Shadow API usage surges 900%

An image of , News, Shadow API usage surges 900%

Cequence Security, the leading provider of Unified API Protection (UAP), today released its second half 2022 report titled, “API Protection Report: Holiday Build-up Shows 550% Jump in Unique Threats.” Developed by the CQ Prime Threat Research Team, the report is based on the analysis of approximately one trillion API transactions spanning various industries over the second half of 2022 and seeks to highlight the latest API threat trends plaguing organisations today.


As compared to other reports based on survey and qualitative data, this threat report covers actual tactics, techniques, and procedures (TTPs) employed by threat actors targeting consumer-facing, business-to-business (B2B), and machine-to-machine APIs. It serves as a critical resource for decision-makers, security professionals, and other stakeholders tasked with safeguarding their organisation.

APIs have exploded and can be found in nearly everything we do online – logins, payments, transfers, online banking, autonomous driving, and everything else. Driven by modular, cloud-native applications, mobile device ubiquity, digital assistants and smart-home appliances, APIs are the connective tissue for all things digital. The explosive growth in API use is understandable, given the business benefits of an API-first application development methodology.


“API breaches have plagued numerous high-profile organisations in recent months, elevating the need for CISOs to prioritise API protection. Attackers are getting more creative and specific in their tactics, and traditional protection techniques are no longer enough,” said Ameya Talwalkar, CEO and founder of Cequence Security. “As attack automation becomes an increasingly prevalent threat against APIs, it’s critical that organisations have the tools, knowledge and expertise to defend against them in real- time.”

The second half of 2022 (June 1 to December 31) marked a significant turning point in the security landscape. The Cequence CQ Prime Threat Research Team observed a noteworthy shift in cybercriminals’ tactics, techniques and procedures (TTPs). In several high-profile incidents, application programming interfaces (APIs) emerged as a primary attack vector, posing a new and significant threat to organizations’ security posture.


Key findings include:

● Shadow APIs Spike 900%, Highlighting a Lack of API Visibility: In the second half of 2022 alone, approximately 45 billion search attempts were made for shadow APIs, marking a 900% increase from the 5 billion attempts made in the first half of 2022.

● Holiday Season Sees 550% Increase in Unique Threats: There was a 550% increase in the number of unique TTPs employed by attackers, rising from approximately 2,000 in June to a staggering 11,000 towards the end of 2022.

● Attackers Increasingly Combine API and Web Application Security Tactics: From June 2022 to October 2022, attackers favoured traditional application security tactics; however, as the holidays approached, there was a 220% surge in API security tactics.

● Attack Surface Sprawl Highlights the Telecom API Protection Challenge: Most re-tool attempts in the telecom industry were entirely new TTPs, which shows that the threat tactics utilised are diverse, sophisticated, and persistent.

● New OWASP API Threat Category API8 – Lack of Protection from Automated Threats, Validated: The CQ Threat Research Team previously identified the need for API10+ to go beyond the OWASP API Top 10 to include protection against automated attacks. The threat report findings and the addition of API8: – Lack of Protection from Automated Threats in the OWASP API Security Top 10 2023RC confirm the past observations made by Cequence and endorse the inclusion of native bot mitigation capabilities to a robust API security program.


The report clearly demonstrates that the API threat landscape is constantly evolving, and organisations need to be vigilant in protecting their APIs and web applications from automated threats (bots) and vulnerability exploits. Attackers are becoming more sophisticated and API-specific in their tactics, and traditional protection techniques continue to provide ineffective defence.


“Our research is vital in providing organisations with the necessary tools and knowledge to mitigate attacks in real-time,” Talwalkar continued. “By staying ahead of the curve and understanding the latest attack methods and tools, organisations can achieve Unified API Protection and build the awareness and confidence needed to protect their APIs from even the most sophisticated attacks.”

The rise in the utilization of API security TTPs underscores the importance for organizations to adopt a comprehensive and proactive approach to their API security posture. By conducting regular API threat surface assessments, API specification anomaly detection, and implementing real-time automated threat (bot) detection and mitigation measures, businesses can prevent attacks from progressing beyond the reconnaissance stages, limiting the impact of any potential business disruption and security events.

To protect against these threats, it’s important to adopt a comprehensive approach to API security that considers the perspectives of attackers, defenders, and developers, along with governance, risk, and compliance (GRC) officers. Each viewpoint has specific qualities that need to be addressed to ensure a comprehensive security posture. Defenders should be focusing on key metrics, detection tools, and mechanisms to mitigate potential threats. Developers and defenders need to satisfy the perspective of GRC officers by being able to check inventory and ensure APIs are following instructions while not exposing sensitive data. Developers should focus on integrating security measures into the CI/CD pipeline and improving the resilience of APIs to automation attacks. By taking a comprehensive approach to API security and considering these various viewpoints, organizations can better protect their systems and data from emerging threats.


● To find out more, register for the webinar on Thursday, June 22, 2023 “API Protection Report: Second Half Findings” at 11 am PST, 11 am BST and 11 am AEST via


About Cequence Security

Cequence Security, the pioneer of Unified API Protection, is the only solution that unifies API discovery, inventory, compliance, dynamic testing with real-time detection and native mitigation to defend against fraud, business logic attacks, exploits and unintended data leakage. Cequence Security secures more than six billion API transactions a day and protects more than two billion user accounts across our Fortune 500 customers. Learn more at

An image of , News, Shadow API usage surges 900%

Ameya Talwalkar

Over the last 10 years, Ameya Talwalkar has built strong engineering teams specializing in enterprise and consumer security in Silicon Valley, Los Angeles, Madrid, Pune, and Chengdu. Before co-founding Cequence Security, he was Director of Engineering at Symantec, where he was responsible for its anti-malware software stack that leverages network Intrusion prevention and behaviour and reputation technologies, and anti-virus engines. Under his leadership, Symantec developed an advanced version of network intrusion prevention technology that blocks more than two billion threats a year. Ameya holds a Bachelor of Engineering in Electrical Engineering from the University of Mumbai’s Sardar Patel College of Engineering (SPCE).

AI alignment: teaching tech human language

Daniel Langkilde • 05th February 2024

However, Embodied AI refers to robots, virtual assistants or other intelligent systems that can interact with and learn from a physical environment. In order to do this, they’re built with sensors that can gather data from their surroundings, with this they also have AI systems that help them analyse data they collect, and ultimately learn...

CARMA announces acquisition of mmi Analytics

Jason Weekes • 01st February 2024

CARMA announces acquisition of mmi Analytics, expanding expertise in Beauty, Fashion, and Lifestyle sectors The combined organisation is set to redefine the landscape of media intelligence, providing unparalleled expertise and comprehensive insights for PR professional and marketers in the exciting world of beauty, fashion and lifestyle.

Managing Private Content Exposure Risk in 2024

Tim Freestone • 31st January 2024

Managing the privacy and compliance of sensitive content communications is getting more and more difficult for businesses. Cybercriminals continue to evolve their approaches, making it harder than ever to identify, stop, and mitigate the damages of malicious attacks. But, what are the key issues for IT admins to look out for in 2024?

Revolutionizing Ground Warfare Environment with Software-Enabled Armored Vehicles

Wind River • 31st January 2024

Armoured vehicles which are purpose-built for mission-critical operations are reliant on control systems that provide deterministic behaviour to meet hard real-time requirements, deliver extreme reliability, and meet rigorous security requirements against evolving threats. Wind River® has the partners and the expertise, a proven real-time operating system (RTOS), software lifecycle management techniques, and an extensive track...

The need to prove environmental accountability

Matt Tormollen • 31st January 2024

We are currently in the midst of one of the most consequential energy transitions since records began. The increasing availability of clean electrons has motivated businesses in the UK and beyond to think green. And for good reason. Being environmentally conscious attracts customers, appeases regulators, retains staff, and can even gain handouts from government. The...

Fuelling Innovation in Aftermarket

Jim Monaghan • 31st January 2024

One section of the motor trade is benefitting from the cost-of-living crisis: with consumers keeping their cars for longer, independent repairers are in huge demand. But they are also under pressure. Older cars need more repairs. They require more replacement parts, tyres and fluids. With car owners looking for value and a fast turn-around, independents...

The return of the five-day office week

Virgin Media • 25th January 2024

Virgin Media O2 Business has today published its inaugural Annual Movers Index, revealing four in ten companies are back to the office full time, despite widespread travel delays and disruptions With 2023 cementing the cost-of-living crisis, second hand shopping and public transport use surged as Brits sought to save money Using aggregated and anonymised UK...