AppSec in Q1 2025: Trends from Fastly's Latest Report

David King

Senior Product Marketing Manager, Security

In the world of cybersecurity, worst-case scenarios can often take center stage. Visions of hyper-advanced, AI-driven attacks fill our feeds. But what's the reality? Fastly's Q1 2025 Threat Insights Report cuts through the noise, offering a clear picture of the web application and API security landscape, and it might surprise you.

The Myth of the Unique Attack

The report reveals that the commerce industry's share of attack volume doubled, from 15% in Q1 2024 to 31% in Q1 2025, signaling a shift in attacker focus. Additionally, the report found that 37% of all observed internet traffic comes from automation tools or bots, with 89% of that bot traffic classified as unwanted, further illustrating the challenges faced by online businesses.

A recurring takeaway from our latest report: the vast majority of attacks aren't the one-of-a-kind, tailored threats we often hear about. Instead, attackers frequently employ established methods, launching the same payloads across numerous organizations. Think of it as a spray-and-pray approach. For the past two years, XSS and SQLi have remained the most prevalent attack methods, with little significant change in their share of overall attacks. In Q1 2025, XSS still made up the bulk of attacks, showing only a 4% increase from the previous year. This consistency reveals that attackers often stick to what works, relying on widely known vulnerabilities.

One of the most significant actionable findings from the report is that 28% of all observed web attacks originated from IP addresses listed on the Fastly Network Learning Exchange (NLX), a real-time threat intelligence feed. NLX shares confirmed malicious IP addresses across customer environments, allowing for preemptive detection and blocking of threats. When an IP exceeds attack thresholds, it's flagged, added to NLX for 24 hours, and shared anonymously; used as part of a blocking rule, that listing stops potential damage before it occurs.
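As an added illustration of the NLX mechanism just described (a per-IP attack threshold, a 24-hour listing, and a blocking rule that consults the list), here is a small Python model. It is not Fastly's code; the threshold value, the sample events and the function names are assumptions.

```python
"""Threshold-based shared blocklist with a 24-hour listing, modelled on the NLX
behaviour described above. Constructed example, not Fastly's implementation."""
from collections import Counter
from datetime import datetime, timedelta

ATTACK_THRESHOLD = 3             # assumed threshold; the real NLX value is not given here
LISTING_TTL = timedelta(hours=24)

# Constructed WAF-style events: (timestamp, client IP, attack signal or None)
SAMPLE_EVENTS = [
    ("2025-03-01T10:00:00", "203.0.113.7", "XSS"),
    ("2025-03-01T10:00:05", "203.0.113.7", "XSS"),
    ("2025-03-01T10:00:09", "203.0.113.7", "SQLI"),
    ("2025-03-01T10:01:00", "198.51.100.4", "SQLI"),
    ("2025-03-01T10:02:00", "198.51.100.4", None),
]


class SharedBlocklist:
    """IPs that crossed the threshold, each kept for LISTING_TTL after listing."""

    def __init__(self):
        self._expires = {}

    def add(self, ip, listed_at):
        # Re-listing an IP refreshes its expiry rather than stacking entries.
        self._expires[ip] = listed_at + LISTING_TTL

    def is_listed(self, ip, now):
        expiry = self._expires.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expires[ip]   # lazy expiry keeps the list bounded
            return False
        return True


def ingest(events, blocklist, threshold=ATTACK_THRESHOLD):
    """Count attack signals per IP; list the IP the moment it reaches the threshold."""
    counts = Counter()
    for ts, ip, signal in events:
        if signal is None:          # clean request, not an attack signal
            continue
        counts[ip] += 1
        if counts[ip] == threshold:
            blocklist.add(ip, datetime.fromisoformat(ts))
    return counts


def decide(blocklist, ip, now_iso):
    """Blocking rule: deny a currently listed IP, otherwise hand the request to normal WAF inspection."""
    return "block" if blocklist.is_listed(ip, datetime.fromisoformat(now_iso)) else "inspect"
```

Running `ingest(SAMPLE_EVENTS, bl)` lists only 203.0.113.7, and `decide` returns "inspect" for it again once the 24-hour window has passed.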

Other key findings include:

  • Cross-Site Scripting (XSS) remains the most prevalent attack type, accounting for 40% of all observed attack traffic, up from 35% in Q1 2024

  • Compromised password attempts averaged over 1.3 million per day, underscoring the scale of account takeover (ATO) activity

  • Search Engine Crawlers make up 66% of wanted bot traffic, and the High Technology and Education industries received the largest distribution of this wanted bot type

But what does this mean for you?

  • Don't chase shadows: Focus on bolstering defenses against known and existing attack vectors

  • Leverage shared intelligence: Take advantage of resources like Fastly’s NLX to stay ahead of emerging threats

  • Understand risks: Be aware of specific threats targeting your sector (like the increased focus on High Tech)

Fastly’s quarterly threat insights report draws from 6.5 trillion monthly requests* across Fastly’s Next-Gen WAF, Bot Management, and DDoS Protection solutions, which collectively help secure over 130,000 apps and APIs** across a wide range of industries, including leading e-commerce, streaming, media and entertainment, financial services, and technology companies. Our suite of security products is designed to mitigate these common attacks without the need for constant manual rule updates. It automatically adds signals for widespread attacks like XSS and provides virtual patches for zero-day and N-day vulnerabilities.

Stay up to date with the Fastly Security Research Team, which continuously publishes a range of valuable resources, including blogs, CVE notices, new Next-Gen WAF rules, open-source tools, tutorials, and more, aimed at keeping our customers informed about the latest security developments.

We are excited to share this report with you and look forward to seeing how our findings align with experiences on your own applications and APIs. To explore the attack observations and analyses in greater depth, read the full report.

* Trailing six-month average as of April 22, 2025

** As of April 22, 2025