The report confirms that APIs have become the dominant attack vector. 87% of all organizations experienced an API-related security incident in 2025 . The commerce industry faced more than 200 billion application and API attacks between 2024 and 2025
. API web attacks grew 9% between Q4 2024 and Q4 2025, surpassing traditional web application attacks in volume
.
Layer 7 DDoS attacks are exploding. Akamai reports these attacks surged 104% over two years (2023–2025), with a 61% year-over-year increase from 2024 to 2025 alone . Commerce faced nearly three trillion Layer 7 DDoS attacks between 2024 and 2025
. Retail was hit hardest — 84% of all Layer 7 DDoS attacks on commerce targeted the retail vertical
.
The rise of agentic commerce — where AI agents autonomously shop, transact, and interact on behalf of users — has fundamentally reshaped the threat landscape. Attackers are actively exploiting the trust gap between human and machine-driven interactions .
Threat actors weaponize AI bots to automate advanced attacks that exploit session flows, authentication mechanisms, and API business logic, and to build and manage fake identities at scale . Malware accounted for 56.5% of endpoint threat activity from November 2025 to April 2026, indicating that agentic workflows expand the endpoint attack surface
.
The report warns that benign AI shopping agents and malicious bots now look nearly identical, making traditional bot detection alone insufficient .
In response, Akamai announced its unified Agentic Security Framework on June 15, 2026, for its Bot & Agent Control solutions . The framework connects identity, observability, trust, and edge security into a single, real-time decisioning layer at the edge
. It comprises six tightly integrated pillars
:
Ecosystem partners include Visa, Experian, Skyfire, Ping Identity, Auth0, and Tollbit . Notably, Visa contributes its Trusted Agent Protocol (TAP) to cryptographically verify AI shopping agents and prevent fraud across Akamai Cloud
. The framework is designed to answer the core identity, intent, and trust questions raised when AI agents act on behalf of users
.