
Traceable Application & API Security Platform

by Traceable by Harness

WAFPlanet Rating: 4.2

AI-powered API security platform combining WAF/WAAP, automated API discovery, security testing, and bot protection with runtime defense across any environment.

Company: Traceable by Harness
Pricing: Enterprise subscription (custom pricing)
Founded: 2020

Overview

Traceable is an application and API security platform that combines cloud-native WAAP (Web Application and API Protection), automated API discovery and risk assessment, and proactive API security testing (AST) in one product. Founded as a standalone API security company in 2020, it merged with Harness in 2025 and now serves as the security layer of Harness's DevSecOps platform.

Unlike traditional WAFs that were built for web traffic and retrofitted for APIs, Traceable was designed for APIs from the start. It discovers every API in an environment by observing production traffic, covering REST, GraphQL, gRPC, SOAP, and WebSocket endpoints, and flags the shadow, zombie, and orphaned endpoints that perimeter tools tend to miss.

Deployment is flexible: an agentless SaaS edge (DNS-based), inline agents for NGINX, Apigee, and other API gateways, or out-of-band traffic mirroring. It can also run alongside an existing WAF such as AWS WAF or Cloudflare, pushing blocking rules from its own API analysis rather than replacing the edge. Because one platform handles discovery, test generation from real traffic, and runtime blocking with behavioral ML models, detection tracks changes to your APIs instead of relying on static signatures.

Ratings Breakdown

Ease of Use 3.8/5
Value for Money 3.5/5
Customer Support 4.0/5
Features 4.6/5

Key Features

API Discovery & Posture Management

Automatically discovers every API from live production traffic, including REST, GraphQL, gRPC, SOAP, and WebSocket endpoints. Identifies shadow, zombie, and orphaned APIs with continuous risk assessment.

Runtime WAAP Protection

Cloud-native WAF and API protection against OWASP Top 10, OWASP API Top 10, SQL injection, XSS, and application-layer attacks with behavioral ML detection.

API Security Testing (AST)

Zero-config security tests generated from real and replayed traffic. Integrated with CI/CD pipelines for automated pre-production vulnerability discovery. Because tests are generated only for endpoints seen in traffic, inactive endpoints add no noise.

Bot Protection

Advanced bot detection using behavioral analysis, volumetric detection, browser/device anomaly detection, and custom policies. Distinguishes legitimate bots from malicious automation.

DDoS Protection

Mitigates large-scale traffic floods and application-layer DDoS attacks with rate limiting and anomaly-based detection.

Sensitive Data Discovery

Automatically identifies API endpoints handling sensitive data (PII, financial, regulated) without appropriate authentication or zero-trust policies.

AI-Powered Insights

AI chatbot for natural-language queries about APIs, threats, and exposures. AI explains detected issues, assesses severity, and recommends remediation in developer-friendly language.

WAF Integration

Integrates with existing WAFs (AWS WAF, Cloudflare) to add API context and advanced threat detection without replacing your current security stack.

Pros & Cons

Pros

  • API-first architecture

    Built for API security from the ground up, not retrofitted from a web-focused WAF. Natively understands REST, GraphQL, gRPC, and other API protocols.

  • Unified platform

    Combines discovery, testing, and runtime protection in one platform. Closed-loop workflows from discovery to testing to blocking reduce tool sprawl.

  • Multiple deployment options

    Agentless edge, inline agents, out-of-band mirroring, or language agents. Works without modifying existing infrastructure.

  • AI-powered detection

    Behavioral ML models reduce false positives compared to signature-based WAFs. AI-driven explanations help teams understand and respond to threats faster.

  • Harness integration

    Post-merger with Harness, integrates security across the entire SDLC from code to production with native CI/CD pipeline integration.

  • WAF-agnostic

    Can work alongside existing WAFs instead of replacing them. Adds API context and behavioral detection to Cloudflare, AWS WAF, or any other WAF.

Cons

  • No public pricing

    Enterprise-only with custom pricing. No self-serve plans or free tier available for smaller teams.

  • Overkill for simple web apps

    API-first focus means traditional web applications may not fully utilize the platform's capabilities. Overkill for simple static sites.

  • Complex deployment at scale

    Multi-agent architecture (Platform Agent + Tracing Agents) requires planning for large distributed deployments.

  • Newer than established WAFs

    Founded in 2020, so less battle-tested than legacy WAF vendors with decades of deployment history.

  • Harness dependency uncertainty

    Recent merger with Harness means product direction and standalone identity may shift over time.

Pricing

Pricing model: Enterprise subscription (custom pricing)

Enterprise

Custom pricing

Full platform with all capabilities

  • API discovery and posture management
  • Application and API Protection (WAAP)
  • API security testing (AST)
  • Bot protection
  • DDoS protection
  • AI-driven threat analysis
  • CI/CD integration
  • Premium support

Our Verdict

Traceable represents a new generation of API security platforms that go beyond what traditional WAFs can offer. By combining API discovery, proactive security testing, and runtime protection in a single platform, it addresses the full lifecycle of API security rather than just blocking attacks at the perimeter.

The platform shines in API-heavy environments where traditional WAFs struggle with false positives and limited API protocol support. The AI-powered detection and explanations are genuinely useful for reducing alert fatigue. The multiple deployment options (especially the agentless edge and out-of-band mirroring) make it flexible enough for different infrastructure setups.

The main barriers are the lack of public pricing and the enterprise-only focus. Smaller teams or those with simple web applications will find better value in traditional WAFs. The recent Harness merger adds uncertainty about long-term product direction, though the integration story is compelling for organizations already using Harness for CI/CD.

Our verdict: Best-in-class for API-first organizations that need integrated discovery, testing, and runtime protection. A strong choice for enterprises with complex API ecosystems and DevSecOps maturity. Overkill and overpriced for simple use cases.

CVE Coverage

Traceable Application & API Security Platform can detect and block attacks matching 105K+ known CVEs based on its supported rule sets.

Critical: 13K+
High: 25K+
Medium: 44K+
Low: 1.7K+

Coverage by Attack Type

[Chart: CVE counts per attack type, ranging from 19K+ down to 1.2K+ CVEs; the attack-type labels did not survive extraction except "Open Redirect (Medium)".]

Latest Blockable CVEs

CVE Severity
CVE-2026-49294 UNKNOWN
CVE-2026-20262 MEDIUM
CVE-2026-9863 UNKNOWN
CVE-2026-9862 UNKNOWN
CVE-2025-15659 UNKNOWN
CVE-2025-15658 UNKNOWN
CVE-2026-52704 UNKNOWN
CVE-2019-25746 HIGH
CVE-2018-25436 CRITICAL
CVE-2016-20084 HIGH

Frequently Asked Questions

How is Traceable different from a traditional WAF?

Traditional WAFs were designed for web traffic (HTML pages, forms, cookies) and retrofitted for APIs. Traceable was built API-first from day one, with native understanding of REST, GraphQL, gRPC, SOAP, and WebSocket protocols. It also combines runtime protection with API discovery and proactive security testing, giving you a complete API security platform rather than just a blocking engine.

Traditional WAFs detect attacks using signatures and rules (like the OWASP Core Rule Set). Traceable uses behavioral ML models that learn what normal API traffic looks like and detect anomalies. This means fewer false positives for API-specific attacks like broken authentication, excessive data exposure, or business logic abuse.

Does Traceable replace my existing WAF?

Not necessarily. Traceable can replace your WAF if you use its Edge deployment (agentless DNS-based protection) or inline agents. But it can also work alongside your existing WAF by adding API context and advanced threat detection. Traceable integrates directly with AWS WAF and Cloudflare to push blocking rules based on its API analysis, letting you keep your existing edge WAF while adding API-specific protection.

What deployment options does Traceable offer?

Traceable offers three main deployment models:

  • Edge (Agentless): Route traffic through Traceable via DNS change or CDN configuration. No agents to install, fully managed SaaS.
  • Inline Agent: Deploy agents with NGINX, Apigee, Kong, or other API gateways for real-time inspection and blocking. Also available as language agents (Java, Go, Python, Node.js) that instrument your application code.
  • Out-of-Band: Traffic mirroring via eBPF, AWS mirroring, or log-based analysis. No performance impact but detection-only (no inline blocking).

On-prem deployment is also available for organizations with data residency requirements.

Does Traceable support OWASP Core Rule Set or signature-based detection?

Traceable primarily uses behavioral ML and anomaly detection rather than signature-based CRS rules. This means it can detect novel attacks and zero-day exploits that signature-based WAFs might miss. However, it also includes coverage for OWASP Top 10 and OWASP API Top 10 vulnerabilities through its combined detection engine.

For organizations that need signature-based rules alongside ML detection, Traceable can integrate with existing WAFs like AWS WAF or Cloudflare that use CRS-based detection. This gives you both approaches without choosing one over the other.
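To make the contrast drawn in the two FAQ answers above concrete (signature rules that inspect payload content versus a behavioral baseline that learns what normal traffic looks like per endpoint), here is a small added example. It is illustrative code written for this page, not Traceable's model or the OWASP Core Rule Set: the regexes are simplified stand-ins for CRS-style rules, the `EndpointBaseline` class is a toy z-score baseline rather than an ML model, and all traffic records (`TRAINING`, `LIVE`, the routes and user names) are constructed. It shows why a clean-looking request that returns 100x the usual data, an id-walking client, or a call to an endpoint never seen before is invisible to the signature detector but caught by the baseline.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# ---- 1. Signature matching: how a CRS-style rule looks at a request ----------
# Simplified patterns written for this example; NOT the OWASP Core Rule Set.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
}

def signature_hits(request):
    """Names of signatures that match the request's query string or body."""
    text = request["query"] + " " + request["body"]
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

# ---- 2. Behavioral baseline: learn per endpoint what normal looks like -------
class EndpointBaseline:
    """Toy stand-in for a behavioral model (assumption: not Traceable's). Per
    route it learns the usual number of records returned and how many distinct
    object ids one principal normally touches; unseen routes are flagged."""

    def __init__(self, z_threshold=3.0):
        self.z = z_threshold
        self.records_baseline = {}  # route -> (mean, stdev) of records returned
        self.ids_baseline = {}      # route -> (mean, stdev) of distinct ids per user

    def learn(self, requests):
        records, ids_per_user = defaultdict(list), defaultdict(set)
        for r in requests:
            records[r["route"]].append(r["records"])
            if r["object_id"] is not None:
                ids_per_user[(r["route"], r["user"])].add(r["object_id"])
        for route, vals in records.items():
            self.records_baseline[route] = (mean(vals), pstdev(vals))
        counts = defaultdict(list)
        for (route, _user), ids in ids_per_user.items():
            counts[route].append(len(ids))
        for route, vals in counts.items():
            self.ids_baseline[route] = (mean(vals), pstdev(vals))

    def anomalies(self, r, seen_ids):
        """Labels for one live request; seen_ids accumulates ids per (route, user)
        over the evaluation window so enumeration is caught as it builds up."""
        labels, route = [], r["route"]
        if route not in self.records_baseline:
            return ["anomaly:unseen_endpoint"]
        m, sd = self.records_baseline[route]
        # one-sided: only *more* data than usual is suspicious (stdev floored at 1)
        if (r["records"] - m) / max(sd, 1.0) > self.z:
            labels.append("anomaly:excessive_data_exposure")
        if r["object_id"] is not None and route in self.ids_baseline:
            seen_ids[(route, r["user"])].add(r["object_id"])
            m, sd = self.ids_baseline[route]
            if len(seen_ids[(route, r["user"])]) > m + self.z * max(sd, 1.0):
                labels.append("anomaly:object_id_enumeration")
        return labels

def analyze(baseline, requests):
    """Run both detectors over a window; returns [(index, [labels...]), ...]."""
    seen_ids, findings = defaultdict(set), []
    for i, r in enumerate(requests):
        labels = ["signature:" + s for s in signature_hits(r)]
        labels += baseline.anomalies(r, seen_ids)
        if labels:
            findings.append((i, labels))
    return findings

# ---- Constructed sample traffic (not real data) ------------------------------
def req(user, route, object_id=None, records=1, query="", body=""):
    return {"user": user, "route": route, "object_id": object_id,
            "records": records, "query": query, "body": body}

TRAINING = (
    [req("alice", "GET /api/orders", records=n) for n in (5, 4, 6, 5, 5)]
    + [req("bob", "GET /api/orders", records=n) for n in (4, 5, 6, 5, 5)]
    + [req("alice", "GET /api/users/{id}", object_id=i) for i in (101, 102)]
    + [req("bob", "GET /api/users/{id}", object_id=i) for i in (201, 202, 203)]
    + [req("carol", "GET /api/users/{id}", object_id=301)]
)

LIVE = [
    req("mallory", "GET /api/orders", records=0, query="id=1' or '1'='1"),  # signature catches
    req("alice", "GET /api/orders", records=5),                              # normal
    req("dave", "GET /api/orders", records=500),   # clean payload, 100x the usual data
    req("frank", "DELETE /api/admin/users", records=0),                      # never seen in training
] + [req("eve", "GET /api/users/{id}", object_id=i) for i in range(401, 421)]  # id walking

if __name__ == "__main__":
    baseline = EndpointBaseline()
    baseline.learn(TRAINING)
    for index, labels in analyze(baseline, LIVE):
        r = LIVE[index]
        print(f"#{index:02d} {r['user']:8s} {r['route']:24s} {', '.join(labels)}")
```

Running it, only the first live request trips a signature; the oversized response, the unseen admin route, and eve's id walk (from her sixth distinct id onward) are reported by the baseline alone. The trade-off the FAQ describes is visible in the code too: the baseline needs a training window of representative traffic and a tuned threshold, whereas the signature works from request one.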

How does Traceable compare to Wallarm?

Wallarm and Traceable are probably the closest competitors in the API security platform space. Both were founded around the same time (Wallarm 2016, Traceable 2020), both are API-first, and both combine WAF/WAAP with API discovery and security testing.

Key differences: Traceable merged with Harness in 2025, giving it deeper CI/CD pipeline integration and a broader DevSecOps story. Wallarm has been independent longer and offers a free tier (500K requests/month) which Traceable does not. Traceable's AI-powered analysis and explanations are more advanced, while Wallarm has stronger agent-based options and a longer production track record.

For pricing and feature comparison, see our full Traceable vs Wallarm comparison.

What is Traceable by Harness?

Traceable was originally founded as an independent API security company in 2020 by Jyoti Bansal (who also founded Harness and AppDynamics) and Sanjay Nagaraj. In February 2025, Traceable announced a merger with Harness, the AI-native software delivery platform. The combined company positions Traceable as the security arm of Harness's DevSecOps platform, integrating API security across the entire software development lifecycle from design to runtime.

The product is still available as a standalone API security platform, but now benefits from tighter integration with Harness's CI/CD and delivery tools.

Does Traceable offer API security testing?

Yes. Traceable includes API Security Testing (AST) that generates zero-config security tests from real and replayed production traffic. This means scans only cover actively used APIs, avoiding noise from inactive endpoints. Tests are aligned with real-world API behavior rather than generic attack patterns.

AST integrates with CI/CD pipelines (Azure DevOps, GitHub Actions, GitLab CI) so testing happens automatically during development. Results include full call flow context and are prioritized by runtime behavior, exposure, and sensitive data flow.
