How is API Security different from the API protections in App and API Protector?

App and API Protector includes inline API protections (rate limiting, basic abuse detection, OpenAPI-aware enforcement) that run in line at the edge against known-bad patterns and rate thresholds. Akamai API Security runs out-of-band on traffic mirrors and uses behavioral analytics to find shadow APIs and detect business-logic abuse. The two products layer. App and API Protector blocks what the inline rules can identify. API Security finds what the inline rules cannot see and feeds findings back to App and API Protector for enforcement.

What is API discovery and why does it matter?

API discovery is the platform's identification of every API the customer is actually serving based on real traffic. Most enterprise programs do not have a complete inventory of the APIs they serve. The platform surfaces shadow APIs (running but undocumented), zombie APIs (deprecated but still serving), and APIs that came in through acquisitions or were spun up outside the security review process. Customers Merito has worked with consistently find APIs in the discovery beat that no one had documented. Discovery is the first month of every engagement.

What kinds of attacks does behavioral analytics catch?

The behavioral platform is the right architecture for the categories signature-based tools cannot catch. Account takeover, broken object level authorization (BOLA), broken function level authorization (BFLA), scraping, bulk data exfiltration, and abuse of legitimate API contracts (price scraping, inventory exhaustion, refund manipulation) are the dominant detection categories. The common factor is that individual requests are well-formed and authenticated. Only the pattern across requests reveals the abuse.

Does Akamai API Security require an OpenAPI catalog?

No. The platform infers the API inventory from real traffic. An OpenAPI catalog provides useful context where it exists, but it is not a prerequisite. Customers without a complete or accurate catalog get value on day one because discovery does not depend on the catalog being correct.

How does Akamai API Security compare to Salt Security or Noname?

All three vendors run behavioral-analytics platforms for API security. Akamai's depth shows up in the closed-loop integration with App and API Protector for inline enforcement at the Akamai edge, in the platform's traffic-mirror deployment model that is non-disruptive to onboard, and in the breadth of the discovery surface that the Neosec heritage produces. The right answer depends on existing edge tooling, the customer's gateway footprint, and how regulated the workload is.

How is Akamai API Security licensed?

Akamai API Security is licensed by API traffic volume and number of monitored APIs. The closed-loop integration with App and API Protector is an optional add-on for customers running both products. Pricing is annual subscription with usage-banded pricing. Merito sells the license and scopes the discovery beat, baseline tuning, and analyst operating model as separate services.

Akamai • Application security

Akamai API Security

Akamai API Security baselines normal API behavior across the customer's full traffic, discovers shadow APIs the security team did not know existed, and detects business-logic abuse that signature-based WAFs cannot see. Runs out-of-band on traffic so deployment is non-disruptive and discovery starts the day onboarding completes.

Merito sells Akamai API Security and runs the discovery beat, behavioral baselining, and threat-hunting workflow that turn the platform's findings into a working API security program.

Get API Security pricing Talk to a Merito API Security specialist

Best for: AppSec leaders responsible for API security across enterprise API surfaces, Financial services and fintech architects with open-banking exposure, E-commerce and marketplace teams with public-facing API products
Hosting: SaaS
Time to value: Discovery beat starts the day onboarding completes. First behavioral baselines stable in two to four weeks. Production threat-hunting operating model and case-management discipline live in eight to twelve weeks.
Security posture: GDPR, HIPAA-aligned design, SAML SSO
Last reviewed: 2026-04-27

What it is

Akamai API Security in the enterprise stack

Akamai API Security is the behavioral-analytics API security platform Akamai built from the Neosec acquisition (closed Q2 2023). The platform discovers all APIs the customer is actually serving, including shadow APIs that no one in security knew existed, baselines normal behavior per endpoint and per consumer, and detects business-logic abuse and data-exfiltration patterns that signature-based WAFs are blind to.

Discovery is the first move and the most actionable insight the platform produces. Most enterprise programs do not have a complete inventory of the APIs they serve. The platform sees real traffic, infers the API surface, and surfaces every endpoint with risk scoring against authentication, sensitive data handling, and consumer behavior. Customers Merito has worked with consistently find APIs in the discovery beat that no one had documented and no one was protecting.

Behavioral baselining is the second move. The platform learns normal request patterns per API and per consumer over time. Anomalies trigger alerts for security analysts. Business-logic abuse (account takeover, broken object level authorization, broken function level authorization, scraping, abuse of legitimate API contracts) is the category of attack that signature-based tools cannot catch because the requests are individually well-formed. The behavioral platform is the right tool for the category.

Akamai API Security pairs with Akamai App and API Protector for closed-loop blocking. When the behavioral analytics flag an abuse pattern, App and API Protector enforces the block in line at the edge. The two products layer rather than compete, and the dominant Merito recommendation for customers with significant API surface area is both products together.

Ideal use cases

Initial API discovery against an unknown or partially documented API surface
Behavioral baselining and detection of business-logic abuse
Threat hunting against suspected account-takeover or data-exfiltration patterns
API posture management and continuous audit of authentication and sensitive-data handling
Closed-loop blocking pairing API Security detection with App and API Protector enforcement

What it is best at

Where Akamai API Security earns its seat

Discovery breadth

The platform sees real traffic and surfaces every API the customer is serving, including shadow APIs that no one in security knew about. Most competing products require a known catalog as input. Akamai's depth here comes directly from the Neosec heritage.

Behavioral analytics for business-logic abuse

Account takeover, BOLA, BFLA, scraping, and abuse of legitimate API contracts are the categories signature-based tools cannot catch because the requests are individually well-formed. Behavioral baselining is the right architecture for the category.

Out-of-band deployment is non-disruptive

The platform runs on traffic mirrors rather than in line, so deployment does not change the request path. Discovery starts the day onboarding completes; the customer does not need to re-architect ingress to get value.

Core capabilities

Akamai API Security capabilities, grouped by outcome

API discovery

Continuous identification of every API the customer is actually serving, with risk scoring.

Traffic-derived inventory
Real traffic produces the inventory rather than a customer-supplied OpenAPI catalog. Surfaces APIs that exist but were not documented and APIs that exist but were forgotten.
Shadow and rogue API detection
Identifies APIs serving from production infrastructure that are not in the customer's known inventory. Includes APIs that survived deprecation, APIs from acquired companies, and APIs spun up outside the security review process.
Per-API risk scoring
Each discovered API gets a risk score across authentication posture, sensitive-data handling, consumer behavior, and recent anomaly volume. Drives prioritization for the customer's security team.

Behavioral baselining

Per-endpoint and per-consumer behavioral models that drive anomaly detection.

Endpoint baselines
Each API endpoint gets a normal-behavior baseline covering request rate, payload shape, response distribution, and error patterns.
Consumer baselines
Per-API-key and per-token baselines for consumer behavior. Catches a single consumer behaving abnormally even when total API traffic looks normal.
Anomaly clustering
Anomalous requests cluster into events for analyst review rather than producing per-request alerts. Reduces analyst toil compared with raw alert streams.

Business-logic abuse detection

Detection of attack categories signature-based tools cannot catch.

Account takeover detection
Behavioral signals consistent with credential stuffing, session hijacking, and post-login lateral movement.
BOLA and BFLA detection
Broken Object Level Authorization and Broken Function Level Authorization patterns identified by anomalous object-id access patterns and unauthorized function invocation.
Scraping and data-exfiltration patterns
Behavioral indicators of large-scale enumeration, scraping, and bulk data extraction even when individual requests pass authentication.
Abuse of legitimate API contracts
Patterns where authenticated consumers use the API in ways consistent with abuse rather than the documented contract (price scraping, inventory exhaustion, refund manipulation).

Threat hunting workspace

Analyst-facing workflow for investigating anomalies.

Investigation queue
Anomaly clusters land in an analyst queue with full request context, behavioral baseline comparison, and recommended next steps.
Query workspace
Analysts query historical traffic to validate hypotheses about specific behavioral patterns and consumer behavior.
Case management
Cases include findings, evidence, and decision trail. Cases hand off cleanly to the customer's broader incident response process.

Closed-loop integration

Where API Security findings flow back into runtime enforcement.

App and API Protector blocking
When API Security flags an abuse pattern, App and API Protector enforces the block in line at the edge. Closes the loop between detection and enforcement without manual policy authoring.
API gateway integrations
Findings flow into Apigee, Kong, MuleSoft, and AWS API Gateway for in-gateway enforcement on traffic that does not traverse Akamai.
SIEM and ticketing forwarding
Cases and high-severity findings flow into Splunk, Sentinel, ServiceNow, and Jira for cross-tool detection and incident response.

Where it fits in the stack

How Akamai API Security connects to the rest of your landscape

Akamai platform (native)

Native

Akamai App and API ProtectorClosed-loop blocking when API Security flags an abuse pattern. App and API Protector enforces the block in line.
Akamai DataStreamTraffic and finding telemetry forwarded into the customer's analytics surface.
Akamai Identity CloudIdentity context for consumer-keyed behavioral baselines and account-takeover detection.

API gateways (certified)

Certified

Apigee, Kong, MuleSoft, AWS API GatewayFindings flow into customer-managed API gateways for in-gateway enforcement on traffic that does not traverse Akamai.
Tyk, Ambassador, GraviteeLighter-weight gateway integrations for customers running open-source or smaller-footprint API gateways.

SIEM and ticketing (certified)

Certified

Splunk, QRadar, Microsoft Sentinel, ChronicleCases and high-severity findings forwarded for cross-tool detection engineering and incident response.
ServiceNow, Jira, PagerDutyCases hand off into the customer's case-management and on-call workflow.

Custom integrations

Custom

Internal data lakesBehavioral telemetry exported into customer-managed data lakes for cross-tool detection engineering.
Custom anomaly handlersCustomer-specific automation handlers for high-severity findings, including account suspension and rate-limit adjustments.
Custom posture-management reportingCustomer-specific evidence packages for API security posture in PCI, HIPAA, and SOX audits.

Deployment and implementation

How it rolls out

Hosting: SaaS (Global)
Implementation complexity: Moderate
Typical time to value: Discovery beat starts the day onboarding completes. First behavioral baselines stable in two to four weeks. Production threat-hunting operating model and case-management discipline live in eight to twelve weeks.
Prerequisites: Traffic mirror configuration agreed with the customer's network team
OpenAPI catalog (where available) for context, though not required
Named API security analyst or analyst pool
Case-management and incident-response operating model agreed
What Merito usually handles: Akamai API Security runs as SaaS with traffic mirrored from the customer's API ingress. Deployment is out-of-band and non-disruptive. Merito handles traffic-mirror configuration, the discovery beat against the surfaced inventory, behavioral baseline tuning, and the analyst operating model that turns findings into cases the customer's security team works.

Licensing and packaging

How it is bought

Model: Subscription
What to expect: Akamai API Security is licensed by API traffic volume and number of monitored APIs, with optional add-ons for closed-loop integration with App and API Protector. Pricing is annual subscription with usage-banded pricing. Merito sells the license and scopes the discovery beat, behavioral baseline tuning, and analyst operating model as separate services.
Editions and modules: Akamai API Security
Discovery, behavioral baselining, business-logic abuse detection, threat-hunting workspace, and case management.
Best for: Programs needing comprehensive API security across discovered and known APIs.
Closed-loop with App and API Protector
Adds inline enforcement at the Akamai edge for abuse patterns API Security detects.
Best for: Customers running both Akamai API Security and App and API Protector wanting enforcement without manual policy authoring.
Common expansion areas: Add Akamai App and API Protector for inline enforcement of API Security findings
Add Akamai DataStream for high-volume telemetry forwarding
Add MAPS Assessment for API security program scoping
Extend gateway integrations into Apigee, Kong, MuleSoft, and AWS API Gateway

Merito services

How Merito helps you win with Akamai API Security

Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.

API Security Implementation

Traffic-mirror configuration, discovery beat against the customer's API surface, behavioral baseline tuning, and analyst onboarding.

Explore service 02

MAPS Assessment

AppSec program scoping for API security adoption alongside Salt Security, Noname, and other behavioral-analytics platforms.

Explore service 03

DevOps Consulting

API discovery findings flowing into developer ticketing and posture remediation in CI/CD. API gateway-side enforcement integrations.

Explore service 04

Premium Support

Named engineer, priority SLAs, and release-window coverage for Akamai API Security in production.

Explore service 05

Managed Services

Long-term run support including ongoing baseline tuning, threat-hunting case operations, and behavioral-analytics maturity progression.

Explore service 06

Staff Augmentation

Merito-placed API security analysts embedded on long-running programs running the threat-hunting queue alongside the customer's team.

Explore service

Akamai API Security licensing

Buy API Security from the partner that runs the discovery beat and tunes the baselines.

Behavioral analytics pays back when discovery is run first and baselines are given time to stabilize. Buy the license through Merito and get the discovery, the analyst operating model, and the closed-loop integration with App and API Protector together.

Request API Security pricing

Merito point of view

Discovery is the first move and the most actionable insight the platform produces. Skip it and the program starts a step behind.

The customers Merito has worked with on Akamai API Security all find APIs in the discovery beat that no one had documented and no one was protecting. The platform sees real traffic, infers the API inventory, and surfaces shadow endpoints. The first month should be a discovery-led engagement with the customer's security team rather than a behavioral-detection rollout. Going straight to detection-and-response without that discovery beat skips the most actionable insight the product produces.

Behavioral baselining is the second move and pays back over a longer arc. The platform learns normal patterns per API and per consumer over weeks of traffic. Premature alerting against thin baselines produces noise. Merito's standard rollout treats the first eight to twelve weeks as baseline-tuning weeks during which the analyst operating model is built against ground-truth attack categories the customer's industry actually faces.

Akamai API Security is sometimes scoped as a replacement for the API protections inside App and API Protector. It is not. App and API Protector blocks known-bad signatures and rate-limits in line at the edge. API Security finds shadow APIs and detects behavioral patterns the inline WAF cannot see. Programs with significant API surface run both products together. The closed-loop integration where API Security findings drive App and API Protector enforcement is the right architecture.

What buyers usually underestimate

Skipping the discovery beat in favor of an immediate detection-and-response rollout
Pushing alerts to analysts before behavioral baselines have stabilized
Treating API Security as a replacement for the inline WAF rather than as the layer that finds what the WAF cannot see
Not closing the loop between API Security findings and App and API Protector enforcement
Letting the case-management operating model drift, so findings accumulate without analyst follow-up

Related from Merito

Continue exploring Akamai API Security on Merito

Akamai API Security FAQs

Consultation request

Talk to Merito about Akamai API Security

Share your API surface, current API security tooling, and the abuse categories you are most worried about. A Merito API Security specialist follows up within one business day.

Discovery first

Find the shadow APIs in month one

The platform sees real traffic and surfaces every API the customer is actually serving. Customers consistently find APIs no one had documented.

Behavioral analytics

Catch what signature WAFs cannot

Account takeover, BOLA, BFLA, scraping, and abuse of legitimate API contracts. The categories where individual requests look legitimate but the pattern reveals abuse.

Next step

Discover the APIs nobody documented. Then defend them.

An Akamai API Security engagement with Merito starts with discovery against the customer's actual API surface. The shadow APIs surface in the first month. The behavioral baselines stabilize in the next two months. Then the program runs.

Book an API Security consultation

Akamai API Security

Merito sells Akamai API Security and runs the discovery beat, behavioral baselining, and threat-hunting workflow that turn the platform's findings into a working API security program.

How it rolls out

Hosting

SaaS (Global)

Implementation complexity

Moderate

Typical time to value

Discovery beat starts the day onboarding completes. First behavioral baselines stable in two to four weeks. Production threat-hunting operating model and case-management discipline live in eight to twelve weeks.

Prerequisites

Traffic mirror configuration agreed with the customer's network team
OpenAPI catalog (where available) for context, though not required
Named API security analyst or analyst pool
Case-management and incident-response operating model agreed

What Merito usually handles

Akamai API Security runs as SaaS with traffic mirrored from the customer's API ingress. Deployment is out-of-band and non-disruptive. Merito handles traffic-mirror configuration, the discovery beat against the surfaced inventory, behavioral baseline tuning, and the analyst operating model that turns findings into cases the customer's security team works.

How it is bought

Model

Subscription

What to expect

Akamai API Security is licensed by API traffic volume and number of monitored APIs, with optional add-ons for closed-loop integration with App and API Protector. Pricing is annual subscription with usage-banded pricing. Merito sells the license and scopes the discovery beat, behavioral baseline tuning, and analyst operating model as separate services.

Editions and modules

Akamai API Security
Discovery, behavioral baselining, business-logic abuse detection, threat-hunting workspace, and case management.
Best for: Programs needing comprehensive API security across discovered and known APIs.
Closed-loop with App and API Protector
Adds inline enforcement at the Akamai edge for abuse patterns API Security detects.
Best for: Customers running both Akamai API Security and App and API Protector wanting enforcement without manual policy authoring.

Common expansion areas

Add Akamai App and API Protector for inline enforcement of API Security findings
Add Akamai DataStream for high-volume telemetry forwarding
Add MAPS Assessment for API security program scoping
Extend gateway integrations into Apigee, Kong, MuleSoft, and AWS API Gateway

Talk to Merito about Akamai API Security

Share your API surface, current API security tooling, and the abuse categories you are most worried about. A Merito API Security specialist follows up within one business day.

Discovery first

Find the shadow APIs in month one

The platform sees real traffic and surfaces every API the customer is actually serving. Customers consistently find APIs no one had documented.

Behavioral analytics

Catch what signature WAFs cannot

Account takeover, BOLA, BFLA, scraping, and abuse of legitimate API contracts. The categories where individual requests look legitimate but the pattern reveals abuse.