Integrative research means our extensive company research informs every thesis and perspective. The result is deep industry knowledge, expertise, and trend insights that yield valuable results for our partners and clients.

About the Authors:
Howard Smith
Managing Director
Howard Smith has nearly three decades of experience at First Analysis, working with entrepreneurs as an investor and as an advisor on growth transactions to help build leading technology businesses. He leads the firm's work in the Internet of Things, cybersecurity and internet infrastructure sectors. He also built the firm's historical franchises in call centers and computer telephony. His thought-leading research in these areas has been cited for excellence by the Wall Street Journal and other publications. He supports First Analysis' investments in EdgeIQ, Fortress Information Security, ObservIQ, Tracer and VisiQuate. Prior to joining First Analysis in 1994, he was a senior tax consultant with Arthur Andersen & Co. He earned an MBA with honors from the University of Chicago and a bachelor's degree in accounting with highest honors from the University of Illinois at Urbana-Champaign. He is a certified public accountant.
Liam Moran
Liam Moran is an associate with First Analysis. Prior to joining First Analysis in 2020, he was in the executive development program with Macy's, where he was responsible for managing the financial modeling surrounding Macy's $3 billion asset-based loan, capital project valuations, and corporate forecasting. Liam graduated from Kenyon College with a bachelor’s degree in economics and a concentration in integrated program in humane studies. He was a four-year member of the Kenyon varsity swimming team.
First Analysis Cybersecurity Team
Howard Smith
Managing Director
Matthew Nicklin
Managing Director
Liam Moran
First Analysis Quarterly Insights
Proliferating APIs expand attack surface for adversaries
October 26, 2023
  • Application programming interfaces (APIs) are a critical building block of modern software whose use has surged in recent years, making the importance of APIs for web traffic today hard to overstate. As a result, APIs have become key targets for attackers.
  • Traditionally, entities have primarily used web application firewalls (WAFs) and API gateways to secure APIs from attackers. But while WAFs and gateways play crucial roles in security architectures, they have limits.
  • These limits have highlighted the need for new approaches to safeguard against advanced emerging threats and have led to a new generation of API security platforms. Generally, these solutions belong to one of three specialized areas: API security posture, API runtime security and API security testing and secure development. We provide an overview of each of these three areas.
  • The API security market contains numerous competitors. We briefly profile 10 companies offering these newer API security approaches, usually as part of a broader security or enterprise software platform. We also provide more detailed profiles of six pure-play companies providing API security in the new areas.


Includes discussion of AKAM, AMZN, FFIV, FSLY, FTNT, MSFT, NET, RDWR and nine private companies

APIs are a critical building block of modern software

APIs' prevalence and centrality make them key targets for attackers

Web application firewalls and gateways are the traditional API security solution

Elevating API security in the modern landscape

API security posture platforms

API runtime security platforms

API security testing and secure development platforms

API security providers

Keeping the connectors safe

Cybersecurity index near one-year high

Cybersecurity M&A: Notable transactions include Splunk, Imperva and Contxt

Cybersecurity private placements: Notable transactions include OneTrust and Stamus Networks

APIs are a critical building block of modern software

An application programming interface is a set of defined rules that enable software applications to communicate with each other. APIs process data transfers between systems: Software users request data in one application, which sends the request to an API. The API, in turn, retrieves requested data from another source and returns it to the user. There are many types of APIs, and they are used in many ways across many different data structures.

Web service APIs are common APIs most people use (indirectly) every day. Web service APIs accept hypertext transfer protocol (HTTP) requests, which dictate how information on the web travels. Web service APIs expose the uniform resource identifiers (URIs) that provide access to specific resources in databases. These requests could contain data formatted in XML (extensible markup language, used to store and transfer data in a relatively user-friendly format) or JSON (JavaScript object notation, another easily understandable format often used to send data from a server to a web page). A server might respond with HTML (hypertext markup language, which structures how web content should behave), XML, or JSON data, which web browsers and other applications can process. Other data formats used with web service APIs include SOAP (simple object access protocol, a type of XML protocol used for exchanging structured data), and REST (representational state transfer, an architectural style that defines a set of constraints for creating web services). REST can be used for its own API, also known as a RESTful API.

Other types of APIs include open APIs, which are public APIs accessible to everyone; partner APIs, which can only be accessed by designated developers; internal APIs, also known as private APIs, which are only exposed by internal systems of an organization; and composite APIs, which combine different data and service APIs that perform sequences of tasks.

To access the full report, please provide your contact information in the form below. A First Analysis representative will follow up with you shortly. Thanks for your interest in First Analysis research.
First Name required!
Last Name required!
Email required!
Industry required!
Unfortunately, your request to access the complete report has failed.

Please check the contact information you have entered.

If the form submission failure persists, please contact Person at (xxx) xxx-xxxx to handle your request. Thank you.
©2024 by First Analysis Corporation.
One South Wacker Drive
Suite 3900
Chicago, IL 60606