KuppingerCole Report
Leadership Compass
By Alexei Balaganski

API Management and Security

This Leadership Compass provides an overview of the market for API management and security solutions along with recommendations and guidance for finding the products which address your requirements most efficiently. We examine the complexity and breadth of the challenges to discover, monitor, and secure all APIs within your enterprise and identify the vendors, their products, services, and innovative approaches towards implementing consistent governance and security along the whole API lifecycle.

1 Introduction / Executive Summary

From what used to be a purely technical concept created to make developers' lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere -- in homes and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing of the Internet of Things.

As companies are struggling to maintain their business agility, to react to the ever-changing market demands and technology landscapes, the need to deliver a new application or service to customers as quickly as possible often trumps all other considerations. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight RESTful APIs, which are commonly used today.

The rapid adoption of REST APIs also coincided with the exponential growth of cloud computing and mobile device proliferation, where they were the perfect medium to enable integrations between these heterogeneous systems and facilitate data exchange on a massive scale. In a world where digital information is one of the "crown jewels" of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring, or a multitude of other purposes.

When the previous edition of our Leadership Compass was published in 2019, our research indicated the growing awareness of the critical role of security in API management solutions, representing a massive change since our first edition back in 2015. Fast forward 18 months and we can clearly see that the tempo of the API market evolution is only increasing.

Perhaps the most notable trend is the rapid expansion of the scope of both modern API management and API security solutions. Nowadays, API gateways for publishing REST API endpoints can certainly already be considered "legacy products". New API technologies, like GraphQL or gRPC, have grown from research projects into widely adopted solutions for specific use cases, where they provide much better flexibility or performance than REST APIs. Modern loosely coupled cloud-native application architectures demand API management solutions that can handle complicated traffic patterns and deal with ephemeral container-based infrastructures.

These trends not only reshape the basic capabilities of modern API management platforms (for example, enforcing API quotas with rate limiting simply does not work for GraphQL APIs, where requests to the same endpoint can vary in size and complexity), they redefine the scope of API security solutions as well. In a sense, we can already observe the same developments within API security that we've seen on a larger scale for cybersecurity as a whole: with too many different types of infrastructure that need protecting, the overall complexity of security solutions grows exponentially.

Some vendors are already promoting alternative approaches towards API security, which are more data-centric and proactive in nature than traditional infrastructure monitoring and security analytics. This might sound controversial, but one potential scenario for the future development of the API security market is that it will evolve into multiple specialized types of security capabilities which will be integrated with other existing areas of cybersecurity -- for example, into XDR security analytics platforms or integrated data protection or application security solutions.

Because of these ongoing developments, some of the ratings presented in this Leadership Compass might deviate somewhat from the previous edition. This by no means indicates that some of the solutions covered in our rating have suddenly become less functionally capable -- it is the market that has evolved, and some of the existing capabilities simply no longer align with the modern requirements. We will, of course, continue to follow the latest developments in the field of API security in our future publications as well.

In the meantime, our general recommendation for customers remains the same: neither API management nor API security should be considered a standalone, isolated component of your IT infrastructure. On the contrary, choosing the right product should be a part of a comprehensive strategy that covers such aspects as application development and operations, data protection, and regulatory compliance.

Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams and smart, risk-based, and actionable automation for security analysts can one ensure consistent management, governance, and security of corporate APIs and thus the continuity of the business processes that depend on them.

1.1 Highlights

  • Both API management and API security market segments continue to evolve and grow, driven by a massive increase in API adoption, as well as by an o ...

1.2 Market Segment

We have long recognized the API Economy as one of the most important current IT trends. Rapidly growing demand for exposing and consuming APIs, which ...

It is therefore obvious that point solutions addressing specific links in this chain are not viable in the long term, and KuppingerCole's analysis is ...

Although the current state of API management and security market is radically different from the situation just a few years ago, and the overall devel ...

1.3 Delivery Models

Since most of the solutions covered in our rating are designed to provide management and protection for APIs regardless of where they are deployed -- ...

1.4 Required Capabilities

We are looking for solutions that cover at least several of the following key functional areas, either focusing on more traditional API management or ...

2 Leadership

Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Compass. The Compass provides a compa ...

2.1 Overall Leadership

The Overall Leadership rating provides a consolidated view of all-around functionality, market presence, and financial security. However, these vendor ...

2.2 Product Leadership

The first of the three specific Leadership ratings is about Product leadership. This view is mainly based on the analysis of product/service feature ...

Most large vendors mentioned earlier are present in the Leaders segment, including Apigee, Axway, Broadcom, Imperva, Perforce, Red Hat, and WSO2. Howe ...

2.3 Innovation Leadership

Next, we examine Innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require ...

Innovation Leaders (in alphabetical order):

  • 42crunch

  • Airlock by Ergon

  • Axway

  • Broadcom

  • Cequence Security

  • Cloudentity ...

2.4 Market Leadership

Finally, we analyze Market Leadership. This is an amalgamation of the number of customers and their geographic distribution, the size of deployment ...

Please note that this rating does not reflect the overall market presence of large vendors but is only limited to the market shares of their respectiv ...

3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader but for a vendor ...

3.1 The Market/Product Matrix

The first of these correlated views contrasts Product Leadership and Market Leadership.

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of "overperfor ...

3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...

Here, we see a rather low correlation between the product and innovation ratings, with many vendors being far from the dotted line. This is a strong i ...

3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...

Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to inn ...

4 Products and Vendors at a Glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on API Management and Security ...

Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four ad ...

Table 2: Comparative overview of the ratings for vendors

5 Product/Vendor evaluation

This section contains a quick rating for every product/service we've included in this KuppingerCole Leadership Compass document. For many of the produ ...

5.1 42Crunch

42Crunch is a privately held API security startup company with offices in Dublin, Ireland, Montpellier, France, and Irvine, CA. Founded in 2016, the c ...

5.2 Airlock by Ergon

Ergon is a Swiss-based company established in 1984 with customers primarily in the DACH region and is also growing across EMEA and the APAC regions. T ...

5.3 Axway

Axway, founded in 2001, is a global software company headquartered in Phoenix, Arizona, USA. The company offers a broad portfolio of solutions for sec ...

5.4 Broadcom Inc.

The Layer7 brand dates back to 2002, when Layer7 Technologies, one of the pioneering API management vendors, was founded in Vancouver, Canada. Over the ...

5.5 Cequence Security

Cequence Security is a cybersecurity company headquartered in Sunnyvale, California. Founded in 2015 by a group of security industry veterans previous ...

5.6 Cloudentity

Cloudentity is a privately held identity, authorization and governance company headquartered in Seattle, WA. Cloudentity was formed in 2016, focusing ...

5.7 Curity

Curity is a provider of API-driven identity management solutions based in Stockholm, Sweden. Launched in 2015, the company is focusing on providing id ...

5.8 Forum Systems

Forum Systems is a privately held independent engineering company based in Needham, MA. Founded in 2001, the company provides gateway-based solutions ...

5.9 Google Apigee

Apigee is a product offered by Google Cloud, headquartered in Mountain View, CA. Apigee provides a full lifecycle API management solution including ad ...

5.10 Imperva (was acquired by Thoma Bravo)

Imperva is an American cybersecurity solution company headquartered in Redwood Shores, California. Back in 2002, the company's first product was a web ...

5.11 Nevatech

Nevatech is a privately-owned software company based in Atlanta, GA. Founded in 2011, the company provides SOA and API management infrastructure and t ...

5.12 Perforce Akana

Perforce is one of the leading providers of software lifecycle management tools, headquartered in Minneapolis, Minnesota. Established in 1995, the com ...

5.13 Ping Identity

Ping Identity is a publicly traded software company headquartered in Denver, CO. Founded in 2002, the company has grown into one of the leading provid ...

5.14 Red Hat

Red Hat® is a multinational software company that develops enterprise open-source solutions, including cloud, infrastructure, application development ...

5.15 Salt Security

Salt Security is a privately held API security startup company based in Palo Alto, CA. Founded in 2016 by alumni of the Israeli Defense Force, the com ...

5.16 Sensedia

Sensedia is an API management company headquartered in Campinas, Brazil. Founded in 2007, the company provides a full-featured API management platform ...

5.17 Spherical Defense

Spherical Defense is a British security startup company based in London. Founded in 2017, the company is developing an innovative application security ...

5.18 Traceable

Traceable is an application security startup based in San Francisco, California. Established in 2019 by veterans of the application performance monito ...

5.19 WSO2

WSO2 is a global application development company based in the US, UK, and Sri Lanka. Founded in 2005, the company offers a wide array of open-source s ...

6 Vendors to Watch

6.1 Citrix

Citrix Systems is a multinational software company that provides solutions for digital workspace, application delivery and security, and cloud service ...

6.2 Data Theorem

Data Theorem is a company specializing in application security solutions. Founded in 2013 and based in Palo Alto, CA, the company offers a range of au ...

6.3 Kong

Kong Inc. is a privately held company headquartered in San Francisco, CA. Founded in 2017 and backed by investors like Jeff Bezos of Amazon and Eric S ...

6.4 MuleSoft

MuleSoft is another veteran player in the API management market. Founded in 2006 in San Francisco, CA, MuleSoft has been focusing on providing a unifi ...

6.5 TIBCO Cloud Mashery

TIBCO Software is a leading provider of integration, analytics, and event processing solutions. Founded in 1997 as The Information Bus Company, TIBCO ...

6.6 Tyk

Tyk Technologies Ltd is a privately held company with sales offices located in London, Singapore, and Atlanta. Since 2015, it has been the primary for ...

6.7 Wallarm

Wallarm is an application security startup company based in San Francisco, CA. Founded in 2014, Wallarm develops an AI-powered application security pl ...

6.8 AWS

As a major cloud service provider whose cloud infrastructure is utilized by thousands of customers to develop and host their business services, applic ...

6.9 IBM Cloud

As an integral part of IBM Cloud, the company offers its own API Connect platform for managing and securing APIs across multiple clouds. API Connect i ...

6.10 Microsoft Azure

Microsoft's Azure cloud platform offers API management capabilities as well, with an API Gateway and Developer Portal being the key services that powe ...

6.11 Oracle Cloud

To support developers during the API design phase, Oracle's offering incorporates the API Flow platform from Apiary, offering visual tools and guidanc ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.