Fastly, Inc. published the findings from its fourth annual Global Security Research Report. It reveals that AI-first businesses – those integrating AI into key processes and offerings from the outset rather than as a secondary enhancement – are hurtling towards a cybersecurity crisis by failing to modernise security in step with AI’s rapid expansion across IT infrastructure. These businesses report taking nearly seven months on average to fully recover from cybersecurity incidents, 80 days longer than businesses that do not identify as AI-first.
The implications of this nearly three-month delay are significant in today’s real-time economy. The financial toll of a cybersecurity incident for AI-first businesses exceeds that of non-AI-first businesses by more than 135%. This increased financial impact reflects both the longer recovery timelines and a higher rate of AI-specific compromise. In fact, roughly half (44%) of AI-first organisations claim that AI was directly exploited in their most recent security incident, compared to just 6% for non AI-first organisations. For Southeast Asian organisations, it was found that 69% of the respondents reflected that AI (or the use of AI tools or models) was a contributing factor for the most recent cybersecurity incidents. These findings highlight how AI-native systems expand the potential attack surface, introducing new layers like agentic workflows, and decentralised data flows, all of which complicate defence.
“The speed of AI adoption is reshaping security infrastructure almost overnight. For AI-first businesses, the priority isn’t to slow down innovation, it’s to modernise security at the same rate,” said Marshall Erwin, CISO at Fastly. “That means securing AI and inference infrastructure, monitoring and throttling unwanted AI crawler activity, anticipating the rise of shadow AI and shoring up your outer perimeter.”
“AI is no longer a single tool – it’s becoming an integral part of business operations. This creates new challenges for security teams, from tracking its deployment to understanding its impact during incident recovery,” said Rachel Ler, AVP of Asia at Fastly. “Companies that establish clear AI governance today will gain a decisive advantage tomorrow.” At the same time, practices such as AI scraping are adding cost and complexity to already stretched infrastructure, driving operational disruption and pushing spend into six-figure territory.
“There is a major shift happening in terms of what organisations are responsible for defending,” continued Erwin. “The challenge is no longer confined to malicious actors and isolated security incidents. Instead, it’s about managing an infrastructure footprint that is growing rapidly and, often, invisibly.”
For many businesses, these risks are no longer theoretical; they’ve become a reality. AI scraping alone has become a material cost centre for nearly seven in 10 (67%) Southeast Asian organisations, with average annual infrastructure impacts exceeding USD372,330.
These costs are just the beginning. The top four negative impacts as a direct result of AI activity for Southeast Asian organisations are operational disruption (53%), increased infrastructure expenses (51%), security incidents or data leakage (50%), and reported issues impacting online visitors – from sluggish load times to broken functionality (35%). For many, the reality is creeping costs and architectural complexity.
To respond, organisations are investing heavily in security tools built for this new era. Web application firewalls (72%), API discoverability & security solutions (66%), and agentic discoverability (64%) have emerged as the leading areas of investment. However, the response is far from complete. Four in five (83%) respondents from Southeast Asian organisations are concerned about DDoS attacks targeting AI agents. More than half (61%) say they need additional AI-specific security expertise to effectively defend their systems, while 59% report increased pressure on existing teams to manage AI risks. “From unmonitored agentic activity to escalating scraping costs, the risks are real, operationally and commercially. As a result, Web Application and API Protection (WAAP) tools are becoming business-critical solutions because they provide essential visibility and control organisations need to secure innovation at the edge,” noted Erwin.
To find out how to modernise your organisation’s security infrastructure and implement steps to recover more quickly from cybersecurity incidents, download the report today.
