Indusface has released its Annual State of Application Security Report. The report highlights a 20% increase in cyberattacks in India from Q1 to Q4 2024, with over 7.15 billion attacks blocked across all sites protected by AppTrana. Each site faced an average of 6.9 million attacks, underscoring the urgent need for Indian businesses to strengthen cybersecurity defences in 2025.

DDoS attacks remained a global concern, with 2.46 billion incidents recorded in 2024. APIs emerged as a critical area of focus, as they experienced 30% more attacks per host than websites, and API-related DDoS attacks in India were 166% higher than web-based DDoS attacks. Bot-driven attacks surged by 48%, affecting nine out of ten websites, with a 132% spike during the holiday season as attackers exploited high-traffic periods. Given that most customers' businesses target Indian markets, most of these attacks originate from India.

Attacks on website vulnerabilities increased by 94%, while attacks on API vulnerabilities skyrocketed by 873% from Q1 2024 to Q4 2024. A significant factor in this rise may be the widespread use of large language model (LLM) tools like ChatGPT, which allow novice hackers to easily discover and use scripts that exploit open vulnerabilities.

Cyberattacks varied significantly across industries, with businesses facing targeted attack patterns based on their sector. The retail and e-commerce sector faced relentless attacks, with each website experiencing over a million cyber incidents. DDoS attacks in the sector increased tenfold from Q1 to Q4, as fraud bots exploited payment systems through credential stuffing and carding attacks. Similarly, the manufacturing sector witnessed 1.37 million attacks per site, with DDoS incidents surging sixfold over the year. In the manufacturing sector, attackers primarily targeted supply chains, ERP systems, and production functions, causing operational disruptions and finding new ways to demand ransom.

The Banking, Financial, and Insurance Services (BFSI) sector saw twice as many attacks per site compared to the global average. The Insurance sector faced a 2.5X increase in bot-driven threats and an 8X surge in vulnerability attacks from Q1 to Q4 2024, underscoring the need for robust vulnerability management and faster patching.

Healthcare remained one of the most vulnerable sectors, with 100% of monitored healthcare websites encountering bot-driven attacks. The rise in automated cyber threats posed significant risks to patient data security and hospital infrastructure. Meanwhile, small and medium-sized enterprises (SMEs) were disproportionately affected, experiencing 236% more DDoS attacks than large enterprises due to relatively weaker security infrastructure and limited access to dedicated cybersecurity teams.

“Cybercriminals are constantly evolving their tactics, leveraging different attack vectors based on industry, application type, and company size. APIs, for example, face 2x attacks per host when compared to web apps. Similarly, the insurance industry faces 2.5x more bot attacks per app compared to other industries,” said Ashish Tandon, Founder and CEO of Indusface. “Security teams can stay ahead by investing in all-in-one, AI-powered AppSec platforms that adapt quickly to these evolving threats. However, even with AI, manual oversight is essential to prevent AI hallucinations and ensure uninterrupted business operations. This balanced approach that combines the agility of AI with human expertise helps us protect business-critical applications of 5000+ global customers,” added Ashish.

The report also found that 26,000 critical and high-severity vulnerabilities were identified in 2024, yet 33% remained unpatched for over six months, leaving organisations exposed. Virtual patching successfully blocked all the attacks on these open vulnerabilities, proving essential in cases where patching was delayed or unavailable. However, only 38% of security leaders in India are utilising this unique feature of WAFs.

With stricter cybersecurity regulations from SEBI, RBI, and other regulatory bodies, businesses must ensure faster vulnerability detection, real-time patching, and continuous security monitoring. Automated security solutions will be essential in 2025, particularly for SMEs struggling with security resource constraints. Additionally, WAAP solutions with AI-driven bot mitigation, behavioral analysis, and adaptive security models will help mitigate API and bot-driven attacks.