The 2020s rewrote how applications are built. The browser still loads HTML, but most actual work happens through APIs — public, partner, and internal. Each API is a contract; each contract has a shape; each shape can be broken in ways that classic WAAP rules don't catch. Broken object-level authorization, mass assignment, excessive data exposure, broken authentication — the OWASP API Top 10 is a separate list because the attack patterns are separate.
The industry's answer has been a wave of pure-play API security platforms — almost all of them cloud SaaS. To work, they need your API traffic to be visible to them, which usually means routing through their edge or sending mirror copies. For regulated industries, sovereign deployments, or anyone whose API responses carry PII or payment data, that's an immediate compliance and operational problem.
TR7 keeps API security where the API actually lives — on your platform. Discovery, schema enforcement, OWASP API Top 10 coverage, content-aware rules and sensitive-data masking all run on-prem, attached to the same vService that delivers the API. The same console you use for WAAP and delivery covers API security too.
Each of these is valuable alone. Together, they define what API security looks like when it does not require sending your APIs to someone else's cloud.
Most modern API security platforms are SaaS — they need your traffic and your schemas to be visible to their cloud. TR7 runs on your hardware. The schemas you upload, the inventory we learn and the responses we inspect never leave your network.
Full coverage of the OWASP API Security Top 10 — broken object-level authorization, broken authentication, excessive data exposure, mass assignment, security misconfiguration and the rest. Every detection mapped to CWE (100+ codes), CAPEC (30+ patterns) and MITRE ATT&CK (30+ techniques) so it reaches your SOC in the same taxonomy it already uses.
API endpoints surface automatically through passive traffic observation. Operator reviews the inventory before it goes live. OpenAPI schemas can be uploaded directly or learned from traffic; enforcement is a positive security model that validates method, path, parameters and body against the contract — anything outside the contract is logged or blocked.
Rate-limit, challenge or block on any traffic attribute — header values, cookie contents, URL parameters, even values parsed out of JSON request bodies. Example: rate-limit a search endpoint differently when the request body sets 'tier: free' versus 'tier: enterprise'. All configured in the visual rule builder; no scripting language.
PII, payment data, credentials and other sensitive patterns are identified in API responses and masked per policy before they reach the client — leaving useful context (last four digits, partial email) where you choose, hiding the rest. Same configuration model as the rest of your rules.
Every capability below ships as part of the platform and attaches to your existing vServices.
Passive traffic observation surfaces every endpoint actually in use, including shadow and undocumented APIs. The operator reviews the inventory and confirms what should be tracked, so the catalog stays accurate without you having to maintain a manual list.
Upload an OpenAPI specification or let TR7 learn one from observed traffic. Enforcement validates request method, path, parameters and body shape against the contract; mismatches log or block per policy. Positive security model: anything outside the contract is rejected, which stops mass-assignment attempts (fields the schema never declared) and injection payloads that break a parameter's declared type, length or format. A payload that fits the declared shape still needs the WAAP signature layer, which is why the two are applied together.
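The positive security model described above, as an added example that is not TR7's code: a minimal validator that matches a request against a constructed OpenAPI-style contract and rejects anything the contract does not declare. The contract, the helper names and the sample requests are assumptions made for illustration; a real deployment would load the uploaded or learned schema instead. The same check is what blocks the mass-assignment case (an undeclared `role` field in a PATCH body).

```python
"""Positive-model request validation against a minimal OpenAPI-style contract.

Added example, not TR7's code. CONTRACT below is a constructed subset of
OpenAPI (paths -> methods -> parameters/body); only the pieces needed to show
method, path, parameter and body-shape enforcement are modelled.
"""
import re

CONTRACT = {
    "/api/v1/users/{id}": {
        "get": {"params": {"id": {"in": "path", "type": "integer"}}},
        "patch": {
            "params": {"id": {"in": "path", "type": "integer"}},
            "body": {
                "properties": {
                    "email": {"type": "string", "format": "email"},
                    "display_name": {"type": "string", "maxLength": 64},
                },
                "additionalProperties": False,   # undeclared fields are rejected
            },
        },
    },
    "/api/v1/search": {
        "get": {"params": {"q": {"in": "query", "type": "string", "maxLength": 128},
                           "page": {"in": "query", "type": "integer"}}},
    },
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def path_regex(template):
    """'/api/v1/users/{id}' -> ^/api/v1/users/(?P<id>[^/]+)$ with literal segments escaped."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(f"(?P<{seg[1:-1]}>[^/]+)")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def is_int(value):
    # JSON integers, or decimal strings as they arrive in paths and query strings
    if isinstance(value, bool):
        return False
    return isinstance(value, int) or (isinstance(value, str) and value.isdigit())


def check_scalar(name, value, spec, errors):
    """Type, length and format checks for one declared parameter or property."""
    t = spec.get("type")
    if t == "integer":
        if not is_int(value):
            errors.append(f"{name}: expected integer")
    elif t == "string":
        if not isinstance(value, str):
            errors.append(f"{name}: expected string")
            return
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"{name}: longer than {spec['maxLength']}")
        if spec.get("format") == "email" and not EMAIL_RE.match(value):
            errors.append(f"{name}: not an email")


def validate_request(method, path, query, body):
    """Return (allowed, reasons). Anything not in the contract is a violation."""
    errors = []
    for template, ops in CONTRACT.items():
        m = path_regex(template).match(path)
        if m:
            break
    else:
        return False, ["path not in contract"]
    op = ops.get(method.lower())
    if op is None:
        return False, [f"method {method} not allowed on {template}"]
    params = op.get("params", {})
    for name, spec in params.items():                 # path parameters
        if spec["in"] == "path":
            check_scalar(name, m.group(name), spec, errors)
    for name, value in query.items():                 # query parameters: unknown names rejected
        spec = params.get(name)
        if spec is None or spec["in"] != "query":
            errors.append(f"query param {name} not in contract")
        else:
            check_scalar(name, value, spec, errors)
    body_spec = op.get("body")
    if body_spec is None:
        if body is not None:
            errors.append("body not expected")
    elif not isinstance(body, dict):
        errors.append("body must be a JSON object")
    else:
        props = body_spec["properties"]
        for key, value in body.items():
            if key not in props:
                if body_spec.get("additionalProperties") is False:
                    errors.append(f"unexpected field {key}")   # mass-assignment attempt
            else:
                check_scalar(key, value, props[key], errors)
    return (not errors), errors
```

Run as `validate_request("PATCH", "/api/v1/users/42", {}, {"email": "a@b.co", "role": "admin"})` to see the undeclared `role` field rejected; note that a well-formed but malicious string in `display_name` passes this layer, which is the case the signature engine exists for.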
10/10 coverage across the OWASP API Security Top 10, using the 2019 edition's category names: broken object-level authorization, broken user authentication, excessive data exposure, lack of resources & rate limiting, broken function-level authorization, mass assignment, security misconfiguration, injection, improper assets management and insufficient logging & monitoring. The 2023 edition regroups several of these (excessive data exposure and mass assignment, for instance, merge into broken object property level authorization), so map the list to whichever edition your audit references.
Every API detection maps to its CWE code, CAPEC attack pattern and MITRE ATT&CK technique. SIEM correlation, incident response and compliance reports use the same taxonomy your security team already runs on.
Different rate limits for /login, /search and /export of the same API. Method-level restrictions (GET allowed, POST blocked) per endpoint. All scoped to the vService delivering the API.
Rate-limit, challenge or block on any traffic attribute — header values, cookie contents, URL parameters, parsed JSON body values. Configured visually; no proprietary scripting language to learn.
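The content-aware rate limiting described in the two passages above, as an added example that is not TR7's rule builder: a sliding-window limiter whose key is assembled from a chosen dimension (client IP or API key) plus the endpoint and a `tier` value parsed out of the JSON body, so the same `/api/v1/search` endpoint gets a different budget for `tier: free` and `tier: enterprise`. The policy table, the request shape and the clock injection are assumptions made for illustration.

```python
"""Content-aware rate limiting keyed on request attributes, including a JSON body field.

Added example, not TR7's code. POLICY and the request dict shape are
constructed for illustration; `now` is passed in so the window logic is testable.
"""
import json
from collections import defaultdict, deque

# Constructed policy: (path, tier) -> (max_requests, window_seconds, key_dimension).
# "*" is a tier-independent fallback for the endpoint.
POLICY = {
    ("/api/v1/search", "free"):       (5,   60, "ip"),
    ("/api/v1/search", "enterprise"): (100, 60, "api_key"),
    ("/api/v1/login",  "*"):          (10,  60, "ip"),
}
KNOWN_TIERS = ("free", "enterprise")


class SlidingWindowLimiter:
    """Counts hits per key inside a trailing window of `window` seconds."""

    def __init__(self):
        self._hits = defaultdict(deque)   # key -> timestamps of allowed requests

    def allow(self, key, limit, window, now):
        q = self._hits[key]
        while q and now - q[0] >= window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= limit:
            return False                    # rejected requests are not recorded
        q.append(now)
        return True


def extract_tier(body):
    """Pull 'tier' out of the JSON body. Malformed, missing or unknown values fall
    back to the most restrictive tier, so a tampered body cannot buy headroom."""
    try:
        doc = json.loads(body or b"")
    except ValueError:
        return "free"
    tier = doc.get("tier") if isinstance(doc, dict) else None
    return tier if tier in KNOWN_TIERS else "free"


def limit_key(req, dimension, path, tier):
    """Choose which identity the counter is scoped to: one IP, one API key, and so on."""
    if dimension == "ip":
        ident = req["ip"]
    elif dimension == "api_key":
        # no key presented -> count against the source IP instead of an empty bucket
        ident = req["headers"].get("X-API-Key") or req["ip"]
    else:
        raise ValueError(f"unknown dimension {dimension}")
    return (dimension, ident, path, tier)


def decide(limiter, req, now):
    """req is a constructed dict {'ip', 'path', 'headers', 'body'}.
    Returns 'allow' or 'rate_limited'."""
    tier = extract_tier(req.get("body"))
    rule = POLICY.get((req["path"], tier)) or POLICY.get((req["path"], "*"))
    if rule is None:
        return "allow"          # endpoint not covered by this policy
    limit, window, dimension = rule
    key = limit_key(req, dimension, req["path"], tier)
    return "allow" if limiter.allow(key, limit, window, now) else "rate_limited"
```

One caveat the example makes visible: the body is client-controlled, so a `tier` value that selects a more generous limit should be bound to the authenticated identity (or cross-checked against it) rather than trusted on its own; the allowlist and the fall-back to the strictest tier limit the damage, but they do not replace that binding.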
Identify PII (names, emails, national IDs), payment data (card numbers, IBANs), credentials and health data in API responses. Mask per policy before delivery to the client — keep the useful prefix or suffix, hide the rest — or block the response outright when the data should never have been served.
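The response-side detection and masking described above, as an added example that is not TR7's engine: it walks a JSON response, finds card numbers, IBANs and email addresses with pattern matching gated by checksum validation (so a 16-digit order reference is not mistaken for a card), masks each per policy while keeping the useful prefix or suffix, and blocks the whole response when a category's policy is `block`. The detectors, the policy shape and the sample response are constructed for illustration.

```python
"""Sensitive-data detection and masking on API responses.

Added example, not TR7's code. Detectors and the policy shape are constructed;
the checksum checks (Luhn for cards, mod-97 for IBANs) cut false positives.
"""
import json
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")            # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban):
    # move the first four characters to the end, map letters A..Z -> 10..35, check mod 97 == 1
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


# Each masker returns None when the pattern matched but the checksum says "not sensitive".
def mask_card(m):
    digits = re.sub(r"\D", "", m.group(0))
    return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else None


def mask_iban(m):
    s = m.group(0)
    return s[:4] + "*" * (len(s) - 8) + s[-4:] if iban_ok(s) else None


def mask_email(m):
    local, domain = m.group(0).split("@", 1)
    return local[0] + "***@" + domain


DETECTORS = {"iban": (IBAN_RE, mask_iban), "card": (CARD_RE, mask_card), "email": (EMAIL_RE, mask_email)}


def scrub_string(text, policy, hits):
    for name, (pattern, masker) in DETECTORS.items():
        if policy.get(name, "allow") == "allow":
            continue

        def repl(m, name=name, masker=masker):
            masked = masker(m)
            if masked is None:
                return m.group(0)           # checksum failed: leave it untouched
            hits[name] = hits.get(name, 0) + 1
            return masked

        text = pattern.sub(repl, text)
    return text


def walk(node, policy, hits):
    """Recurse through the decoded JSON, scrubbing string values and keeping structure."""
    if isinstance(node, str):
        return scrub_string(node, policy, hits)
    if isinstance(node, list):
        return [walk(x, policy, hits) for x in node]
    if isinstance(node, dict):
        return {k: walk(v, policy, hits) for k, v in node.items()}
    return node


def filter_response(body, policy):
    """policy maps category -> 'allow' | 'mask' | 'block'.
    Returns (decision, scrubbed_document, hits); the caller re-serialises the document.
    'block' wins when any blocked category was actually found."""
    hits = {}
    scrubbed = walk(json.loads(body), policy, hits)
    if any(action == "block" and hits.get(cat) for cat, action in policy.items()):
        return "block", None, hits
    return ("mask" if hits else "allow"), scrubbed, hits


# Constructed sample response (test values only; 4111... is a well-known Luhn-valid test number).
SAMPLE = (b'{"customer": {"email": "alice.smith@example.com", "iban": "DE89370400440532013000"},'
          b' "cards": [{"pan": "4111 1111 1111 1111"}], "order_ref": "1234567812345678",'
          b' "note": "call 555-0100"}')
```

Because the scrub runs on the decoded document, the same `walk` can be applied to the log record before it is written, which is what masking "before it reaches the user or the logs" amounts to in practice.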
JWT validation, mTLS, OAuth2 and OIDC enforcement at the API edge, delegated to TR7's access management layer. The same identity policies that protect web apps protect APIs.
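The JWT check an API edge performs, as an added example that is not TR7's access management layer: a standard-library HS256 verifier with a pinned algorithm allowlist (the header's `alg` is never trusted, which is what defeats `alg: none` and algorithm-confusion bypasses), constant-time signature comparison, and `exp`, `nbf`, `iss` and `aud` checks. The shared secret, issuer, audience and `mint_jwt` helper are constructed so the example runs offline.

```python
"""Edge-side JWT validation with a pinned algorithm allowlist.

Added example, not TR7's code. The key, issuer, audience and the mint_jwt
helper are constructed so the verifier can be exercised without an IdP.
"""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = ("HS256",)     # pinned per issuer; the token header does not get a vote


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_jwt(token, key, expected_iss, expected_aud, now=None):
    """Return the claims, or raise ValueError with the reason the token was refused."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unsupported alg")                  # covers 'none' and RS/HS confusion
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")                    # signature checked before claims
    claims = json.loads(b64url_decode(p_b64))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("not yet valid")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def authorize(token, key, expected_iss, expected_aud, now=None):
    """Edge decision wrapper: ('allow', claims) or ('deny', reason)."""
    try:
        return "allow", verify_jwt(token, key, expected_iss, expected_aud, now)
    except (ValueError, TypeError) as exc:
        return "deny", str(exc)


def mint_jwt(claims, key, alg="HS256"):
    """Constructed helper for building sample tokens, including an unsigned alg=none one."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

The example pins one symmetric algorithm and one key; an edge fronting an OAuth2/OIDC issuer would instead resolve the issuer's published signing keys and pin an asymmetric algorithm, but the order of operations (allowlist, signature, then claims) is the same.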
The same behavioral engine used for WAAP and bot management scores API traffic — TLS fingerprints, IP reputation across 23 categories, request rhythm and request shape. Behavioral baseline adapts to your application's normal API usage.
HTTP flood, slowloris and application-targeted bot floods absorbed at the WAAP layer — applied with API-aware thresholds per endpoint. Scoped per vService.
Credential-stuffing patterns hit API login endpoints, not just web forms. The same ATO detection that protects web login surfaces protects /api/v1/login — distributed low-and-slow attempts, impossible travel, abnormal session-creation rates.
Every API request decision — allowed, blocked, rate-limited, masked — logs to the same console used for WAAP and delivery. Investigate any request end-to-end. Audit trails ready for PCI DSS, HIPAA and other compliance requirements.
API metrics, attack telemetry and inventory live in the same operator console as the vService, the WAAP policy and the DDoS view. No separate API security pane to learn.
The OWASP API Top 10 is a separate list from the web OWASP Top 10 because API attack patterns are different. TR7 covers all ten.
Attackers manipulate object IDs in URLs to access data belonging to other users. Schema enforcement confirms that the ID is well-formed but cannot tell whose record it names; per-endpoint, identity-aware authorization checks are what make BOLA attempts visible and blockable.
Weak or misconfigured authentication on API endpoints. JWT validation, mTLS and OAuth2 enforcement at the API edge prevent common bypass patterns.
APIs returning more data than the client needs. Sensitive-data detection and masking ensure PII, payment data and credentials are removed or masked before reaching the client.
APIs without rate limits are abused by bots, scrapers and credential-stuffing. Per-endpoint, per-method, per-tenant and content-aware rate limits stop abuse at the platform.
Privileged functions exposed to unauthorized users. Method restrictions per endpoint, combined with identity-aware policies, prevent unauthorized function access.
Attackers inject fields the API doesn't expect to update sensitive properties. OpenAPI schema enforcement rejects request bodies with unexpected fields outright.
Verbose error messages, missing headers, exposed admin endpoints. Discovery surfaces these endpoints; policy enforces production-safe defaults.
SQL injection, NoSQL injection, command injection in API parameters and bodies. WAAP signatures plus parameter validation against the schema block injection attempts.
Old API versions, deprecated endpoints and undocumented APIs accessible in production. Discovery surfaces them; inventory keeps the picture current.
Attacks invisible to the security team. Every API request decision is logged in the same console as delivery and security; SIEM exports use CWE / MITRE taxonomies.
Strict schema enforcement for partner APIs, sensitive-data masking on customer account responses, OAuth2 authentication enforced at the API edge, audit logs for regulatory review.
HIPAA-relevant API responses scanned for PHI; sensitive patient data masked per policy before reaching client apps. On-prem deployment keeps APIs and data inside the hospital perimeter.
Engineering teams ship new endpoints faster than security teams can track them. Passive discovery surfaces every endpoint in use; operator-confirmed inventory keeps the catalog accurate without manual maintenance.
Carding bots, scraper farms and credential stuffing all hit API endpoints. Per-endpoint rate limits, content-aware rules and behavioral bot scoring stop abuse without blocking real customers.
Data residency rules forbid third-party API inspection. On-prem API security keeps every byte inside the citizen-data perimeter; compliance audits trace each request through one console.
Hundreds of internal endpoints across teams, often undocumented. Discovery + schema enforcement turn an untracked surface into a managed catalog without forcing every service team to wire up a separate SaaS agent.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Manage preflight and response CORS headers from a single rule, without touching application code.
WAAP inspection, mTLS identity and data masking keep working even as traffic flows to backends over TLS.
Turn JSON body fields and JWT content into first-class signals for every traffic decision.
One expression language — traffic, health, logging, GTM, security and access decisions in the same model.
3000+ rules, OWASP / API Top 10 / CWE taxonomy, 14 correlation axes, per-host-group + cross-group rollups.
Move beyond headers — make body content part of the traffic and security decision.
Lift the client certificate out of connection control and turn it into an identity object that drives traffic decisions.
Combine signature, score and context in a single engine — manage known attacks with confidence.
Mask sensitive data at platform level before it reaches the user or the logs.
Extract an API inventory from real traffic; bring requests outside the allowed schema under control.
One IP, one account, one API key — you decide which dimension to limit.
Do not treat GraphQL traffic as a plain POST body — catch introspection, nested DoS and query batching patterns inside your WAAP.
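The three GraphQL patterns named above, as an added example that is not TR7's engine: a checker that takes the raw POST body, recognises a batch (a JSON array of operations) and counts it, flags introspection (`__schema` / `__type` selections, but not the benign `__typename`), and measures selection-set nesting depth while ignoring braces inside string literals. Thresholds and the sample queries are constructed for illustration.

```python
"""GraphQL-aware inspection of a POST body: batching, introspection, nesting depth.

Added example, not TR7's code. max_depth and max_batch are constructed
thresholds; tune them to the schema being protected.
"""
import json
import re

INTROSPECTION_RE = re.compile(r"\b__(?:schema|type)\b")   # __typename deliberately not matched


def max_selection_depth(query):
    """Deepest nesting of { } selection sets, skipping braces inside string literals."""
    depth = best = 0
    in_str = esc = False
    for ch in query:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
            best = max(best, depth)
        elif ch == "}":
            depth -= 1
    return best


def inspect_graphql(body, max_depth=8, max_batch=5):
    """Return a list of findings for a GraphQL POST body (single operation or batch array).
    An empty list means nothing matched."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return ["not-json"]
    if isinstance(doc, list):
        ops = doc
        if len(doc) > max_batch:
            findings.append(f"batch:{len(doc)}")      # one request, many operations
    else:
        ops = [doc]
    for op in ops:
        query = op.get("query", "") if isinstance(op, dict) else ""
        if not isinstance(query, str):
            continue
        if INTROSPECTION_RE.search(query) and "introspection" not in findings:
            findings.append("introspection")
        depth = max_selection_depth(query)
        if depth > max_depth:
            findings.append(f"depth:{depth}")          # nested-query DoS candidate
    return findings
```

Batching matters for rate limiting as much as for DoS: twenty login mutations in one array are one HTTP request to a per-request counter, so the per-operation count from this check is what the limiter should consume.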
Request a live demo of TR7 API Security. We will run discovery on your API traffic, walk through the schema-enforcement flow and show sensitive-data masking on a real response.