API Security with Zuplo and Akamai

The API is the business. Payment flows, customer data, AI agents, partner integrations — all of it runs over APIs. Traditional WAFs were built for web applications, not APIs, and the attack surface is fundamentally different: threats are behavioral, endpoints multiply faster than anyone tracks, and a single misconfigured route can expose an entire database. Zuplo and Akamai address this from two complementary directions — enforcement at the gateway, and continuous visibility across the full API estate.

  • 87% of organizations suffered an API security incident last year (Akamai API Security Impact Study, 2026)
  • ~40% of enterprise APIs are shadow, zombie, or rogue, unknown to security teams (Akamai operational finding)
  • $700K average annual cost of API-related breaches per organization (Akamai API Security Impact Study, 2026)
  • 80% of enterprises use a WAF, but only 35% use dedicated API security tools (Akamai API Security Impact Study, 2026)

Why a WAF isn't enough

80% of enterprises rely on a WAF for API security. Only 35% use dedicated API security tooling. The gap matters because API attacks don't look like web attacks.

What a WAF catches

  • SQL injection and XSS
  • Known CVE exploit signatures
  • Volumetric DDoS at the network layer
  • OWASP Top 10 web vulnerabilities

What a WAF misses

  • BOLA — requests using legitimate credentials to access wrong objects
  • Business logic abuse — valid requests causing unintended behavior
  • Shadow and zombie APIs with no controls at all
  • Data scraping that looks like normal usage at low volume

Akamai's finding: Modern API attacks are "low and slow." They use legitimate credentials and legal protocol structures to perform illegal acts. Signature-based tools cannot detect them.

The threat landscape

The OWASP API Security Top 10 defines the categories that cause the most real-world API breaches. Understanding each threat is the first step to building effective defenses.

Broken Object Level Authorization (BOLA)

The #1 API threat. Attackers manipulate object identifiers in requests to access data belonging to other users. Each request looks legitimate — no WAF signature matches. Detection requires understanding what's normal for a given user.

Shadow, zombie, and rogue APIs

APIs deployed outside formal processes (shadow), inactive endpoints left running after retirement (zombie), or third-party backdoors (rogue). All lack authentication, rate limits, and monitoring. Attackers find them through enumeration and path fuzzing.

Business logic abuse

Exploiting application design flaws to cause unintended behavior — price manipulation, account enumeration, transaction replay. Looks identical to legitimate traffic. Only detectable by establishing behavioral baselines and spotting deviations.

Unrestricted resource consumption

Aggressive querying to scrape datasets, exhaust compute, or degrade service for other consumers. APIs without rate limits are fully exposed. A single consumer with no quota can take down a backend.

Broken authentication

Weak API key schemes, long-lived tokens without rotation, missing expiry enforcement, or credentials committed to source code. Once a key is compromised, an attacker has full access until manual revocation.

Security misconfiguration

Excessive data exposure, permissive CORS, verbose error responses, open debug endpoints, and missing transport security. Often introduced during rapid development cycles and invisible without continuous audit.

Two layers of defense

Effective API security requires both enforcement — blocking attacks in real time — and visibility — knowing what's happening across your entire API estate. Zuplo and Akamai each handle one side.

Zuplo — Enforcement at the gateway

Authentication, authorization, rate limiting, and validation on every request

API key authentication

Fully managed API keys validated at the gateway before requests reach any backend. Format includes a checksum (invalid keys rejected in microseconds), a prefix registered with GitHub's secret scanning program (automatic alerts if a key is committed to any repo), and fast global revocation via the management API.

JWT / OpenID Connect

Native support for Auth0, Okta, Azure AD, Cognito, Firebase, Clerk, Supabase, and any OpenID-compliant identity provider. Token signature, expiration, audience, and issuer validated at the gateway — backends never see an unauthenticated request.

Rate limiting and quotas

Enforce limits per IP, per authenticated user, per API key, or via custom TypeScript logic for per-plan or per-consumer limits. Stack multiple windows (for example a short burst window plus a daily quota). Over-limit requests receive a 429 response with a Retry-After header. This stops resource exhaustion and credential stuffing before requests reach your backend.
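An added example, not Zuplo's runtime code, of the stacked windows and the 429 plus Retry-After response described above. It assumes constructed limits (5 requests per 10 s burst, 1000 per day), constructed consumer ids, and an in-memory store in place of the gateway's own state:

```typescript
// Added example, not Zuplo's runtime code: a per-consumer limiter that stacks
// a short burst window on a daily quota and yields a 429 with Retry-After.
// Limits, consumer ids and timestamps are constructed for illustration.

interface Window { name: string; limit: number; seconds: number }
interface Bucket { count: number; resetAt: number }

const WINDOWS: Window[] = [
  { name: "burst", limit: 5, seconds: 10 },       // 5 requests per 10 s
  { name: "daily", limit: 1000, seconds: 86400 }, // 1000 requests per day
];

type Decision =
  | { allowed: true }
  | { allowed: false; window: string; retryAfter: number };

// consumerId -> window name -> fixed-window bucket (in-memory for the example)
const buckets: Record<string, Record<string, Bucket>> = {};

function checkRateLimit(consumerId: string, nowMs: number): Decision {
  if (!buckets[consumerId]) buckets[consumerId] = {};
  const perConsumer = buckets[consumerId];
  // First pass: refresh expired windows and stop at the first exhausted one.
  // A rejected request must not consume quota in windows that still had room.
  for (const w of WINDOWS) {
    const b = perConsumer[w.name];
    if (!b || nowMs >= b.resetAt) {
      perConsumer[w.name] = { count: 0, resetAt: nowMs + w.seconds * 1000 };
      continue;
    }
    if (b.count >= w.limit) {
      const retryAfter = Math.max(1, Math.ceil((b.resetAt - nowMs) / 1000));
      return { allowed: false, window: w.name, retryAfter };
    }
  }
  // Second pass: every window had room, so count the request in all of them.
  for (const w of WINDOWS) perConsumer[w.name].count += 1;
  return { allowed: true };
}

// Shape of the rejection the gateway returns; a well-behaved client waits Retry-After seconds.
function rateLimitedResponse(d: { window: string; retryAfter: number }) {
  return {
    status: 429,
    headers: { "Content-Type": "application/json", "Retry-After": String(d.retryAfter) },
    body: JSON.stringify({ error: "rate_limited", window: d.window }),
  };
}

function resetRateLimits(): void {
  for (const k of Object.keys(buckets)) delete buckets[k];
}
```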

Request validation

Validates every request body, query parameter, path parameter, and header against your OpenAPI spec before it reaches any backend. Rejects malformed payloads with structured 400 errors. Closes injection vectors that WAF signatures miss.

RBAC and authorization policies

Role-based access control, JWT scope validation, ACL policies, and consumer metadata-based authorization. Each API key maps to a Consumer with arbitrary metadata (plan tier, org ID, permissions) available at runtime for fine-grained access decisions.
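An added example, not Zuplo's own policy code, of the consumer-metadata authorization described here and of the BOLA check the threat section calls for: the credential is valid, so the question is whether it is valid for the object named in the path. The Consumer shape, route table, role names and tenant ids are constructed for illustration:

```typescript
// Added example, not Zuplo's own policy code. A validated API key has already
// been mapped to a Consumer record carrying metadata; this check compares the
// tenant in the path with the tenant on the consumer (object level, OWASP API1)
// and the consumer's roles with what the route requires (function level, API5).
// Consumer shape, route rules, role names and ids are constructed.

interface Consumer { id: string; metadata: { orgId: string; roles: string[] } }

interface RouteRule { pattern: RegExp; requiredRole: string }

// Constructed route table: capture group 1 is the tenant id in the path.
const RULES: RouteRule[] = [
  { pattern: /^\/orgs\/([^/]+)\/invoices\/[^/]+$/, requiredRole: "billing:read" },
  { pattern: /^\/orgs\/([^/]+)\/members$/, requiredRole: "org:admin" },
];

type AuthzResult =
  | { allow: true }
  | { allow: false; status: 403 | 404; reason: string };

function authorize(consumer: Consumer, path: string): AuthzResult {
  const rule = RULES.find((r) => r.pattern.test(path));
  if (!rule) return { allow: false, status: 404, reason: "unknown route" };
  const pathOrgId = path.match(rule.pattern)![1];
  // Object-level check: a legitimate key used against another tenant's object.
  // Answer 404 rather than 403 so one tenant cannot enumerate another's ids.
  if (pathOrgId !== consumer.metadata.orgId) {
    return { allow: false, status: 404, reason: "object belongs to another tenant" };
  }
  // Function-level check: same tenant, but does the role cover this route?
  if (!consumer.metadata.roles.includes(rule.requiredRole)) {
    return { allow: false, status: 403, reason: `missing role ${rule.requiredRole}` };
  }
  return { allow: true };
}
```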

Audit logs and observability

Per-request audit trail of authentication outcomes, rate limit decisions, and policy rejections. Structured logs stream to Akamai TrafficPeak (Hydrolix) for real-time dashboards and ad-hoc queries — including per-consumer usage breakdowns.

Akamai API Security — Visibility across the estate

Discovery, behavioral analytics, and OWASP Top 10 coverage across all APIs

Continuous API discovery

Automatically discovers and inventories all APIs enterprise-wide — including shadow, zombie, rogue, and AI-linked APIs. Ingests traffic from Akamai CDN, WAFs, API gateways, cloud platforms, and container orchestration. Approximately 40% of a typical enterprise's API estate is unknown before the first scan.

OWASP API Top 10 coverage

Purpose-built testing and detection against all 10 OWASP API Security Risks (2023 edition), including BOLA, broken authentication, unrestricted resource consumption, and security misconfiguration. 200+ automated tests runnable in CI/CD pipelines.

Behavioral analytics

Machine learning establishes baselines of normal API usage per actor and per business process. Detects anomalies that WAF signatures cannot — BOLA exploitation, business logic abuse, data scraping, impossible time travel, JSON property anomalies, and account takeover via legitimate credentials.

Sensitive data classification

Identifies which APIs return PII, financial data, intellectual property, or internal documentation. Surfaces data exposure risk without requiring manual audit. All traffic samples are obfuscated for privacy compliance.

East-west traffic monitoring

API Security monitors internal service-to-service traffic, not just north-south API calls. Lateral movement, internal BOLA, and shadow microservices are visible — critical for zero-trust and compliance programs.

Response and workflow automation

Integrates with SIEMs, WAFs, and ITSM tools to create automated remediation workflows. Detected threats can trigger Jira tickets, Splunk alerts, and WAF blocklist updates — reducing the time from detection to enforcement.

How Zuplo and Akamai work together

Akamai sees the full API estate. Zuplo enforces security at the gateway. Together they close the loop between detection and enforcement.

1. Akamai discovers shadow and zombie APIs

Continuous scanning across your Akamai CDN traffic, cloud platforms, and API gateways surfaces APIs that are live but unmanaged — no auth, no rate limits, no observability.

2. Unmanaged APIs are migrated behind Zuplo

Once discovered, the path to securing shadow APIs is to bring them behind the Zuplo gateway. Authentication, rate limiting, validation, and audit logs apply immediately.

3. Akamai monitors behavioral baselines across the estate

Machine learning establishes what normal looks like for each consumer and each business process — including APIs behind Zuplo. BOLA, business logic abuse, and data scraping are detectable against this baseline.

4. Detected threats inform Zuplo enforcement

When Akamai identifies a malicious consumer, your security team can revoke the API key via Zuplo's management portal or API. Revocation takes effect quickly — reducing the window between detection and the attacker being locked out.

5. Zuplo's audit trail feeds Akamai's compliance reporting

Per-request logs — authentication outcomes, rate limit decisions, policy rejections — stream to Akamai TrafficPeak (Hydrolix) and can be forwarded to Akamai API Security's SIEM integrations for unified reporting.

OWASP API Security Top 10 coverage

How Zuplo and Akamai together address each risk in the OWASP API Security Top 10 (2023 edition).

| Risk | Vulnerability | Zuplo | Akamai |
|------|---------------|-------|--------|
| API1 | Broken Object Level Authorization | RBAC + consumer metadata authorization | Detects unauthorized object access via behavioral analytics |
| API2 | Broken Authentication | API keys, JWT, mTLS, HMAC enforced at the gateway | Identifies APIs with weak or missing auth controls |
| API3 | Broken Object Property Level Authorization | Request validation + scope-based policies | Monitors for unauthorized property-level access patterns |
| API4 | Unrestricted Resource Consumption | Rate limiting + quota policies per consumer or plan | Real-time volumetric anomaly detection and DoS alerts |
| API5 | Broken Function Level Authorization | Route-level RBAC and JWT scope validation | Behavioral timeline tracking; alerts on admin function abuse |
| API6 | Unrestricted Access to Sensitive Business Flows | Custom TypeScript policies for business logic enforcement | ML baselines detect business logic abuse and replay attacks |
| API7 | Server Side Request Forgery | Custom TypeScript policies can enforce URL allowlisting on route parameters; schema validation alone does not prevent SSRF | Detects SSRF patterns in behavioral analysis |
| API8 | Security Misconfiguration | Policy-as-config enforces consistent controls across all routes | Continuous audit against configuration best practices |
| API9 | Improper Inventory Management | All Zuplo-managed APIs documented and governed | Discovers shadow, zombie, and rogue APIs across the full estate |
| API10 | Unsafe Consumption of APIs | Not directly addressed at the gateway layer; requires application-level validation of third-party responses | Continuously monitors third-party APIs for exploitation |

Ready to close the API security gap?

Talk to the Zuplo team about deploying gateway-level enforcement alongside Akamai API Security.
