Akamai API Security

Akamai API Security 's main use case in my environment is to protect critical APIs that are exposed to the internet, especially for banking and financial applications. I primarily use it to secure APIs handling sensitive operations such as user authentication, account access, payment processing, and data retrieval. These APIs are high risk because they directly interact with sensitive customer data. From a protection standpoint, I use Akamai API Security  to detect and mitigate threats like bot abuse, credential stuffing, injection attacks, and unauthorized access attempts.

I also enforce controls such as rate limiting and access validation to prevent misuse of the API.

From a monitoring perspective, I continuously analyze API traffic patterns to identify anomalies such as unusual spikes in requests, abnormal behavior from specific IPs, or any deviations from the normal API usage. Additionally, I focus on identifying OWASP API security risks such as broken authentication or excessive data exposure and ensure the appropriate policies are in place to mitigate those risks. Overall, the goal is to ensure that all external-facing APIs are secure, resistant, and protected against both automated and targeted attacks.

One recent example I worked on was securing a login and authentication API for a banking application. This API was being heavily targeted by automated bot traffic, mainly for credential stuffing attempts. I observed a high volume of login requests coming from a limited set of IP ranges with abnormal request patterns. Using Akamai API Security, I analyzed the traffic behavior and identified that these were non-human requests with repetitive patterns.

Based on this, I implemented rate-limiting controls and stricter access policies to restrict excessive login attempts. Additionally, I tuned the security rules to detect anomalies such as unusual request frequency and abnormal headers. This helped me to effectively block malicious traffic while allowing legitimate users. After implementing these controls, I saw a significant reduction in unauthorized login attempts and improved overall stability of the API. This was a key use case where I used Akamai API Security for both detection and prevention of bot-driven attacks.

Apart from the primary use case of protecting authentication APIs, I have also seen significant value in using Akamai API Security for detecting and controlling abnormal API usage patterns. One key scenario was identifying excessive data access through a certain API where clients were making unusually high-frequency requests to retrieve the data. While this was not a direct attack, it had the potential to impact application performance and expose sensitive data patterns.

Using Akamai API Security, I was able to baseline the normal API behavior and quickly identify these anomalies. Based on that, I implemented rate limiting and access restrictions to control such usage. Another area where it made a difference was in reducing the false positives. By analyzing the API traffic behavior more intelligently, I was able to fine-tune policies so that legitimate users were not impacted while still maintaining strong security controls. Overall, Akamai API Security helped me to move from reactive security to a more proactive and behavior-based approach, thus improving both security and user experience.

One of the best features of Akamai API Security is its ability to automatically discover and map APIs, which gives complete visibility into all exposed endpoints, including shadow or undocumented APIs. This is very important from a security standpoint. Another key feature that stands out is the behavior analysis. Instead of relying only on static rules, it analyzes the normal API traffic patterns and helps in detecting anomalies such as unusual request volumes or abnormal user behavior.

I also find the integration with WAF  very effective as it allows me to enforce security policies such as rate limiting, access control, and protection against OWASP API threats in a unified way. Additionally, the detailed visibility and analytics it provides for API traffic, such as request patterns, client behavior, and threat insights, are very useful for both monitoring and troubleshooting. Among these, the most valuable feature for me is the behavioral-based detection combined with API discovery because it helps me to proactively identify unknown risks and secure APIs more effectively.

Behavioral-based detection and API discovery have been very useful in my day-to-day operations, especially for identifying unknown risks. From an API discovery perspective, it has helped me identify shadow or undocumented APIs that were exposed but not properly secured. In one case, I found an internal data API that was accessible externally, which was not part of the official API inventory. This was potentially a security risk, and I was able to take immediate action to secure it.

From a behavioral detection standpoint, it helped me understand what normal API traffic looks like, such as typical request rate, user behavior, and access patterns. Based on this baseline, I was able to quickly detect anomalies. For example, I observed a sudden increase in requests to specific API endpoints from a small set of IPs, which was not part of the normal behavior. Even though it was not triggering the traditional WAF  rules, behavioral analysis flagged it as suspicious. Based on this, I implemented rate-limiting and access controls, which helped prevent potential abuse and ensured that the API remains stable. Overall, these features helped me to move beyond static rule-based security and enabled a more proactive and intelligent approach to API protection.

Akamai API Security has had a very positive impact on my organization, especially in improving visibility and control over API traffic. One of the key outcomes I noticed was a significant reduction in malicious API traffic, particularly bot-driven attacks such as credential stuffing and automated abuse. This helped improve the overall security posture of my application.

One thing that really surprised me was how effective the behavioral-based detection is in identifying the anomalies that traditional rule-based systems might miss. It gives much better visibility into how APIs are actually being used in real-world scenarios. I also found that the API discovery feature was very useful, especially in identifying shadow or undocumented APIs, which are often overlooked but can introduce significant security risks. In terms of improvement, one area I feel could be enhanced is more granular customization in policy tuning and clearer visibility into how certain behavioral decisions are made. This would help in faster fine-tuning and reducing false positives more efficiently. Overall, the platform is very strong in providing visibility and proactive security, but adding more flexibility and transparency in controls could make it even more effective.

Akamai API Security is a strong platform, especially in terms of visibility and behavioral-based detection. One area where I feel it can be improved is in simplifying policy tuning and configuration. Sometimes, fine-tuning policies for specific API behavior can take time, so having more intuitive controls or guided recommendations would make it easier for operational teams. Another improvement could be providing more detailed insights into how the behavioral decisions are made. This would help in better understanding why certain traffic is flagged as anomalous and would make troubleshooting faster. Additionally, enhanced reporting and dashboard customization would be helpful, especially for generating customer-facing insights and governance reports. Overall, making the platform more user-friendly and improving visibility into decision-making would further enhance its effectiveness.

In addition to the current capabilities, I think there are a few areas where Akamai API Security can evolve further. One key improvement would be deeper integration with application context, such as understanding user roles, authentication flows, and business logic. This would help in detecting more advanced threats such as privilege abuse or business logic attacks. Another area would be more AI-driven recommendations for policy tuning. For example, suggesting optimal rate limits or automatically adjusting policies based on traffic patterns could reduce the manual effort and improve efficiency. I also feel that enhanced integration with SIEM  and other security platforms would be beneficial, allowing better correlation of API security events with overall security incidents. Additionally, more customizable and exportable reporting features would help governance and customer-facing reporting. Overall, the platform is very strong. Adding more intelligence, automation, and integration capabilities would make it even more powerful for enterprise environments.

I have been working with Akamai API Security for around two to three years.

In terms of scalability, Akamai API Security has improved very well in my environment. Since it operates on Akamai 's global edge network, it is designed to handle large volumes of traffic effectively. I have also seen it handle spikes in API traffic, especially during peak usage periods without any performance degradation. It scales automatically without requiring any manual intervention from my side. It has also adapted well to changing requirements such as onboarding new APIs or updating security policies without impacting availability.

Regarding customer support, I have interacted with Akamai  support a few times, mainly during the initial onboarding and for policy tuning. The support experience has been very positive. The team was responsive and technically knowledgeable. They helped me fine-tune the configuration and resolve issues effectively. Overall, both in terms of scalability and support, my experience with Akamai has been reliable and smooth.

My advice would be to first have a clear understanding of your API landscape, including all exposed endpoints and their criticality before implementing Akamai API Security. I would also recommend starting with proper API discovery and monitoring in learning mode, so you can baseline the normal traffic behavior before enforcing strict security policies. This helps reduce false positives. It is important to gradually implement controls such as rate limiting and access validation rather than applying aggressive policies from the beginning.

Additionally, teams should invest time in understanding the behavioral insights provided by the platform, as that is where the real value lies in detecting advanced threats. I would suggest working closely with Akamai support during the initial setup and tuning phase to get better results. Overall, with the right approach and tuning, it can be a very powerful solution for securing APIs.

Akamai API Security has been a strong and reliable solution for securing my APIs, especially in terms of visibility and behavioral-based threat detection. With proper tuning and understanding of API traffic, it provides more effective protection for enterprise environments. I believe it is a valuable solution for any organization looking to move from traditional security to more advanced API-focused protection. I would rate this solution an 8 out of 10.

Akamai API Security  is used for bot attacks, API attacks, and DOS attacks across multiple web layers, with a primary focus on DOS and bot attacks. Akamai API Security  is a good solution for DOS and bot attacks because it provides exact details and helps prevent DOS attacks while protecting applications.

The anomaly detection feature is valuable as it identifies unknown IPs and provides detailed insights. This is a good feature of Akamai API Security. The policy can be adjusted and provisioned, which is also a beneficial aspect of Akamai API Security.

Regarding APIs, Akamai API Security is helpful for taking the API and preventing multiple web attacks. Recently, an attack was detected from an iPhone, and since iPhones are now very powerful, the attacker conducted a DOS attack. Upon reviewing the traffic and extracting the report in Akamai API Security, it was discovered that the attack was executed through API, with one certain IP hitting multiple times, reaching 30 to 40 times in a single second from a single IP. This frequency is impossible for legitimate connections, so the traffic flow was analyzed.

Akamai API Security helps comply with DORA compliance in the Europe region, preventing any compliance issues. It helps demonstrate that the ISO understands the secured side is protected by Akamai API Security, ensuring that if any DOS attack is present, it will not occur or take the side down.

Currently, no improvements are apparent. In the last few years, there was improvement as bot attacks have been addressed, with more focus now placed on bot attacks. At that time, there was a drawback, but Akamai API Security is improving day by day. Currently, no drawbacks are evident, and the product is good. Akamai API Security is delivering the best products every year.

An area that could be improved is the alerting part. Akamai API Security should provide notifications when multiple alerts are received, such as one IP getting hit multiple times in a DOS attack. Currently, a third-party tool is used for alerts. It would be better to have built-in notifications where, as a customer, alerts could be received if an IP is hitting multiple times, indicating potential issues.

Akamai API Security has been used for more than five years.

Akamai API Security is stable, and no problems have been experienced.

Akamai API Security has scalability. No issues have been faced in terms of scalability, and it is good.

Akamai API Security technical support has been engaged, and they support technically well. However, there is one drawback regarding technical support. Akamai API Security makes back-end changes because a SaaS solution is being used. Sometimes they inform about changes, and sometimes they do not, which impacts clients as a P1 or P2 incident. This has happened multiple times, but when tickets are raised, they support instantly and resolve the issues. The experience with support would be rated as a nine.

I have worked with security tools for a total of seven years. Previously, I worked with GardiCore, and now I work with Akamai API Security. Regarding AlgoSec , I have used it in the past, but not in the current company. It was used a couple of years ago.

Akamai API Security is very easy to install. It is agentless, and one of the best aspects is that no agent has to be deployed on the server, making it very easy to deploy any Akamai API Security solution.

There are good savings because if the site goes down, financial losses will occur. Akamai API Security is preventing multiple issues, and the organization is doing well with Akamai API Security profits, which is good.

In percentage terms, from last year, more than 30 to 40% is being saved, and it is ongoing. Time-saving is significant at 30 to 40%, and it is growing year by year at a rate of about 10% to 15%, demonstrating growth.

Akamai API Security is not expensive.

Other vendors are known, such as F5, Fortinet, Imperva, and Barracuda. These vendors are not currently being worked with, but F5 is being looked at, and another solution is in the POC phase, with feedback available upon completion of the POC. Currently, I primarily work with two products for these purposes: Akamai API Security and Illumio .

Akamai API Security is for web pages or online use, while Illumio  is for cloud and on-premise use. Akamai API Security is agentless, while Illumio is agent-based. Both are working with different methods.

Jira  is used for tracking project deadlines and implementing projects, as well as for multiple POCs and project management. Confluence  is also used for tracking troubleshooting, offerings, and details on the Confluence  page.

The overall experience and satisfaction with Akamai API Security would be rated as a nine out of ten.

My main use case for Akamai API Security  would be providing security to the hostnames and to the API URLs and paths that have been hosted on the Akamai  platform. On a daily basis, there will be multiple traffic instances and false positive traffic that comes into our alerts such as unwanted bots and non-legitimate users hitting our retail market website, forcing it to crash or causing the server to be down with multiple 403 errors, which prevents users from accessing the website. For that, we set multiple alerts. If there is 5,000 hits per minute, then the alert will be generated and using that, we perform analysis and fine-tune our rules so that the illegitimate and unwanted traffic are blocked.

The best feature Akamai API Security  offers is that it gives full premium protection to hostnames and all the subdomains that are hosted on the platform. There is also a feature called Bot Manager Premier, which is auto fine-tuning by Akamai  platform itself. Considering all the security posture being followed worldwide, the same database will be used to implement the security posture in our current organization as well. Beyond that, there are other tools such as DDoS management and bot management, and also all kinds of security related to OWASP Top 10 security.

Bot Manager Premier feature is a premium feature or a subscription that we have to take with it. When this is enabled, it gives premium security on the configurations that we have set for it and provides advanced expert level suggestions and configurations on those settings where it is configured.

Akamai API Security has impacted my organization positively because when a user tries to access our servers from all over the world, the traffic first hits the DNS security or Akamai edge firewall before reaching our perimeter or infrastructure. Before an attack goes live, we detect it on the WAF  itself, which is the outer layer of security. We detect it and block it. We also set up security features such as crypto challenges or Captcha, which gives us ultimate protection against attacks.

Akamai API Security can be improved by giving many more options to users and administrators. If Akamai API Security could provide many more security options and make it more transparent to users about exactly what is happening, that would be beneficial. Beyond that, everything included in Akamai API Security seems sufficient for now. However, they could make it easier by providing simpler options so that customers who do not understand the technicalities of a web application firewall will be able to understand.

I have been using the solution for the last two years.

I chose a rating of seven instead of a higher or lower rating because there are other technologies and solutions in the market such as Cloudflare , Radware, and F5 that also come under the API security category. Considering those solutions, they have other features which might be more convenient for users and administrators than what Akamai offers. The same applies on both sides. There is no tool that combines all of the features from all kinds of solutions provided together. Akamai API Security also has some missing features that might be more convenient for users, features that are present in other WAF  technology solutions.

Using Akamai API Security, we have set certain alerts and are continually doing multiple fine-tuning activities. We are doing fine-tuning and improvements from time to time. Because of this, our false positive alerts have reduced significantly because we have cleaned up our configurations and made many changes. For this reason, it has become much better.

Organizations can go ahead with using Akamai API Security in their infrastructure. However, this solution is quite costly as it comes with the content delivery network, providing both content delivery and security. Considering this solution, it is quite expensive.

Akamai API Security is a great technology and many innovations are coming through for this solution. It is getting better day by day with tuning. This is the most practical WAF solution that is in the market. Administrators who use this will get a great understanding about how live threats and attacks are happening. This gives total transparency to people about what kind of cyber threats are occurring. I rate this solution a seven out of ten.