
2024 Gartner Market Guide for API Security

The Market Guide for API Protection highlights the significant threat posed by API-related cybersecurity attacks, emphasizing the need for specialized products to secure APIs. It outlines key findings, recommendations for organizations to assess and protect their APIs, and the evolving landscape of API protection solutions. The guide also discusses the market dynamics, including vendor consolidation and emerging capabilities, while providing insights into the essential features and functionalities of API protection tools.


Licensed for Distribution

Market Guide for API Protection


29 May 2024 - ID G00811586 - 18 min read

By Dionisio Zumerle, Aaron Lord, and 2 more

Cybersecurity attacks that use APIs as an attack vector constitute a major threat to organizations and their sensitive data. This Market Guide can help security and risk
management leaders understand which specialized products can assist in securing their organization’s APIs, and how.

Overview
Key Findings
APIs — especially shadow and dormant ones — are causing data breaches among organizations that, on average, exceed the magnitude of other breaches. Many of these breaches can be attributed to
access control misconfigurations.

Security leaders require additional security capabilities to protect their APIs beyond basic, but necessary, security policy enforcement such as rate limiting, token validation, session management and
transport security — especially in industry verticals with high-security requirements.

API protection products provide discovery, security posture management and runtime protection to identify APIs and their exposures, and protect APIs from abuse and access violations.

While the early adopters of API protection have been acquiring products from specialized vendors, the market is rapidly consolidating with offerings from web application and API protection (WAAP), API
management and cloud infrastructure and platform service (CIPS) providers competing with stand-alone API protection providers.

Recommendations
Start using API protection products to discover and categorize your organization’s APIs. Identify critical APIs that are publicly exposed and provide access to sensitive data.

Perform a continuous security posture management assessment over the inventoried APIs to identify and provide recommendations to fix their potential exposures.

Prepare for the additional workload that runtime protection may create. The behavioral anomaly detection that API runtime protection employs may be challenging to manage internally and may be better
handled if outsourced to the API protection provider or a managed security services provider.

Assess the API protection capabilities provided by your incumbent WAAP or API gateway provider before investigating specialized API protection vendors. Opt for a shorter-term subscription if you decide to
go for a product from a stand-alone vendor.
Market Definition
API protection products protect APIs from exploits, abuse and access violations, and assist in remediating API exposures. These products perform API discovery and posture management and provide runtime
protection. API protection products may be delivered as cloud-based or on-premises solutions.

API protection products serve to provide capabilities to organizations that need to protect their data assets primarily from attacks against the first-party APIs they expose publicly. They also need to provide
coverage for the internal APIs and the third-party APIs that they may consume. API products deliver a catalog of inventoried APIs, a prioritized list of remediations of API exposures and alerts on suspicious or
malicious activity on APIs.

Mandatory Features
Perform API discovery by inspecting resources such as edge traffic, application workloads and code repositories.

Secure APIs through at least one of the following approaches:

Perform API posture management by identifying misconfigurations and unsecured implementations within APIs or underlying API infrastructure such as API gateways, and provide remediation guidance.

Perform API runtime protection by identifying malicious or anomalous API behavior and alerting on or blocking such behavior.

Common Features
Provide API security governance by allowing users to define desired security policies and security configurations, and inspect and assess APIs for compliance with those policies.

Identify sensitive data sent over first- or third-party API requests or responses, and enforce security policies.

Provide API security testing by identifying vulnerabilities using techniques such as dynamic application security testing and fuzzing.

Provide ways to ease and automate deployment of the API protection product components on the end-user organization’s network or cloud instances.

Market Description
Security is the top concern for organizations when it comes to API strategies, with 37% of respondents considering security among their top challenges, according to the 2024 Gartner API Strategy Survey [1]. API security breaches are a major concern among organizations, especially with API traffic increasing and API breaches becoming more frequent. Current data indicates that the average API breach leads to at least 10 times more leaked data than the average security breach [2,3,4].

Approach: Most organizations begin protecting APIs by focusing first on those that are homegrown (first-party APIs), public-facing and provide connectivity to critical applications. Organizations also look at
API protection tools as they make extensive use of third-party APIs, including APIs provided by SaaS platforms, as well as specialist APIs for payments, mapping, recruitment and other purposes. They use API
protection in order to monitor and sometimes block sensitive data sent to third parties.

Industries: Organizations in the banking, financial services, insurance and online retail verticals are particularly interested in specialized API protection products, although enterprises from all industries, especially highly regulated ones, are inquiring about the market.

Delivery: Depending on the vendor and the architecture, API protection products may be delivered as a cloud-based service or on-premises. Depending on the end-user organization architecture, certain
integrations of the product may be in the cloud-based instances that the organization uses, in the organization’s edge network and/or within the organization’s on-premises workloads.
End users: Security practitioners are the primary end users of API protection tools. These products generate remediation guidance and responses that have an impact and trigger collaboration with various
groups, such as developers, security operations, platform engineering, and infrastructure and operation teams.

Capabilities: API protection tools focus on providing three main capabilities (see Figure 1):

1. API discovery

2. API security posture management

3. API runtime protection (or API detection and response)

These align with the traits of modern application security products (see How to Protect Your Cloud-Native Applications in Production).

Figure 1: API Protection Tool Deployment and Functionality


Discovery
API protection products automatically identify and create an inventory of the APIs that an organization has produced or is actively using. Security leaders often mention that the main objective of this exercise is to identify dormant (also known as “zombie”) and shadow (also known as “rogue”) APIs. Both of these types of APIs are problematic because they are not visible to the organization and thus do not abide by the organization’s security policies.

There are a variety of techniques for discovery, and the more techniques a product can offer, the more complete the discovery is. Some of the techniques used include inspecting traffic, inspecting code
repositories, instrumenting containers (e.g., with a Kubernetes DaemonSet or Sidecar, or via Linux eBPF [Note 2]). Techniques also include integrating and querying existing infrastructural components such as
WAAP and API gateways. Some providers also discover APIs using application security testing (AST) techniques such as interactive AST (IAST), web crawling and static analysis of the code of a mobile app.

Posture Management
The API protection product assesses the inventoried APIs for misconfigurations or insecure implementations. For example, the API could present sensitive data in URLs, or return sensitive data in responses without authentication. Many of the most frequently encountered issues can be found in the OWASP API Security Top 10 list [5]. Tools are also able to create reports for compliance with various regulations.

Solutions increasingly try to evaluate the risk of each misconfiguration and prioritize them based on characteristics such as the criticality of the API, and whether it is publicly exposed. Tools also provide recommendations on how to remediate misconfigurations. Most tools are also able to ingest description files such as OAS/Swagger and GraphQL schemas, and then compare the actual traffic with the ingested schema at runtime (see Note 3).
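The discovery and schema-comparison steps described above, written out as an added example that is not code from the Market Guide or from any vendor's product. It takes a constructed, trimmed OpenAPI-style description and a few constructed edge-traffic lines and reports shadow operations (seen in traffic, absent from the schema), dormant operations (documented but never observed), undocumented query parameters and sensitive data carried in URLs. The SPEC layout, the log format and the sensitive-data patterns are assumptions made for this example.

```python
"""Discovery and schema drift analysis over traffic (constructed example)."""
import re
from collections import defaultdict

# Assumed, trimmed stand-in for an OAS/Swagger file: path template -> {method: [documented query params]}.
SPEC = {
    "/v1/accounts/{accountId}": {"get": []},
    "/v1/accounts/{accountId}/transactions": {"get": ["limit"]},
    "/v1/users/{userId}": {"get": [], "delete": []},
}

# Constructed edge-traffic sample, one request per line: "METHOD path[?query] status".
TRAFFIC = """\
GET /v1/accounts/1001 200
GET /v1/accounts/1001/transactions?limit=50 200
GET /v1/accounts/1001/transactions?limit=50&ssn=123-45-6789 200
GET /v1/users/42 200
GET /v1/admin/export?email=alice@example.com 200
GET /v1/accounts/2002 200
""".splitlines()

# Assumed heuristics for "sensitive data in URLs": parameter names and value shapes.
SENSITIVE_NAMES = {"ssn", "password", "token", "card", "secret"}
SENSITIVE_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


def compile_spec(spec):
    """Turn each path template into a regex; a {param} placeholder matches exactly one segment."""
    return [(t, re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", t) + "$"), ms) for t, ms in spec.items()]


def parse_line(line):
    """Split a traffic line into method, path and a dict of query parameters."""
    method, url, _status = line.split()
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&") if p)
    return method, path, params


def normalize(path):
    """Collapse numeric ids so repeated calls to an unknown endpoint group into one shadow entry."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def analyze(spec, lines):
    """Compare observed traffic with the schema and return the four kinds of finding."""
    compiled = compile_spec(spec)
    seen_ops, shadow = set(), set()
    undocumented_params, sensitive_in_url = defaultdict(set), []
    for line in lines:
        method, path, params = parse_line(line)
        # Posture check: sensitive data in the URL, checked before the schema match so shadow calls are covered too.
        for name, value in params.items():
            if name.lower() in SENSITIVE_NAMES:
                sensitive_in_url.append((line, name))
                continue
            for kind, pat in SENSITIVE_VALUE_PATTERNS.items():
                if pat.match(value):
                    sensitive_in_url.append((line, f"{name} looks like {kind}"))
        hit = next(((t, ms) for t, p, ms in compiled if p.match(path)), None)
        if hit is None or method.lower() not in hit[1]:
            shadow.add(f"{method} {normalize(path)}")  # operation not in the schema
            continue
        template, methods = hit
        seen_ops.add((method.lower(), template))
        extra = set(params) - set(methods[method.lower()])
        if extra:
            undocumented_params[f"{method} {template}"] |= extra
    dormant = sorted(f"{m.upper()} {t}" for t, _, ms in compiled for m in ms if (m, t) not in seen_ops)
    return {
        "shadow": sorted(shadow),
        "dormant": dormant,
        "undocumented_params": {k: sorted(v) for k, v in undocumented_params.items()},
        "sensitive_in_url": sensitive_in_url,
    }


if __name__ == "__main__":
    for kind, findings in analyze(SPEC, TRAFFIC).items():
        print(kind, findings)
```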

The main recipients of this guidance are security teams, infrastructure teams and developers. “Developer enablement” — how easily a developer can act upon receiving the guidance to remediate the finding — is one of the most critical aspects of an API protection tool. The tool could simply refer to the vulnerability along with a generic definition. It could provide a detailed explanation, accompanied by a video, or it could even provide customized code to replace the existing code and fix the exposure. ASPM and AST tools also serve these aspects and could be used in concert where needed.

Runtime Protection
Runtime protection focuses on recognition of patterns of behavior that indicate malicious usage of the API during runtime. For example, an attacker’s incoming request demands data for an account with a
number that does not match the account for which the API client is authenticated. The anomaly detection engine is typically trained with datasets of similar attacks and is able to recognize the attack.

Additionally, the solution will ingest data related to normal behavior from the API. Most solutions are able to operate after a relatively short period of ingesting data. Depending on the solution and how invasive
the security leaders setting up the solution want to be, products are able to issue remediation tickets or to act directly on the infrastructure to block an attacker.

Any innovation that uses behavioral anomaly detection will inevitably present false positives. Anomalous behavior does not always mean something is malicious, and current machine learning can only go so
far in determining business logic in order to triage findings. If an organization already has a substantial security operations center (SOC), this will probably not pose a problem. For other organizations, it is
important to have a managed service in place — either from the vendor itself or from a third-party managed security service provider (MSSP).
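An added example, not from the Market Guide or from any product, of the two kinds of runtime finding this section describes: a deterministic object-level access check (the request names an account the authenticated subject does not own, as in the example above) beside a simple behavioral baseline on distinct accounts touched per client. Products use trained anomaly models for the second part; here a fixed threshold stands in for the model, and an allowlist of known bulk clients stands in for the business context the text says a model cannot infer on its own. Event fields, the account-path layout and the baseline threshold are assumptions.

```python
"""Runtime protection illustration: deterministic checks, not a trained anomaly model (constructed example)."""
import re
from collections import defaultdict


def ev(t, client, subject, owns, path):
    """Constructed API event as a runtime component might see it after the gateway validated the token:
    the subject and the accounts it owns come from token claims, the requested account from the URL.
    owns=["*"] marks an assumed service account entitled to every account."""
    return {"t": t, "client": client, "subject": subject, "owns": set(owns), "path": path}


EVENTS = [
    ev(1, "app-7", "u1", ["1001"], "/v1/accounts/1001"),
    ev(2, "app-7", "u1", ["1001"], "/v1/accounts/1001/transactions"),
    ev(3, "app-7", "u2", ["2002"], "/v1/accounts/2002"),
    ev(4, "cli-9", "u3", ["3003"], "/v1/accounts/3003"),
    ev(5, "cli-9", "u3", ["3003"], "/v1/accounts/3004"),  # not owned by u3
    ev(6, "cli-9", "u3", ["3003"], "/v1/accounts/3005"),  # not owned by u3
    ev(7, "ops-1", "svc", ["*"], "/v1/accounts/1001"),     # back-office job, legitimately broad
    ev(8, "ops-1", "svc", ["*"], "/v1/accounts/2002"),
    ev(9, "ops-1", "svc", ["*"], "/v1/accounts/3003"),
    ev(10, "app-7", "u1", ["1001"], "/v1/health"),          # no account in path, ignored
]

ACCOUNT_IN_PATH = re.compile(r"^/v1/accounts/(\d+)")


def requested_account(path):
    m = ACCOUNT_IN_PATH.match(path)
    return m.group(1) if m else None


def authorization_violations(events):
    """High-confidence findings: the account in the URL is not one the token's subject owns."""
    findings = []
    for e in events:
        acct = requested_account(e["path"])
        if acct is None or "*" in e["owns"] or acct in e["owns"]:
            continue
        findings.append({"t": e["t"], "client": e["client"], "subject": e["subject"], "account": acct})
    return findings


def distinct_account_anomalies(events, baseline_distinct=2, known_bulk_clients=()):
    """Lower-confidence findings: a client touches more distinct accounts than the assumed baseline.
    Clients listed in known_bulk_clients are expected to do this and are skipped; without that
    context the service account below would be a false positive of exactly the kind the text warns about."""
    touched = defaultdict(set)
    for e in events:
        acct = requested_account(e["path"])
        if acct:
            touched[e["client"]].add(acct)
    return sorted((c, len(a)) for c, a in touched.items()
                  if len(a) > baseline_distinct and c not in known_bulk_clients)


def evaluate(events, mode="alert", known_bulk_clients=()):
    """Turn findings into actions. Only violations are ever blocked, and only in block mode;
    anomalies always become tickets because they need human triage."""
    actions = []
    for v in authorization_violations(events):
        actions.append(("block" if mode == "block" else "ticket", "object-level access violation", v))
    for c, n in distinct_account_anomalies(events, known_bulk_clients=known_bulk_clients):
        actions.append(("ticket", "distinct-account anomaly", {"client": c, "distinct_accounts": n}))
    return actions


if __name__ == "__main__":
    for action in evaluate(EVENTS, mode="block", known_bulk_clients=("ops-1",)):
        print(*action)
```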
Market Direction
Cybersecurity Consolidation and API Protection
The API protection market has not been immune to cybersecurity platform consolidation. Of the nine representative vendors mentioned in Innovation Insight for API Protection in 2022, two have been acquired
by WAAP vendors and are being offered as an additional API security capability. We expect the API protection space to produce a limited number of best-of-breed vendors that will remain stand-alone and
expand their portfolio of cloud, application and data security offerings. Others will become parts of broader application security offerings.

Although many organizations today prefer stand-alone API protection products, we expect further market activity that will make it easier for organizations to deploy WAAP that includes API protection-specific
capabilities. Additional market activity expected includes mergers and acquisitions (M&A) between WAAP and API protection vendors, WAAP offerings that build up API protection capabilities, and expansion
of certain existing API protection vendors into web and cloud-native application security protection.

Gartner clients often inquire about whether they can use existing cloud-native application protection platform (CNAPP) solutions to provide API protection capabilities. Although a limited number of CNAPP vendors have entered the API protection space, this is a concrete possibility in the future [6].

We also see partnerships to complement capabilities between established API gateway or CIPS providers, and specialized API protection vendors [3,7]. In addition to WAAP vendors, we also see security vendors from other areas such as application security or security operations enter this space with dedicated offerings [8].

We also see API management providers that develop and release specialized stand-alone API protection modules, in addition to the security policy enforcement that they currently provide [9]. While some organizations, especially smaller ones, can benefit from that approach, many large organizations do prefer having separate security tools.

Maturity of API Protection Products


In the first deployments of runtime protection, we have witnessed Gartner clients that complain about too many false positives, as we have seen issues with the products in terms of integration with the
existing infrastructure (e.g., API gateways). This is a sign that the technology is still maturing — API threat protection is heading into the Trough of Disillusionment in Gartner’s Hype Cycle for Application
Security, 2023.

Licensing, Pricing and Market Conditions


Licensing and pricing are in evolution and are challenging for organizations to manage. Security leaders are able to justify spending for API protection products based on the magnitude of the threat and the
fact that cybersecurity budgets keep increasing (see The 2024 CIO and Technology Executive Agenda: Franchise Digital Delivery). Most vendors license their products based on either number of API
endpoints or number of API calls. Most security leaders acquire these products with a primary need to discover their APIs, which makes it difficult to negotiate the right API volume option for them.

Certain vendors license per node, which, even though it can vary, is a more predictable model because most organizations are aware of the number of nodes they have. The volatility of the market adds another factor of uncertainty for pricing. Many of the stand-alone vendors entered the market with very aggressive expectations for growth and exit, accompanied by significant venture capital (VC) funding, especially in the 2020 to 2021 time frame.

The recent geopolitical changes that raised inflation, including resultant interest rate rises and cost cutting, impacted the market and obliged some of these vendors to lower the expectations and valuations,
and settle for longer exit strategies with milder expected growth. The same market pressures also forced vendors to eliminate the substantial discounts we observed for first-year subscriptions, raising prices
for buyers of API protection products.
Emerging and Evolving Capabilities
API security governance is an emerging capability. It allows the administrator of the tool to define and enforce security policies. Unlike posture management, this is a top-down enforcement. It also allows for
compliance reports for specific regulations to be generated automatically.

Another emerging capability is the ability to understand sensitive data flows and enforce remediating actions. API protection tools are able to identify data flows. Some tools have limited ability to identify
personally identifiable information (PII) and other kinds of sensitive data. Most tools currently do not yet provide full data loss prevention (DLP) capabilities, such as categorizing data and applying sensitivity
labels or taking actions to block the sensitive data from exfiltrating. API protection providers are currently working to strengthen their capabilities for this use case. At the same time, organizations can obtain
DLP functionality for similar use cases from their security service edge (SSE) and SaaS security posture management (SSPM) tools.

Market Analysis
The API Security Landscape

API protection is an important component of a complete API security program. API protection does not equate to API security. Proper access control and security policy enforcement are fundamental, and API protection tools build on that.

Access control is typically provided by identity and access management (IAM) systems in conjunction with API gateways. Security policies such as transport security and rate limiting are provided by API
gateways and WAAP products. Research Index: Everything You Should Do to Address API Security provides a full list of research reports that are relevant in an API security project.

API security has a broad scope, and use cases vary. While many API security projects focus, at least at first, on protecting publicly exposed APIs, there are many other use cases that may require additional or
different tools than API protection tools, such as:

Internal connectivity of east-west APIs that may benefit from microsegmentation

Mobile app scenarios that may require app shielding

Open banking and other API integration use cases that may find their basis in API gateways and integration platform as a service (iPaaS), with the focus being on access control

API Security Posture Management and API Security Testing


Posture management and testing are closely related. Theoretically, the main difference between the two is that posture management does not actively test the API as testing techniques such as dynamic application security testing (DAST) and fuzzing do. Instead, posture management analyzes the operation of the API to identify misconfigurations. Practically, there is significant overlap in the outcomes and findings that these two approaches provide. Theoretically, posture management is better positioned to identify business logic exposures, and less so technical vulnerabilities, because it identifies API behaviors rather than responses to technical attacks.

Some API protection vendors offer stand-alone API security testing as part of their broader offering. This type of testing is meant to be applied throughout the development life cycle, with an emphasis on the
earlier stages and usage by developers. Posture management is typically applied at the later stages. To provide valuable findings, posture management needs to observe the operation of the API.

In the market, we see some vendors that primarily use API security testing techniques, but offer an API protection product, for a security buying audience.
In-Line Deployment Versus Out-of-Band Integration
Unlike WAAP products, most API protection products do not require installation as an in-line component. Some products allow the option to provide an in-line component if needed. Some products, to be able
to respond and block threats, integrate with components such as the incumbent WAAP.

Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Vendor Selection
Table 1 introduces a list of representative vendors that provide API protection capabilities. Not all vendors provide the full range of discovery, posture management and runtime protection capabilities. Certain
vendors are focused on identifying API vulnerabilities and provide an offering that includes discovery, testing and posture management. Other vendors are focused on runtime protection and provide an initial
activity of discovery and categorization of the APIs, and subsequently monitor the APIs for malicious events. Increasingly, vendors try to close gaps in their offerings by either partnering with vendors that have
complementary offers in the space or expanding their own offers.

Table 1: Representative Vendors in API Protection

Vendor | Product
42Crunch | API Security Platform
Akamai | API Security
Akto | Akto Cloud, Akto Self-hosted
APIsec | APIsec Enterprise
Cequence Security | API Sentinel
Cloudflare | API Gateway
Data Theorem | API Secure
Escape | Escape
F5 | Distributed Cloud API Security
FireTail | FireTail
Ghost Security | Ghost Platform
Google Cloud | Apigee Advanced API Security
Graylog | Graylog API Security
Imperva | Imperva API Security
Levo | Levo.ai
Microsoft | Defender for API
Noname Security [a] | API Security
NSFOCUS | Web Application & API Protection
Operant | API Threat Protection
Orca Security | API Security
Ping Identity | PingIntelligence for APIs
Prophaze | API Security
Salt Security | API Protection Platform
ThreatX | API Protection, Runtime API and Application Protection (RAAP)
Traceable | API Security Platform
Wallarm | Advanced API Security

[a] On 7 May 2024, Akamai announced the intent to acquire Noname Security (see Akamai Announces Intent to Acquire API Security Company Noname).

Source: Gartner

Market Recommendations
Start using API protection products to discover and categorize your organization’s APIs. Identify critical APIs that are publicly exposed and provide access to sensitive data.

Perform a continuous security posture management assessment over the inventoried APIs to identify and provide recommendations to fix their potential exposures. Ensure you deploy the products in a
production environment to ensure the findings are meaningful.

Prepare for the additional workload that runtime protection may create. The behavioral anomaly detection that API runtime protection employs may be challenging to manage internally and may be better
handled if outsourced to the API protection provider or a managed security services provider.

Assess the API protection capabilities provided by your incumbent WAAP or API gateway provider before investigating specialized API protection vendors.

Opt for a shorter-term subscription if you decide to go for a product from a stand-alone vendor. Secure a yearly subscription with negotiated terms for the second and third years when selecting a product from a stand-alone API protection vendor. Do not commit for a long term in a volatile, consolidating market.

Evidence

[1] 2024 Gartner API Strategy Survey. This survey was conducted online from 27 February through 8 March 2024 to understand the API strategy of organizations through API usage, API styles and AI APIs. In total, 89 IT leaders who are Research Circle members, a Gartner-managed panel, participated. The respondents were screened based on their knowledge about the use and priorities of APIs in their organizations. They were primarily from North America (n = 43), EMEA (n = 33), Asia/Pacific (n = 10) and Latin America (n = 3). Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.

[2] API Data Breach Tracker, FireTail.

[3] Cost of a Data Breach Report 2023, IBM X-Force.

[4] List of Data Breaches and Cyber Attacks in 2023 — 8,214,886,660 Records Breached, IT Governance.

[5] OWASP Top 10 API Security Risks — 2023, OWASP API Security Project team.

[6] Orca Security Expands Coverage of Industry’s Most Comprehensive Cloud Security Platform With First Agentless API Security Solution for Multi-Cloud Environments, Orca Security.

[7] 42Crunch and Microsoft’s Defender for Cloud Partner to Deliver End-to-End API Security, 42Crunch.

[8] Graylog Acquires Resurface.io’s API Security Solution, Graylog.

[9] Apigee Rolls Out New AI-Powered API Protection Features, TechCrunch.

Note 1: Gartner’s Initial Market Coverage


This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.

Note 2: eBPF Definition


Extended Berkeley Packet Filter (eBPF):

A technology that allows executing programs within a kernel (typically Linux) without requiring modifications to the kernel

Increasingly utilized in cybersecurity by workload and application security tools

Allows monitoring and inspection of cloud-native applications

Note 3: Schema Drift Analysis Definition


Schema drift analysis:

The ability to compare the pattern of the traffic with the ingested or created schema

Also referred to by API protection providers as schema drift analysis or API contract analysis

© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It
consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner
disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not
be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity." Gartner research may not be used as input into or for the training or development of generative
artificial intelligence, machine learning, algorithms, software, or related technologies.
