Why do I Need API Security if I Have a WAF and API Gateway?

February 15, 2024 | by John Dasher


The web and mobile applications that your employees and customers use are glued together by application programming interfaces (APIs). The collaboration app on your phone “talks” to your collaboration system via APIs, allowing you to see who is online and message them. Your productivity, marketing automation, CRM, and project tracking apps are all API-based. As organizations expand their use of microservices and create new cloud-native applications, API usage continues to explode. In fact, every one of the more than 142 billion app downloads is API-based. Gartner warns that by 2024, API abuses and related data breaches will nearly double.

APIs – Loved by Developers and Attackers Alike

In an analysis of tens of billions (yes, with a ‘B’!) of API-based application requests, researchers at Cequence Security have found that APIs are the #1 target for malicious use, further validated by some recent stats. Consider:

  • 70% of app requests are via automated requests to APIs
  • 53% of orgs are impacted by three or more API attacks per month
  • We saw a 50% increase in bot attacks in the second half of 2023 (retail only)

Designed for machine-to-machine interaction, APIs are the tool of choice for developers because each API includes all necessary commands, payload, and data to produce engaging user interactions. And therein lies the risk: the widespread use and the all-inclusive nature of APIs introduce a range of security challenges:

  • Unknown attack surface: Most organizations are unaware of how many shadow, hidden, deprecated, and third-party APIs they have, leaving many unprotected.
  • New exploit opportunities: Developer errors, lack of best practices, or improper training can lead to vulnerabilities easily exploited by bad actors.
  • Breaches and disruption from automated attacks: APIs enable high-speed communication, often directly to back-end systems, making them prime targets for automated attacks and business logic abuse, even when perfectly coded.

Where WAFs and API Gateways Fall Short

With API security ranked as a top priority in 2023 for enterprises and security leaders worldwide, many organizations will look first at their existing web application firewalls and/or API gateways to protect their APIs. Despite their very real utility and legitimate use cases, here’s why their original design principles and feature sets make them a poor choice for providing proper API Security:

  • Web application firewalls (WAF): Originally designed to address PCI section 6.6 requirements, WAFs use signatures to detect known vulnerabilities as described in the OWASP Web Application Top 10 Threats list. WAFs will struggle to find and block attacks that appear legitimate, and they are unable to address the visibility, inventory tracking, risk assessment, and threat prevention requirements necessary to protect APIs.
  • API gateways: Designed to help organizations aggregate and manage APIs, providing access control and basic security functions such as rate limiting and IP block lists. API gateways are reactive in nature, requiring developers to register the APIs to be managed. Often deployed within the infrastructure, at a department level, or in a cloud environment, API gateways are inadequate tools for gaining complete visibility, inventory tracking, risk assessment, common security policy enforcement, and the threat prevention necessary to protect APIs.
  • WAFs and API gateways don’t get any of the context that API activity provides. They can’t understand business logic or how it might be abused, nor can they identify sensitive data being inappropriately shared or what security risk it represents.

While WAFs and API gateways provide some level of protection, they were not designed to address the complete spectrum of API security requirements which includes discovering all your APIs, detecting the inherent risks, and defending against the associated threats.
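To make the distinction concrete, here is a small Python illustration (added here; not Cequence code and not a real WAF ruleset) run over a constructed API access log: a signature check in the WAF style finds nothing, because every request is well-formed and authenticated, while a per-client behavioral check over the same lines flags the one client that is walking consecutive order IDs. The log format, client token labels and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not real traffic): time, client token id,
# method, path, HTTP status. Every request is well-formed and authenticated.
SAMPLE_LOG = """\
10:00:01 tok-A GET /api/v1/orders/1001 200
10:00:02 tok-A GET /api/v1/orders/1002 200
10:00:03 tok-A GET /api/v1/orders/1003 200
10:00:04 tok-A GET /api/v1/orders/1004 200
10:00:05 tok-A GET /api/v1/orders/1005 200
10:00:03 tok-B GET /api/v1/orders/2231 200
10:00:20 tok-B POST /api/v1/orders/2231/cancel 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")
ORDER_ID_RE = re.compile(r"/orders/(\d+)")
# WAF-style signatures for classic web payloads (illustrative, not a real ruleset).
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"\.\./", r"union(\s|%20)+select")]

def parse(log):
    """Turn the text log into a list of request dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            events.append({"ts": ts, "client": client, "method": method,
                           "path": path, "status": int(status)})
    return events

def signature_hits(events):
    """Signature check: flags only requests whose path contains a known payload."""
    return [e for e in events if any(s.search(e["path"]) for s in SIGNATURES)]

def enumeration_suspects(events, max_distinct_ids=4):
    """Behavioral check: flags a client touching many, mostly consecutive order IDs."""
    ids_per_client = defaultdict(set)
    for e in events:
        m = ORDER_ID_RE.search(e["path"])
        if m:
            ids_per_client[e["client"]].add(int(m.group(1)))
    suspects = {}
    for client, ids in ids_per_client.items():
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ids) > max_distinct_ids and steps >= len(ids) // 2:
            suspects[client] = {"distinct_ids": len(ids), "sequential_steps": steps}
    return suspects
```

Run on the sample, `signature_hits` returns an empty list while `enumeration_suspects` reports `tok-A`; the point is that the second check needs state across requests per client, which a per-request signature engine does not keep.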

Stronger API Security Posture with the Cequence Unified API Protection Solution

Made up of API Spyder, API Sentinel, and API Spartan, the Cequence Unified API Protection (UAP) solution complements the security capabilities found in WAFs and API gateways with the most complete set of API security features available. It’s the only solution that unifies API discovery, compliance, and protection with the following capabilities:

  • Continuous API Discovery and Visibility: The UAP integrates with a broad range of infrastructure components, including API gateways, proxies, load balancers, and ingress controllers to deliver an end-to-end view into public-facing and internal APIs including shadow, third-party, and managed. Cequence is the only solution that allows you to choose between either an inline or an API-based integration model enabling you to either pull or push API metrics for ongoing risk assessment and threat analysis.
  • API Risk Assessment: Pre-defined and custom risk assessment rules help development and security teams uncover sensitive data usage errors and authentication misconfigurations that can lead to governance violations and system compromise. A specification comparison uncovers APIs that fail to conform to published OpenAPI specifications. In addition, the UAP can automatically generate OpenAPI specifications for any existing APIs. Flexible alerting capabilities allow you to initiate update requests to the development team via Slack, PagerDuty, email, and other tools.
  • API Threat Detection: The UAP uses an agentless approach to detect and track automated attacks and business logic abuse on APIs, even as attackers re-tool to evade prevention efforts. It is powered by CQAI, our patented ML-based analytics engine, which detects the most sophisticated API attacks using a threat repository comprised of billions of threat behaviors, malicious IP addresses, and third-party intelligence. Our CQ Prime threat research team continually curates the CQAI repository into hundreds of pre-defined rules that deliver out-of-the-box detection efficacy rates in the 98% accuracy range, with full protection enabled within 48 hours.
  • Natively Mitigate Threats in Real Time: The Cequence Unified API Protection solution is the only solution on the market that natively mitigates attacks in real time, eliminating the delay and limited response options caused by reliance on third-party tools to take action. Response options include blocking, rate limiting, geo-fencing, forwarding, and deception, a technique that allows you to mislead and deceive the bad actor into believing that their attacks have been successful.

Summary

Organizations are rapidly adopting an API-first development methodology because of the power, flexibility, and efficiency APIs deliver. The apps we use every day are all based on APIs, connecting back to compute resources located elsewhere — the cloud, the data center, or both. Unfortunately, threat actors love APIs for the same reasons that developers do. APIs are susceptible to a range of automated attacks and vulnerability exploits that can lead to data loss and system compromise. To protect existing and future APIs, organizations need to implement a forward-looking API security solution that complements the basic capabilities found in WAFs and API gateways. Organizations need to implement an API security solution that unifies runtime API visibility, security risk monitoring, and patented behavioral fingerprinting technology to consistently detect and protect against ever-evolving online attacks.

| Capability | Cequence Unified API Protection | Web Application Firewalls | API Gateways |
|---|---|---|---|
| API Discovery & Inventory | | | |
| Managed API discovery | Yes | Limited | Yes |
| Unmanaged (shadow) API discovery | Yes | No | No |
| API usage analysis | Yes | No | Yes |
| Assign/track API by owner | Yes | No | Limited |
| API Risk Assessment & Categorization | | | |
| Data governance | Yes | None | None |
| Weak/missing authentication | Yes | None | None |
| API specification conformance | Yes | None | None |
| Custom risk criteria | Yes | None | None |
| Threat Detection | | | |
| Threat database of billion+ records | Yes | No | No |
| Vulnerabilities | Yes | Yes | Yes |
| Automated attacks | Yes | Limited | Limited |
| Business logic abuse | Yes | Limited | None |
| Mitigation | | | |
| Native, real-time response | Yes | Yes | Yes |
| Block on IP address | Yes | Yes | Yes |
| Block on behavioral fingerprint | Yes | No | No |
| Response Options | | | |
| Geo-fencing | Yes | Yes | Yes |
| Block | Yes | Yes | Yes |
| Rate limit | Yes | Yes | Yes |
| Deception | Yes | No | No |
| Forward to 3rd party | Yes | No | No |
| API Development and Management | | | |
| API design & development for developers | No | No | Yes |
| API management and governance | No | No | Yes |
| Developer portal | No | No | Yes |
| Monetization | No | No | Yes |
| Web Application Protection Features | | | |
| DDoS protection | No | Yes | No |
| OWASP Web Top 10 protection using customizable rules and threat signatures | No | Yes | No |
| Content-delivery networks (CDNs) | No | Yes | No |

Cequence Unified API Protection solution capabilities compared with WAFs and API gateways.

Get a free API security assessment and discover the APIs not being covered by your existing WAF or API gateway.

Author: John Dasher, VP Product Marketing