Fastly report reveals fast moving AI adopters are paying the price with 80 day longer recovery times, higher breach costs and expanding attack surfaces
Fastly, Inc. (NASDAQ: FSLY), a leader in global edge cloud platforms, today published the findings from its fourth annual Global Security Research Report.
It reveals that AI-first businesses – those integrating AI into key processes and offerings from the outset rather than as a secondary enhancement – are hurtling towards a cybersecurity crisis by failing to modernize security in step with AI’s rapid expansion across IT infrastructure.
These businesses report taking nearly seven months on average to fully recover from cybersecurity incidents, 80 days longer than businesses that do not identify as AI-first.
The implications of this nearly three-month delay are significant in today’s real-time economy. The financial toll of a cybersecurity incident for AI-first businesses exceeds that of non-AI-first businesses by more than 135%.
This increased financial impact reflects both the longer recovery timelines and a higher rate of AI-specific compromise. In fact, roughly half (44%) of AI-first organizations claim that AI was directly exploited in their most recent security incident, compared to just 6% for non AI-first organizations.
AI-native systems expanding potential attack surface
For Southeast Asian organizations, it was found that 69% of the respondents reflected that AI (or the use of AI tools or models) was a contributing factor for the most recent cybersecurity incidents.
These findings highlight how AI-native systems expand the potential attack surface, introducing new layers like agentic workflows, and decentralized data flows, all of which complicate defense.
Marshall Erwin, CISO at Fastly
“The speed of AI adoption is reshaping security infrastructure almost overnight. For AI-first businesses, the priority isn’t to slow down innovation, it’s to modernise security at the same rate,” said Marshall Erwin, CISO at Fastly.
“That means securing AI and inference infrastructure, monitoring and throttling unwanted AI crawler activity, anticipating the rise of shadow AI and shoring up your outer perimeter,” he added.
“AI is no longer a single tool – it’s becoming an integral part of business operations. This creates new challenges for security teams, from tracking its deployment to understanding its impact during incident recovery,” said Rachel Ler, AVP of Asia at Fastly. “Companies that establish clear AI governance today will gain a decisive advantage tomorrow.”
At the same time, practices such as AI scraping are adding cost and complexity to already stretched infrastructure, driving operational disruption and pushing spend into six-figure territory.
“There is a major shift happening in terms of what organizations are responsible for defending,” continued Erwin. “The challenge is no longer confined to malicious actors and isolated security incidents. Instead, it’s about managing an infrastructure footprint that is growing rapidly and, often, invisibly.”
Risks no longer theoretical; they’ve become a reality
Rachel Ler, AVP of Asia at Fastly
For many businesses, these risks are no longer theoretical; they’ve become a reality. AI scraping alone has become a material cost centre for nearly seven in 10 (67%) Southeast Asian organizations, with average annual infrastructure impacts exceeding USD372,330.
These costs are just the beginning. The top four negative impacts as a direct result of AI activity for Southeast Asian organizations are operational disruption (53%), increased infrastructure expenses (51%), security incidents or data leakage (50%), and reported issues impacting online visitors – from sluggish load times to broken functionality (35%).
For many, the reality is creeping costs and architectural complexity.
To respond, organisations are investing heavily in security tools built for this new era. Web application firewalls (72%), API discoverability and security solutions (66%), and agentic discoverability (64%) have emerged as the leading areas of investment. However, the response is far from complete.
Meanwhile, four in five (83%) respondents from Southeast Asian organizations are concerned about DDoS attacks targeting AI agents.
More than half (61%) say they need additional AI-specific security expertise to effectively defend their systems, while 59% report increased pressure on existing teams to manage AI risks.
“From unmonitored agentic activity to escalating scraping costs, the risks are real, operationally and commercially. As a result, Web Application and API Protection (WAAP) tools are becoming business-critical solutions because they provide essential visibility and control organizations need to secure innovation at the edge,” noted Erwin.
To find out how to modernize your organization’s security infrastructure and implement steps to recover more quickly from cybersecurity incidents, download the report today.
About the Fastly research
This research surveyed 2,000 key IT decision makers with an influence in cybersecurity, in large organizations spanning multiple industries across North, Central and South America, Europe, Asia-Pacific and Japan.
The interviews were conducted online by Sapio Research in Q4 2025 using an email invitation and an online survey.
Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver online experiences that are fast, safe, and engaging through edge compute, delivery, security, and observability offerings that improve site performance, enhance security, and empower innovation at a global scale.
Compared to other providers, Fastly’s powerful, high-performance, and modern platform architecture empowers developers to deliver secure websites and apps with rapid time-to-market and demonstrated, industry-leading cost savings.
Organizations around the world trust Fastly to help them upgrade the internet experience, including Reddit, Universal Music Group, Bukalapak, Banyan Tree, Dusit Thani, and Central Food.
Learn more about Fastly at https://www.fastly.com, and follow us @fastly.
