API Attack Surface Management

API Attack Surface Management (AASM) is an agentless detection solution tailored to the API ecosystem, designed to discover external hosts with their APIs, identify missing WAF/WAAP solutions, discover vulnerabilities, and mitigate API Leaks.

Core (Free)

Free plan, which includes Host & API Discovery, WAF Testing, API Vulnerability Detection, and API Leaks Mitigation.


Features:

External hosts and API Discovery

API Vulnerability Detection

WAF detection and testing

API Leaks Discovery

API Gateway Identification

Weekly scanning schedule

Enterprise (Paid)

Paid plan, which includes Customer Support, Bug hunting services, DevSecOps Integrations, unlimited usage, and Daily scanning schedule.


Features:

Everything in Core +

Dedicated Customer Success Manager

False positive reduction

Bug hunting services included

DevSecOps Integrations

Daily scanning schedule and Ad hoc scans

Product Features

Core
Enterprise

Discover all external hosts and their APIs
(including hosting e.g. CDN, IaaS, or PaaS providers)

Gain insights into the specific API protocols that your organization is using
(JSON-API, GraphQL, XML-RPC, JSON-RPC, OData, gRPC, WebSocket, SOAP, WebDAV, HTML WEB and more)

Private API Schema Discovery
(E.g. Swagger/OpenAPI specifications unintentionally publicly available)

WAF Discovery
(Discovers if Web Apps and APIs are protected by WAFs/WAAPs)

WAF Score
(Assigns WAF Score based on its configuration and types of threats it can detect)

Leaked API Keys Detection

Leaked API Credentials Discovery
(User names, emails and passwords)

Leaked API Sensitive Technical Data Discovery
(API Tokens, Config files, backups, logs, source code)

Identify geolocation and data centers

API Gateway Detection
(Detect up to 15 API gateways, including Apigee, Mulesoft, Kong, WSO2, and more)

Vulnerability Detection
(Discover vulnerabilities related to the discovered apps and APIs)

Test your APIs
(Thousands of the most popular web and API-related CVEs)

Identify SSL/TLS misconfigurations, management interface exposure, and much more

Prevent database management interface exposure

Identify the most widespread cases of Path traversal, SQLi, SSRF, XSS, etc.

Detect GraphQL misconfigurations

Identify usage of vulnerable outdated software

Get advanced visibility with Vulnerability Intelligence data enrichment

Scan Capacity & Schedule

Scan Schedule
Core: Weekly
Enterprise: Daily

Scan Capacity
Core: up to 50 Root domains and 5,000 hosts
Enterprise: Unlimited

Collaboration Features

Core
Enterprise

API Integration

Compliance Features

Core
Enterprise

SSO

Support and SLA

Core
Enterprise

MS teams/Slack support

Email support response time

4 hours

Dedicated Customer Success Manager

Additional services

Core
Enterprise

Bug hunting services included
(Bug hunting involves using penetration techniques to discover issues that scanners cannot find, or for specific compliance-related testing.) 

False positive reduction

Hated by Attackers.
Trusted by Security.

The preferred choice for Security and DevOps teams seeking unparalleled Visibility, Comprehensive API Protection, and Automated Incident Response in product security programs.

#1

In customer reviews

160K+

APIs protected

20,000+

API requests protected, daily

With Wallarm, we've been able to scale API protection to the scale we need and manage with our infrastructure-as-code approach.

Gustavo Ogawa, Head of Security at Rappi

Ready to uncover your APIs and Leaks?

Get started in under a minute.
No installation required