Wallarm

Wallarm

Category: API Security
License: Commercial
Visit Website →

Wallarm is an integrated application and API security platform that combines web application firewall capabilities with specialized API protection.

The platform discovers APIs automatically, detects threats in real-time, and blocks attacks without requiring manual rule configuration or signature updates.

What is Wallarm?

Modern applications rely heavily on APIs, yet traditional WAFs struggle to protect them effectively.

Wallarm addresses this gap by treating API security as a first-class concern alongside web application protection.

The platform uses machine learning to understand normal API behavior and detect anomalies that indicate attacks.

Wallarm deploys as an inline node (similar to a WAF) or as an out-of-band monitor.

The inline mode actively blocks threats while the monitoring mode provides visibility without impacting traffic.

Both modes feed the same analytics dashboard for unified security visibility.

Key Features

Automatic API Discovery

Wallarm discovers APIs by analyzing traffic patterns.

The platform identifies endpoints, parameters, data types, and authentication methods without requiring API specifications.

Shadow APIs and undocumented endpoints become visible, helping teams understand their actual API attack surface.

AI-Powered Threat Detection

Machine learning models establish baselines of normal API behavior and flag deviations.

This approach catches zero-day attacks and business logic abuse that signature-based systems miss.

The AI adapts to your specific API patterns rather than relying on generic attack signatures.

API Abuse Prevention

Beyond traditional injection attacks, Wallarm detects API-specific threats:

  • Credential stuffing and account takeover
  • Scraping and data exfiltration
  • Rate limit bypass attempts
  • Business logic manipulation
  • Inventory enumeration

OWASP API Security Coverage

Protection against the OWASP API Security Top 10:

  • Broken Object Level Authorization (BOLA)
  • Broken Authentication
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection attacks
  • Improper Assets Management
  • Insufficient Logging & Monitoring

GraphQL Security

Specialized protection for GraphQL APIs including:

  • Query depth limiting
  • Query complexity analysis
  • Introspection blocking
  • Batching attack prevention
  • Field-level authorization enforcement

Bot Management

Distinguish between legitimate automation and malicious bots.

The system identifies bot signatures, behavioral patterns, and client fingerprints.

Policies can allow, challenge, or block different bot categories.

Installation

Wallarm deploys via several methods depending on your infrastructure.

Docker Deployment

docker run -d \
  --name wallarm-node \
  -e WALLARM_API_TOKEN="your-token" \
  -e NGINX_BACKEND="http://your-backend:8080" \
  -p 80:80 \
  wallarm/node:latest

Kubernetes (Helm)

helm repo add wallarm https://charts.wallarm.com
helm repo update

helm install wallarm-ingress wallarm/wallarm-ingress \
  --set controller.wallarm.enabled=true \
  --set controller.wallarm.token="your-token"

NGINX Module

# Add Wallarm repository
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo gpg --dearmor -o /usr/share/keyrings/wallarm.gpg

# Install module
sudo apt-get install wallarm-node-nginx

# Register node
sudo /usr/share/wallarm-common/register-node --token <your-token>

Cloud Connectors

Native integrations available for:

  • AWS (ALB, API Gateway, CloudFront)
  • Azure (Application Gateway, Front Door)
  • Google Cloud (Cloud Armor, Load Balancer)
  • Cloudflare Workers

How to Use Wallarm

Basic Configuration

Configure protection policies in the Wallarm Console:

# wallarm.yaml
mode: block  # or monitoring
api_discovery: enabled
sensitivity: balanced

rules:
  - name: "Block SQLi"
    action: block
    attacks: [sqli]

  - name: "Rate limit login"
    endpoint: "/api/v1/login"
    rate_limit: 10/minute
    action: block

API Discovery Settings

api_discovery:
  enabled: true
  sensitive_data_detection: true
  baseline_period: 7d
  endpoints:
    include:
      - "/api/*"
    exclude:
      - "/health"
      - "/metrics"

Custom Detection Rules

custom_rules:
  - name: "Protect admin endpoints"
    match:
      path: "/admin/*"
    require:
      header: "X-Admin-Token"
    action: block

  - name: "Prevent enumeration"
    match:
      path: "/api/users/{id}"
    detect:
      sequential_ids: true
      threshold: 50/minute
    action: challenge

GraphQL Configuration

graphql:
  enabled: true
  introspection: block  # block in production
  max_depth: 10
  max_complexity: 1000
  batching:
    enabled: true
    max_queries: 5

Integration

GitHub Actions (API Testing)

name: API Security Scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Start application
        run: docker-compose up -d

      - name: Run Wallarm Scanner
        uses: wallarm/api-scanner-action@v1
        with:
          api-token: ${{ secrets.WALLARM_TOKEN }}
          target-url: http://localhost:8080
          openapi-spec: ./openapi.yaml

      - name: Check results
        run: |
          if [ -f wallarm-results.json ]; then
            cat wallarm-results.json
          fi

Terraform Deployment

resource "wallarm_node" "api_gateway" {
  name = "production-gateway"

  settings {
    mode = "block"

    api_discovery {
      enabled = true
    }

    rate_limiting {
      enabled   = true
      threshold = 1000
      period    = "1m"
    }
  }
}

resource "wallarm_rule" "protect_payments" {
  node_id = wallarm_node.api_gateway.id

  match {
    path = "/api/payments/*"
  }

  action = "block"
  sensitivity = "high"
}

SIEM Integration

Forward security events to your SIEM:

integrations:
  siem:
    type: syslog
    host: siem.example.com
    port: 514
    protocol: tcp
    format: cef

  splunk:
    type: hec
    url: https://splunk.example.com:8088
    token: ${SPLUNK_TOKEN}
    index: security

CI/CD Pipeline Integration

# GitLab CI
api-security:
  stage: security
  image: wallarm/api-scanner:latest
  script:
    - wallarm-scanner --target $CI_ENVIRONMENT_URL --spec openapi.yaml
  artifacts:
    reports:
      dast: wallarm-report.json
  only:
    - main

When to Use Wallarm

Wallarm fits organizations that need to:

  • Protect APIs alongside traditional web applications
  • Discover and inventory shadow APIs automatically
  • Detect API-specific attacks like BOLA and business logic abuse
  • Secure GraphQL endpoints with query analysis
  • Integrate runtime protection into cloud-native infrastructure

The platform works well for API-first companies, microservices architectures, and organizations modernizing legacy applications.

The automatic API discovery helps teams get visibility quickly without requiring complete API documentation.

For basic WAF needs without significant API traffic, simpler solutions may suffice.

Wallarm delivers value when API security is a priority and you need detection capabilities beyond signature-based approaches.

Other API Security Tools

42Crunch
42Crunch

OpenAPI Spec Audit & Conformance

Akamai API Security (Noname)
Akamai API Security (Noname)

Edge-Based API Protection at Scale

APIsec
APIsec

AI-Powered API Pentesting Platform

Cequence Security
Cequence Security

Unified API Protection with Native Blocking

See all API Security tools