Datos Insights: Securing APIs and multicloud in financial services

Industry Trends | December 23, 2025

According to a recent Datos Insights survey, 57% of financial services firms reported API‑related breaches in the last two years.

That single statistic from the October 2025 Datos Insights report, Securing Financial Services in the Age of Risk: Protecting Multicloud Environments, captures a shift that should change boardroom and budget conversations: open banking, microservices, and multicloud adoption have expanded the attack surface well beyond what legacy perimeter defenses were built to protect.

The result is lost account holder trust, regulatory exposure, and operational disruption—and the new F5-sponsored Datos Insights report explains how security leaders should respond now with a practical WAAP‑first approach.

57% [of financial services firms] reported experiencing API-related breaches in the past two years…. Immediate action is required to address this critical vulnerability.

Datos Insights, Securing Financial Services in the Age of Risk, October 2025

Why the perimeter is broken


APIs proliferate faster than teams can inventory them. In financial services, the velocity is clear: average API call volume doubled from 2023 to 2024 and more than 85% of banks participate in open banking ecosystems (Datos Insights, October 2025). Attackers have moved from probing external perimeters to compromising authenticated sessions and abusing legitimate APIs. That’s why many financial services organizations are shifting spending toward modern application and API defenses rather than incremental web application firewall (WAF) tweaks.

Figure: The percentage of financial services security leaders who are planning to deploy various cyber defenses in 2026. Taken together, these choices signal a clear pivot away from legacy perimeter fixes and toward API‑first, consolidated defenses that can scale across multicloud environments. (Datos Insights, October 2025)


The evolving threat landscape


The threat picture against financial services institutions is now dominated by two forces: AI and persistence. As attackers harness machine learning and large language models for automated reconnaissance and phishing, security teams must respond with AI‑driven behavioral analytics and dynamic policy controls.

Nation‑state groups have demonstrated long‑term persistence in critical infrastructure, while criminal groups combine social engineering with API exploitation—the Scattered Spider pattern shows how a help‑desk compromise plus an SSO API exploit can become a rapid path to lateral movement and data exfiltration.

Added to this is the “harvest now, decrypt later” strategy: attackers hoard encrypted data today with the intention of breaking it offline at a later date as quantum computers evolve, increasing the potential long‑term value that hackers can extract from every breach.

Figure: Organizations' top cyber investments in 2026. Risk managers are prioritizing data protection and vendor‑risk resilience, with significant investments also aimed at countering AI‑driven threats. (Datos Insights, October 2025)


What modern WAAP actually delivers


Web application and API protection (WAAP) is more than a marketing term. It unifies WAF, API discovery and schema learning, bot management, distributed denial-of-service (DDoS) protection, runtime anomaly detection, and threat intelligence into one operational plane. The Datos Insights report highlights the capabilities that matter most for financial services:

  • AI‑driven behavioral analytics that detect anomalous authenticated sessions and distinguish human from agentic activity
  • Continuous API schema learning and runtime enforcement to spot deviations and prevent abuse
  • Moving‑target defenses such as endpoint rotation and schema randomization that raise the attacker’s cost
  • Integration of machine‑readable threat intelligence and mappings to the MITRE ATT&CK and D3FEND frameworks for automated mitigation
  • Protocol‑aware protections (gRPC, FAPI 2.0, OAuth/OIDC) so security fits the API stack rather than being bolted on

Market signals are clear, and vendors are investing where customers need them to: Datos projects that the market for WAAP services will grow from roughly $10 billion in 2025 to $25 billion by 2033.

Architecture and metrics that prove progress


Security leaders should demand platforms that provide discovery/inventory, automated enforcement, and measurable outcomes. The Datos Insights report flags two key performance indicators (KPIs) to consider: mean time to mitigation (how quickly attacks are stopped) and runtime coverage (the percentage of production traffic protected by WAAP). Vendors should be able to show these alongside discovery rates and false‑positive performance.

Financial services security leaders will need to prioritize API security in their 2026 budgets and roadmaps, while consolidating point tools into integrated WAAP where it reduces operational complexity (and cost). Security leaders should also focus on deploying AI behavioral analytics and advanced bot defenses to catch authenticated-user abuse. Enforcing protocol-specific controls for financial-grade protection, integrating machine-readable threat intelligence (MRTI), and mapping detections to the MITRE ATT&CK and D3FEND frameworks for automated response will also be key. Finally, be sure to track WAAP KPIs and align them with business risk owners and compliance requirements.

Next steps


If you are setting security priorities or preparing a 2026 budget briefing, the October 2025 Datos Insights report—Securing Financial Services in the Age of Risk: Protecting Multicloud Environments—is a practical briefing you can use with your execs and board.

The report contains helpful figures and tables (including the six WAAP KPIs, Table A on API attack trends, and protocol guidance), a technical MRTI example mapping CVEs to defenses, and a case study of the Scattered Spider campaign that shows the timeline defenders can use to test their own posture.

Download the full report here.

If you’re ready to get started, book a briefing with an F5 representative to map the findings to your environment and prioritize the WAAP capabilities that will reduce your business risk.


About the Author

Chad Davis, Principal Industry Marketing Manager
