API Security

Discover, profile and protect APIs in real time.

APIs expose applications and sensitive data to the internet, making them prime targets for attackers. 92% of organizations have experienced at least one security incident related to insecure APIs in the last 12 months; such incidents can cause loss of business revenue and privacy violations.


Secure Your APIs with Confidence

Prisma Cloud provides complete API discovery, risk profiling and real-time protection integrated into our cloud-native application protection platform. Protect all APIs against the OWASP API Security Top 10 risks, manage vulnerabilities, ensure compliance and protect them at runtime.
  • Continuous visibility into APIs.
  • Prioritize API risks with context.
  • Protect APIs in real time across leading attack vectors.
  • Inline and out-of-band deployment.
  • Full lifecycle protection and integration into your CI/CD pipeline.


Our Approach to API Security

API Discovery

Discover and take inventory of all your APIs, both internal and external. Gain visibility into all APIs, including rogue APIs, zombie APIs and shadow APIs.

  • Autodiscover APIs

    Automatically detect external, internal and third-party API services in all your cloud-native environments.

  • Identify all APIs

    Get a detailed view of exposed APIs — including unknown, shadow and zombie APIs — to understand the attack surface.

  • Track observations

    Explore real-time and historical metrics on security coverage, traffic activity, attack types and traffic sources, along with API observations and discovery of unprotected web applications.


API Risk Profiling

Profile your APIs to help prioritize risk. Gain insights with contextual information from business logic, sensitive data, workload vulnerabilities, API traffic and more.

  • Profile API risks

    View all risk factors based on workload vulnerabilities, exploit data and application context.

  • Detailed API observations

    Inspect API requests and responses to find sensitive data and security flaws, and to generate OpenAPI specifications.

  • Audit APIs

    Generate the basis of an OpenAPI schema and API definitions.

  • Advanced analytics for investigations

    Use analytics to observe API events in aggregate from different points of view. Filter them and dive into individual events for incident investigations.

  • API change detection

    Continuously monitor APIs for changes that introduce unwanted risk as development teams frequently update them.


Real-Time Protection

Identify and stop the attacks that web application firewalls (WAFs) and API gateways miss. Protect APIs in real time from the OWASP API Security Top 10 risks, as well as advanced DoS threats, bot attacks, file upload attacks and access control issues.

  • Secure APIs against Layer 7 attacks

    Enforce a positive security model, allowing only requests that match the API definition, from an OpenAPI or Swagger file or a manually customized definition.

  • Protect APIs against abuse

    Protections cover the OWASP API Security Top 10 as well as common injection attacks such as SQL injection, cross-site scripting and code injection.

  • Manage bot risks

    Gain visibility into, and protection against, bad bots, known good bots, headless browsers and other automation frameworks accessing protected web applications and APIs, using both static and dynamic detections.

  • Stop DoS attacks

    Enforce rate limits per IP or per session to protect against high-rate and "low-and-slow" application-layer DoS attacks.

  • Control Access

    Restrict access to your APIs based on geographical locations, IP ranges and client types.

  • Enforce secure file uploading policies

    For applications that allow users to upload files, enforce upload restrictions based on both the file extension and the file content.
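The positive API definition described above (allow only what the OpenAPI definition declares, deny everything else) can be illustrated with a small request validator. This is an added example, not Prisma Cloud code: the `OPENAPI` document, its two operations and the `validate_request` function are constructed here for illustration, and a real enforcement point would load the organization's own spec file.

```python
"""Positive-security-model check of HTTP requests against an OpenAPI definition.

Added example (not Prisma Cloud code). Requests whose path, method,
parameters or parameter values are not described by the definition are denied.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed, minimal OpenAPI 3 document; a real deployment would load the
# team's own spec file. Only the pieces this validator uses are present.
OPENAPI = {
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "fields", "in": "query", "required": False,
                     "schema": {"type": "string", "pattern": r"^[a-z_,]{1,64}$"}},
                ]
            }
        },
        "/orders": {
            "post": {
                "parameters": [
                    {"name": "X-Request-Id", "in": "header", "required": True,
                     "schema": {"type": "string", "pattern": r"^[0-9a-f-]{36}$"}},
                ]
            }
        },
    }
}

# Type-level checks; a "pattern" in the schema refines them further.
_TYPE_CHECKS = {
    "integer": re.compile(r"^-?\d+$"),
    "string": re.compile(r"^.*$", re.S),
}


def _path_regex(template):
    """Turn '/users/{id}' into an anchored regex with a named group per parameter."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def _check_value(value, schema):
    t = schema.get("type", "string")
    if t not in _TYPE_CHECKS or not _TYPE_CHECKS[t].match(value):
        return False
    if "pattern" in schema and not re.search(schema["pattern"], value):
        return False
    return True


def validate_request(method, url, headers):
    """Return (allowed, reason). Anything the definition does not describe is denied."""
    parts = urlsplit(url)
    match = None
    for template, ops in OPENAPI["paths"].items():
        m = _path_regex(template).match(parts.path)
        if m:
            match = (m, ops)
            break
    if match is None:
        return False, "path not in API definition"
    m, ops = match
    op = ops.get(method.lower())
    if op is None:
        return False, "method not defined for path"

    query = parse_qs(parts.query, keep_blank_values=True)
    hdrs = {k.lower(): v for k, v in headers.items()}
    params = op.get("parameters", [])
    declared = {(p["in"], p["name"]) for p in params}

    for p in params:
        loc, name = p["in"], p["name"]
        if loc == "path":
            values = [unquote(m.group(name))]  # decode before checking the value
        elif loc == "query":
            values = query.get(name, [])
        elif loc == "header":
            values = [hdrs[name.lower()]] if name.lower() in hdrs else []
        else:
            continue
        if not values:
            if p.get("required"):
                return False, f"missing required {loc} parameter {name}"
            continue
        for v in values:
            if not _check_value(v, p.get("schema", {})):
                return False, f"{loc} parameter {name} violates schema"

    # Positive model: query parameters the definition never mentions are rejected.
    for name in query:
        if ("query", name) not in declared:
            return False, f"undeclared query parameter {name}"
    return True, "ok"


if __name__ == "__main__":
    for req in [("GET", "/users/42?fields=name,email", {}),
                ("GET", "/users/42%27%20OR%201=1", {}),
                ("GET", "/users/42?debug=1", {}),
                ("POST", "/orders", {"X-Request-Id": "not-a-uuid"})]:
        print(req[0], req[1], "->", validate_request(*req))
```

The injection probe in the second request is denied not by a signature but because `id` is declared as an integer; that is the point of a positive model, and it is why keeping the definition current (the API change detection above) matters. The same approach extends to request bodies by validating the JSON body against the operation's `requestBody` schema.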
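The file upload policy in the last item, restricting uploads by both extension and content, is shown below as an added example that is not Prisma Cloud code. The `ALLOWED` table (extension to expected leading bytes), the size limit and the `check_upload` function are constructed for illustration.

```python
"""File-upload policy check on filename, extension and content.

Added example (not Prisma Cloud code). The policy table and limits are
constructed for illustration.
"""
import os

# Constructed policy: allowed extension -> magic-byte prefixes the content must start with.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024


def check_upload(filename, data, max_bytes=MAX_BYTES):
    """Return (accepted, reason) for a client-supplied filename and its bytes."""
    # The client controls the name: refuse path separators and NUL outright
    # rather than trying to normalize them.
    if ("/" in filename or "\\" in filename or "\x00" in filename
            or filename in ("", ".", "..")):
        return False, "path separators or NUL in filename"
    root, ext = os.path.splitext(filename)
    ext = ext.lower()
    # Reject double extensions such as shell.php.png; this strict policy also
    # rejects legitimate names like archive.tar.gz, which is a deliberate trade-off.
    if os.path.splitext(root)[1]:
        return False, "multiple extensions"
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    # Content check: the bytes must look like the type the extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content does not match {ext}"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    for name, blob in [("photo.png", png), ("shell.php", b"<?php"),
                       ("shell.png", b"<?php echo 1; ?>"), ("shell.php.png", png)]:
        print(name, "->", check_upload(name, blob))
```

The content check is a prefix check, so a polyglot (a valid PNG header followed by script) still passes it; pair the check with storing uploads outside the web root or on a separate origin, and re-encoding images where possible, so a passed file is never executed or served as a script.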


Virtual Patching

When vulnerabilities are discovered, exploit kits are often released before a patch becomes available. Protect against unpatched vulnerabilities and give your development team time to fix the issue.

  • Reduce risk until official patches are released

    Use virtual patching to create a safeguard against exploits until the underlying service can be patched.

  • Add custom API security rules for signatures from your team

    Custom rules, written with a guided, autocompleting rule editor, let you block exploits as soon as your own research teams identify a vulnerability.

  • Protect against zero-day exploits

    Automatically receive updated rules from our Unit 42® Threat Research team and choose how to apply them.


Flexible Deployment Options

Gain insight into all API-related risks without impacting application performance. Get both visibility and protection with inline and out-of-band deployment options, depending on your application's requirements.

  • Inline agent-based protection

    Get real-time visibility and alerting, and protection against API abuse and web-based attacks.

  • Out-of-band visibility

    Get full application-layer visibility into APIs and detect and alert on application-layer attacks in near real time, without adding latency or risk to the application.

  • Auto scale capability

    As your application scales out, the number of Defenders scales with it, ensuring full and uninterrupted protection of your application.

Prisma Cloud
Prisma® Cloud is the most complete cloud-native application protection platform (CNAPP) in the industry, providing the broadest security and compliance coverage for infrastructure, workloads and applications. This extensive protection spans the entire cloud-native technology stack, as well as the development lifecycle and multicloud and hybrid environments.

Prisma Cloud Related Modules


Web App Security

Protect web applications across any cloud-native architecture, public or private.


Web Application & API Security

Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.
