API Security Tools

JMeter, from Apache, is a load and performance testing tool.

Postman, headquartered in San Francisco, offers their flagship API development and management free to small teams and independent developers. Higher tiers (Postman Pro and Postman Enterprise) support API management, as well as team collaboration, extended support and other advanced…

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources.

Qualys TruRisk Platform (formerly Qualys Cloud Platform, or Qualysguard), from San Francisco-based Qualys, is network security and vulnerability management software featuring app scanning and security, network device mapping and detection, vulnerability prioritization schedule and…

F5's Distributed Cloud API Security provides discovery and deep insights from use of AI/ML. It can be used to block API attacks in real time and eliminate vulnerabilities at their source. The SaaS-based portal enables users to manage and go deep for threat analytics, forensics, and…

Katalon Studio is provided by the vendor as a free and robust automation solution for API, Web and Mobile testing. It is designed to eliminate the complexities of building an automation framework by integrating all necessary test components with built-in keywords and project templates.…

For API-driven organizations, Salt Security is an API security platform that protects internal, external, and third-party APIs. The Salt C-3A Context-based API Analysis Architecture combines coverage and AI-powered big data to discover APIs and exposed sensitive data - continuous…

AppScan (formerly Rational AppScan) is an application security testing solution acquired by HCL Technologies from IBM in late 2018. Appscan supports both dynamic (DAST) and static (SAST) application security testing.

SoapUI is an open source API testing tool supported by SmartBear's community, supporting functional and performance testing of APIs.

Apigee Sense from Google (acquired in late 2016) protects APIs from unwanted request traffic, including attacks from malicious clients. Apigee Sense analyzes API request traffic, identifying patterns that might represent unwanted requests.

Akamai Akamai App & API Protector offers protection for websites, web applications and APIs. An evolution of Kona Site Defender, a web application security platform designed to protect web and mobile assets from targeted web application attacks and DDoS attacks while improving…

Fastly Secure (based on Signal Sciences, acquired December 2020), offers a WAF and RASP solution that protects over 34,000 applications and over a trillion production requests per month. Signal Sciences’ architecture is designed to provide organizations working in a modern development…

UP9 is an API observability and test automation platform for developers, an autonomous microservice testing platform. UP9 aims to reduce developer testing workload with up-to-date service test-coverage using ML-generated and maintained API test code.

StackHawk is a solution designed to make it simple for developers to find, triage, and fix application security bugs, from the company of the same name headquartered in Denver. Scan an application for AppSec bugs in the code, triage and fix with provided documentation, and automate…

Soveren helps identify and protect crown jewels in Kubernetes-based environments. It automatically discovers sensitive data and assets, mapping the flows between them and immediately alerting the user before risks become full-blown incidents.

Netacea is a behavior-based bot management solution that protects enterprise businesses from ever-changing automated threats. It aims to boost operational efficiency, improves customer experience and protects revenue. Deployed on websites, mobile apps, and APIs, and integrating with…

Bright Security is an application & API security testing platform from the company of the same name in San Rafael, California. Bright Security integrates into the user's CI/CD pipeline and enable users to run DAST scans with every build, as well as identify known (7,000+ payloads)…

Haltdos Web Application Firewall blocks application layer DDoS and other attack vectors directed at web-facing applications, while providing protection against data loss. It also has strong authentication and access control capabilities for restricting access to sensitive applications…

Neosec is offers application security and API protection against business abuse and data theft. Built for organizations that expose APIs to partners, suppliers, and users, Neosec discovers all of the user's APIs, analyzes their behavior, audits risk, and stops threats lurking inside.…

NowSecure is a mobile app security software company headquartered in Chicago. The NowSecure Platform aims to deliver fully automated mobile app security testing with the speed, accuracy, and efficiency necessary for Agile and DevSecOps environments. Through static, dynamic, behavioral…

Hopr’s cloud native AMTD platform, a software as a service (SaaS) solution that rotates the identity and secret credentials of containerized workloads at a high frequency to prevent credential theft and wide range of man in the middle (MITM) attacks on application endpoints. The…

Imperva API Security, based on technology acquired with CloudVector in May 2021, provides continuous protection of all APIs using deep discovery and classification of sensitive data to detect all public, private and shadow APIs to empower security teams to implement a positive security…

A cloud application security solution from Cisco, it allows teams to secure APIs, serverless, container, and Kubernetes environments.

open-appsec (openappsec.io) is an open-source initiative that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy and API Gateways. The…

AppTrana’s API Protection aims to eliminate API risks and provide robust protection by combining Risk detection, API Threat detection, API Positive Security policies, API-Specific DDoS & Bot modules, and API Discovery. It provides automated API scanning to identify OWASP Top…