Content of Figures
- Figure 1 API Lifecycle
- Figure 2 The Scope of API Security
- Figure 3 The Overall Leadership rating for the API Management and Security market segment
- Figure 4 Product Leaders in the API Management and Security segment
- Figure 5 Innovation Leaders in the API Management and Security segment
- Figure 6 Market Leaders in the API Management and Security segment
- Figure 7 The Market / Product Matrix
- Figure 8 The Product / Innovation Matrix
- Figure 9 The Innovation/Market Matrix
1 Introduction / Executive Summary
From what used to be a purely technical concept created to make developers' lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere -- in homes and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing of the Internet of Things.
As companies are struggling to maintain their business agility, to react to the ever-changing market demands and technology landscapes, the need to deliver a new application or service to customers as quickly as possible often trumps all other considerations. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight RESTful APIs, which are commonly used today.
The rapid adoption of REST APIs also coincided with the exponential growth of cloud computing and mobile device proliferation, where they were the perfect medium to enable integrations between these heterogeneous systems and facilitate data exchange on a massive scale. In a world where digital information is one of the "crown jewels" of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring, or a multitude of other purposes.
When the previous edition of our Leadership Compass was published in 2019, our research indicated the growing awareness of the critical role of security in API management solutions, representing a massive change since our first edition back in 2015. Fast forward 18 months and we can clearly see that the tempo of the API market evolution is only increasing.
Perhaps the most notable trend is the rapid expansion of the scope of both modern API management and API security solutions. Nowadays, API gateways for publishing REST API endpoints can certainly already be considered "legacy products". New API technologies, like GraphQL or gRPC, have grown from research projects into widely adopted solutions for specific use cases, where they provide much better flexibility or performance than REST APIs. Modern loosely coupled cloud-native application architectures demand API management solutions that can handle complicated traffic patterns and deal with ephemeral container-based infrastructures.
These trends not only reshape the basic capabilities of modern API management platforms (for example, enforcing API quotas with rate limiting simply does not work for GraphQL APIs, where requests to the same endpoint can vary in size and complexity), they redefine the scope of API security solutions as well. In a sense, we can already observe the same developments within API security that we've seen on a larger scale for cybersecurity as a whole: with too many different types of infrastructure that need protecting, the overall complexity of security solutions grows exponentially.
Some vendors are already promoting alternative approaches towards API security, which are more data-centric and proactive in nature than traditional infrastructure monitoring and security analytics. This might sound controversial, but one potential scenario for the future development of the API security market is that it will evolve into multiple specialized types of security capabilities which will be integrated with other existing areas of cybersecurity -- for example, into XDR security analytics platforms or integrated data protection or application security solutions.
Because of these ongoing developments, some of the ratings presented in this Leadership Compass might deviate somewhat from the previous edition. This by no means indicates that some of the solutions covered in our rating have suddenly become less functionally capable -- it is the market that has evolved, and some of the existing capabilities simply no longer align with the modern requirements. We will, of course, continue to follow the latest developments in the field of API security in our future publications as well.
In the meantime, our general recommendation for customers remains the same: neither API management nor API security should be considered a standalone, isolated component of your IT infrastructure. On the contrary, choosing the right product should be a part of a comprehensive strategy that covers such aspects as application development and operations, data protection, and regulatory compliance.
Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams, and with smart, risk-based, and actionable automation for security analysts, can one ensure consistent management, governance, and security of corporate APIs and thus the continuity of the business processes that depend on them.
Both API management and API security market segments continue to evolve and grow, driven by a massive increase in API adoption, as well as by an o ...
1.2 Market Segment
We have long recognized the API Economy as one of the most important current IT trends. Rapidly growing demand for exposing and consuming APIs, which ...
It is therefore obvious that point solutions addressing specific links in this chain are not viable in the long term, and KuppingerCole's analysis is ...
Although the current state of API management and security market is radically different from the situation just a few years ago, and the overall devel ...
1.3 Delivery Models
Since most of the solutions covered in our rating are designed to provide management and protection for APIs regardless of where they are deployed -- ...
1.4 Required Capabilities
We are looking for solutions that cover at least several of the following key functional areas, either focusing on more traditional API management or ...
Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Compass. The Compass provides a compa ...
2.1 Overall Leadership
The Overall Leadership rating provides a consolidated view of all-around functionality, market presence, and financial security. However, these vendor ...
2.2 Product Leadership
The first of the three specific Leadership ratings is about Product leadership. This view is mainly based on the analysis of product/service feature ...
Most large vendors mentioned earlier are present in the Leaders segment, including Apigee, Axway, Broadcom, Imperva, Perforce, Red Hat, and WSO2. Howe ...
2.3 Innovation Leadership
Next, we examine Innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require ...
Innovation Leaders (in alphabetical order):
Airlock by Ergon
2.4 Market Leadership
Finally, we analyze Market Leadership. This is an amalgamation of the number of customers and their geographic distribution, the size of deployment ...
Please note that this rating does not reflect the overall market presence of large vendors but is only limited to the market shares of their respectiv ...
3 Correlated View
While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader but for a vendor ...
3.1 The Market/Product Matrix
The first of these correlated views contrasts Product Leadership and Market Leadership.
Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of "overperfor ...
3.2 The Product/Innovation Matrix
This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...
Here, we see a rather low correlation between the product and innovation ratings, with many vendors being far from the dotted line. This is a strong i ...
3.3 The Innovation/Market Matrix
The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...
Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to inn ...
4 Products and Vendors at a Glance
This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on API Management and Security ...
Table 1: Comparative overview of the ratings for the product capabilities
In addition, we provide in Table 2 an overview which also contains four ad ...
5 Product/Vendor evaluation
This section contains a quick rating for every product/service we've included in this KuppingerCole Leadership Compass document. For many of the produ ...
42Crunch is a privately held API security startup company with offices in Dublin, Ireland, Montpellier, France, and Irvine, CA. Founded in 2016, the c ...
5.2 Airlock by Ergon
Ergon is a Swiss-based company established in 1984 with customers primarily in the DACH region and is also growing across EMEA and the APAC regions. T ...
Axway, founded in 2001, is a global software company headquartered in Phoenix, Arizona, USA. The company offers a broad portfolio of solutions for sec ...
5.4 Broadcom Inc.
The Layer7 brand dates back to 2002, when Layer7 Technologies, one of the pioneering API management vendors, was founded in Vancouver, Canada. Over the ...
5.5 Cequence Security
Cequence Security is a cybersecurity company headquartered in Sunnyvale, California. Founded in 2015 by a group of security industry veterans previous ...
Cloudentity is a privately held identity, authorization and governance company headquartered in Seattle, WA. Cloudentity was formed in 2016, focusing ...
Curity is a provider of API-driven identity management solutions based in Stockholm, Sweden. Launched in 2015, the company is focusing on providing id ...
5.8 Forum Systems
Forum Systems is a privately held independent engineering company based in Needham, MA. Founded in 2001, the company provides gateway-based solutions ...
5.9 Google Apigee
Apigee is a product offered by Google Cloud, headquartered in Mountain View, CA. Apigee provides a full lifecycle API management solution including ad ...
5.10 Imperva (was acquired by Thoma Bravo)
Imperva is an American cybersecurity solution company headquartered in Redwood Shores, California. Back in 2002, the company's first product was a web ...
Nevatech is a privately-owned software company based in Atlanta, GA. Founded in 2011, the company provides SOA and API management infrastructure and t ...
5.12 Perforce Akana
Perforce is one of the leading providers of software lifecycle management tools, headquartered in Minneapolis, Minnesota. Established in 1995, the com ...
5.13 Ping Identity
Ping Identity is a publicly traded software company headquartered in Denver, CO. Founded in 2002, the company has grown into one of the leading provid ...
5.14 Red Hat
Red Hat® is a multinational software company that develops enterprise open-source solutions, including cloud, infrastructure, application development ...
5.15 Salt Security
Salt Security is a privately held API security startup company based in Palo Alto, CA. Founded in 2016 by alumni of the Israeli Defense Force, the com ...
Sensedia is an API management company headquartered in Campinas, Brazil. Founded in 2007, the company provides a full-featured API management platform ...
5.17 Spherical Defense
Spherical Defense is a British security startup company based in London. Founded in 2017, the company is developing an innovative application security ...
Traceable is an application security startup based in San Francisco, California. Established in 2019 by veterans of the application performance monito ...
WSO2 is a global application development company based in the US, UK, and Sri Lanka. Founded in 2005, the company offers a wide array of open-source s ...
Citrix Systems is a multinational software company that provides solutions for digital workspace, application delivery and security, and cloud service ...
6.2 Data Theorem
Data Theorem is a company specializing in application security solutions. Founded in 2013 and based in Palo Alto, CA, the company offers a range of au ...
Kong Inc. is a privately held company headquartered in San Francisco, CA. Founded in 2017 and backed by investors like Jeff Bezos of Amazon and Eric S ...
MuleSoft is another veteran player in the API management market. Founded in 2006 in San Francisco, CA, MuleSoft has been focusing on providing a unifi ...
6.5 TIBCO Cloud Mashery
TIBCO Software is a leading provider of integration, analytics, and event processing solutions. Founded in 1997 as The Information Bus Company, TIBCO ...
Tyk Technologies Ltd is a privately held company with sales offices located in London, Singapore, and Atlanta. Since 2015, it has been the primary for ...
Wallarm is an application security startup company based in San Francisco, CA. Founded in 2014, Wallarm develops an AI-powered application security pl ...
As a major cloud service provider whose cloud infrastructure is utilized by thousands of customers to develop and host their business services, applic ...
6.9 IBM Cloud
As an integral part of IBM Cloud, the company offers its own API Connect platform for managing and securing APIs across multiple clouds. API Connect i ...
6.10 Microsoft Azure
Microsoft's Azure cloud platform offers API management capabilities as well, with an API Gateway and Developer Portal being the key services that powe ...
6.11 Oracle Cloud
To support developers during the API design phase, Oracle's offering incorporates the API Flow platform from Apiary, offering visual tools and guidanc ...