Although APIs are one of the largest attack surfaces in companies today, there aren’t many good security tools to protect them. The few tools currently on the market are “enterprise” only; they require you to talk to a salesperson to use, or even see, the product.
We saw a need for an open-source solution that could be self-hosted and where you didn’t have to talk to a sales rep to see the product. So we started building an open-source API security tool with an MIT license that you can self-host, fork, and generally do whatever you want with. Since not everyone wants to self-host, we also built a hosted offering that you can get started with for free.
Our website is at https://metlo.com, repo is at https://github.com/metlo-labs/metlo. There’s a demo video here: https://www.loom.com/share/2c38c731cf044288995e5ee2566528a7. Check out our sandbox at https://demo.metlo.com (no email required). You can get started with our hosted service (in Beta) for free at https://app.metlo.com/signup (there’s an always free tier, and paid tier is not enforced yet) , or you can self-host by following the instructions at https://docs.metlo.com/docs/deploy-to-aws.
Our functionality can be divided into three areas – discovery (OSS), testing (OSS), and protection (closed source):
(1) Discovery: Metlo scans your API traffic and discovers all your public endpoints. This is especially useful for finding legacy, undocumented, and shadow endpoints your security team may not be aware of—a particularly nasty way to end up with vulnerabilities. We scan each endpoint for sensitive data (address, phone numbers, ssn, account info, etc) and assign it a risk score so you can instantly understand your highest-risk endpoints.
(2) Testing: Metlo runs a suite of automated tests against your API traffic and endpoints so you can find vulnerabilities before an attacker does. We find issues like unauthenticated endpoints returning sensitive data, no HSTS headers, PII in URL params, and many more. You can also write your own tests.
(3) Protection: Metlo analyzes ongoing traffic patterns and surfaces anomalous behavior so you can catch and shut down potential attacks in real-time. (This is not part of our open-source offering though.) Our ML Algorithms build a model for baseline API behavior and any deviation from this baseline is surfaced as soon as possible. Our UI gives you full context around any attack to help quickly fix the vulnerability.
We’ve tried to make it easy to set up and use Metlo (though deployment can still be easier and we’re working on making it so). You can self-host on AWS, GCP, etc. (should take <5 min to do it) or use our hosted service at https://app.metlo.com.
We make money by charging for our hosted service, protection features, multiple users, SAML/SSO, RBAC, audit logs, and support. As for pricing, here we’re a bit embarrassed because so far we have the dreaded “contact us” for our enterprise plan with some early pricing for others. That’s bad because, as mentioned, our goal is that you should never have to talk to a sales rep. However, we should have a “compare plans and pricing” page figured out in the next few months.
We look forward to hearing your feedback and ideas, and your experiences with API security, and are happy to answer any questions!
by Andrey
Azimov