Why do I Need API Security if I Have a WAF and API Gateway?

March 30, 2022 | by Matt Keil

The web and mobile applications that your employees use are glued together by application programming interfaces (APIs). The collaboration app on your phone “talks” to your collaboration system via APIs, allowing you to see who is online and message them. Your productivity, marketing automation, CRM and project tracking apps are all API-based. As organizations continue to expand their use of microservices and create new cloud-native applications, API usage will continue to explode. In fact, every one of the over 142 billion app downloads is API-based. As a proof point, Gartner states that by 2023 over 50% of B2B transactions will be performed through real-time APIs versus traditional approaches.

APIs – Loved by Developers and Attackers Alike

In an analysis of more than 14 billion API-based application requests, researchers at Cequence Security found that APIs are the #1 target for malicious use, validated by the fact that 80% of ALL blocked attacks were API-based.

Designed for machine-to-machine interaction, APIs are the tool of choice for developers because each API includes all the commands, payload, and data necessary to produce engaging user interactions. And therein lies the risk: the widespread use and the all-inclusive nature of APIs introduce a range of security challenges:

  • Unknown attack surface: Most organizations are unaware of how many shadow, hidden, deprecated, and 3rd-party APIs they have, leaving many unprotected.
  • New exploit opportunities: Developer errors, lack of best practices, or improper training can lead to vulnerabilities easily exploited by bad actors.
  • Breaches and disruption from automated attacks: APIs enable high-speed communication, often directly to back-end systems, making them prime targets for automated attacks and business logic abuse, even when perfectly coded.

Where WAFs and API Gateways Fall Short

With API security ranked as a top priority in 2022 for enterprises and security leaders worldwide, many organizations will look first at their existing web application firewalls and/or API gateways to protect their APIs. Here is what each was designed for and what it lacks in order to provide complete API security:

  • Web application firewalls: Originally designed to address PCI section 6.6 requirements, web application firewalls (WAFs) use signatures to detect known vulnerabilities as described in the OWASP Web Application Top 10 Threats list. WAFs will struggle to find and block attacks that appear legitimate, and they are unable to address the visibility, inventory tracking, risk assessment and threat prevention requirements necessary to protect APIs.
  • API Gateways: Designed to help organizations aggregate and manage APIs, providing access control and basic security functions such as rate limiting and IP block lists. API gateways are reactive in nature, requiring developers to register the APIs to be managed; an API nobody registered is invisible to the gateway. Often deployed within the infrastructure, at a department level, or in a cloud environment, API gateways are inadequate tools for gaining the complete visibility, inventory tracking, risk assessment, common security policy enforcement and threat prevention necessary to protect APIs.

While WAFs and API gateways provide some level of protection, they are inadequate at addressing the complete spectrum of API security requirements which includes discovering all your APIs, detecting the inherent risks, and defending against the associated threats.
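The gap described above (a gateway only knows the operations someone registered, and a WAF only knows the signatures it ships with) can be made concrete with a small inventory audit. The script below is an added example, not Cequence code or product logic: it takes a simplified OpenAPI-shaped document and a handful of constructed Common Log Format lines (hosts, paths and the spec itself are hypothetical), matches each observed request against the published path templates, and sorts the traffic into managed, deprecated, and shadow operations, plus published operations that never appear in traffic.

```python
import re

# Constructed, simplified OpenAPI-shaped document (paths -> methods -> operation).
# Only the keys this audit needs are present; "deprecated" is a standard OpenAPI field.
PUBLISHED_SPEC = {
    "paths": {
        "/api/v1/users/{id}": {"get": {}, "put": {}},
        "/api/v1/orders": {"get": {}, "post": {}},
        "/api/v1/orders/{id}": {"get": {}},
        "/api/v1/export": {"get": {"deprecated": True}},
        "/api/v1/reports": {"get": {}},  # published, but absent from the sample traffic
    }
}

# Constructed access-log lines in Common Log Format; hosts and paths are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2022:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [30/Mar/2022:10:00:02 +0000] "PUT /api/v1/users/42 HTTP/1.1" 204 0
10.0.0.7 - - [30/Mar/2022:10:00:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 98
10.0.0.7 - - [30/Mar/2022:10:00:04 +0000] "GET /api/v1/orders/1001 HTTP/1.1" 200 640
10.0.0.9 - - [30/Mar/2022:10:00:05 +0000] "GET /api/v1/export?format=csv HTTP/1.1" 200 90210
10.0.0.9 - - [30/Mar/2022:10:00:06 +0000] "GET /api/v0/users/42/debug HTTP/1.1" 200 2048
10.0.0.9 - - [30/Mar/2022:10:00:07 +0000] "DELETE /api/v1/orders/1001 HTTP/1.1" 200 0
10.0.0.3 - - [30/Mar/2022:10:00:08 +0000] "GET /internal/admin/users HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template):
    """Compile an OpenAPI path template such as /users/{id} into an anchored regex."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def build_index(spec):
    """Compile every published path once; keep its verbs and their deprecation flags."""
    index = []
    for template, ops in spec["paths"].items():
        verbs = {verb.upper(): bool(op.get("deprecated")) for verb, op in ops.items()}
        index.append((template, template_to_regex(template), verbs))
    return index


def parse_requests(log_text):
    """Yield (method, path) for each CLF line; the query string is discarded."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("method"), m.group("path").split("?", 1)[0]


def classify_traffic(spec, log_text):
    """Sort observed operations into managed / deprecated / shadow and list unused ones."""
    index = build_index(spec)
    buckets = {"managed": set(), "deprecated": set(), "shadow": set(), "unused": set()}
    for method, path in parse_requests(log_text):
        hit = next(((t, verbs) for t, rx, verbs in index if rx.match(path)), None)
        if hit is None:
            buckets["shadow"].add((method, path))          # path unknown to the spec
            continue
        template, verbs = hit
        if method not in verbs:
            buckets["shadow"].add((method, template))      # known path, unregistered verb
            continue
        buckets["deprecated" if verbs[method] else "managed"].add((method, template))
    observed = buckets["managed"] | buckets["deprecated"]
    for template, _, verbs in index:
        for method in verbs:
            if (method, template) not in observed:
                buckets["unused"].add((method, template))  # published but never called
    return {name: sorted(ops) for name, ops in buckets.items()}


if __name__ == "__main__":
    for name, ops in classify_traffic(PUBLISHED_SPEC, SAMPLE_LOG).items():
        print(f"{name}:")
        for method, path in ops:
            print(f"  {method:7}{path}")
```

On the constructed sample the audit flags three shadow operations (an old `/api/v0` debug path, an `/internal` path, and a DELETE on a path whose spec only registers GET), one deprecated operation still receiving traffic, and two published operations nobody calls. Each of those is a finding a gateway cannot produce from its own registry, and none of them is a signature a WAF would match; in practice the spec would be loaded from the published OpenAPI file and the log from the gateway, proxy or ingress controller, and a known path with an unregistered verb is worth treating as shadow rather than managed, since that verb never went through the registration review.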

Stronger API Security Posture with the Cequence Unified API Protection Solution

Made up of API Sentinel and API Spartan, the Cequence Unified API Protection Solution complements the security capabilities found in WAFs and API gateways with the most complete set of API security features available. It’s the only solution that unifies inline API threat prevention, holistic API discovery, inventory tracking, risk assessment and remediation with the following capabilities:

  • Continuous API Discovery and Visibility: The UAP integrates with a broad range of infrastructure components, including API gateways, proxies, load balancers, and ingress controllers, to deliver an end-to-end view of public-facing and internal APIs, including shadow, 3rd-party, and managed APIs. API Sentinel is the only solution that allows you to choose between either an inline or an API-based integration model, enabling you to either pull or push API metrics for ongoing risk assessment and threat analysis.
  • API Risk Assessment: Predefined and custom risk assessment rules help development and security teams uncover sensitive data usage errors and authentication misconfigurations that can lead to governance violations and system compromise. A specification comparison uncovers APIs that are non-conforming to published OpenAPI specifications. In addition, the UAP can automatically generate OpenAPI specifications for any existing APIs. Flexible alerting capabilities allow you to initiate update requests to the development team via Slack, PagerDuty, email, and other tools.
  • API Threat Detection: The UAP uses an agentless approach to detect and track automated attacks and business logic abuse on APIs, even as attackers retool to evade prevention efforts. It is powered by CQAI, our patented ML-based analytics engine, which detects the most sophisticated API attacks using a threat repository comprised of billions of threat behaviors, malicious IP addresses, and 3rd-party intelligence. Our CQ Prime threat research team continually curates the CQAI repository into hundreds of pre-defined rules that deliver out-of-the-box detection efficacy rates in the 98% accuracy range, with full protection enabled within 48 hours.
  • Natively Mitigate Threats in Real-time: The Cequence Unified API Protection solution is the only solution on the market that natively mitigates attacks in real-time, eliminating the delay and limited response options caused by reliance on 3rd-party tools to take action. Response options include blocking, rate limiting, geo-fencing, forwarding, and deception, a technique that allows you to mislead and deceive the bad actor into believing that their attacks have been successful.

Summary

Organizations are rapidly adopting an API-first development methodology because of the power, flexibility, and efficiency APIs deliver. The apps we use every day are all based on APIs, connecting back to compute resources located elsewhere — the cloud, the data center, or both. Unfortunately, threat actors love APIs for the same reasons that developers do. APIs are susceptible to a range of automated attacks and vulnerability exploits that can lead to data loss and system compromise. To protect existing and future APIs, organizations need to implement a forward-looking API security solution that complements the basic capabilities found in WAFs and API gateways. Organizations need to implement an API security solution that unifies runtime API visibility, security risk monitoring, and patented behavioral fingerprinting technology to consistently detect and protect against ever-evolving online attacks.

Capability                                Cequence UAP      Web Application Firewalls   API Gateways
API Discovery & Inventory
  Managed API discovery                   Yes               Limited                     Yes
  Unmanaged (shadow) API discovery        Yes               No                          No
  API usage analysis                      Yes               No                          Yes
  Assign/track API by owner               Yes               No                          Limited
API Risk Assessment & Categorization
  Data governance                         Yes               None                        None
  Weak/missing authentication             Yes               None                        None
  API specification conformance           Yes               None                        None
  Custom risk criteria                    Yes               None                        None
Threat Detection
  Threat database of billion+ records     Yes               No                          No
  Vulnerabilities                         Yes               Yes                         Yes
  Automated attacks                       Yes               Limited                     Limited
  Business logic abuse                    Yes               Limited                     None
Mitigation
  Native, real-time response              Yes               Yes                         Yes
  Block on IP address                     Yes               Yes                         Yes
  Block on behavioral fingerprint         Yes               No                          No
Response Options
  Geo-fencing                             Yes               Yes                         Yes
  Block                                   Yes               Yes                         Yes
  Rate limit                              Yes               Yes                         Yes
  Deception                               Yes               No                          No
  Forward to 3rd party                    Yes               No                          No

Table 1: Cequence Unified API Protection (UAP) solution capabilities compared with WAFs and API gateways.

Get a free API security assessment and discover a list of APIs not being covered by your existing WAF or API gateway.

Author

Matt Keil

Director of Product Marketing