Behind Asia-Pacific’s AI Ambitions, a $65 Billion Threat Lurks
02 Apr 2026
Behind Asia-Pacific’s AI Ambitions, a $65 Billion Threat Lurks
There is a profound irony unfolding at the heart of the Asia-Pacific’s digital transformation.
Companies are racing to adopt AI at an unprecedented pace. Supply chains are being automated. Customer service is being handled by intelligent bots. Financial transactions are processed without human intervention. It all feels like a leap into a promising future.
But something is being left behind. And it comes at a high cost.
Akamai’s latest internet security report reveals a sobering reality: the faster companies rush toward AI, the wider the backdoor they leave open.
The Numbers Are Chilling
Throughout 2025, nearly 65 billion attacks targeting web applications and APIs were recorded in the Asia-Pacific region alone. That’s not a typo. That figure represents a 23% increase from the previous year.
Globally, the average number of API attacks has surged by 113% year-over-year. Layer 7 DDoS attacks—the most dangerous type because they target the application’s logical layer—have increased by 104% over the past two years.
And here’s the most alarming statistic: 87% of organizations worldwide reported experiencing API-related security incidents throughout 2025. Almost none were spared.
Why APIs? Why Now?
An API, or Application Programming Interface, is a “bridge” that connects one digital system to another. When you make a payment through an e-commerce app and your credit card data is sent to a payment gateway, it goes through an API. When a customer service chatbot retrieves transaction data from a database, it also goes through an API. When a company’s AI model accesses real-time data to make decisions, once again, everything goes through an API.
In short: the more AI an organization uses, the more APIs are active. And the more APIs are active, the larger the attack surface becomes.
The infrastructure that serves as the backbone of innovation is also the most vulnerable target. That is the paradox.
No Longer Forced Attacks—Now They’re Disguised
What makes this threat more dangerous than ever is not just its scale, but the way it has evolved.
In the Asia-Pacific region, 61% of recorded API attacks did not involve conventional technical breaches, but rather the exploitation of business logic. Attackers do not break into systems; they enter through doors that are already open, then impersonate legitimate users or systems.
Imagine someone entering a supermarket not by breaking a window, but by forging a VIP membership card. The system doesn’t flag them because, technically, they appear legitimate. That’s what’s happening on a massive digital scale: automated illegal transactions, covert data collection, or repetitive API calls that drain resources—even depleting AI tokens, which are now increasingly expensive and critical.
Risk Map in the Asia-Pacific Region
This report also reveals something that is rarely discussed: cyber threats in the Asia-Pacific region are not evenly distributed, and that is precisely what makes them more complex.
In mature markets like Singapore and Japan, organizations operate with a massive number of APIs, a result of advanced digitalization and complex service ecosystems. It is this complexity that exponentially expands the attack surface. It’s not because security is poor, but because the scale is so vast that achieving full visibility becomes a challenge in itself.
In emerging markets like Vietnam and Thailand—and this is relevant for Indonesia as well—the threats are different. Digitalization is advancing at breakneck speed, far outpacing the availability of local cybersecurity talent. This skills gap creates blind spots exploited by organized threat actors who know exactly where to find unprepared targets.
Indonesia, with its massive digitalization ambitions and a rapidly growing startup ecosystem, finds itself at the crossroads of both these risks.
What Companies Should Do
There are four priorities that cannot be postponed.
First, identify all your APIs, including those that have been forgotten. Many organizations do not have a complete inventory of all their active APIs. An unmonitored API is an unprotected API.
Second, build the capability to distinguish between human users, legitimate AI, and malicious bots. Without this capability, no access decisions can be truly trusted.
Third, embed security from day one of development, not after deployment. Security by design is more than just a slogan. It’s the difference between plugging the holes before or after the flood comes in.
Fourth, ensure monitoring runs in real-time around the clock. Threats that move as fast as machines don’t wait for your security team’s working hours.
Innovation Without Security Is a Gamble
Failing to secure API infrastructure doesn’t just mean operational disruptions. It can mean significant financial losses, a loss of customer trust, and in some cases, consequences that cannot be fully reversed.
High digital ambitions are a good thing. But ambition without a commensurate security foundation, in this era of industrialized threats accelerated by AI, is no longer merely negligence. It is an existential risk to the business.
65 billion attacks in a year is not just a statistic. It is a sign that the war has begun. The question is simple: is your defense ready?
Reference: Akamai 2026 Apps, APIs, and DDoS State of the Internet (SOTI) Report, the 12th annual report analyzing cyber threats based on Akamai’s global defense infrastructure.
Author: Ghea Devita
Marketing Communication PT Perkom Indah Murni
