In this episode, Rupesh Chokshi of Akamai breaks down the surge in API and AI-driven threats and explains how Akamai’s new Firewall for AI helps CISOs manage risk without slowing innovation. With real-world data, sharp insights, and practical solutions, this episode is a must-listen.
At RSAC Conference 2025, Rupesh Chokshi, Senior Vice President and General Manager of the Application Security Group at Akamai, joined ITSPmagazine to share critical insights into the dual role AI is playing in cybersecurity today—and what Akamai is doing about it.
Chokshi lays out the landscape with clarity: while AI is unlocking powerful new capabilities for defenders, it’s also accelerating innovation for attackers. From bot mitigation and behavioral DDoS to adaptive security engines, Akamai has used machine learning for over a decade to enhance protection, but the scale and complexity of threats have entered a new era.
The API and Web Application Threat Surge
Referencing Akamai’s latest State of the Internet report, Chokshi cites a 33% year-over-year rise in web application and API attacks—topping 311 billion threats. More than 150 billion of these were API-related. The reason is simple: APIs are the backbone of modern applications, yet many organizations lack visibility into how many they have or where they’re exposed. Shadow and zombie APIs are quietly expanding attack surfaces without sufficient monitoring or defense.
Chokshi shares that in early customer discovery sessions, organizations often uncover tens of thousands of APIs they weren’t actively tracking—making them easy targets for business logic abuse, credential theft, and data exfiltration.
Introducing Akamai’s Firewall for AI
Akamai is addressing another critical gap with the launch of its new Firewall for AI. Designed for both internal and customer-facing generative AI applications, this solution focuses on securing runtime environments. It detects and blocks issues like prompt injection, PII leakage, and toxic language using scalable, automated analysis at the edge—reducing friction for deployment while enhancing visibility and governance.
In early testing, Akamai found that 6% of traffic to a single LLM-based customer chatbot involved suspicious activity. That volume—within just 100,000 requests—highlights the urgency of runtime protections for AI workloads.
Enabling Security Leadership
Chokshi emphasizes that modern security teams must engage collaboratively with business and data teams. As AI adoption outpaces security budgets, CISOs are looking for trusted, easy-to-deploy solutions that enable—not hinder—innovation. Akamai’s goal: deliver scalable protections with minimal disruption, while helping security leaders shoulder the growing burden of AI risk.
Learn more about Akamai: https://itspm.ag/akamailbwc
Note: This story contains promotional content. Learn more.
Guest:
Rupesh Chokshi, SVP & General Manager, Application Security, Akamai | https://www.linkedin.com/in/rupeshchokshi/
Resources
Learn more and catch more stories from Akamai: https://www.itspmagazine.com/directory/akamai
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
______________________
Keywords:
sean martin, rupesh chokshi, akamai, rsac, ai, security, cisos, api, firewall, llm, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
The New Front Line: Runtime Protection for AI and API-Driven Attacks | A Brand Story with Rupesh Chokshi from Akamai | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] And hello everybody. You're very welcome to RSAC conference 2025. I'm thrilled to have a repression with me from Akamai.
The word is, I just learned Hawaiian rooted means intelligent. Yes. And smart. Which I know you are. We've had many conversations. It's always a pleasure to chat with you, Vipe. Yeah. Yeah. How are things going?
Rupesh Chokshi: Things are going great. Yeah. Thank you so much, uh, for having us. Uh. Uh, you know, a lot of, uh, excitement announcements, a lot of new product capabilities, a lot of great interactions with customers, with industry analysts.
Uh, so super excited. You know, I'm, I'm always amazed with how RSA kind of puts up the show, right? 40,000 plus attendees. I know the whole kind of security community coming together, right? It's a big deal. Big deal. It is a
Sean Martin: big deal. It is a big deal, and I think I've had a lot of conversations with, with CISOs this week, and.
It's been a mix, but I, I think I'm seeing a lot of interest in new technologies, not just from new and [00:01:00] upcoming vendors, but new capabilities from existing, existing vendors they do a lot of work with. Yeah. And, um, of course, you can't get away from the, the two letter, uh, two letter acronym that takes over everything.
Yes. Um, but just because it's, it's real, it's important and we have to pay attention to it. Absolutely. And you and your team certainly have done that. So Yeah. Let, let's start with, uh. Uh, a view of your perspective on the impact ai? That's, that's a two letter word, uh, AI is having on security. It's a double-edged impact, right?
Yeah, absolute. Absolutely. Tell us a little bit about that, what you're saying there.
Rupesh Chokshi: So as, as you mentioned, right, uh, kind of AI front and center, you know, I genuinely believe that we are in the, sort of the golden age of the AI era. Uh, a lot of good, right? Yeah. In terms of what AI brings when it comes to efficiency, productivity.
Uh, when it brings to personalization, there's so many new, innovative ideas that we can bring forward. And then when you kind of [00:02:00] step back and look at it from a security perspective, you have AI security. Mm-hmm. Which is where you are making sure that you're securing the AI applications and gen AI applications, et cetera.
And then you are utilizing AI in cybersecurity. Right. Uh. And, uh, and that is, you know, maybe we start over there and then we'll go to what we are announcing. Yeah. Are your customers actively looking at both angles? Both angles? Right. Good. Uh, and we have been, you know, utilizing ML AI for 10 plus years, uh, making our security products better.
So when you think about, you know, uh, uh, an adaptive security engine, or when you think about bot mitigation, when you think about behavioral DDoS, you know, all of these capabilities that are powered. By AI models that are, you know, very smart. They're in many cases unsupervised, so they're learning by themselves.
Uh, they can see what most of the times a human cannot see in the patterns, in the variables on putting [00:03:00] everything together. And we know that speed is such an important element of fighting cyber attacks and cyber crime. Uh, and AI helps and, and it's unfortunate because it's. It's kind of helping both sides.
Right? Right. It's helping the bad guys with the speed, but it's also helping the good guys. Yeah. At risk of going
Sean Martin: on a tangent, AI is not machine learning. 'cause you talked about learning Yes. On the fly. Yeah. Which you said you've been doing for quite, quite some time now. Right. How important is that element in this scenario?
It's not just having a model with a data set.
Rupesh Chokshi: Right?
Sean Martin: Right. It has to continue to learn.
Rupesh Chokshi: It has to continue to learn. Right. And I think that is the biggest sort of. You know, advantage that we will see as, you know, there's so many different industries that are thinking about, hey, we've been doing automation, or we've been doing data insights, machine learning for a number of years.
Right? So what does the core value of ai, so it's all about the intelligence, the smartness. Mm-hmm. The autonomous aspect of it. The self-learning [00:04:00] becomes very important. Yeah. Uh, otherwise, you know, you're always kind of depending on human beings. Uh, to provide that intelligence and now we're shifting that, uh, uh, to the software with ai.
Sean Martin: Absolutely. So in terms of seeing things, um, I know you, you, your team invests in, uh, analyzing Yes. Trends and traffic and, and and whatnot. What are you seeing both from an API perspective, which probably also touches on the agent ai, right? Yes. As well as, um, just general web, web attacks, which absolutely.
Uh, we're never gonna get away from it. Scenes. Yeah. Yeah. We're never right.
Rupesh Chokshi: And, and we recently, uh, uh, published a, we, what we call as a sodi report, right. Which is the, the state of the internet report. And we look at the data over a period of time, 12 months, 24 months, et cetera. So one or two years. And we found, you know, just again, just the sheer volume of attacks on web applications, on APIs, you know, [00:05:00] 311 billion.
33% rise. Wow. And 50% of that was directed to API attacks. So 150 billion API attacks. Do we know why? Is it just an easier, I think, I think it's two reasons, right? One is that we live in this very hyperconnected economy, right? So APIs are providing that sort of, you know, common language, common framework, data exchange, et cetera.
Uh, so just, you know. Yeah, that's the way modern software is built. Right? And, uh, and what that does is that it creates this kind of new attack landscape, right? The threat vector. And that is why I think, you know, people have, the bad guys have been successful. We've seen data breaches, we have seen, uh, business logic abuse.
We have seen lots of different ways of extracting information or inserting certain things. Right. Uh, through the APIs
Sean Martin: Now, is it the, that the APIs are also exposed, easier to see? And, and, [00:06:00] and maybe not also then monitored. Yes. Yes. 'cause they're only monitoring the app, not the Right. Right. So is that, tell us a little bit about, maybe, maybe even a, a view into a customer to how, how their environment looks that might contribute to that.
Rupesh Chokshi: Absolutely. You know, so we, we will do, you know, when we have preliminary conversations with the customers and say, Hey, you know, I'm interested in API security. And we said, okay, let's go do discovery. Visibility, you know, inventory. Like let's just go. Scan your environments, let's look at what we are seeing.
And you, you kind of step back and say, oh my God, 15,000 APIs. Thousand APIs. Right. 20,000 APIs. And then you think about shadow APIs. Zombie APIs, right? So what what has happened is that the, the customers don't have a good handle on their sort of, you know, attack surface. Right? Right. Uh, now. A lot of customers then, you know, when we go through the data and we are doing the detections and we are looking at the behavioral patterns, we're starting to [00:07:00] show and see, uh, abuse, right?
Right. Real time, you know, the bad. In fact, even through, you know, proof of concepts, we have seen customers getting attacked.
Sean Martin: Uh, and is it just abuse on looking for compromise or is. Is it impacting actual performance and transactions and things like that at all? So I, I
Rupesh Chokshi: think it's, it's sort of like both, but it starts with their, the bad guys are looking for some sort of entry point to then do some data extraction.
Got it. Or even, you know, there, so look, there are so many, uh, industries, whether it's airline, hospitality, retail, they all have loyalty points, right? Yeah. And loyalty programs and all these malicious folks are starting to go in through the APIs and move things around and. And sort of like, you know, gain financially utilizing some other currency, right?
Yeah. And these are easy ways to, to penetrate. Uh, and you know, the enterprises have to do a lot of work to start to kind of build their armor against that. And they're doing that, you know, and then on top of that, [00:08:00] you talk about AI, agenda ai. I mean, that is just like, wow, I was gonna go there next with the
Sean Martin: LLMs and the gente iceberg.
Right? What are you seeing in that from.
Rupesh Chokshi: So we are you, this is like chat botts and chat bots. Yeah. Things that are connected to
Sean Martin: customer databases, all kinds of fun stuff,
Rupesh Chokshi: right? That's right, that's right. And, uh, you know, super excited. We, uh, yesterday announced a new product capability from Akamai market leading firewall for ai.
And the whole idea over there is we're seeing customers across all industry verticals, right? Yeah. Not just financial services or commerce, but high tech, uh. You know, transportation, travel, hospitality, government agencies, uh, manufacturing, et cetera. Thinking about how can you start to utilize the conversational AI agents, how do you do the, you know, chat bots, how do you make it much more, basically they're all after a different experience or productivity gain, right?
So we are starting to see more and more of that put out. Right? And then the CISOs and the [00:09:00] security professionals are like. Oh, well, what do I do? Right? So for us it's, Hey, we focus on runtime AI security. We have a firewall for ai. We can go do at very kind of high scale, scalable capabilities on input output.
Let's go look at what is happening from prompt injection to PII leakage to data sensitivity to toxic language. I mean, there are so many things, right that can go wrong. And that it's using ai,
Sean Martin: I would imagine to Yes. And analyze all this stuff, right? Yeah. Can you gimme a scenario of, of I an example of an a potential attack?
Yeah. And how the firewall helps surface that before it actually Right, right. Absolutely comes to fruition.
Rupesh Chokshi: Um, so we, you know, last year we did some, uh, tech previews as we call them. So before the product is launched, we work with a set of customers to figure out, you know, what we are learning what they're learning.
Uh, so this was one company, you know, won't name the name, but they were focused on [00:10:00] a public facing conversational AI agent. They're in real estate, in, in mortgage and services associated with that. Right? And we looked at it for a period of time to study all the transactions that are taking place. And, uh, off the a hundred thousand requests that we analyzed, 6% of that had something.
Sort of, you know, malicious going on. Wow. Which is a very high number. Right. It's because the bad guys only have to get it right once. Yeah. Right. Uh, so we saw, I'm surprised by that. Yeah. Yeah. We saw some PII leakage. Okay. We saw some toxic language. We saw some prompt injections, which is, you know, different ways of trying to find, you know, information, you know, in roundabout ways.
Right. And the whole point with the LLM or the Gen AI application is to continue to sort of, you know, do. Good or better for the user that it is interacting, right? So if you want to go deeper, it'll continue to go deeper and try to please you. Right? So that [00:11:00] is, that is what we are seeing.
Sean Martin: Yeah. Now is this primarily outside in or do you also see it inside as well?
Rupesh Chokshi: Yeah. Yeah. So outside, in external applications we see that. We see that inside too. And I think the inside or the internal application over there, the use cases are even broader, right? Because, yeah. Every company, like I run an engineering team, so my developers, software developers, like N through on a rupe, we gotta have this, we gotta have that.
We all have our own internal AI agents, whether it is helping us do software development faster, whether it's looking at pricing trends, whether it is looking at customer data, whether it is looking at, uh, you know, so many use case like the financial services folks are heavy into figuring out, right. What are the seasonality.
How's the market gonna move? What do we do? What do we offer? You know, so there's a lot of work happening internal and uh, you know, one of the researchers on my team had done some analysis and said, Hey, even a 0.001% poisoning of the model [00:12:00] can have massive effects. Yeah, yeah. Unacceptable. Unacceptable, right?
Right. But that's the world we live in. It is the world we live in. Hey, you know, we gotta embrace it and security has gotta be an enabler. Yep.
Sean Martin: Which creates the world that the CSOs live in and their teams live in. So I want to, as we wrap here, maybe speak to the security leadership team and, 'cause I presume firewall, it goes through the security.
Yeah, absolute purchasing. Absolutely. Purchasing, absolutely. Process. But as soon as we start talking about AI and data, you have data scientists and you have business teams, and which all this impacts how this comes together. So tell me about how the conversation. With the CISOs sound and look like, and how does it, how do they prepare their, their team, how do they prepare their environment for the new, the new firewall?
And then how do they have that conversation with their, their, uh, data and AI peers to Right, right. To ensure that they're not upsetting that. Right. I know there's a lot of that question, but not a lot. You kind of describe that. Yeah, yeah. Sure, sure.
Rupesh Chokshi: [00:13:00] So, so, so, you know, the one trend that we have seen is that a lot of enterprises, large, medium, small, have started to, you know.
Put ahead of ai, right? Mm-hmm. Hey, somebody who's responsible right across the whole business because they genuinely believe in the power of what AI will deliver. So the CISO teams need to really sort of, you know, have a shared responsibility model working with the stakeholders. That's item number one.
But then when you start to think about security or AI security. I think there are three or four big important areas. So obviously there is the AI runtime, right? So we are seeing a lot of customers saying, Hey, if you have a scalable firewall for ai, if you have the right deployment options, I wanna move forward with that.
Mm-hmm. Right? So you gotta make sure how you kind of protect yourself from a runtime perspective, but then simultaneously look at, you know, discovery, visibility, posture is gonna be very important, similar to what we saw two years ago with API [00:14:00] security. Same applicable over here. Um, then you start to hear more about, you know, testing or ai red teaming, right?
Mm-hmm. Which is very important to say, if I want to do secure by design, if I wanna look at, you know, model scanning or things that is even before I deploy something in production, how do I go about it? Do I have the right kind of tools and capabilities? And then the fourth one would be around sort of, you know, governance and compliance, right?
And I think that is going to be very important because, you know, it's funny because. Does the firewall
Sean Martin: give the, the visibility and the and demonstr ability
Rupesh Chokshi: of that? Yeah. Yeah, yeah. So it'll, it'll, you know, it gives a lot of what I mentioned, uh, and uh, and again, like, you know, CISOs, I think they got their work cut out because the pace at which AI adoption is moving is not the same pace that the budgets are moving.
Right, right. So it's kind of like a mid-year adjustment going on. Yeah, exactly. Uh, yeah, the business
Sean Martin: is rolling. Business rolling. They gotta get on that. Right. Um. So as we [00:15:00] wrap here, Rupesh, um, what's the, what's the goal with the, the, the full Akamai suite? The new AI firewall? Yeah. Yeah. In terms of helping a ciso, we, we know there's a lot of pressure on their shoulders, right?
Yes. They have a lot of, a lot of stress. Perhaps even, um, what's your goal with the, with the solution for them to maybe alleviate some of that, maybe take, shift some of the, uh Right. The, their own risk. Own risk, yeah. Off their own shoulders. Yeah.
Rupesh Chokshi: I think, you know, I'll, I'll touch on two things. Right? Okay.
So what we have heard again and again is this sort of like concept of, you know, frictionless, right, or ease of deployment or ease of use, right? We want security to be an enabler, right? We are a hundred percent aligned. So what we have done with the firewall for AI is that we have made the deployment very easy because we already see a lot of traffic on Akamai Edge and we're able to take that, run it through the detection cloud and provide the decisions back in alert mode, or modify or deny.
To the customers and it's all automated. And [00:16:00] then all of that happens, that kind of industrial grade, scalable, reliable, et cetera, right? So you are, you're kind of not trying to go into the environment and say, Hey, I have a point solution and it's this and it's that, and now you, the customer has to deploy resources, et cetera.
We're making all of that very, very easy. Um, and the second thing is, I think. You need a, a trusted partner, you need somebody who understand this space deeply. Right? So when I talked about in the beginning how we are ourselves utilizing AI to make our security products better, that mindset, that knowledge is gonna be very important.
So having a trusted partner who can guide the organization through this is gonna be very important.
Sean Martin: Yeah. Well, who understands the risk? You see the, you see it. We see it. Yeah. And. Thankfully you've built something to help help CISOs get ahead of that, ahead of that. Absolutely, absolutely. Rupesh. I always, I always enjoy talk, talking with you.
Same here. And, [00:17:00] uh, congratulations on the new release and all the good work you and your team do. And I would encourage everybody to read the report, the soda reports, check out the new AI firewall, connect with rupesh, connect with the Akamai team. Be intelligent with an intelligent partner.
Rupesh Chokshi: Yes.
Sean Martin: And uh.
Itsp magazine.com/rsac two five for all of our coverage, including this story and others from Rupesh and the Akamai team. We'll see you all on the next one.
Rupesh Chokshi: Great. Thank you. Thank you so much.