Salt Security: How CISOs Are Approaching API Risk Survey Report

The 2025 How CISOs Are Approaching API Risk Survey Report research, conducted by Global Surveyz Research, features insights from 300 CISOs from France, Germany, Italy, the United Kingdom and the United States, all of whom work at companies with more than 1,000 employees. The CISOs surveyed work across a number of industries including financial services, healthcare, transportation, retail and software.

Organizations are rapidly scaling their API environments to bolster innovation, accommodate growing customer demands and boost operational efficiency. Salt Security’s 2025 State of API report revealed that 30% of organizations reported a 51-100% growth in the number of APIs they manage over the past year, with 25% of respondents experiencing growth exceeding 100%. Evidently, APIs play a critical part in an organization’s ability to innovate, especially in the era of AI; however, scale and pace of adoption can strain resources and complicate security efforts. This discrepancy is further underscored by the 2025 How CISOs Are Approaching API Risk Survey report.

Confidence and Visibility 

The report also revealed that only 19% of CISOs globally have full visibility and confidence in tracking APIs across their organization. Among large enterprises, only 27% report full oversight. For smaller organizations, the number shrinks to 12%. This general lack of visibility poses a persistent and growing security risk to organizations, with many easily exploitable shadow APIs potentially lurking within an environment.

What’s more, around three-quarters (74%) of CISOs admit to constantly uncovering APIs that they did not know existed. A further 9 in 10 CISOs can’t confirm that they’re free of unmanaged APIs, highlighting widespread uncertainty and visibility gaps in API environments. In smaller organizations, CISOs are nearly three times less likely to feel assured about their API inventories.

Innovation vs. Security

Similarly, the report uncovered a disparity between the pace of development, adoption and security, with modern development moving quickly. The research found that three-quarters (75%) of APIs are updated weekly or daily. However, two-thirds (66%) of organizations only audit for shadow or unmanaged APIs on a monthly or quarterly basis. This creates a dangerous blind spot of 4 to 12 weeks, during which unmanaged changes can introduce risk. Only 34% of organizations globally have adopted continuous, automated auditing to close this visibility gap and match the speed of API change.

Protection and Tools

The research found that legacy tools are the primary line of defence for most CISOs. To secure APIs, 76% of CISOs rely on WAFs and 72% on API Gateways. Despite their limitations, 85% express confidence that these tools can block business logic attacks – threats that they weren’t designed to stop. These tools cannot prevent attacks that exploit legitimate, intended functionalities to access sensitive data; they only detect known signatures of malicious activity. Worryingly, only 39% of organizations are adopting best-of-breed API security solutions built for the changing threat landscape.

“There is an evident overconfidence in legacy tooling to protect against uniquely modern and complex threats,” said Michael Callahan, Chief Marketing Officer of Salt Security. “These tools were not built with the threats faced by organizations today in mind, especially as the threat landscape has evolved so quickly and unpredictably in recent years. Legacy tech paired with a lack of visibility over the entire API ecosystem presents a worrying picture for CISOs aiming to secure their organization effectively. Modern issues need modern solutions that are scalable, efficient, and effective.”

The Future of API Security

The data shows that a strategic shift is essential to ensuring the security of all APIs. Organizations are under-resourced: only 16% of security leaders feel they are adequately staffed to triage and respond to the volume of API-related security alerts in real time. Increasing personnel isn’t a scalable solution; rather, bridging the gap requires a modern approach that addresses the core themes of speed, visibility and threat detection head-on.

Earlier this year, Salt unveiled Illuminate to revolutionise API security by providing instant, total visibility into an organization’s API landscape. The platform helps CISOs to secure business innovation. It offers an attacker’s view to find and eliminate vulnerable APIs, enforces governance and compliance automatically and uses AI to stop behavioral attacks in real-time.

To read the full “API Blindspots and Breakthroughs: How CISOs Are Approaching API Risk Survey” report, visit the website here.

Methodology 

The 2025 research, conducted by Global Surveyz Research, features insights from 300 CISOs from France, Germany, Italy, the United Kingdom and the United States, all of whom work at companies with more than 1,000 employees. The CISOs surveyed work across a number of industries including financial services, healthcare, transportation, retail and software.

About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.