Metlo (YC S21) – Open-source software for securing your APIs

Shri and Akshay here - we are building Metlo (https://github.com/metlo-labs/metlo), an open-source API security tool. Metlo works by discovering all your API endpoints, running security tests, and detecting potential attacks. It runs before your APIs go into production, and also in real time, alerting your security team when anomalous usage patterns are detected. Metlo secures your APIs against the OWASP Top 10 (broken auth, injection, excessive data exposure etc.) and more.

Although APIs are one of the largest attack surfaces in companies today, there aren’t many good security tools to protect them. The few tools currently on the market are “enterprise” only; they require you to talk to a salesperson to use, or even see, the product.

We saw a need for an open-source solution that could be self-hosted and where you didn’t have to talk to a sales rep to see the product. So we started building an open-source API security tool with an MIT license that you can self-host, fork, and generally do whatever you want with. Since not everyone wants to self-host, we also built a hosted offering that you can get started with for free.

Our website is at https://metlo.com, repo is at https://github.com/metlo-labs/metlo. There’s a demo video here: https://www.loom.com/share/2c38c731cf044288995e5ee2566528a7. Check out our sandbox at https://demo.metlo.com (no email required). You can get started with our hosted service (in Beta) for free at https://app.metlo.com/signup (there’s an always free tier, and paid tier is not enforced yet) , or you can self-host by following the instructions at https://docs.metlo.com/docs/deploy-to-aws.

Our functionality can be divided into three areas – discovery (OSS), testing (OSS), and protection (closed source):

(1) Discovery: Metlo scans your API traffic and discovers all your public endpoints. This is especially useful for finding legacy, undocumented, and shadow endpoints your security team may not be aware of—a particularly nasty way to end up with vulnerabilities. We scan each endpoint for sensitive data (address, phone numbers, ssn, account info, etc) and assign it a risk score so you can instantly understand your highest-risk endpoints.

(2) Testing: Metlo runs a suite of automated tests against your API traffic and endpoints so you can find vulnerabilities before an attacker does. We find issues like unauthenticated endpoints returning sensitive data, no HSTS headers, PII in URL params, and many more. You can also write your own tests.

(3) Protection: Metlo analyzes ongoing traffic patterns and surfaces anomalous behavior so you can catch and shut down potential attacks in real-time. (This is not part of our open-source offering though.) Our ML Algorithms build a model for baseline API behavior and any deviation from this baseline is surfaced as soon as possible. Our UI gives you full context around any attack to help quickly fix the vulnerability.

We’ve tried to make it easy to set up and use Metlo (though deployment can still be easier and we’re working on making it so). You can self-host on AWS, GCP, etc. (should take <5 min to do it) or use our hosted service at https://app.metlo.com.

We make money by charging for our hosted service, protection features, multiple users, SAML/SSO, RBAC, audit logs, and support. As for pricing, here we’re a bit embarrassed because so far we have the dreaded “contact us” for our enterprise plan with some early pricing for others. That’s bad because, as mentioned, our goal is that you should never have to talk to a sales rep. However, we should have a “compare plans and pricing” page figured out in the next few months.

We look forward to hearing your feedback and ideas, and your experiences with API security, and are happy to answer any questions!



Get Top 5 Posts of the Week



best of all time best of today best of yesterday best of this week best of this month best of last month best of this year best of 2023 best of 2022 yc s24 yc w24 yc s23 yc w23 yc s22 yc w22 yc s21 yc w21 yc s20 yc w20 yc s19 yc w19 yc s18 yc w18 yc all-time 3d algorithms animation android [ai] artificial-intelligence api augmented-reality big data bitcoin blockchain book bootstrap bot css c chart chess chrome extension cli command line compiler crypto covid-19 cryptography data deep learning elexir ether excel framework game git go html ios iphone java js javascript jobs kubernetes learn linux lisp mac machine-learning most successful neural net nft node optimisation parser performance privacy python raspberry pi react retro review my ruby rust saas scraper security sql tensor flow terminal travel virtual reality visualisation vue windows web3 young talents


andrey azimov by Andrey Azimov