Executive Summary
Your WAF inspects requests it can see; your API security platform’s first job is to tell you which APIs you didn’t know you had — because you can’t protect, or block, what you can’t see.
Salt Security, Akamai (the former Noname Security), Imperva, and Traceable (now Harness API Security) anchor a category that exists because the rest of the security stack was built for a different attack surface. A WAF matches signatures against payloads it understands; an API gateway brokers and meters traffic it was configured for. Neither one knows that a developer stood up an undocumented endpoint last sprint, that an authenticated user can increment an object ID and read someone else’s records, or that a “legitimate” sequence of valid calls is quietly scraping your entire inventory. API security is the control built to see and stop exactly that.
The market splits three ways — standalone API-security specialists that lead with discovery and behavioral runtime detection, WAAP platforms that bundle API security alongside WAF and bot defense, and API-gateway add-ons that bolt protection onto the lifecycle layer — and the camps blur further as agentic AI, MCP servers, and LLM-backed endpoints become a fast-growing new surface that almost nobody has inventoried.
This guide provides a vendor-neutral evaluation framework for eight leading platforms, weighing discovery completeness, posture and spec governance, and runtime protection against the OWASP API Top 10 — so you choose against where your real API risk sits, not against whichever tool your incumbent vendor happens to bundle.
Why API Security Matters for Enterprise Strategy
APIs are now the connective tissue of every digital business — mobile apps, partner integrations, microservices, and AI agents all talk over them — and that makes the API layer the single richest attack surface most enterprises own. The risks that matter here are not the classic injection flaws a WAF was built for; they are authorization and logic failures unique to APIs. Broken Object Level Authorization (BOLA) — an authenticated user manipulating an ID to reach data that isn’t theirs — has sat at the top of the OWASP API Security Top 10 since the list began, and it is invisible to signature-based tooling because every request looks perfectly valid.
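To make the BOLA point concrete, here is an added example (not from this guide or any vendor's product) of the behavioral check a runtime engine performs: every request in the constructed access log is authenticated and well-formed, so a signature-based WAF passes each one, but grouping reads per principal exposes a client walking the object-ID space. The log format, routes, users and thresholds are all assumptions constructed for the example.

```python
"""Added example: flag BOLA-style object-ID enumeration in API access logs.
Each request is individually valid; only the per-principal sequence reveals
the abuse. Log lines, paths and thresholds are constructed, not real data."""
import re
from collections import defaultdict

# Constructed sample access log: timestamp, principal, method, path, status.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=alice GET /v1/orders/1041 200
2026-03-01T10:00:03Z user=alice GET /v1/orders/1042 200
2026-03-01T10:00:04Z user=alice GET /v1/orders/1043 200
2026-03-01T10:00:05Z user=alice GET /v1/orders/1044 200
2026-03-01T10:00:06Z user=alice GET /v1/orders/1045 200
2026-03-01T10:00:07Z user=alice GET /v1/orders/1046 200
2026-03-01T10:00:20Z user=bob GET /v1/orders/2207 200
2026-03-01T10:05:11Z user=bob GET /v1/orders/2207 200
2026-03-01T10:06:40Z user=carol GET /v1/orders/3010 200
2026-03-01T10:06:41Z user=carol GET /v1/orders/3011 404
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
                     r"(?P<path>\S+) (?P<status>\d{3})$")
# Object-bearing route: the trailing integer is the object ID being addressed.
OBJECT_ROUTE_RE = re.compile(r"^(?P<resource>/v1/[a-z]+)/(?P<oid>\d+)$")

def parse_log(text):
    """Yield (user, resource, object_id) for every object read in the log.
    Status is deliberately ignored: an enumerating client produces a mix of
    200s and 403/404s, and all of them count toward the walk."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = OBJECT_ROUTE_RE.match(m["path"])
        if r:
            yield m["user"], r["resource"], int(r["oid"])

def find_enumeration(text, min_distinct=5, max_gap=1):
    """Return {(user, resource): sorted IDs} for principals that read at least
    `min_distinct` distinct objects whose IDs form a near-contiguous run
    (every step <= max_gap). A normal user revisits a few IDs of their own;
    an enumerating client walks the ID space one object at a time."""
    seen = defaultdict(set)
    for user, resource, oid in parse_log(text):
        seen[(user, resource)].add(oid)
    findings = {}
    for key, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) < min_distinct:
            continue
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(steps) <= max_gap:
            findings[key] = ordered
    return findings

if __name__ == "__main__":
    for (user, resource), ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible BOLA enumeration: {user} read {len(ids)} "
              f"{resource} objects {ids[0]}..{ids[-1]}")
```

The thresholds are the tuning knobs a platform learns from baseline traffic; during the monitoring phase you would lower `min_distinct` and inspect what surfaces before letting the rule drive blocking.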
Two forces make this urgent in 2026. First, API sprawl has outrun governance: shadow APIs nobody documented and zombie APIs nobody retired now outnumber the endpoints security teams actually track, and you cannot apply policy to an estate you can’t enumerate. Second, agentic AI has detonated a new surface almost overnight — autonomous agents call internal APIs to act, the Model Context Protocol (MCP) wires them to tools and data, and LLM-backed endpoints introduce prompt-injection and data-exfiltration paths that traditional API rules never anticipated. The platform you pick should treat API discovery as a continuous, attacker’s-eye process and extend cleanly to AI-driven traffic, because that is where the next wave of exposure is landing.
Sourcing & Architecture Decision
Nobody builds an API security platform in-house — the discovery models, OWASP API Top 10 coverage, and behavioral runtime detection represent years of engineering against a moving target, and home-grown logging plus a few gateway rules is not a substitute. The real decision is architectural and organizational: standalone specialist versus WAAP-bundled versus gateway add-on, out-of-band traffic analysis versus inline enforcement, and whether discovery or runtime protection is the problem you most need to solve first.
Frame it around your starting pain and your traffic path, not a feature grid. If you don’t even have an inventory, lead with discovery and posture; if you have a known, high-value API under active abuse, lead with inline runtime protection; if consolidation and a single edge bill dominate, a WAAP platform may win even at some loss of behavioral depth. Decide deliberately whether the tool sits out-of-band (mirroring traffic, zero latency, detect-and-alert) or inline (proxy or gateway plugin, able to block but in the request path), because that choice shapes both coverage and risk.
| Your Situation | Recommended Path | Rationale |
|---|---|---|
| No real API inventory — shadow and zombie endpoints unknown | Discovery-led API security specialist | Continuous traffic-based discovery and posture come first — you can’t govern or protect what you can’t see; Salt, Akamai API Security (Noname), and Cequence lead with attacker’s-eye discovery and inventory. |
| A known, high-value API under active abuse (BOLA, ATO, scraping) | Inline runtime protection | When you need to block now, an inline engine that enforces in the request path matters more than out-of-band analytics — Wallarm, Traceable (Harness), and Imperva enforce against the OWASP API Top 10 in line. |
| Consolidation mandate — one edge vendor for WAF, bot, and API | WAAP platform with first-class API security | If a single edge bill and one console win the day, a WAAP whose API security is genuinely first-class (not web rules pointed at an API) is defensible — Akamai, Imperva, F5, Wallarm; weigh the behavioral-depth trade-off. |
| Mature API gateway already in place (Apigee, Kong, MuleSoft) | Out-of-band analysis off the gateway | Specialists ingest gateway logs or mirror traffic to add discovery and behavioral detection the gateway lacks, without re-architecting the data plane — Salt, F5 Distributed Cloud, and Cequence integrate this way. |
| Mobile- and cloud-native, shift-left AppSec culture | Build-time + runtime API/AppSec testing | Teams that want APIs hacked in CI and traced from client to cloud favor a testing-and-discovery heritage over a pure runtime proxy — Data Theorem and Traceable tie API findings back to mobile, code, and the pipeline. |
Key Capabilities & Evaluation Criteria
Weight these domains against your own API estate, traffic path, and starting pain. Most API-security RFPs over-index on a long list of detectable attack types — every serious vendor claims OWASP API Top 10 coverage. What actually separates platforms is the completeness of discovery (you are only as protected as the endpoints you found), the strength of behavioral runtime detection for authorization and business-logic abuse, and whether the platform can enforce in line when you need it to. Score discovery and runtime detection together, because a platform that catalogs everything but can’t catch an in-progress BOLA attack is an inventory tool, not a security control.
| Capability Domain | Weight | What to Evaluate |
|---|---|---|
| API Discovery & Inventory | 25% | Continuous, traffic-based discovery of shadow and zombie APIs; coverage across edge, gateways, mesh, and cloud; sensitive-data classification (PII/PCI/PHI) per endpoint; attacker’s-eye external discovery; and how the platform finds APIs it was never explicitly pointed at |
| Runtime Threat Detection & Protection | 25% | Behavioral, ML-driven detection of BOLA/BOPLA, broken authentication, and credential stuffing/account takeover; business-logic abuse and sensitive-flow defense (API6); attack-sequence correlation over time; and whether the platform can enforce/block in line or only detect and alert |
| Posture & Spec Governance | 20% | OpenAPI/spec conformance and drift detection, positive-security schema enforcement, authentication and configuration posture rules, compliance mapping (PCI DSS, HIPAA, GDPR, SOC 2), and prioritized, ownable remediation rather than an undifferentiated alert pile |
| Deployment Model & Architecture Fit | 15% | Out-of-band (traffic mirroring, gateway/log ingestion, zero latency) vs. inline (proxy, sidecar, gateway plugin) options; protocol coverage for REST, GraphQL, gRPC, SOAP, and WebSockets; SaaS vs. self-hosted/air-gapped; and integration with your existing edge, mesh, and gateways without re-architecting traffic |
| AI & Agentic-API Coverage | 10% | Discovery of LLM-backed, MCP, and agent-to-API endpoints; detection of prompt injection and data exfiltration through AI responses; visibility into shadow MCP and third-party AI data flows; and how the roadmap treats agentic traffic as a first-class surface rather than an afterthought |
| Shift-Left Testing & CI/CD Integration | 5% | Pre-production API security testing and fuzzing tied to discovered specs, CI/CD pipeline gates, ticketing and SIEM/SOAR export, and how cleanly findings route to the developers who own the endpoint |
Vendor Landscape
The market splits into three camps that increasingly overlap. Standalone API-security specialists lead with continuous discovery and behavioral runtime detection, treating the API estate as the primary thing to find and defend. WAAP platforms fold API security into a broader edge service alongside WAF, bot management, and DDoS, winning on consolidation and a single bill. And the lines blur further as edge and gateway vendors acquire or build their way into API security — most visibly Akamai, which acquired Noname Security in 2024 and now ships it as Akamai API Security. Most shortlists end up comparing across these camps: a discovery-led specialist against a WAAP bundle against a gateway-adjacent analyzer.
Positioning is also being reshaped by ownership. Traceable merged into Harness in early 2025 and is now Harness API Security, folded into an AI-native DevSecOps suite; Imperva was acquired by Thales in late 2023, anchoring its API security inside a broader data-and-application-security portfolio; and Noname is now Akamai. We profile eight platforms that together cover every realistic starting point — discovery-led, runtime-led, WAAP-bundled, and shift-left — and call out current ownership for each, because in this category the logo on the contract changed recently for several of the leaders.
Salt Security
Strengths: Pioneer of the dedicated, discovery-first API security category; agentless, out-of-band deployment mirrors traffic from cloud and gateways (Kong, Apigee, MuleSoft) with zero latency and no re-architecture; behavioral ML surfaces BOLA, credential stuffing, account takeover, and data exfiltration without code-level signals; early, visible push into agentic-AI and MCP discovery. Considerations: Out-of-band model detects and alerts rather than blocking in line, so inline enforcement means pairing with a gateway or WAAP; full value depends on feeding it enough real traffic to learn baselines; premium, enterprise-oriented pricing and sales motion.
Akamai API Security (Noname)
Strengths: The former Noname Security, acquired by Akamai in 2024 for roughly $450M and now sold as Akamai API Security; strong full-lifecycle coverage — posture management, runtime protection, and API security testing — with flexible SaaS or self-hosted (including air-gapped) deployment; combines with Akamai’s App & API Protector, bot, and DDoS to make API security part of an integrated edge platform. Considerations: Mid-integration into Akamai’s portfolio and go-to-market, so packaging and roadmap are still settling; enterprise pricing and sales motion suit larger estates; the deepest value assumes you lean into the broader Akamai edge stack rather than the API module alone.
Imperva API Security
Strengths: Long-standing WAAP and data-security leader (acquired by Thales in December 2023); combines ML-driven API discovery, schema enforcement, runtime BOLA detection, and bot defense in one platform, layered on a WAF, RASP, and database-activity-monitoring heritage no pure API startup matches; consistent policy across cloud and on-prem suits regulated, hybrid estates. Considerations: Portfolio breadth and the post-acquisition integration into Thales add packaging and organizational complexity; behavioral API depth, while strong, sits inside a broad suite rather than a single-purpose focus; premium pricing; the unified console spans more than smaller teams need.
Traceable (Harness)
Strengths: Built on OpenTelemetry distributed tracing, so it follows a request from client through every microservice hop, giving unusually rich context for business-logic abuse and attack-sequence detection; strong GenAI/LLM API protection (prompt-injection and AI-data-exfiltration detection); now Harness API Security after the 2025 merger, landing API security inside an AI-native DevSecOps and software-delivery suite. Considerations: Distributed-tracing approach delivers most when instrumentation is broadly deployed, which is an adoption effort; the platform is mid-integration into the wider Harness suite, so positioning and packaging are evolving; richest value assumes buy-in to the DevSecOps platform story.
Wallarm
Strengths: Unifies API security and next-gen WAF into one inline, cloud-native WAAP that enforces (blocks) in the request path across multi-cloud and Kubernetes; protection beyond the OWASP API Top 10 to account takeover, malicious bots, and L7 DDoS; early, aggressive move into agentic-AI protection — defending autonomous systems against prompt injection and manipulation. Considerations: Inline deployment means the engine sits in the traffic path, with the sizing and availability planning that implies; discovery and posture, while solid, are less of a standalone strength than the discovery-led specialists; smaller footprint and brand than the edge incumbents.
Cequence
Strengths: Unified API protection that pairs discovery, posture, and testing with unusually strong bot and abuse defense — credential stuffing, account takeover, inventory hoarding, scraping, fake-account creation — via behavioral fingerprinting; API Spyder gives an attacker’s-eye view of externally exposed APIs; flexible SaaS, on-prem, or hybrid deployment. Considerations: Strongest where API abuse and automated fraud are the primary problem, so buyers chasing pure posture governance should weigh fit; brand and channel are smaller than the edge giants; full lifecycle value assumes adopting discovery, testing, and defense together rather than one module.
F5 Distributed Cloud API Security
Strengths: API security delivered on F5’s Distributed Cloud (SaaS WAAP) with discovery extended out-of-band across NGINX, Kong, Apigee, and effectively any gateway or proxy, including air-gapped environments; testing broadened across the OWASP API Top 10 (BOLA, broken auth, BOPLA, broken function-level auth); the same WAF/WAAP engine spans edge, NGINX at the app, and BIG-IP for consistent policy. Considerations: Full value leans on the broader F5 platform (Distributed Cloud, NGINX, BIG-IP) rather than a single API SKU; behavioral runtime depth trails the discovery-led specialists in some areas; you assemble the right mix of F5 products rather than buying one focused tool.
Data Theorem API Secure
Strengths: AppSec heritage spanning API, mobile, web, and cloud (CNAPP), so API findings tie back to the mobile apps and cloud services that call them; continuous discovery and attack-surface management with an external, attacker’s-eye view; actively hacks and tests APIs and surfaces issues in the CI pipeline; recognized strength in cloud-native and API security testing. Considerations: Heritage is testing-, discovery-, and posture-led rather than an inline runtime-blocking proxy, so pure inline enforcement means pairing with another control; breadth across mobile, cloud, and API can be more than an API-only buyer needs; behavioral runtime detection is less the center of gravity than for the runtime-led platforms.
Pricing Models & Cost Structure
API-security pricing rarely turns on a flat per-seat number — the unit of measure varies widely and is what actually drives the bill. Common bases include API traffic volume (calls or throughput), the number of discovered or protected APIs/endpoints, the number of environments or applications, and edition tier. Discovery-led SaaS specialists tend to meter on traffic or API count; WAAP-bundled platforms wrap API security into a broader edge or application-security contract; and gateway-adjacent and self-hosted options price on capacity or deployment scope. The headline figure tells you little until you model it against your real API estate and traffic.
Watch two traps. First, discovery often reveals far more APIs than you expected — which is the point — and if pricing meters on protected-API or traffic count, your bill can scale with the very sprawl you bought the tool to find, so confirm how growth is metered before you sign. Second, the cheapest tier frequently omits runtime protection or inline enforcement — i.e. the blocking capability you most need — leaving you with discovery and dashboards but no defense; price the edition that actually enforces against the OWASP API Top 10, not the one that merely watches.
| Vendor | Pricing Model | Relative Tier | Key Cost Drivers |
|---|---|---|---|
| Salt Security | SaaS subscription by API traffic / scope | Premium | API call volume, number of environments, runtime detection and posture modules, deployment scope |
| Akamai API Security (Noname) | Enterprise subscription (SaaS or self-hosted) | Premium | Number of APIs/environments, runtime + posture + testing modules, self-hosted vs. SaaS, bundling with Akamai edge |
| Imperva API Security | Modular subscription within WAAP suite | Premium | Protected apps/APIs, modules deployed (API, WAF, bot, RASP, data), cloud vs. on-prem form factor, support tier |
| Traceable (Harness) | Subscription by traffic / environment | Moderate–Premium | API traffic, instrumented environments, runtime + testing modules, bundling within the Harness platform |
| Wallarm | Subscription by requests / nodes | Moderate | Request volume, number of protected applications/APIs, inline node capacity, AI-protection add-ons |
| Cequence | Subscription by API traffic / deployment | Moderate–Premium | API transaction volume, deployment model (SaaS/on-prem/hybrid), discovery + testing + bot-defense modules |
| F5 Distributed Cloud API Security | SaaS consumption within Distributed Cloud | Moderate–Premium | Traffic/throughput, discovery sources and proxies covered, WAAP and bot add-ons, broader F5 platform footprint |
| Data Theorem API Secure | Subscription by APIs / assets covered | Moderate | Number of APIs and cloud/mobile assets, testing and ASM scope, CNAPP modules, scan frequency |
Implementation & Rollout
Sequence the rollout discovery-first, then posture, then runtime enforcement — and never turn on blocking before you understand normal. The riskiest move is enforcing inline policy on traffic you haven’t baselined, which is how you break a legitimate partner integration on day one. Connect, discover, govern posture, then enforce, starting with a low-risk API before your crown-jewel endpoints.
Integrate the platform with your edge, gateways (Apigee, Kong, MuleSoft), mesh, and cloud — via traffic mirroring, log ingestion, or sidecar — and let it run discovery against real traffic. Reconcile the surfaced inventory against what you thought you had, flag shadow and zombie APIs, and classify which endpoints touch sensitive data (PII/PCI/PHI).
Load OpenAPI specs, turn on conformance and drift detection, and apply posture rules for authentication, configuration, and compliance (PCI DSS, HIPAA, GDPR, SOC 2). Prioritize remediation by sensitivity and exposure, assign endpoint owners, and retire or document the zombie APIs discovery surfaced — all before enforcing anything.
Run runtime detection in monitoring mode to baseline normal behavior, validate BOLA, account-takeover, and business-logic-abuse detection against real and simulated attacks, and triage false positives. Switch a low-risk API to inline blocking (or alert-to-block) first, watch for breakage, then promote tier-1 APIs with a documented rollback path.
Roll out to the remaining estate, extend coverage to AI, MCP, and LLM-backed endpoints, and wire findings into SIEM/SOAR and the CI/CD pipeline so issues route to endpoint owners. Make discovery, posture review, and false-positive triage a standing process with clear ownership, and review detection efficacy and cost against the original model on a recurring cadence.
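The discover-then-govern steps above come down to one reconciliation: what the platform observes on the wire against what your OpenAPI specs claim. The following added example (not from this guide or any vendor) performs that reconciliation on a constructed spec fragment and traffic sample, reporting shadow endpoints (served but undocumented), zombie endpoints (documented but idle in the observation window) and responses carrying sensitive data; the spec, routes, response bodies and PII patterns are all assumptions made for the example.

```python
"""Added example: reconcile observed traffic against an OpenAPI spec to surface
shadow endpoints, zombie endpoints and sensitive-data exposure. The spec
fragment, traffic sample and PII patterns are constructed, not real data."""
import re
from collections import Counter

# Constructed OpenAPI 3 fragment (only the parts this check needs).
SPEC = {"paths": {
    "/v1/users/{id}": {"get": {}},
    "/v1/orders": {"get": {}, "post": {}},
    "/v1/orders/{id}": {"get": {}},
    "/v1/reports/export": {"get": {}},   # documented but never called: zombie candidate
}}

# Constructed traffic sample: (method, path, response body excerpt).
TRAFFIC = [
    ("GET", "/v1/users/42", '{"id":42,"email":"a@example.test"}'),
    ("GET", "/v1/orders", '[{"id":1041}]'),
    ("GET", "/v1/orders/1041", '{"id":1041,"card":"4111111111111111"}'),
    ("GET", "/v1/internal/debug/users",      # shadow: no spec entry at all
     '[{"email":"b@example.test","ssn":"123-45-6789"}]'),
    ("DELETE", "/v1/orders/1041", '{}'),      # documented path, undocumented method
]

# Minimal classifiers for the sensitive-data tags a platform would apply per endpoint.
SENSITIVE = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
             "pan":   re.compile(r"\b(?:\d[ -]?){13,16}\b"),
             "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}

def template_to_regex(template):
    """'/v1/users/{id}' -> regex matching exactly one path segment per {param}.
    Assumes templates contain only literal segments and {param} placeholders."""
    return re.compile("^" + re.sub(r"\{[^/]+\}", r"[^/]+", template) + "$")

def match_spec(method, path, spec):
    """Return the spec template that documents (method, path), or None."""
    for template, ops in spec["paths"].items():
        if template_to_regex(template).match(path) and method.lower() in ops:
            return template
    return None

def reconcile(spec, traffic):
    """Classify observed traffic against the spec.
    Returns {"shadow": [...], "zombie": [...], "sensitive": [(endpoint, tags)]}."""
    hits = Counter()
    shadow, sensitive = [], []
    for method, path, body in traffic:
        template = match_spec(method, path, spec)
        if template:
            hits[template] += 1
        else:
            shadow.append(f"{method} {path}")
        tags = sorted(k for k, rx in SENSITIVE.items() if rx.search(body))
        if tags:
            sensitive.append((f"{method} {path}", tags))
    zombie = [t for t in spec["paths"] if hits[t] == 0]
    return {"shadow": shadow, "zombie": zombie, "sensitive": sensitive}

if __name__ == "__main__":
    for kind, items in reconcile(SPEC, TRAFFIC).items():
        print(kind, items)
```

Each shadow entry is a spec-drift finding to route to the endpoint's owner, and a zombie entry is only a retirement candidate until you have checked that the observation window covered its normal usage cycle.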
Selection Checklist & RFP Questions
Use this checklist during evaluation to confirm each shortlisted platform covers what actually decides an API security deployment — not just a long list of detectable attacks.