Akamai API Security is an enterprise API protection platform that combines the capabilities of Noname Security (acquired by Akamai in June 2024) with Akamai’s global edge network infrastructure.
What is Akamai API Security?
Akamai API Security provides comprehensive protection for APIs across their entire lifecycle, from development through production.
The platform discovers all APIs in your environment, assesses their security posture, detects threats in real time, and enables active testing during development.
Following Akamai’s acquisition of Noname Security, the platform gained access to Akamai’s edge network spanning more than 4,100 locations worldwide.
This integration enables API security enforcement closer to the source of traffic while maintaining the advanced detection capabilities Noname developed for API-specific threats.
The solution operates without requiring agents or inline deployment, analyzing API traffic through out-of-band inspection.
This approach provides visibility into API behavior without introducing latency or becoming a point of failure.
Key Features
Comprehensive API Discovery
The platform automatically discovers and catalogs all APIs in your environment, including shadow APIs that development teams may have deployed without security team awareness.
Discovery works across cloud, on-premises, and hybrid environments by analyzing traffic patterns and identifying API endpoints, data types, and authentication mechanisms.
For organizations running GenAI applications, the platform specifically identifies LLM-connected APIs and monitors for AI-specific risks like prompt injection and data leakage through API calls.
Security Posture Management
API posture management continuously assesses your APIs against security best practices and compliance requirements.
The platform identifies misconfigurations such as missing authentication, excessive data exposure, improper error handling, and deprecated protocol usage.
Assessments map to the OWASP API Security Top 10, helping security teams prioritize remediation based on industry-recognized risk categories.
Dashboards provide visibility into posture trends over time and highlight APIs that require immediate attention.
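As an added example (not Akamai's code or part of the product), the following Python shows the kind of posture check this section describes, applied to an OpenAPI 3 document: it flags operations that require no authentication, cleartext server URLs, undefined security schemes, and deprecated operations. The sample spec is constructed, and the `assess_posture` name and the mapping to OWASP API Security Top 10 (2023) categories are assumptions of this example.

```python
# Added example: static posture check over an OpenAPI 3 document.
# SAMPLE_SPEC is constructed; the OWASP category mapping is this example's assumption.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.com/v1"}],
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/orders/{id}": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "delete": {"security": [], "responses": {"204": {"description": "deleted"}}},
        },
        "/health": {"get": {"security": [{}], "responses": {"200": {"description": "ok"}}}},
        "/v0/users": {"get": {"deprecated": True, "responses": {"200": {"description": "ok"}}}},
    },
}

def assess_posture(spec):
    """Return sorted (owasp_category, location, issue) tuples for one spec."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for server in spec.get("servers", []):
        if server.get("url", "").startswith("http://"):
            findings.append(("API8:2023", server["url"], "cleartext HTTP server URL"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            where = f"{method.upper()} {path}"
            # Operation-level security overrides the global one; [] or {} means anonymous.
            reqs = op.get("security", spec.get("security", []))
            if not reqs or any(r == {} for r in reqs):
                findings.append(("API2:2023", where, "no authentication required"))
            for name in sorted({n for r in reqs for n in r if n not in schemes}):
                findings.append(("API8:2023", where, f"undefined security scheme {name}"))
            if op.get("deprecated"):
                findings.append(("API9:2023", where, "deprecated operation still exposed"))
    return sorted(findings)

if __name__ == "__main__":
    for category, where, issue in assess_posture(SAMPLE_SPEC):
        print(f"{category:10} {where:28} {issue}")
```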
Runtime Threat Detection
Machine learning models analyze API traffic in real time to detect attacks and anomalous behavior.
The system establishes baseline behavior for each API and alerts when requests deviate from normal patterns, identifying:
- Credential stuffing and account takeover attempts
- Broken object-level authorization (BOLA) attacks
- Data scraping and enumeration
- API abuse and rate limit evasion
- Business logic exploitation
Native blocking capabilities allow the platform to stop attacks without requiring a separate WAF, reducing response time from detection to mitigation.
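The baseline-and-deviation idea above, reduced to a single signal, as an added Python example (not Akamai's detection models): it compares how many distinct object IDs each client requests on an endpoint against the median of its peers and flags outliers, the pattern that BOLA probing and enumeration tend to produce. The log records, the `detect_enumeration` name, and the `k` and `min_ids` thresholds are assumptions made for this example.

```python
# Added example: peer-baseline check for object-ID enumeration (a BOLA signal).
# Log records are constructed; thresholds k and min_ids are illustrative assumptions.
import re
from collections import defaultdict
from statistics import median

ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")
DENIED = {401, 403, 404}

def build_sample_log():
    """Constructed records: (client, method, path, status)."""
    log = []
    normal = {"alice": [101, 101, 102], "bob": [201, 202], "carol": [301], "dave": [401, 402]}
    for client, ids in normal.items():
        log += [(client, "GET", f"/api/orders/{i}", 200) for i in ids]
    # One client requesting 40 consecutive order IDs, most of them denied.
    log += [("client-x", "GET", f"/api/orders/{i}", 200 if i % 3 == 0 else 403)
            for i in range(100, 140)]
    return log

def detect_enumeration(log, k=5.0, min_ids=10):
    """Flag clients whose distinct-object count is far above the per-endpoint baseline."""
    ids_seen = defaultdict(lambda: defaultdict(set))   # endpoint -> client -> object IDs
    denied = defaultdict(int)                          # (endpoint, client) -> denied count
    for client, method, path, status in log:
        ids = ID_SEGMENT.findall(path)
        if not ids:
            continue
        template = ID_SEGMENT.sub("/{id}", path)       # /api/orders/17 -> /api/orders/{id}
        endpoint = f"{method} {template}"
        ids_seen[endpoint][client].update(ids)
        denied[(endpoint, client)] += status in DENIED
    alerts = []
    for endpoint, clients in ids_seen.items():
        counts = {c: len(s) for c, s in clients.items()}
        base = median(counts.values())
        # Median absolute deviation; fall back to 1 when most peers are identical.
        mad = median(abs(n - base) for n in counts.values()) or 1.0
        for client, n in counts.items():
            if n >= min_ids and (n - base) / mad > k:
                alerts.append((endpoint, client, n, denied[(endpoint, client)]))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

Each alert is `(endpoint, client, distinct_ids, denied_responses)`; a high denied count alongside a high ID count points to probing rather than a busy legitimate integration.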
Active Testing in CI/CD
Shift-left security testing integrates into development pipelines to identify API vulnerabilities before deployment.
The testing module generates attacks based on API specifications (OpenAPI, Swagger) and validates that APIs handle malicious input correctly.
Tests cover authentication bypass, injection attacks, broken access controls, and business logic flaws specific to each API’s functionality.
Integration
Deployment Options
Akamai API Security supports multiple deployment models to fit different architectures:
- Traffic Mirroring: Deploy sensors that mirror API traffic for out-of-band analysis without affecting production performance.
- API Gateway Integration: Native connectors for AWS API Gateway, Azure API Management, Google Cloud API Gateway, Kong, and Apigee route traffic metadata to the platform.
- Edge Integration: For customers using Akamai’s CDN, API traffic analysis happens at the edge with findings flowing to the central console.
CI/CD Pipeline Integration
```yaml
# GitHub Actions example
name: API Security Testing
on:
  pull_request:
    branches: [main]
jobs:
  api-security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start application
        run: docker compose up -d
      - name: Run Akamai API Security scan
        env:
          AKAMAI_API_KEY: ${{ secrets.AKAMAI_API_KEY }}
          AKAMAI_API_URL: ${{ secrets.AKAMAI_API_URL }}
        run: |
          # Upload OpenAPI spec for testing (--fail turns HTTP errors into a failed step)
          curl --fail -X POST "$AKAMAI_API_URL/api/v1/specs" \
            -H "Authorization: Bearer $AKAMAI_API_KEY" \
            -F "[email protected]"
          # Trigger security test
          curl --fail -X POST "$AKAMAI_API_URL/api/v1/tests" \
            -H "Authorization: Bearer $AKAMAI_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{"target": "http://localhost:8080", "spec_id": "latest"}'
```
```yaml
# GitLab CI example
stages:
  - build
  - test
  - security
api-security:
  stage: security
  image: curlimages/curl:latest
  script:
    - |
      # Register API endpoints (--fail turns HTTP errors into a failed job)
      curl --fail -X POST "$AKAMAI_API_URL/api/v1/discover" \
        -H "Authorization: Bearer $AKAMAI_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{\"environment\": \"staging\", \"base_url\": \"$STAGING_URL\"}"
      # Run OWASP API Top 10 tests
      curl --fail -X POST "$AKAMAI_API_URL/api/v1/tests/owasp" \
        -H "Authorization: Bearer $AKAMAI_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{\"target\": \"$STAGING_URL\"}"
  only:
    - merge_requests
```
SIEM and SOAR Integration
The platform exports security events to SIEM systems through native integrations:
```json
{
  "integrations": {
    "splunk": {
      "enabled": true,
      "hec_endpoint": "https://splunk.example.com:8088",
      "index": "api_security"
    },
    "sentinel": {
      "enabled": true,
      "workspace_id": "your-workspace-id"
    }
  }
}
```
Webhook support enables custom integrations with SOAR platforms for automated incident response.
When to Use Akamai API Security
Ideal for organizations that:
- Operate hundreds or thousands of APIs across multiple teams and environments
- Already use Akamai edge services and want integrated API protection
- Need to discover shadow APIs deployed without security team knowledge
- Require runtime protection with native blocking (not just detection)
- Process sensitive data through APIs and need compliance reporting
- Run GenAI applications with LLM-connected APIs
Consider alternatives if:
- You have a small number of APIs and need a simpler, lower-cost solution
- You prefer open-source tools with self-managed infrastructure
- You need deep integration with a specific API gateway not supported by Akamai
Akamai API Security combines enterprise-grade API protection with the global reach of Akamai’s edge network, making it particularly well-suited for large organizations with distributed API deployments and high-volume traffic patterns.