In 2024, over 7.15 billion cyberattacks were blocked across Indian websites—each site facing nearly 6.9 million attacks on average
The State of Application Security India 2025 report by Indusface offers a detailed account of the rising cybersecurity challenges faced by Indian organisations and the evolving strategies to combat them. The data points to a sharp surge in attack volumes, particularly targeting APIs and web applications, highlighting the urgent need for robust, adaptive, and automated security solutions.
In 2024, over 7.15 billion cyberattacks were blocked across Indian websites—each site facing nearly 6.9 million attacks on average. Alarmingly, API endpoints witnessed 30 per cent more attacks than websites and over 166 per cent higher DDoS incidents, showcasing their growing vulnerability. These trends were exacerbated during the holiday season, where attack volumes spiked by 132 per cent due to reduced vigilance and delayed patching.
The report further reveals that attacks on API vulnerabilities increased by a staggering 873 per cent, while attacks on website vulnerabilities grew by 94 per cent. This sharp escalation is partly attributed to the easy availability of LLM tools such as ChatGPT, which are being misused by less experienced cybercriminals to exploit known weaknesses.
Industry-specific insights also raise red flags. The BFSI and insurance sectors reported 2x and 2.5x more bot attacks respectively than other industries. SMBs faced 236 per cent more DDoS attacks than enterprises, struggling with limited resources and part-time security support.
To address these risks, the report recommends continuous monitoring via managed WAAP solutions, AI-powered behavioural models, and automated API scanning integrated into CI/CD pipelines. However, adoption remains low—only 32 per cent of respondents use virtual patching, and 36 per cent do not scan APIs at all.
With regulatory scrutiny tightening and threats growing more sophisticated, the report makes it clear: proactive, risk-based application security is no longer optional—it’s mission-critical.
