
Critical infrastructure (CI) organizations are, as the name suggests, some of the most important in the global economy. They’re also some of the most technologically complex and, crucially, vulnerable. Their security must reflect that.
Cyber attackers have always adapted—but with artificial intelligence, they now move at machine speed. AI gives adversaries the ability to uncover vulnerabilities instantly, probe APIs endlessly, and exploit flaws that human testers would never spot. Software and APIs remain their favorite targets, but the tactics used to strike them have changed beyond recognition.
This, in part, is why this year’s Cybersecurity Awareness Month theme, “Secure Our World,” resonates so strongly. The Thales 2025 Data Threat Report for Critical Infrastructure reveals the challenges modern CI organizations face, how they’re tackling them, and how updating software fits into the equation.
Simple as it sounds, patching and updates shut down the easiest pathways for AI-powered attackers. Combined with smarter defenses that detect anomalies in real time and adapt as quickly as the threat, it’s one of the most powerful ways organizations can stay safe online.
API numbers are exploding, in large part due to increasing AI deployments. And, while CI organizations lagged slightly behind the market in AI deployment last year, that’s no longer the case: in 2025, they show equal adoption across all five phases of AI integration, with 33% of organizations in the advanced “deployment” and “transformation” phases of AI adoption.
AI runs on APIs, using them to fetch data, connect services, and power real-time intelligence. The more organizations adopt AI, the more APIs they spin up, and the larger their attack surface becomes.
In fact, two-fifths (39%) of CI respondents reported having more than 500 APIs in use, and one in five operate over 1000 APIs. As AI adoption accelerates, these numbers will only continue to grow, expanding exposure to vulnerabilities in both code and the software supply chain.
Over half (58%) of respondents said that code vulnerabilities are a major concern for application security, placing it as the top response. The solution? Embedding security across the software’s lifecycle, not just at production.
To make matters worse, AI is making API attacks more frequent and sophisticated.
In the past, attackers scanned for outdated libraries or unpatched services. AI does this too but faster, and with far more persistence. It can read API documentation, map functions, and test them with thousands of inputs in seconds. Where a human tester might probe dozens of possibilities, AI probes thousands, watching closely for even the smallest inconsistency to exploit – all the more reason to update software regularly.
What’s more, AI can uncover business logic flaws—the hidden cracks in how systems are designed. A checkout API that validates price but not currency. A service that checks identity but ignores location. These aren’t missing patches; they’re flaws in intent. And when software is outdated, those cracks become even easier to exploit.
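The checkout case above, sketched as an added example that is not taken from the Thales report or any product: a validator that checks price but not currency, next to one that binds both to the server-side record. The catalog, field names, and sample orders are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the authoritative amount AND currency per SKU.
CATALOG = {"sku-100": {"amount": Decimal("49.00"), "currency": "USD"}}

# Constructed sample requests. The second keeps the number but swaps the unit.
LEGIT = {"sku": "sku-100", "amount": "49.00", "currency": "USD"}
TAMPERED = {"sku": "sku-100", "amount": "49.00", "currency": "JPY"}


def validate_price_only(order: dict) -> bool:
    """Flawed check: compares the amount but trusts the client's currency."""
    item = CATALOG.get(order.get("sku"))
    if item is None:
        return False
    return Decimal(order["amount"]) == item["amount"]


def validate_order(order: dict) -> list[str]:
    """Hardened check: every money-related field must match the catalog."""
    item = CATALOG.get(order.get("sku"))
    if item is None:
        return ["unknown sku"]
    try:
        amount = Decimal(str(order.get("amount")))
    except InvalidOperation:
        return ["amount is not a number"]
    errors = []
    # is_finite() rejects NaN/Infinity before any comparison is attempted.
    if not amount.is_finite() or amount != item["amount"]:
        errors.append("amount does not match catalog")
    if order.get("currency") != item["currency"]:
        errors.append("currency does not match catalog")
    return errors


if __name__ == "__main__":
    print("price-only check accepts tampered order:", validate_price_only(TAMPERED))
    print("full check on tampered order:", validate_order(TAMPERED))
    print("full check on legitimate order:", validate_order(LEGIT))
```

No patch level changes the first function's behavior; the fix is in what the check is designed to compare, which is why such flaws are caught by testing intent rather than by scanning for known-bad versions.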
AI also makes attacks harder to detect. Malicious requests are shaped to look like normal traffic, with payloads that morph in real time to bypass signature-based defenses. The goal is to blend in—remaining invisible until the damage is already done.
This rapid growth of APIs and increasing sophistication of attacks has prompted CI organizations to look closer at application security. While shift-left controls are the top-cited priority for application protections, CI respondents also emphasized other foundational production controls, such as:
But it’s not all good news. While secrets management leads among DevOps security concerns, only 9% of respondents identified it as the single most effective technology for data protection, despite the high risk associated with secrets management failures, which can expose authentication data such as API keys. And, considering how many APIs are now in use, this is a bigger risk than ever.
However, organizations should also prioritize defenses that are as fast, adaptive, and relentless as the AI-powered attacks launched upon them:
This isn’t a one-time exercise. It has to be woven into the development cycle and continuously refined as both systems and threats evolve.
AI is expanding the attack surface – but the risks extend far beyond that. CI organizations report significant concerns across multiple dimensions, including but not limited to ecosystem changes (73%), integrity (64%), trust (53%), confidentiality (47%), and availability (42%).
The good news is that security is clearly a priority. Nearly three-quarters of organizations are already investing in AI-specific tools and services, with nearly half of that funding (55%) coming from existing budgets and 19% coming from newly allocated resources.
Still, the rapid adoption of GenAI heightens the risk of missteps. Hasty implementations can increase the likelihood of data breaches, as illustrated by vulnerabilities discovered in the DeepSeek GenAI model shortly after its V3 release. Since these architectures are new terrain for many security teams, strengthening data security measures – and updating software regularly – must remain a top priority.
While AI and APIs dominate the conversation, the cloud remains a critical security concern for CI.
Half of CI data stored in the cloud is sensitive, yet only 2% of organizations have encrypted 80% or more of it, far below other industries like financial services (14%).
At the same time, cloud reliance is accelerating: CI organizations now use an average of 2.1 IaaS providers, with over a quarter relying on three or more. SaaS adoption has also surged, jumping 23% in a year to an average of 102 applications—well above the average for all industries.
Although AI seems to be the primary focus, CI organizations must not neglect their cloud security. They should treat it as a strategic priority, with stronger encryption, consistent policies across providers, and visibility into sprawling SaaS ecosystems.
Smarter defenses are the only answer to all the challenges today’s organizations face: real-time anomaly detection, automated containment, proactive testing, and layered controls that protect both applications and the sensitive data inside them. Thales CipherTrust Data Security Platform and Imperva WAAP and API Security deliver exactly that—locking down information and guarding the pathways into it, even as attackers evolve.
In security, speed and adaptation decide who wins. Smarter threats require smarter defenses. And in the age of AI, organizations that see early, act fast, and protect deeply will hold the advantage.
For more insight into the critical infrastructure threat landscape, download the Thales 2025 Data Threat Report Summary: Critical Infrastructure.