What Akamai products do I need to use API Security?

API Security is a vendor-neutral API threat protection solution that does not require the use of other Akamai solutions. It complements existing Akamai API security solutions and ensures customers get comprehensive protection as attacks on APIs have become much more sophisticated, requiring new detection techniques and automated responses.

How do I deploy API Security?

Customers can deploy API Security using the native connector, which makes it seamless to integrate with Akamai Connected Cloud. API Security also has node connectors that support popular platforms (i.e., any CDN, API gateway, or cloud environment).

Can I integrate API Security with my existing tools and workflows?

API Security integrates with your existing data sources, including popular API gateways, cloud providers, container and mesh environments, reverse proxies, CDNs, web application firewalls (WAFs), case management tools, security information and event management (SIEM), and security orchestration automation and response (SOAR) tools.

Do you offer a shift-left option like API Testing?

Yes. Our API Testing solution is now in beta and is an integral part of the API Security platform. Introducing API Testing into your SDLC pipeline is easy with the API Security scan engine. Deployed quickly with a simple command, the scan engine allows you to run dynamic tests against APIs wherever they are in your network. Developers can easily run tests on their laptops to validate code before pushing it to your code repositories.

How does the API Security threat hunting managed service work?

The API Security threat hunting managed service, API Security ShadowHunt, expands your security team with expert analysts skilled in API threat hunting and is ideal for understaffed teams or those lacking API security expertise. Although not a typical 24/7 managed Security Operations Command Center service, Akamai’s threat hunters work when you need them as an extension of your team to detect and report on the most clandestine and obfuscated attacks hiding in your API traffic. Our API Security ShadowHunt team provides immediate notification of any threats in your API estate with a full summary of the incident and remediation recommendations. Monthly reports, including periodic Emerging Threat Reports that suggest actions, are also provided.

How does API Security manage sensitive data?

Prior to shipping API activity data to the API Security platform, it is tokenized to replace sensitive information, which can only be de-tokenized back to the original values by you.

How does API Security help identify and prioritize the discovered APIs that are risky?

API Security highlights APIs that make sensitive data accessible and automatically labels sensitive data by type (e.g., PII, email), making it easy for you to sort through lists that can be overwhelming at times. It also allows you to create your own label categories (or data classifications) and conventions for both APIs themselves and alert types. This will ensure that API and security teams speak a common language that aligns with your business objectives and security concerns.

Why does a data lake matter for investigation and threat hunting capabilities?API Security covers all the OWASP API Top 10 vulnerabilities.

Without a complete view into historical data, which a data lake provides, it’s impossible to truly understand what happened with an API pre- and post-alert and to understand how the anomaly may be affecting other APIs. Without this in-depth historical insight that API Security offers, it’s impossible to conduct proper due diligence, which can lead to missing threats that are hiding in your data, wasting resources trying to identify the root cause, and more. API security solutions that cannot provide you this contextual history are simply nothing more than alert tools.

Why is being a cloud-based platform important for an API security tool?

API security solutions need to be cloud-based because of the data needed to understand where and why API anomalies are occurring. On-premises solutions would not be able to store the volume of data needed to perform behavioral analytics and to keep a data lake to provide historical context into anomalies. The data would have to be dropped after inspection, which would only deliver an alert, but not provide any insight — making it virtually impossible to understand the root cause. API Security uses established detection and response techniques — and is a cloud-based SaaS solution that is platform-agnostic and delivers both behavioral analytic capabilities and a data lake that combine to offer a rich, visual, historical context that can be analyzed.

Do XDR capabilities improve detections for API abuse?

API Security integrated extended detection and response (XDR) principles into its design. XDR innovations advanced security in three important ways: It converged detection and response signals across all the silos noted above into a unified model. It harnessed cloud scale and techniques, like machine learning and behavioral analytics, to monitor large amounts of data over longer time horizons, to deliver more complete and more meaningful security insights — and perhaps more important, could establish baseline behavior to identify deviations. It presented security teams with human-understandable, timeline-based views of security incidents that avoid alert fatigue and make it faster and easier to respond decisively. When implemented and adopted correctly, XDR has a transformational effect on security team productivity and effectiveness. The very nature of business-to-business or machine-to-machine API traffic suggests that XDR principles must be used, because with a vast quantity of traffic, only extended detection can detect needle-in-a-haystack API abuses.

Need cloud computing? Get started now

+1-8774252624

Try Akamai

Under Attack?

+1-8774252624

Products

Cloud Computing
Security
Content Delivery
All Products and Trials
Global Services

+1-8774252624

Cloud Computing

Compute

Build, release, and scale faster with VMs for every workload

See all

Networking

Secure your network, balance traffic, control your infrastructure

See all

Containers

Efficiently orchestrate containerized applications

See all

Developer Tools

Get the most out of your applications with advanced management tools

See all

Storage

Deploy dependable, easily accessible storage and management

See all

Databases

Scale easily with simple and reliable managed databases

See all

Create a Cloud Account

Security

App and API Security

API Security

Discover and monitor API behavior to respond to threats and abuse

App & API Protector

Protect web apps and APIs from DDoS, bots, and OWASP Top 10 exploits

Client-Side Protection & Compliance

Assist with PCI compliance and protect against client-side attacks

Zero Trust Security

Akamai Guardicore Platform

One Zero Trust platform for coverage, visibility, and granular control.

Akamai Guardicore Segmentation

Mitigate risk in your network with granular, flexible segmentation

Secure Internet Access

Proactively protect against zero-day malware and phishing

Hunt

Stop the most evasive threats with proactive threat hunting

Enterprise Application Access

Granular application access based on identity and context

Akamai MFA

Harden against account takeovers and data breaches with phish-proof MFA

Bot & Abuse Protection

Account Protector

Mitigate account abuse and grow your digital business

Content Protector

Stop scrapers, protect intellectual property, and increase conversion

Brand Protector

Detect and mitigate fraudulent representations of your brand

Bot Manager

Welcome the bots you want and mitigate those you don’t

Identity Cloud

Add secure, cloud-based identity management to your websites or apps

INFRASTRUCTURE SECURITY

Edge DNS

External authoritative solution for your DNS infrastructure

Prolexic

Protect your infrastructure from distributed denial-of-service attacks

Content Delivery

APPLICATION PERFORMANCE

Ion

Improve the performance and reliability of your website at scale

API Acceleration

Improve the performance and reliability of your APIs at scale

MEDIA DELIVERY

Adaptive Media Delivery

High-quality video delivery for any screen to global audiences

Download Delivery

Deliver large file downloads flawlessly, every time, at global scale

EDGE APPLICATIONS

EdgeWorkers

Execute custom JavaScript at the edge, near users, to optimize UX

EdgeKV

Distributed key-value store database at the edge

Image & Video Manager

Automatically optimize images and video for every user, on any device

Cloudlets

Predefined apps that run at the edge for specific business needs

Cloud Wrapper

Use an efficient caching layer to improve origin offload

Global Traffic Management

Optimize performance with intelligent load balancing

MONITORING, REPORTING, AND TESTING

DataStream

Low-latency data feed for visibility and ingest into third-party tools

mPulse

Measure the business impact of real user experiences in real time

CloudTest

Site and application load testing at global scale

Solutions

Use Cases
Industry Solutions

+1-8774252624

Use Cases

CLOUD COMPUTING

Media

Deliver an engaging, interactive video experience

SaaS

Build with portability, performance, and efficiency from cloud to client

Gaming

Improve the gamer experience with low latency and high availability

SECURITY

Apps and APIs

Protect your brand by securing apps and APIs from persistent threats

Zero Trust

Solutions for comprehensive coverage, visibility and control

DDoS Protection

Protect your infrastructure from DDoS and DNS attacks

Bot & Abuse Protection

Stop account abuse, sophisticated bot attacks, and brand impersonation

CONTENT DELIVERY

App and API Performance

Improve user engagement through app & API optimization

Media Delivery

Deliver seamless streaming and download experiences to any device

Edge Compute

Build and deploy on the world’s most distributed edge platform

Industry Solutions

Why Akamai

Discover Akamai Connected Cloud

Learn more

Our Platform

Explore our global infrastructure

Learn more

Company

See how we power and protect life online

Learn more

Resources

+1-8774252624

Library

Learn

Learning Hub

Educational resources and training for Akamai products and services

Glossary

Key concepts in security, cloud computing, and content delivery

Security Research

Akamai Security Research

Insights and intelligence from the Akamai Security Intelligence Group

State of the Internet (SOTI) Reports

In-depth analysis of the latest cybersecurity research and trends

Partners

Find a Partner
Become a Partner
Cloud Computing Marketplace

+1-8774252624

Find a Partner

Why Choose an Akamai Partner

Learn about our industry-leading ecosystem of partners

Partner Directory

Find a channel or technology partner

Become a Partner

Contact Us

Contact Sales

Have questions? We can help.

Customer Support

Need technical support? We are here 24/7.

Get support

API Security

Protect all your APIs from increasingly frequent attacks and data theft.

Request demo

Discover — and gain visibility into — all APIs to defend against threats

API Security gives you full visibility into your entire API estate through continuous discovery and real-time analysis. Learn how to identify vulnerabilities and analyze API behavior so you can detect attacks and remediate risk in this fast-growing attack surface.

See product brief

Eliminate a common security blind spot

Discover your complete API estate

Find and inventory all your APIs — including shadow, zombie, and rogue APIs — with continuous discovery and monitoring.

Identify vulnerable APIs

Audit for the API vulnerabilities and misconfigurations that attackers target, including all the OWASP API Top 10.

Mitigate business logic abuse

Use contextual insights to identify risks such as data leakage, suspicious behavior, malicious bots, and API attacks.

How API Security works

Discover

Generate a comprehensive API inventory, including how many — and what type of — APIs you have.

Test

Add security to your CI/CD pipeline, without sacrificing speed, to secure APIs before putting them into production.

Detect

Identify API vulnerabilities and attacks with automated, machine-learning-fueled detection.

Respond

Create advanced workflows to remediate API issues by integrating with your WAFs, SIEMs, and ITSM tools.

What’s the impact of an API security incident?

More than 1,200 security pros reveal how API incidents impact their bottom line, reputation, and teams’ stress levels.

Download report

Gartner^® Market Guide for API Protection

Get ahead of the next big attack vector: API abuse. Learn about product capabilities, vendors, market direction, and more.

Download report

Gartner^® Market Guide for API Protection

Get ahead of the next big attack vector: API abuse. Learn about product capabilities, vendors, market direction, and more.

Download report

Gartner^® Market Guide for API Protection

Get ahead of the next big attack vector: API abuse. Learn about product capabilities, vendors, market direction, and more.

Download report

Features

Assess API traffic with a native connection to Akamai CDN and integrate with your API gateways, load balancers, or WAFs
Discover APIs, domains, and related issues for HTTP, RESTful, GraphQL, SOAP, XML-RPC, and JSON-RPC APIs
Identify the types of sensitive data that your APIs can access and track user access to those APIs
Analyze APIs for OWASP Top 10 API Security Risks and prioritize vulnerabilities by impact for rapid remediation
Understand API context with visualizations of business logic, physical network infrastructure, and API traffic flows

Continuously monitor for compliance with regulatory requirements, industry standards, and internal policies
Use machine learning to identify anomalous usage, API attacks, data leakage, tampering, and policy violations
Block API attacks in real time and set up advanced workflows to accelerate remediation and increase SOC effectiveness
Fully integrate with your existing CI/CD pipelines and automatically run 200+ tests that simulate malicious traffic

Frequently Asked Questions (FAQ)

API Security is a vendor-neutral API threat protection solution that does not require the use of other Akamai solutions. It complements Akamai security solutions and ensures customers get comprehensive protection as attacks on APIs have become much more sophisticated, requiring new detection techniques and automated responses.

API Security and App & API Protector are two different solutions that Akamai offers to protect your business.

App & API Protector discovers and mitigates API threats for all your web apps and APIs that are run through Akamai Connected Cloud. It is capable of blocking any in-line traffic containing potential threats to your business.
API Security is platform-agnostic and provides comprehensive discovery and visibility to all API endpoints enterprise-wide. It provides real-time traffic analysis of API activity and determines specific responses that you should take to mitigate newly exploited API traffic.

When deployed together, App & API Protector and API Security work in-line and offer the most comprehensive and continuous visibility into APIs. They allow you to discover, audit, detect, and respond to API concerns across your full estate. Moreover, the integration between API Security and App & API Protector will enable the most robust and simple implementation of API Security.

Yes, our API testing solution is purpose-built to provide comprehensive coverage of API-specific vulnerabilities. Our solution can help you shift left and bake API security testing into every phase of development.

API Security monitors and protects both east-west and north-south traffic, reviewing all the APIs across your enterprise for anomalies that could indicate a security risk.

API Security identifies which APIs contain personally identifiable information (PII), internal documentation, intellectual property, and more, so you can automate protections for those APIs specifically. All traffic samples are obfuscated — suspicious or not — and are viewable by administrators and contributors only, simplifying your privacy and compliance initiatives.

API Security is platform-agnostic and works in all environments — SaaS, hybrid, and on-prem — including those that are complex and have multiple CDNs, WAFs, and gateways, and are widely distributed APIs across the enterprise (both north-south and east-west). API Security provides enterprise-wide visibility into your API behavior, regardless of where the APIs are discovered.

Akamai API Security features a native connector that enables you to seamlessly send a copy of your Akamai Connected Cloud traffic to Akamai API Security for analysis. This integration is built directly into both API Security and Akamai Connected Cloud, eliminating latency and reducing risk. The native connector automatically discovers and tracks APIs across Akamai-managed environments, helps detect vulnerabilities, and allows customers to block attackers at the edge.

API Security covers all the OWASP API Top 10 vulnerabilities.

Customer Stories

Customer Story

Netskope

Security leader uses Akamai API Security to help keep thousands of customers compliant and tens of thousands of APIs secure.

Read customer story

Customer Story

Aflac

Aflac gains full API visibility and the ability to remediate vulnerabilities with API Security.

Read customer story

Customer Story

DHgate

China-based ecommerce wholesale platform provider addressed the security concerns associated with API inventory with API Security.

Read customer story

API Security Use Cases

Learn how Akamai API Security can safeguard your digital business and its data on several fronts.

Test APIs before putting them into production
Get an enterprise-wide inventory of your APIs
Understand your API risk posture
Monitor API abuse

Test APIs before putting them into production

API Testing is critical for your API security strategy because it helps organizations “shift left” — detecting and fixing vulnerabilities such as business logic abuse earlier in the software development lifecycle (SDLC), before APIs reach production.

With API Testing, you can automatically run 150+ dynamic tests that simulate malicious traffic, including against the OWASP Top 10 API Security Risks. Schedule tests to run automatically at desired intervals at any stage of development.

Get an enterprise-wide inventory of your APIs

Maintaining a comprehensive and continuously updated inventory of all APIs across your organization is crucial for an effective API security strategy. On-demand or daily discovery is insufficient due to the severity of risks associated with API attacks. Moreover, visualizing actual API behavior (API calls) is necessary to enable key team members from security, development, and operations to understand how APIs are being used or misused. This facilitates communication and investigation across your organization’s teams.

API Security offers automated and continuous discovery of APIs across various technologies and infrastructure. It also identifies newly deployed APIs and compares their properties with existing documentation. API Security detects often-missed shadow APIs and known API vulnerabilities, such as those outlined in the OWASP API Security Top 10.

API discovery is an ongoing process, and our continuous monitoring finds new APIs and changes to existing ones around the clock. Security teams gain unparalleled visibility and are the first to know when developers deploy a new API or service.

Understand your API risk posture

APIs fuel every digital product and service an enterprise rolls out. So it’s no surprise APIs are growing in scope and scale. But this proliferation leads to an API sprawl that is reshaping your attack surface.

Today’s attackers look for API vulnerabilities — including software bugs or configuration errors — that they can exploit to:

Gain access to sensitive application functionality
Find, compromise, and/or steal sensitive data
Misuse the API in malicious ways

The OWASP API Security Top 10 provides a helpful summary of some of the most commonly exploited API vulnerabilities and threats that organizations should try to identify and address.

With API security, you can prevent vulnerable and misconfigured APIs from exposing your enterprise to API attacks by promptly notifying security, developer, and API teams of potential risks, configuration errors, and vulnerabilities. You can also easily determine if a partner has set up your API incorrectly or if there are vulnerabilities in the code.

Contextual and conditional alerts work seamlessly within your existing workflows, such as by automatically creating a Jira ticket, enabling you to swiftly resolve any issues.

Monitor API abuse

APIs are designed to be used programmatically, which makes differentiating legitimate usage from attacks and abuse extremely challenging.

While API threats attacks vary in approach, some of the most common ways include:

Business logic abuse. Logic abuse is when a malicious actor exploits application design or implementation flaws to prompt unexpected and unsanctioned behavior benefitting the attackers. Legacy security controls cannot prevent this type of abuse, causing tremendous stress and pressure for CISOs and their teams.
Unauthorized data access. Another common form of API abuse is exploiting broken authorization mechanisms to access data the attackers should not be allowed to access. These vulnerabilities carry many names, such as broken object level authorization (BOLA) and insecure direct object reference (IDOR), as well as broken function level authorization (BFLA).
Account takeover. After a credential theft or even a cross-site scripting attack, an account can be taken over. Once that happens, abuse of even the most well-written and thoughtfully secured API is possible. After all, if you’re not performing behavior analysis, any authenticated activity is considered legitimate.
Data scraping. As organizations make datasets available through public APIs, malicious actors may aggressively query these resources to perform wholesale capture of large, valuable datasets.
Business denial of service (DoS). By asking the back end to perform heavy tasks, API attackers or users can cause “erosion of service” or a complete denial of service at the application layer (a very common vulnerability in GraphQL, but something that can happen with any resource-intensive API endpoint implementation). This can happen through an intentional attack or through overuse by a partner that causes the API to go down for other partners.
Vulnerability exploitation. Technical vulnerabilities in the underlying infrastructure can lead to server compromise. Examples of these types of vulnerabilities range from the Apache Struts vulnerabilities (CVE-2017-9791, CVE-2018-11776, and friends) to the Log4j vulnerabilities (CVE-2021-44228 and friends).

Identifying and mitigating these and other API security risks requires security controls that are sophisticated enough to address this complex and fast-evolving threat landscape.

The API Security solution provides business context that cannot be gained by analyzing technical elements like IP addresses and API tokens alone. Using AI/ML –informed real-time traffic analysis, API Security outputs business context that enables you to do a thorough analysis of what happened before and after an alert, to identify a root cause. API Security also allows you to search APIs by specific entities, such as your users or partners, or even business process entities (invoice, payment, order, etc.), to make it possible to find anomalies that would otherwise go undetected.

Learn from our API security experts

Join us as we dig into the technical side of API security in our If Your APIs Could Talk monthly series.

See webinars

Resources

Infographic

Better Together: Akamai App & API Protector + API Security

Learn why API threats require a new security stance that includes layered protections and natively connected solutions.

View infographic

White paper

Protect Against the OWASP Top 10 API Security Risks

Updates to the Top 10 API Security Risks show new vulnerabilities that demand new mitigation strategies and defenses.

Read white paper

Blog post

API Security: Best Practices for API Activity Data Acquisition

You need the right data to understand and defend APIs. These best practices speed up API discovery and detection of advanced threats.

Read blog

Discover the critical capabilities of API Security

Learn which API Security capabilities can help you prevent attacks through hands-on examples, including:

Discovery and monitoring: Instantly detect and respond to threats with our 24/7 monitoring system
Alerts: Investigate how posture and runtime alerts are handled
Easy integration: Seamlessly integrate with your existing tech stack, no matter the complexity

Schedule your demo in two easy steps:

Submit the form
Book a time with our team

Thanks for your request! An Akamai expert will reach out soon.

Products

Cloud Computing

Cloud Computing

Security

Security

App and API Security

Zero Trust Security

Bot & Abuse Protection

INFRASTRUCTURE SECURITY

Content Delivery

Content Delivery

APPLICATION PERFORMANCE

MEDIA DELIVERY

EDGE APPLICATIONS

MONITORING, REPORTING, AND TESTING

Solutions

Use Cases

CLOUD COMPUTING

SECURITY

CONTENT DELIVERY

Industry Solutions

Why Akamai

Resources

Library

Library

Learn

Security Research

Partners

Find a Partner

Become a Partner

Contact Us

API Security

Discover — and gain visibility into — all APIs to defend against threats

Eliminate a common security blind spot

Discover your complete API estate

Identify vulnerable APIs

Mitigate business logic abuse

How API Security works

Discover

Discover

Test

Test

Detect

Detect

Respond

Respond

What’s the impact of an API security incident?

Gartner® Market Guide for API Protection

Gartner® Market Guide for API Protection

Gartner® Market Guide for API Protection

Features

Frequently Asked Questions (FAQ)

What Akamai products do I need to use API Security?

How is API Security different from Akamai App & API Protector?

Do you offer API testing capabilities?

Does API Security protect east-west traffic?

How does API Security manage sensitive data?

Does API Security protect APIs that don’t pass through a CDN?

Can API Security discover API traffic across Akamai Connected Cloud?

Does API Security cover every OWASP API Top 10 vulnerability?

Customer Stories

Netskope

Aflac

DHgate

API Security Use Cases

Test APIs before putting them into production

Test APIs before putting them into production

Get an enterprise-wide inventory of your APIs

Get an enterprise-wide inventory of your APIs

Understand your API risk posture

Understand your API risk posture

Monitor API abuse

Monitor API abuse

Learn from our API security experts

Resources

Better Together: Akamai App & API Protector + API Security

Protect Against the OWASP Top 10 API Security Risks

API Security: Best Practices for API Activity Data Acquisition

Discover the critical capabilities of API Security

Products

Gartner^® Market Guide for API Protection

Gartner^® Market Guide for API Protection

Gartner^® Market Guide for API Protection