API Security Market
Overview
A Comprehensive Guide to
API Security Vendors
Disclaimer
About this Guide:
This analysis and comparison is based on research of public-facing
documentation and content and is intended to educate and inform
the market about how different solutions address API security
requirements. We welcome feedback to make this evaluation more
accurate. If you see any errors, connect with us and we’ll work on
updating the content.
Modern applications, composed of microservices and cloud-native architectures, enable rapid innovation and
the creation of business value. Enabling collaboration and partnership in the market, APIs are the cement
in the foundation of modern applications. Managing API security risks is a rapidly growing challenge facing
engineering, IT, and security leaders. This comprehensive comparison guide is based on a collection of 14 API
Security Tool Requirements, organized into 5 groups. Specifically, an API security tool must be able to account
for the following overarching security requirements:
API Security Requirements Overview
API Discovery and Risk Management - Find, catalog, and analyze ALL APIs in an application
• API Discovery
• API Risk Management
• API Change Detection
• Usage Analysis
• 3rd Party API Risk
Detection and Blocking of Attacks - Detect and thwart adversarial attacks
• OWASP Top 10 Attacks - Legacy
• OWASP API Top 10 Attacks
• DDoS Protection
User Behavior Attacks - Detect and mitigate fraud and abuse of APIs
• User Identification & Behavior Analytics
• Bot Mitigation
• Fraud Detection
Data Flow Analytics - Leverage data to enable threat hunting and analytics
• Sensitive Data Flow
• Analytics & Threat Hunting
Deployment Options - Support both deployment modes:
• Inline / Agent-based
• Out-of-Band / Agentless
The API security tool landscape consists of many different entries, from traditional firewall/edge-based
protection solutions to solutions that leverage modern techniques like distributed tracing and observability to
see inside of API traffic to detect potential anomalies and attacks.
The API Security Market Overview
The sections below provide a deeper dive into each of the nine solutions listed here, scored against the
fourteen API Security Requirements.
• Signal Sciences - 32%
• Noname - 45%
• Salt Security - 50%
• 42Crunch - 21%
• Neosec - 68%
• Cequence - 57%
• Data Theorem - 36%
• Wib - 57%
• Traceable AI - 96%
Note: The % score is based on the number of API Security requirements the tool meets divided by the number
of API Security requirements (14). Partial = ½ credit.
Signal Sciences - 32%
Signal Sciences offers a WAF that can protect
your web application based on security
signatures.
Considerations
Just Web Protection
Cybercriminals have expanded their attack
campaigns to both web and API applications,
looking for an easy way to breach your
security defenses and steal your sensitive
data. Without a solid defense against
web and API attacks, you end up with a
hole in your security protection, allowing
cybercriminals to gain an easy foothold in
your organization.
Real API Security
APIs expose business logic, and attackers often exploit your business logic to abuse your
APIs. Understanding API context and transaction/data flows is crucial to detecting and
defending against business logic attacks. You need a solution that understands an
application’s business logic and is purpose-built to detect and block business logic attacks
by analyzing transactions and data flow, helping to thwart sophisticated API attacks that
target your mission-critical application’s sensitive data. We suggest evaluating how Signal
Sciences would block business logic attacks such as BOLA (Broken Object Level Authorization).
API Parameter Definition
The problem with OpenAPI parameter files right from the start was that they were difficult
to update and maintain, pulling the developer away from the serious work of developing new
software features. If a developer doesn’t update that API parameter file, it can leave the door wide
open for a cybercriminal to target and exploit your API application.
Sensitive Data Tracking
Maintaining an API catalog that highlights exposure of sensitive data, such as PII and PCI data, is a
critical step in mitigating data breaches. Consider evaluating how Signal Sciences will detect
and prevent unauthorized sensitive data from flowing through your APIs.
Security Data Lake
Historical data about attempted API attacks is a crucial need for security teams to improve
their security posture over time. You need a solution that is built on a security data lake
that enables EDR-like capabilities that enterprise security teams have been using for years.
Customers will be able to perform threat hunting, post-forensic analysis and track sensitive
data flows across their API-driven applications.
Noname Security - 43%
Noname Security is built on the idea that
protecting an application’s APIs should be
centered on getting as much information
from across an application’s API estate but
misses the mark by not focusing on the
root cause of API-driven data breaches –
business logic flaws.
Considerations
Business Logic
APIs expose business logic, and attackers
often exploit your business logic to abuse
your APIs. Understanding API context
and transaction/data flows is crucial to
detecting and defending against business
logic attacks.
Real-Time Protection
API attacks are fast and hard to detect
because they often look like regular business
traffic. Organizations need deployment
options that take minutes to set up. This
includes an in-app agent option for real-
time protection, blocking threats as they
come, and an agentless option that can be
deployed outside the application depending
on your requirements.
Web Protection
Cybercriminals have expanded their attack campaigns to both Web and API applications,
looking for an easy way to breach your security defenses and steal your sensitive data.
Without a solid defense against web and API attacks, you end up with a hole in your security
protection, allowing cybercriminals to gain an easy foothold in your organization.
Salt Security - 50%
Salt Security first arrived on the scene in
2016.
With the rise of API applications, attackers
are now targeting the business logic flaws
and API vulnerabilities that turn up with
every software release. Unless your security
protection can understand your application
business logic and how it changes over time,
it opens the door for attackers to discover
and exploit your application vulnerabilities.
Considerations
Real-Time Protection
API attacks are fast and hard to detect
because they often look like regular business
traffic. Organizations need deployment
options that take minutes to set up. This
includes an in-app agent option for real-
time protection, blocking threats as they
come, and an agentless option that can be
deployed outside the application depending
on your requirements.
Sensitive Data Tracking
Maintaining an API catalog that highlights
exposure of sensitive data, such as PII and
PCI data, is a critical step in mitigating data breaches.
Evaluate how Salt will detect and prevent
unauthorized sensitive data from flowing
through your APIs.
Security Data Lake
Historical data about attempted API attacks is a crucial need for security teams to improve
their security posture over time. You need a solution that is built on a security data lake
that enables EDR-like capabilities that enterprise security teams have been using for years.
Customers will be able to perform threat hunting, post-forensic analysis and track sensitive
data flows across their API-driven applications.
Web Protection
Cybercriminals have expanded their attack campaigns to both Web and API applications,
looking for an easy way to breach your security defenses and steal your sensitive data.
Without a solid defense against web and API attacks, you end up with a hole in your security
protection, allowing cybercriminals to gain an easy foothold in your organization.
42Crunch - 21%
42Crunch provides a platform of automated
tools that help secure APIs throughout the
software development lifecycle. Built around
a positive API security model based on the
OpenAPI/Swagger file, 42Crunch can help
automate security checks throughout your
CI/CD pipelines. Throughout the process, it
can execute detailed security checks, providing
security scores and remediation advice to
developers. The finalized API contract is then
used by its API firewall to provide real-time
security enforcement.
Considerations
Open API File-Based Protection
The problem with OpenAPI parameter files
right from the start was that they were difficult
to update and maintain, pulling the developer
away from the serious work of developing
new software features. If a developer doesn’t
update that API parameter file, it can leave the
door wide open for a cybercriminal to target
and exploit your API application. Traceable is
able to automatically discover and update all
API parameter changes, without the need to
maintain an OpenAPI file, ensuring that your
API Security is automated and up-to-date.
Business Logic Understanding
APIs expose business logic, and attackers often exploit your business logic to abuse your APIs.
Understanding API context and transaction/data flows is crucial to detecting and defending
against business logic attacks. We suggest exploring how 42Crunch can detect and block
business logic attacks.
Sensitive Data Tracking
Maintaining an API catalog that highlights exposure of sensitive data, such as PII and PCI data, is a
critical step in mitigating data breaches. You need a solution that has the ability to pinpoint
your sensitive data and identify and visualize each API flow across your applications, allowing
you to identify insecure or vulnerable APIs that could lead to a devastating data breach.
Security Data Lake
Historical data about attempted API attacks is a crucial need for security teams to improve
their security posture over time. You need a solution that is built on a security data lake
that enables EDR-like capabilities that enterprise security teams have been using for years.
Customers will be able to perform threat hunting, post-forensic analysis and track sensitive
data flows across their API-driven applications.
Neosec - 68%
Neosec is an intelligent application security
platform based on data and behavioral
analytics. Neosec is the XDR equivalent for
API security.
Considerations
Data Collection
Neosec collects data from existing API
activity happening around the application
itself, without deploying sensors or sidecars.
Is Neosec working with all the data? How
does it understand internal application
logic without deriving it from what it sees
externally?
Real-Time Enforcement
Neosec blocking capability is through
integrations with 3rd party vendors such as
API gateways and proxies, which can delay
enforcement by seconds.
Web Protection & API Protection
Neosec focuses on API security only, not web
application protection too.
Cybercriminals often target both web and
API applications of an organization, looking
for an easy unprotected way to access
sensitive data. Not having an integrated
and complete security solution that covers
both web and API security is an invitation to
cybercriminals to target your organization.
Cequence - 57%
Cequence Security was founded in 2015
as a bot mitigation and fraud prevention
company. More recently, Cequence
repositioned itself as an API Security vendor
with the introduction of API Sentinel.
However, API Sentinel offers basic API
discovery and visibility features that are
common across most API Security vendors.
Beyond that, it doesn’t offer any focused API
Security features that are required to protect
mission-critical applications. Despite the new
API Sentinel product introduction, Cequence
is still primarily a bot mitigation company
with basic API Security coverage.
Considerations
Understanding of Business Logic
APIs expose business logic, and attackers
often exploit your business logic to abuse
your APIs. Understanding API context
and transaction/data flows is crucial to
detecting and defending against business
logic attacks.
API Security Data Lake
Historical data about attempted API attacks is a crucial need for security teams to improve
their security posture over time. You need a solution that is built on a security data lake
that enables EDR-like capabilities that enterprise security teams have been using for years.
Customers need the ability to perform threat hunting, post-forensic analysis and track
sensitive data flows across their API-driven applications.
Sensitive Data Tracking
Maintaining an API catalog that highlights exposure of sensitive data, such as PII and PCI
data, is a critical step in mitigating data breaches. You need a solution that has the ability
to pinpoint your sensitive data and identify and visualize each API flow across your
applications, allowing you to identify insecure or vulnerable APIs that could lead to a
devastating data breach.
Data Theorem - 36%
Data Theorem is a provider of application
security analysis software. Data Theorem can
discover and inventory all your APIs. Data
Theorem’s analyzer engine continuously
scans mobile and web applications in search
of security flaws and data privacy gaps. It
can discover and inventory your APIs and
discover potential API vulnerabilities. By
integrating with your CI/CD pipeline, it can
remediate potential security issues such as
authentication, authorization, encryption, etc.
Considerations
Real-Time Protection
API attacks are fast and hard to detect
because they often look like regular business
traffic. Organizations need deployment
options that take minutes to set up. This
includes an in-app agent option for real-
time protection, blocking threats as they
come, and an agentless option that can be
deployed outside the application depending
on your requirements.
Security Data Lake
Historical data about attempted API attacks is a crucial need for security teams to improve
their security posture over time. You need a solution that is built on a security data lake
that enables EDR-like capabilities that enterprise security teams have been using for years.
Customers need the ability to perform threat hunting, post-forensic analysis and track
sensitive data flows across their API-driven applications.
Business Logic Understanding
APIs expose business logic, and attackers often exploit your business logic to abuse your
APIs. Understanding API context and transaction/data flows is crucial to detecting and
defending against business logic attacks.
Wib - 57%
Wib is a relatively new vendor in the API
Security landscape. The company provides
API Security across the entire API software
development lifecycle like many other
vendors in the industry. Wib, which claims to
protect APIs through the entire API software
development lifecycle, does not provide
rich business context needed to identify
vulnerabilities and prevent API attacks in
real time. Wib is able to meet just over half
of the API security requirements delivering
8 out of 14, meeting the basic needs of some
organizations.
Considerations
Real-Time Protection
API attacks are fast and hard to detect
because they often look like regular business
traffic. Organizations need deployment
options that take minutes to set up. This
includes an in-app agent option for real-
time protection, blocking threats as they
come, and an agentless option that can be
deployed outside the application depending
on your requirements.
Security Data Lake
Historical data about attempted API attacks is a crucial need for security teams to improve
their security posture over time. You need a solution that is built on a security data lake
that enables EDR-like capabilities that enterprise security teams have been using for years.
Customers need the ability to perform threat hunting, post-forensic analysis and track
sensitive data flows across their API-driven applications.
Web Protection
Cybercriminals have expanded their attack campaigns to both Web and API applications,
looking for an easy way to breach your security defenses and steal your sensitive data.
Without a solid defense against web and API attacks, you end up with a hole in your security
protection, allowing cybercriminals to gain an easy foothold in your organization.
Traceable AI - 96%
Traceable AI collects API traffic across
the entire application landscape and uses a
context-based behavioral analytics AI engine
to discover APIs and what data they expose,
block known and unknown attacks, and
provide threat analytics and forensics.
Traceable AI supports both agentless
deployment options, including out-of-band
traffic mirroring, and language agents that
sit closer to the code for enhanced API-call-
level troubleshooting and analytics. Based
on this approach, Traceable is able to address
almost all of the API Security Requirements,
delivering 13 ½ out of 14 requirements.
Considerations
Complete API Catalog
Due to close integration into the application,
Traceable AI is able to detect and maintain a
complete and accurate API Catalog.
Real-Time Protection
Traceable is able to deliver real-time in-app
blocking and agentless deployment options.
Understanding of Business Logic
Traceable AI is able to detect and block
sophisticated API attacks that focus on
Business logic exploits that can lead to
sensitive data exposure.
Security Data Lake for Threat Hunting
Traceable’s data lake enables EDR-like capabilities that enterprise security teams can
perform threat hunting, post-forensic analysis and track sensitive data flows across their API-
driven applications.
Sensitive Data Tracking
Traceable has the ability to pinpoint sensitive data and identify and visualize each API flow
across applications, allowing teams to identify insecure or vulnerable APIs that could lead to
a devastating data breach.
Learn more about how Traceable AI provides complete API Security coverage.
API Security Tool Requirements
API Discovery and Risk Management
API Discovery
Ensures that you always have an up-to-date inventory of your organization’s APIs.
Continuously discovers and inventories all APIs, including shadow APIs of an organization.
Provides change notification when an API has been added, modified, or deprecated.
API Risk Monitoring
Continuously updated endpoint risk scoring based on the likelihood and impact of a
cyberattack. Example risk-score criteria are: external vs internal API, unauthenticated, has a
global user-base, and handles sensitive data.
API Change Detection
The ability to detect and flag changes in API specifications, configuration, and/or parameter
details so that unexpected and potentially insecure changes (malicious or not) can be caught
and validated before problems arise.
Usage Analysis
Helps to track and understand usage patterns of APIs, monitor performance of APIs, and
diagnose issues between APIs and applications.
3rd-Party API Risk
Discover 3rd party APIs that integrate with your application that might pose an unknown risk
to your organization.
Detecting and Blocking Attacks
OWASP Top 10 Attacks - Legacy
Detection and blocking of the OWASP Top 10 vulnerabilities, which provide guidance to
developers and security professionals on the most critical vulnerabilities that are commonly
found in web applications.
OWASP API Top 10 Attacks
Detection and blocking of the OWASP API Top 10 vulnerabilities. Protects against BOLA, mass
assignment, and business logic flaws.
DDoS Protection
DDoS (distributed denial of service) protection foils malicious traffic coming from multiple
network points before it reaches its destination, minimizing the impact of the attack while
ensuring legitimate traffic flow.
User Behavior Attacks
User Identification & Behavior Analytics
Uses advanced user identification and analytics technologies, including machine learning and
deep learning, to discover abnormal and risky behavior by users, machines, and other entities
interacting with your applications.
Bot Mitigation
Bot mitigation is the process of minimizing risk to applications, websites, APIs, etc. from
malicious bot traffic. Bot mitigation solutions use different techniques to identify, manage
and block bad bots while allowing legitimate bots to operate.
Fraud Detection
Fraud detection protects customer and enterprise information, assets, accounts, and
transactions through the real-time, near-real-time, or batch analysis of activities by users
and other defined entities (such as kiosks). It uses background server-based processes that
examine users’ and other defined entities’ access and behavior patterns and typically
compares this information to a profile of what’s expected.
Data Flow Analytics
Sensitive Data Flow
Prevent sensitive data exposure. Identify API endpoints that handle sensitive data. See
meta-data details of all data used by all endpoints. Identify external facing and internal
APIs handling sensitive data. Identify API endpoints without authentication.
Analytics & Threat Hunting
An explorable data lake of all transaction details which can be filtered, sorted, and searched
to find meaningful data, discover trends, and gain insights. Explorability of this data
collection enables threat hunting and forensics.
Deployment Options
Inline / Agent-based
A deployment option that uses an in-app agent which sits in line with the application. In-app
agents are typically libraries that can be linked in at runtime without code alteration.
Typically inline/agent-based deployments can provide deeper system-level insights for better
overall visibility and control points for more direct application protection.
Out-of-Band/Agentless
An out-of-band agentless deployment means that functionality is achieved without requiring
any application code changes and that there is no agent in the path of the application
communications. This is typically achieved either through traffic mirroring or from log and
metrics collection from infrastructure devices. Out-of-band/agentless deployments typically
do not provide as deep a set of application data as agent-based data collection.
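To make the API Discovery, API Risk Monitoring and API Change Detection requirements concrete, the following is an added example (not code from the guide or from any vendor it covers): it diffs two constructed inventory snapshots to flag new, removed and drifted endpoints, and scores each endpoint with the example risk criteria the guide lists (external vs internal, unauthenticated, global user base, handles sensitive data). The snapshot format and the weights are this example's assumptions.

```python
"""Added example: API change detection plus risk scoring over two constructed
OpenAPI-style inventory snapshots. Snapshot shape and weights are assumptions."""

# Constructed "before" and "after" inventories. Each entry keeps the parts of
# an OpenAPI path item a change detector cares about: parameters, whether the
# endpoint requires authentication, and which sensitive fields it exposes.
BEFORE = {
    ("GET", "/users/{id}"): {"params": {"id"}, "auth": True, "sensitive": {"email"}},
    ("POST", "/orders"): {"params": {"sku", "qty"}, "auth": True, "sensitive": set()},
    ("GET", "/health"): {"params": set(), "auth": False, "sensitive": set()},
}
AFTER = {
    # a new parameter appeared and the endpoint now returns an extra sensitive field
    ("GET", "/users/{id}"): {"params": {"id", "include_ssn"}, "auth": True,
                             "sensitive": {"email", "ssn"}},
    ("POST", "/orders"): {"params": {"sku", "qty"}, "auth": True, "sensitive": set()},
    # /health disappeared; an undocumented (shadow) export endpoint showed up
    ("GET", "/export/all"): {"params": {"format"}, "auth": False,
                             "sensitive": {"email", "ssn"}},
}


def detect_changes(before, after):
    """Flag added/removed endpoints, and parameter, auth or data drift on shared ones."""
    findings = []
    for ep in sorted(after.keys() - before.keys()):
        findings.append(("added", ep, "new endpoint not in previous inventory"))
    for ep in sorted(before.keys() - after.keys()):
        findings.append(("removed", ep, "endpoint disappeared (deprecated?)"))
    for ep in sorted(before.keys() & after.keys()):
        old, new = before[ep], after[ep]
        new_params = new["params"] - old["params"]
        if new_params:
            findings.append(("param_added", ep, ",".join(sorted(new_params))))
        if old["auth"] and not new["auth"]:
            findings.append(("auth_removed", ep, "endpoint no longer requires auth"))
        new_sensitive = new["sensitive"] - old["sensitive"]
        if new_sensitive:
            findings.append(("sensitive_added", ep, ",".join(sorted(new_sensitive))))
    return findings


def risk_score(spec, external=True, global_user_base=True):
    """Additive score over the guide's example criteria; weights are assumed."""
    score = 0
    if external:
        score += 2          # reachable from the internet
    if global_user_base:
        score += 1          # wide exposure
    if not spec["auth"]:
        score += 3          # unauthenticated endpoint
    if spec["sensitive"]:
        score += 2 + len(spec["sensitive"])  # handles sensitive data, more fields = worse
    return score


def prioritize(inventory):
    """Rank endpoints by risk score, highest first, for a risk dashboard."""
    return sorted(inventory, key=lambda ep: risk_score(inventory[ep]), reverse=True)


if __name__ == "__main__":
    for kind, ep, detail in detect_changes(BEFORE, AFTER):
        print(f"{kind:16} {ep[0]:5} {ep[1]:15} {detail}")
    for ep in prioritize(AFTER):
        print(f"risk={risk_score(AFTER[ep]):2} {ep[0]} {ep[1]}")
```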
About us.
Traceable was founded by third-time entrepreneur Jyoti
Bansal and Sanjay Nagaraj. Bansal and Nagaraj saw the massive
adoption of cloud-native architectures firsthand during their
time at AppDynamics and founded Traceable as a result to
protect applications from next-generation attacks.
Traceable applies the power of machine learning and
distributed tracing to understand the DNA of the application,
how it is changing, and where there are anomalies in order
to detect and block threats, making businesses more secure
and resilient.
Traceable.ai
220314