Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Threat researchers recently disclosed a severe vulnerability in a Figma Model Context Protocol (MCP) server, as reported by The Hacker News. While the specific patch is important, the discovery itself serves as a critical wake-up call for every organization rushing to adopt AI. This incident provides a blueprint for a new class of attacks that target the very infrastructure powering the AI Agent Economy. To understand the risk, we must first look at the mechanics of this emerging threat.

AI adoption has fundamentally redefined the role of APIs. They are no longer just conduits for data; they have become the “AI action plane” for autonomous systems. Every AI workflow, agent, and tool call now rides on an API, exposing a critical truth: you cannot secure AI without first securing your APIs. The H2 2025 State of API Security report reveals that this dependency is dangerously outpacing current security practices.

Picture your online shopping site overwhelmed with fake orders, your customer accounts being drained one after another, or your essential APIs flooded by an endless wave of automated attacks. This is the reality businesses face today—thanks to a fully automated army of cyber criminals determined to cause harm. In this digital bot invasion, businesses of all kinds are under urgent pressure to establish defenses that effectively fight this digital threat.

Injection attacks are among the oldest tricks in the attacker playbook. And yet they persist. The problem is that the core weakness, trusting user inputs too much, keeps resurfacing in new forms. As organizations have shifted to API-driven architectures and integrated AI systems that consume unstructured input, the attack surface has expanded dramatically.

Deploying Web Application and API Protection (WAAP) systems is crucial for bolstering cybersecurity defenses. Akamai reported 108 billion API attacks over an 18-month period, underscoring the value of APIs to cybercriminals. Like any new security measure, the initial deployment brings various challenges during the "Day One" process. These Day One challenges should not compromise security effectiveness or disrupt business operations.

For this Cybersecurity Awareness Month, we thought it important to draw attention to some of the most common and dangerous API vulnerabilities. This week, we’re starting with Broken Object Level Authorization (BOLA). BOLA vulnerabilities top the OWASP API Top Ten. And for good reason: they’re startlingly prevalent, remarkably easy to exploit, and can have devastating consequences. So, let’s explore what they are, why they matter, and how you can mitigate them.