acknowledge the gaps in cyber protection and lack of preparation, particularly with regard to web applications and APIs, their use continues to create even more risk and exposure.”
API Vulnerabilities
The study also points out ongoing vulnerabilities in API management. Organizations are increasingly using APIs, but often leave them unprotected. Between 2023 and 2025, API usage increased by 42%, with daily API updates increasing six times over the same period.
On average, organizations integrate 19 third-party APIs per application. This practice introduces new risks, including data exposure and potential compromises that cannot be easily resolved during the coding stage.
Business logic attacks, a frequent variant of API attacks, also attracted attention as an increased risk. 81% of respondents said that real-time protection measures for business logic attacks are very or extremely important, but only 50% have actually deployed runtime business logic protection. Furthermore, only 29% of security staff are fully trained to detect and manage these types of attacks.
Documentation and auditing processes also lag. Only 6% of respondents have complete documentation on all of their APIs, which poses additional challenges for maintaining visibility and control. Furthermore, half of those surveyed reported that they were unaware that third-party code used in web applications may leak sensitive data to external services or introduce malicious scripts and services into the system.
Operational and Compliance Pressures
Other findings show growing concerns about resilience and regulatory compliance. Only 16% of respondents are confident in their protection against attempted data breaches involving third-party code running in web applications. The commercial impact of attacks remains high, with downtime from distributed denial-of-service (DDoS) attacks costing an average of USD 6,100 per minute.
Compliance with numerous international regulations continues to place great demands on organizations. An average of 54% of those surveyed said they had high or extreme concerns about compliance obligations across NIS2, HIPAA, SEC regulations, PCI DSS 4, GDPR, DORA, and SOX.
Research method
The survey, conducted in collaboration with Osterman Research, collected responses from a variety of experts, including compliance, risk, and data privacy officers, vice presidents of research and development, network security administrators, and API architects. Participants were drawn from nine countries across the North America, EMEA, APAC, and LATAM regions.