
Attackers Discover APIs in 29 Seconds and Steal 10m User Entities in a Minute

API Honeypot

Wallarm, the recognized leader in API security, has built a globally distributed API honeypot spanning 14 locations. It baits attackers by simulating real API environments—REST, XML-RPC, GraphQL, and more—and records every exploit in shocking detail. 

The data reveals that modern attackers prioritize APIs over traditional web apps. They discover newly deployed endpoints at breakneck speed, averaging just 29 seconds, with the slowest discovery clocking in at 34 seconds. From port opening to a valid API call, it often takes under a minute. Once they find an unprotected API, active exploitation happens almost immediately.

Wallarm observed attackers using about 50 IP addresses, each sending 50 requests per second, totaling 2,500 RPS. With minimal cloud costs—$50–$150 per IP monthly—and only around 20 Mbps of bandwidth, they pull off stealthy yet large-scale data theft. By batching API calls through protocols like XML-RPC or GraphQL, attackers can extract 10 million user records in as little as 6 seconds. 

A single-request approach takes around 66 seconds to achieve the same haul, while older-style web scraping might drag on for 1,666 seconds.

This new breed of automated, cost-effective assault underscores why covering only ports 80 and 443 isn’t enough. Attackers scan a wide range of ports for anything left exposed or misconfigured. They also zero in on popular API products and known CVEs, leveraging the smallest security gaps to breach entire systems and vanish with critical data.

APIs now surpass regular web applications as top targets because they offer rapid, high-volume access to user data. With attackers discovering endpoints in under half a minute, defenses must respond just as fast. 

Traditional monitoring often misses these bursts of malicious traffic, especially when bandwidth usage hovers around 20 Mbps—far below typical DDoS volumes.
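One way to catch the pattern described above, as an added example that is not from Wallarm's report or the original article: count logical operations per endpoint across all sources, unpacking GraphQL batches and XML-RPC multicalls, instead of watching bandwidth or per-IP request rates. The thresholds, the log tuple layout, the batch size of 10 and the sample traffic are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

PER_IP_RPS_LIMIT = 100     # assumed per-source rate limit (hypothetical value)
ENDPOINT_OPS_LIMIT = 1000  # assumed per-endpoint operations/second budget (hypothetical)

def count_ops(body):
    """Logical API operations carried by one HTTP request body."""
    text = body.lstrip()
    if text.startswith("["):  # GraphQL batch: a JSON array of operations
        try:
            return max(1, len(json.loads(text)))
        except ValueError:
            return 1
    if "system.multicall" in text:  # XML-RPC multicall: one methodName member per call
        return max(1, len(re.findall(r"<name>\s*methodName\s*</name>", text)))
    return 1

def detect(events):
    """events: (epoch_second, src_ip, endpoint, body) tuples from an API access log.
    Alerts on each second in which an endpoint exceeds its operations budget."""
    reqs = defaultdict(lambda: defaultdict(int))  # (second, endpoint) -> ip -> requests
    ops = defaultdict(int)                        # (second, endpoint) -> operations
    for sec, ip, endpoint, body in events:
        reqs[(sec, endpoint)][ip] += 1
        ops[(sec, endpoint)] += count_ops(body)
    alerts = []
    for (sec, endpoint), total in sorted(ops.items()):
        if total <= ENDPOINT_OPS_LIMIT:
            continue
        worst = max(reqs[(sec, endpoint)].values())
        alerts.append({"second": sec, "endpoint": endpoint, "ops": total,
                       "sources": len(reqs[(sec, endpoint)]),
                       "max_per_ip_rps": worst,
                       "per_ip_limit_tripped": worst > PER_IP_RPS_LIMIT})
    return alerts

def sample_events():
    """Constructed traffic: 50 sources x 50 requests in one second (the article's
    figures), each a GraphQL batch of 10 operations, plus one ordinary client."""
    batch = json.dumps([{"query": "{ user(id: %d) { id } }" % i} for i in range(10)])
    events = [(0, "198.51.100.%d" % n, "/graphql", batch)
              for n in range(1, 51) for _ in range(50)]
    events.append((0, "203.0.113.7", "/graphql", json.dumps({"query": "{ me { id } }"})))
    return events

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

On the constructed traffic no source exceeds the assumed per-IP limit, yet the endpoint-level operation count is far over budget, which is the signal a per-source or bandwidth-based monitor does not see.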

Wallarm’s honeypot research shows that real-time API visibility and security governance are vital. Teams need to track every endpoint, patch or segment risky services, and block suspicious traffic instantly. 

Even widely used or brand-name API products can’t bank on default settings. Attackers hunt them first, looking for quick wins.

This worldwide dataset clarifies one truth: APIs are fueling business growth, and attackers chase that growth. A single exposed API can compromise millions of records in mere seconds. 

Organizations must react with layered protections that scale as quickly as the threats do. Wallarm’s research proves it’s no longer a question of whether attackers will come for your APIs but when—and in today’s threat landscape, “when” is measured in seconds.

You can check the full API Honeypot report [PDF].
