Radware unveils cloud service for unified API security

Radware has launched an API Security Service that combines API discovery, posture management, and runtime protection in a single cloud-based offering.

The service monitors live production traffic rather than relying only on static analysis. It targets risks in the OWASP Top 10 API Security Risks list and includes protection against application-layer distributed denial-of-service attacks on API endpoints.

APIs have become a primary interface for modern applications and digital services, but they also expand organisations' attack surfaces by exposing business functions, identity flows, and integrations to external networks.

Security teams often struggle with incomplete API inventories and limited visibility into production use. This can leave shadow APIs outside governance controls and third-party connections without consistent monitoring. It can also make it harder to spot business logic attacks that abuse legitimate functions rather than exploiting a technical vulnerability.

Radware says the service continuously analyses real traffic to assess API risk based on observed behaviour. It is also positioned as a way to reduce alert noise and speed incident response.

"APIs are dynamic, business-critical, and increasingly targeted-but most security approaches are still static," said Haim Zelikovsky, vice president of cloud security business at Radware.

Unified approach

The platform brings together capabilities that organisations often buy and manage separately, including API discovery, posture management, analytics, and active defence.

For discovery, it continuously identifies APIs in use across environments, including undocumented APIs and those exposed through third-party integrations. Customers can view inventories, schemas, usage patterns, and workflows through the service.

For posture management, it analyses live traffic to identify operational risks and prioritises remediation based on threats seen in production. Radware says the prioritisation also considers attacker intent.

The business logic component maps API workflows and monitors for misuse patterns. Radware says it can detect and block business logic attacks at runtime.

For runtime protection, the service covers common API attack categories, including automated abuse and bot-driven traffic. Radware says it also protects against embedded and client-side threats. The DDoS component covers HTTPS floods and other application-layer traffic patterns that can overwhelm API endpoints.

Operational fit

The service is aimed at CISOs, security operations teams, and DevSecOps groups that need consolidated visibility and controls across API estates. It includes a single portal for development and security teams to manage findings and response actions.

Radware positions the portal as a way to simplify collaboration between development, security, and DevSecOps teams, and says the service supports regulatory requirements through unified reporting and management workflows.

The service also includes AI-driven detection intended to reduce false positives. Radware says it uses adaptive, behaviour-based techniques designed to avoid disrupting legitimate API traffic during high-volume events.

Reducing operational friction is a growing theme in the API security market as organisations deploy more services and expose more endpoints across hybrid and multi-cloud environments. Security teams often face trade-offs between visibility, response speed, and the overhead of maintaining separate tools for discovery, testing, monitoring, and enforcement.

Radware is offering the API Security Service as a standalone product and as part of its wider application security and management portfolio.

"Radware's API Security Service redefines API protection by continuously analyzing real traffic to identify real risk, automatically block real attacks, and help organizations reduce noise, shorten MTTR, and meet regulatory requirements with confidence," said Zelikovsky.