Application-layer attacks have become one of the most common and consequential methods adversaries use to gain access and compromise organizations, according to Contrast Security. These attacks target the custom code, APIs, and logic that power applications, often slipping past detection tools such as Endpoint Detection and Response (EDR) and network-based defenses such as Web Application Firewalls (WAFs).
The average application is targeted by attacks more than 14,000 times each month (Source: Contrast Security)
Enterprise security’s risk lies in the application layer
Recent reports from Verizon (DBIR 2025) and Google Mandiant (M-Trends 2025) confirm what many security leaders already suspect: components of the application layer are among the most targeted and least protected parts of the enterprise. This trend includes attackers’ heightened focus on cloud environments, which depend heavily on application-layer services and interfaces, including critical components such as cloud-based single sign-on (SSO) web portals that hold centralized authority.
But those reports raised an even bigger question: What’s actually happening inside the applications we build and run every day?
Contrast’s report confirms that applications and APIs are the battleground of choice for attackers.
“We’re seeing a fundamental shift in how applications are being attacked,” said Jeff Williams, CTO and Founder of Contrast Security. “AI is making it easier than ever for adversaries to launch targeted, viable attacks at scale, while tools like WAFs, SAST, and EDR remain blind to what’s happening inside the application while it’s running.”
Application layer attacks grow in volume and complexity
The volume and variety of attacks targeting the application layer have expanded significantly. This shift reflects both the growing reliance on custom software and APIs and the evolving tactics of adversaries who have learned where defenses are often weakest. The primary challenge for SOC teams is that threat detection at the application layer is not feasible with network or endpoint signals; it requires deeper visibility to spot attacks embedded within the application stack.
On average, apps contain 30 serious vulnerabilities. AI-generated code is increasing the problem, and third-party libraries are accelerating the risk.
On average, applications get 17 new vulnerabilities each month, but developers fix only 6. Hackers start exploiting new flaws in just 5 days, while it takes about 84 days to patch even the most serious ones.
Application attacks are happening more often than ever, with the average app targeted every 3 minutes. Each month, an average app faces 81 confirmed attacks that slip past other defenses, mostly involving untrusted deserialization, method tampering, OGNL injection, and similar techniques, which vary by industry and tech stack.
Teams shift to runtime protection and app visibility
A few attack techniques, once difficult before AI, now account for the majority of risk. Focusing on what’s currently exploitable allows teams to regain control.
To manage the growing risks, security teams are evolving their strategies to address the visibility gap at the application layer. That includes moving beyond reactive defenses and adopting runtime protection models that can detect and stop attacks from within running applications.
Report findings show how shared telemetry across SecOps, AppSec, and development teams helps organizations focus on the threats and vulnerabilities that pose the greatest real-world risk. This unified, contextual approach enables faster response, more targeted remediation, and reduced alert fatigue across security workflows.
