India faced a staggering wave of cyber threats in 2024, with API and bot attacks hitting unprecedented levels, according to the latest Annual State of Application Security Report from Indusface, a global Application Security SaaS provider.

Indusface’s AppTrana platform blocked over 7.15 billion attacks in India last year — a 20% increase from Q1 to Q4. Each protected site faced an average of 6.9 million attacks, highlighting the growing sophistication of threats.

One of the most concerning trends was the 873% spike in API vulnerability attacks, now surpassing web-based threats. APIs saw 30% more attacks per host, while API-related DDoS incidents in India were 166% higher than web-based equivalents. Meanwhile, bot-driven attacks rose by 48%, affecting nine out of ten websites, with a sharp 132% surge during the holiday season.

“These figures show that cybercriminals are evolving fast, leveraging newer attack vectors like APIs and bots that many businesses are still not equipped to defend against,” said Ashish Tandon, Founder and CEO of Indusface. “Security teams must adopt AI-driven AppSec platforms that combine machine agility with human oversight to tackle these threats effectively.”

A Sector-Wide Crisis

Sectors across the board witnessed tailored attacks. The retail and e-commerce sector faced over a million cyber incidents per site, with DDoS attacks increasing tenfold due to fraud bots exploiting payment systems. The manufacturing industry experienced 1.37 million attacks per site, primarily targeting supply chains and production functions. The BFSI sector saw double the global average in attacks, with the insurance industry noting an 8X rise in vulnerability exploits. In healthcare, 100% of monitored sites were hit by bots, posing serious threats to patient data. Small and medium-sized enterprises (SMEs) endured 236% more DDoS attacks than larger firms due to weaker cybersecurity infrastructure.

AI Tools and Security Gaps

The increasing accessibility of large language model (LLM) tools like ChatGPT enabled even inexperienced attackers to exploit open vulnerabilities. Indusface detected 26,000 critical vulnerabilities in 2024, and 33% remained unpatched for over six months. Virtual patching proved essential but was underutilized, with only 38% of Indian security leaders leveraging this feature.

The Road Ahead

With tighter regulatory mandates from SEBI, RBI, and others, businesses must step up real-time monitoring and patching. For resource-strapped SMEs, automated, AI-powered Web Application and API Protection (WAAP) solutions will be crucial.

“As APIs expand and bots grow more sophisticated, static defenses no longer suffice,” added Tandon. “We need adaptive, AI-led strategies backed by human expertise to stay ahead of the curve.”