The year of the robot
2025 will be a huge year for tech. I never thought that I'd be writing a work-related blog post about robots, but technology has advanced so much in the last 12 months, setting up 2025 to be a groundbreaking year for tech. Self-driving cars, robots, AGI - these are all things that have a realistic chance of shipping this year which is super exciting, but also terrifying. Fairly sure we're going to have a "where were you when" moment this year. That said, all these changes are not only going to drastically transform the way we live and work, but also present new challenges for information security.
WAFs are going to be the front line for a lot of these emerging systems, but a lot of improvements need to happen in the space. This article will explore the new threats to WAFs in 2025.
New Threats to WAFs in 2025
The increasing sophistication of AI agent technology, robotics, and APIs has given rise to a new generation of cyber threats. These threats are more complex, adaptive, and difficult to detect than ever before. The following table summarizes some of the key threats facing WAFs in 2025:
AI-Powered Attacks
There is a distinction between AI-powered and AI-assisted threats. AI-powered attacks, like deepfake video scams, have been limited to date. AI-assisted threats are more common, where AI helps threat actors create variants of existing malware or better phishing email lures [7]. However, by 2025, multimodal AI will be used maliciously to craft an entire attack chain. As multimodal AI systems gain the ability to integrate text, images, voice, and sophisticated coding, threat actors will leverage them to streamline and automate the entire pipeline of a cyberattack [7].
One example of an AI-powered attack is the use of deepfakes to scam individuals. In one instance, scammers impersonated a company's chief financial officer during a video conference call and convinced a finance worker to pay them $25 million [2]. AI can also be used to automate social engineering attacks by engaging with targets on social media, building trust, and gathering information to personalize attacks [8].
While large language models (LLMs) like GPT-3/-4 have enabled astonishing breakthroughs in generative AI, they also present security challenges. One challenge is adapting LLMs to specific needs. Developers often use extensive manual adjustments to prompts to adapt an LLM to their requirements, which can lead to deep model dependence for AI applications. Other methods used include fine-tuning results using human feedback loops and improving relevance and accuracy through run-time queries to authoritative external datasets (i.e., Retrieval-Augmented Generation, or RAG) [9].
Growing API Vulnerabilities
APIs are a primary target for attackers in the age of agentic AI [10]. Agentic AI systems are capable of perceiving, reasoning, acting, and learning, and APIs are the backbone of these systems [10]. Attackers are escalating their use of AI-driven bots, supply chain breaches, and multi-vector campaigns to exploit API vulnerabilities [10]. Smarter, stealthier bots will exploit APIs for credential stuffing, data scraping, and automated account takeovers [10].
The increasing volume of APIs and threats has made API discovery a critical focus for organizations in 2025 [11]. According to a recent industry report, 57% of organizations suffered an API-related data breach in the past two years, with 73% of those experiencing three or more incidents [12]. API-related security issues now cost organizations up to $87 billion annually [11]. Furthermore, 65% of organizations believe that generative AI applications pose a serious risk to APIs [13].
Some specific examples of API breaches that occurred in 2024 include:
- A buggy API at a messaging company led to unauthorized access to 650,000 sensitive messages, exposing passwords and allowing penetration testers to retrieve confidential data [14].
- An exposed Trello API compromised the data of over 15 million users by linking private email addresses to Trello accounts [14].
- An API vulnerability in the social media platform Spoutible exposed user data, including bcrypt hashes of passwords [14].
Emergence of Robotic Systems
As robots become more interconnected, they are increasingly vulnerable to various cyber threats, including Denial of Service (DoS) attacks, spoofing, and man-in-the-middle attacks [5]. These attacks can disrupt operations, steal sensitive data, and cause significant financial losses to businesses [5].
Humanoid robots, which rely heavily on AI algorithms, are particularly vulnerable to adversarial attacks. In these attacks, malicious actors feed manipulated or misleading data into the AI system to exploit its decision-making process [15]. For example, in a factory setting, adversarial input could cause a robot to malfunction, leading to poor or dangerous decision-making [15].
Another significant risk is supply chain attacks. Robots often rely on components and software sourced from third-party vendors, and if any of these components are compromised, they could serve as a backdoor for cybercriminals [15]. Integrating cybersecurity measures into existing robotic systems can be complex and challenging [5].
Robotic systems begin to bridge the gap between the digital world and the physical world, raising the stakes for security professionals. While publicly disclosed incidents specifically targeting robotic systems are relatively rare (likely due to underreporting), there have been some notable security incidents and research findings highlighting the vulnerabilities of these systems:
- Remote takeover of a Jeep Cherokee: Researchers demonstrated how they could remotely take control of a Jeep Cherokee by exploiting vulnerabilities in the vehicle's Uconnect infotainment system. This incident highlighted the potential for attackers to manipulate critical vehicle functions, posing significant safety risks.
- Vulnerabilities in industrial and home robots: In 2017, IOActive discovered over 50 security vulnerabilities in six different robots, including popular models like NAO and Pepper, as well as industrial robots from Universal Robots and Rethink Robotics. These vulnerabilities could allow attackers to manipulate robot movements, disable safety features, and even gain access to sensitive data.
- Healthcare robot vulnerabilities: In 2022, Cynerio researchers found five vulnerabilities in Aethon TUG autonomous robots used in hospitals across the United States. These vulnerabilities could allow attackers to disrupt hospital operations, steal sensitive patient data, or even manipulate robot behavior, potentially endangering patients.
These incidents demonstrate the growing need for robust cybersecurity measures in robotic systems. As robots become more prevalent and interconnected, organizations must prioritize security to prevent potential harm, data breaches, and operational disruptions.
Why Traditional WAFs Struggle
Traditional WAFs, while still valuable for basic protection, face several challenges in addressing the evolving threat landscape:
- Reliance on Static Rules: Traditional WAFs rely on predefined rules and signatures to detect and block attacks. This approach is ineffective against new or sophisticated attacks that do not match known patterns [17]. They often struggle with real-time detection of, and response to, complex, adaptive bots [18].
- Limited Visibility: Traditional WAFs often have limited visibility into application logic, user workflows, and data structures. This makes it difficult to detect attacks that exploit vulnerabilities in these areas [19].
- Inability to Adapt: Traditional WAFs are not designed to adapt to the dynamic nature of cyber threats. They often require manual updates to address new vulnerabilities and attack techniques [20].
- Challenges with API Security: Traditional WAFs often struggle to secure APIs due to the complex authorization mechanisms, protocol variations, and payload structures used by APIs [21]. They are not effective at protecting against API attacks like those in the OWASP API Top 10 [22].
- Cloud Environment Challenges: Applying WAFs in cloud environments presents specific challenges, such as complex deployment scenarios in Kubernetes and poor management efficiency with multiple clouds [24].
Today, only 19% of organizations rate their traditional security solutions as highly effective in protecting APIs [12]. Despite 85% of IT leaders expressing confidence in their organization's security capabilities, 55% have experienced an API security incident in the past year [27]. This highlights the need for more advanced solutions to address the evolving threat landscape.
The Rise of WAF Agents
Agent-based WAFs represent a new approach to web application and API security [28]. These WAFs use AI agents to monitor and analyze traffic, detect anomalies, and mitigate threats in real-time. Here's why agent-based WAFs are superior solutions:
- Adaptive Learning: Agent-based WAFs use machine learning to continuously learn and adapt to new threats. This allows them to detect and block attacks that traditional WAFs would miss [29].
- Behavioral Analysis: Agent-based WAFs can analyze user behavior and identify anomalies that may indicate malicious activity. This helps to detect attacks that are not based on known signatures or patterns [30].
- Contextual Awareness: Agent-based WAFs have a deeper understanding of application logic, user workflows, and data structures. This allows them to detect attacks that exploit vulnerabilities in these areas [29].
- Real-time Threat Intelligence: Agent-based WAFs can integrate with threat intelligence feeds to stay updated on the latest threats and vulnerabilities. This helps to proactively block attacks before they can cause damage [17].
- Automated Response: Agent-based WAFs can automate incident response processes, reducing the time it takes to respond to threats. This helps to minimize the impact of attacks [17].
- Human-in-the-Loop Oversight: Implementing "human-in-the-loop" oversight enables agents to work autonomously while human experts review decisions after they've been made [32]. This provides a layer of human control and accountability, mitigating the risks of unintended consequences.
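The contrast between static rules and behavioral analysis, as an added example that is not from the original article or from any WAF product: a signature check and a per-client behavioral check run over the same constructed request log, with every automated decision recorded for later human review. The log layout, thresholds, action names and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic: (epoch_seconds, client_ip, path, body, http_status)
SAMPLE_LOG = [
    (100, "198.51.100.7", "/api/login", "user=alice&pw=***", 401),
    (101, "198.51.100.7", "/api/login", "user=bob&pw=***", 401),
    (102, "198.51.100.7", "/api/login", "user=carol&pw=***", 401),
    (103, "198.51.100.7", "/api/login", "user=dave&pw=***", 401),
    (104, "198.51.100.7", "/api/login", "user=erin&pw=***", 200),
    (105, "203.0.113.9", "/api/login", "user=frank&pw=***", 401),   # one typo, then success
    (130, "203.0.113.9", "/api/login", "user=frank&pw=***", 200),
    (140, "192.0.2.44", "/api/search", "q=' OR 1=1 --", 200),
]

# Static layer: predefined patterns, as in a traditional rule-based WAF.
SIGNATURES = [re.compile(r"(?i)'\s*or\s+1\s*=\s*1"), re.compile(r"(?i)<script\b")]

def static_rule_hits(log):
    """Indexes of requests whose body matches a known signature."""
    return [i for i, (_, _, _, body, _) in enumerate(log)
            if any(sig.search(body) for sig in SIGNATURES)]

def behavioral_hits(log, window=60, max_users=3):
    """Flag clients whose failed logins cover more than max_users distinct
    usernames inside a sliding window of `window` seconds."""
    recent = defaultdict(deque)          # client -> (timestamp, username) of failures
    flagged = {}
    for ts, client, path, body, status in log:
        if path != "/api/login" or status != 401:
            continue
        match = re.search(r"user=([^&]+)", body)
        queue = recent[client]
        queue.append((ts, match.group(1) if match else ""))
        while queue and ts - queue[0][0] > window:   # drop failures outside the window
            queue.popleft()
        users = {user for _, user in queue}
        if len(users) > max_users and client not in flagged:
            flagged[client] = {"first_seen": queue[0][0], "distinct_users": len(users)}
    return flagged

def decide(log):
    """Combine both layers; each decision is queued for after-the-fact human review."""
    decisions = [{"client": log[i][1], "action": "block", "reason": "signature",
                  "reviewed": False} for i in static_rule_hits(log)]
    decisions += [{"client": client, "action": "rate_limit",
                   "reason": "many usernames failing from one client",
                   "reviewed": False, **info}
                  for client, info in behavioral_hits(log).items()]
    return decisions

if __name__ == "__main__":
    for decision in decide(SAMPLE_LOG):
        print(decision)
```

Each login request from 198.51.100.7 is well-formed, so the signature layer passes all of them; only the per-client view across requests shows the pattern, while the single mistyped password from 203.0.113.9 stays below the threshold.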
Web Application and API Protection (WAAP) is an important concept in this context. WAAP refers to cloud-based services created to safeguard vulnerable APIs and web applications [33]. Cloud WAAP services provide various security modules, including bot mitigation, WAF, API protection, and protection against DDoS attacks [33].
Proactive security measures, such as those employed by agent-based WAFs, can significantly reduce the number of alerts and allow security teams to focus on real threats [23].
Conclusion
As AI agent technology, robotics, and APIs continue to advance, the threat landscape will become increasingly complex. Traditional WAFs will struggle to keep pace with these changes, making agent-based WAFs a necessity for organizations looking to protect their web applications and APIs. By leveraging the power of AI, agent-based WAFs offer a more adaptive, intelligent, and effective approach to security, ensuring that organizations can stay ahead of the curve in the ever-evolving cyber battlefield.
References
1. Emerging Threats to Critical Infrastructure: AI Driven Cybersecurity Trends for 2025, accessed January 6, 2025, https://www.captechu.edu/blog/ai-driven-cybersecurity-trends-2025
2. AI could empower and proliferate social engineering cyberattacks | World Economic Forum, accessed January 6, 2025, https://www.weforum.org/stories/2024/10/ai-agents-in-cybersecurity-the-augmented-risks-we-all-need-to-know-about/
3. Breaking Down the OWASP Top 10 API Security Risks 2023 (& What Changed From 2019), accessed January 6, 2025, https://www.veracode.com/blog/research/breaking-down-owasp-top-10-api-security-risks-2023-what-changed-2019
4. OWASP API Security Top 10 Vulnerabilities: 2023 - APIsecurity.io, accessed January 6, 2025, https://apisecurity.io/owasp-api-security-top-10/
5. Consolidating market leadership in robotic cybersecurity - Alias Robotics, accessed January 6, 2025, https://news.aliasrobotics.com/consolidating-market-leadership-in-robotic-cybersecurity-alias-robotics/
6. The Achilles' Heel of Automation: Why Robot Security Can't Be an Afterthought in Manufacturing - Founder Shield, accessed January 6, 2025, https://foundershield.com/blog/robot-security-in-manufacturing-automation/
7. 2025 Forecast: AI to supercharge attacks, quantum threats grow, SaaS security woes, accessed January 6, 2025, https://www.scworld.com/feature/cybersecurity-threats-continue-to-evolve-in-2025-driven-by-ai
8. Generative AI Security: Emerging Attack Vectors and Mitigation Strategies - Medium, accessed January 6, 2025, https://medium.com/@petertou12/generative-ai-security-emerging-attack-vectors-and-mitigation-strategies-c0de90edb446
9. Five Back-to-the-Future Predictions for AI in 2025 - The Fast Mode, accessed January 6, 2025, https://www.thefastmode.com/expert-opinion/38803-five-back-to-the-future-predictions-for-ai-in-2025
10. 2025 Predictions: What Lies Ahead for API Security and Bot Management, accessed January 6, 2025, https://securityboulevard.com/2024/12/2025-predictions-what-lies-ahead-for-api-security-and-bot-management/
11. Application and API Security in 2025: What Will the New Year Bring? - Thales CPL, accessed January 6, 2025, https://cpl.thalesgroup.com/blog/application-security/application-api-security-2025
12. Traceable Releases 2025 State of API Security Report - AI-Tech Park, accessed January 6, 2025, https://ai-techpark.com/traceable-releases-2025-state-of-api-security-report/
13. Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attacks, and Generative AI Increase Risks | Cybersecurity Dive, accessed January 6, 2025, https://www.cybersecuritydive.com/press-release/20241030-traceable-releases-2025-state-of-api-security-report-api-breaches-persist/
14. It's 2024 and the API Breaches Keep Coming - Salt Security, accessed January 6, 2025, https://salt.security/blog/its-2024-and-the-api-breaches-keep-coming
15. Robotics and AI: Emerging Cyber Threats in Autonomous Systems, accessed January 6, 2025, https://cyberlabsservices.com/robotics-and-ai-emerging-cyber-threats-in-autonomous-systems/
16. Robotics cyber security: vulnerabilities, attacks, countermeasures, and recommendations - PMC - PubMed Central, accessed January 6, 2025, https://pmc.ncbi.nlm.nih.gov/articles/PMC7978470/
17. Why AI is Essential for Solving Problems Beyond WAFs: A Deep Dive - Camenta Systems, accessed January 6, 2025, https://www.camentasystems.com/resources/blog-article/why-ai-is-essential-for-solving-problems-beyond-wafs-a-deep-dive
18. How Bots and Bad Actors Bypass Web Application Firewalls (WAFs) | CHEQ, accessed January 6, 2025, https://cheq.ai/blog/how-bots-and-bad-actors-bypass-web-application-firewalls-wafs/
19. AI-Powered WAFs vs. Traditional Firewalls: Protecting Your Web Applications - Medium, accessed January 6, 2025, https://medium.com/@seekmeai/ai-powered-wafs-vs-traditional-firewalls-protecting-your-web-applications-51f5bf46de8e
20. The Need for Next-Generation Web Application Firewalls (WAFs) in Modern Threat Landscape | A10 Networks, accessed January 6, 2025, https://www.a10networks.com/blog/the-need-for-next-generation-web-application-firewalls-wafs-in-modern-threat-landscape/
21. Modern API Security Risks and Challenges Solved with Web App and API Protection (WAAP) Solutions - F5, accessed January 6, 2025, https://www.f5.com/company/blog/modern-security-risks-challenges-solved-web-app-api-protection
22. Blog: 11 Reasons Your WAF Can't Secure Your APIs - Traceable AI, accessed January 6, 2025, https://www.traceable.ai/blog-post/11-reasons-your-waf-cant-secure-your-apis
23. Why WAFs Help, But Aren't Enough for API Security - Levo.ai, accessed January 6, 2025, https://www.levo.ai/resources/blog/why-wafs-help-but-arent-enough-for-api-security
24. Six Challenges of Applying WAF in the Cloud and How to Solve Them | by Carrie - Medium, accessed January 6, 2025, https://medium.com/@carriesafelinewaf/six-challenges-of-applying-waf-in-the-cloud-and-how-to-solve-them-02e4c95db7a0
25. Protecting Your APIs in the Wild: A Deep Dive into WAF and API Gateway Integration, accessed January 6, 2025, https://dev.to/apisix/protecting-your-apis-in-the-wild-a-deep-dive-into-waf-and-api-gateway-integration-56an
26. Why does WAF matter in API security? - Traefik Labs, accessed January 6, 2025, https://traefik.io/blog/why-does-waf-matter-in-api-security/
27. API Security Perspectives 2025 report from Kong Inc | App Developer Magazine, accessed January 6, 2025, https://appdevelopermagazine.com/api-security-perspectives-2025-report-from-kong-inc/
28. Beyond ChatGPT: How AI Agents are Shaping the Future of Cyber Defense and Offense, accessed January 6, 2025, https://www.radware.com/blog/security/beyond-chatgpt-how-ai-agents-are-shaping-the-future-of-cyber-defense-and-offense/
29. How secure are your web applications with WAF and AI-based WAFs? - Globalbiz Outlook, accessed January 6, 2025, https://globalbizoutlook.com/how-secure-are-your-web-applications-with-waf-and-ai-based-wafs/
30. AI-powered WAFs vs traditional firewalls: Protecting your web applications - AI News, accessed January 6, 2025, https://www.artificialintelligence-news.com/news/ai-powered-wafs-vs-traditional-firewalls-protecting-your-web-applications/
31. Mitigate Emerging Risks and Security Threats from AI Agents, accessed January 6, 2025, https://securitymea.com/2024/09/10/mitigate-emerging-risks-and-security-threats-from-ai-agents/
32. What are the risks and benefits of 'AI agents'? - The World Economic Forum, accessed January 6, 2025, https://www.weforum.org/stories/2024/12/ai-agents-risks-artificial-intelligence/
33. What is Web Application and API Protection (WAAP) - Imperva, accessed January 6, 2025, https://www.imperva.com/learn/application-security/web-application-and-api-protection-waap/
34. How Does a WAF Work? - Security Boulevard, accessed January 6, 2025, https://securityboulevard.com/2023/05/how-does-a-waf-work/
35. How does a WAF mitigate vulnerabilities? - F5, accessed January 6, 2025, https://www.f5.com/company/blog/how-does-a-waf-mitigate-vulnerabilities
36. Why Do I Need API Security if I Have a WAF and API Gateway? - Cequence Security, accessed January 6, 2025, https://www.cequence.ai/blog/api-security/why-do-i-need-api-security-if-i-have-a-waf-and-api-gateway/
37. accessed December 31, 1969, https://pulse.latio.tech/p/wtf-is-cloud-application-detection
38. State of 'State of Cloud Security' Reports: Insights or Self-Owns ..., accessed January 6, 2025, https://ramimac.me/state-of-cloud-security
39. What Is Behavioral Cloud Application Detection & Response (CADR ..., accessed January 6, 2025, https://www.armosec.io/blog/cloud-application-detection-response-cadr/
40. How to build an offensive AI security agent - Anshuman Bhartiya, accessed January 6, 2025, https://www.anshumanbhartiya.com/posts/hackagent
41. How to build a defensive AI security agent with RAG, accessed January 6, 2025, https://www.anshumanbhartiya.com/posts/defenseagent