New Cloudflare report shows that organizations are struggling to identify and manage the cybersecurity risks of APIs

Cloudflare, Inc. (NYSE: NET), the leading cloud connectivity company, today released its first API Security and Management Report. Findings from this year’s report show that APIs, a technology underlying today’s most used websites and applications, are being used more than ever by businesses – opening the door to more online threats than ever before. The report highlights the gap between companies’ use of APIs and their ability to protect the data those APIs touch.

APIs are the engine of the digital world – our phones, smartwatches, banking systems and shopping websites use APIs to communicate. They can help e-commerce sites accept payments, enable healthcare systems to securely exchange patient data, and even give taxis and public transportation access to real-time traffic data. Almost every company today uses them to build and deliver better websites, apps and services to consumers. However, when unmanaged or unsecured, APIs represent a goldmine for threat actors to exfiltrate potentially sensitive information.

“APIs are central to how applications and websites work, making them a rich and relatively new target for hackers,” said Matthew Prince, CEO and co-founder of Cloudflare. “It is critical that companies identify and protect all of their APIs to prevent data breaches and secure their businesses.”

Key findings from Cloudflare’s 2024 API Security and Management Report include:


  • Even in unlikely industries, API traffic is very high: The seamless integrations that APIs enable have led to companies across industries increasingly using them – some faster than others. The IoT, rail, bus and taxi, legal services, multimedia and gaming, and logistics and supply chain industries recorded the highest share of API traffic in 2023.

  • API traffic accounts for the majority of internet traffic: APIs dominate dynamic internet traffic around the globe (57%), with every region Cloudflare protects seeing an increase in usage over the past year. However, the top regions that exploded in API adoption and recorded the highest traffic share in 2023 were Africa and Asia.

  • APIs face a number of common and increasing threats: As with any popular business-critical function that houses sensitive data, threat actors will attempt to gain access by any means possible. The increasing popularity of APIs has also led to an increase in attack volumes. HTTP Anomaly, Injection Attacks, and File Inclusion are the three most common types of attacks that Cloudflare mitigates.

  • Shadow APIs provide a defenseless path for threat actors: Companies try to protect what they cannot see. Nearly 31% more API REST endpoints (when an API connects to the software program) were discovered by machine learning compared to customer-provided identifiers – meaning companies lack a complete inventory of their APIs.

  • DDoS mitigation solutions are one of the most effective tools for protecting APIs: Regardless of whether a company has full visibility of all of its APIs, DDoS mitigation solutions can help prevent potential threats. A third (33%) of all remediations applied to API threats were blocked by existing DDoS protections.

“APIs are powerful tools for developers to build complex, full-featured applications for their customers, partners and employees, but every API is a potential attack surface that needs to be secured,” said Melinda Marks, practice director, cybersecurity, at Enterprise Strategy Group. “As this new report shows, companies need more effective ways to ensure API security. This includes better visibility of APIs, ways to ensure secure authentication and authorization between connections, and better ways to protect their applications from attacks.”


Methodology of the report: The results in this report, including the statistics listed above, are based on traffic patterns observed by Cloudflare’s global network (including Cloudflare’s web application firewall, DDoS protection, bot management, and API gateway services) between October 1, 2022 and August 31, 2023. For the quarter ended September 30, 2023, Cloudflare processed an average of over 50 million HTTP requests per second and blocked an average of 170 billion cyber threats per day.

To learn more, please check out the resources below:

  • 2024 API Security and Management Report
  • Blog: Introducing Cloudflare’s 2024 API Security and Management Report
  • Cloudflare API Security
  • What is API Security?


About Cloudflare

Cloudflare, Inc. (NYSE: NET) is the leading cloud connectivity company. It enables companies to add speed and security to their workforce, applications and networks everywhere, while reducing complexity and costs. Cloudflare’s Connectivity Cloud provides the most comprehensive, unified platform of cloud-native products and developer tools, giving every organization the control they need to operate, develop and accelerate their business.

Backed by one of the largest and most connected networks in the world, Cloudflare blocks billions of online threats every day for its customers. Cloudflare is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups and governments around the world.

Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest internet trends and insights at https://radar.cloudflare.com.



Forward-Looking Statements

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, that involve significant risks and uncertainties. In some cases, you can identify forward-looking statements by words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “consider,” “believe,” “estimate,” “predict,” “potential” or “continue,” or the negative of these words or other similar terms or expressions referring to Cloudflare’s expectations, strategies, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s products and technology, Cloudflare’s technological development, future operations, growth, initiatives or strategies, future market trends and comments from Cloudflare’s CEO. Actual results may differ materially from those expressed or implied by the forward-looking statements due to a number of factors. These include, but are not limited to, the risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 2, 2023, and other documents that Cloudflare files from time to time with the SEC.

The forward-looking statements set forth in this press release speak only as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not achieve the plans, intentions or expectations disclosed in the forward-looking statements, and readers should not place undue reliance on Cloudflare’s forward-looking statements.

©2024 Cloudflare, Inc. All rights reserved. Cloudflare, the Cloudflare logo, and other Cloudflare marks are trademarks and/or registered trademarks of Cloudflare, Inc. in the United States and other jurisdictions. All other trademarks and names referenced herein may be the trademarks of their respective owners.

The source language in which the original text is published is the official and authorized version. Translations will be included for a better understanding. Only the language version that was originally published is legally valid. Therefore, compare translations with the original language version of the publication.
