API Security: Akamai Bridges Developers and Security Teams from Code to Production
API security is one of the major pressure points for corporate security teams. The proliferation of interfaces is increasingly driven by AI applications as well as traditional digital services, and the number of endpoints to inventory and protect is growing at a pace that classic tools struggle to keep up with. The most obvious limit is fragmentation: each platform produces its own alerts, teams work on individual reports, and it becomes difficult to both measure overall risk and track progress over time.
In this context, Akamai announced two new features that change how teams measure and govern their API posture. The first is the Security Posture Center, a dashboard that translates alerts into a structured set of controls organized by policy. The second is code-to-runtime mapping (introduced as part of the API-from-code features), which links the APIs detected in traffic to code repositories and to the developers who most recently modified the endpoints. Both address gaps that had remained open in the Akamai API Security suite.
From Alert Management to Policy-Based Posture
The Security Posture Center shifts the work from a reactive approach to a structured one. Instead of reacting to alerts, analysts assess their APIs' conformity to a series of best practices grouped by area, namely authentication, data protection, and endpoint integrity. Each control is mapped to a policy, and aggregating the policies creates an overall view that makes it possible to measure deviation from a reference level and track progress over time. The result is a security state that serves both operational work and discussions with auditors and governance managers.
The code-to-runtime mapping addresses another recurring critical point, namely code ownership. When an API exhibits anomalous behavior or a vulnerability emerges, the team's first problem is usually to trace the endpoint back to the responsible party, the repository where the code resides, and the developer who made the last change. Akamai automates this step by linking observed runtime activity to source code and commit history, giving the developer the context needed to reproduce and fix the issue. The stated goal is to reduce the Mean Time to Remediation (MTTR), a metric that, in industry surveys, remains sensitive to organizational inefficiencies.
For Oz Golan, vice president of API Security at Akamai, the point is to redefine what it means to be secure. The Security Posture Center translates this definition into "policy-based controls," while the direct mapping to code "fills a critical industry gap" between what tools see at runtime and the responsibility of those who wrote the endpoint.
A More Comprehensive Lifecycle, from Detection to Response
The two new features fit into an offering that Akamai has built around the complete API lifecycle, organized in four phases: discovery, testing, detection, and response. Discovery also covers shadow APIs, neglected or orphaned (zombie) APIs, and interfaces generated by integration with AI models and agents, including those supported by the Model Context Protocol (MCP), an emerging standard in the agent world. The testing phase includes over 150 dynamic controls that can be invoked in CI/CD pipelines to intervene before code reaches production. Detection relies on continuous analysis of north-south and east-west traffic, while response involves automatic blocking, integration with WAF (web application firewall) and SIEM, and opening tickets in internal management systems.
The offering is available as a platform independent of the underlying network, capable of operating with third-party CDNs, WAFs, and gateways in hybrid and multi-cloud environments, and it integrates with other Akamai application security components such as the App & API Protector. For those who do not want to manage everything in-house, a managed service is available that pairs the Akamai team with the client's Security Operations Center (SOC).
Among the reference implementations, the company mentions a German bank that protects 6 billion API calls a month, as well as cases in the healthcare sector such as Novant Health. The focus on scale and governance, rather than on defending against individual incidents, aligns with the direction the API security market is taking, where the demand from CISOs is shifting from point responses to continuous monitoring of the exposed surface.
Akamai aims to address the fragmentation that currently burdens security teams with these two elements: a measurable posture based on policies and a direct link between observed traffic and code responsibility. These are crucial steps, particularly in organizations where the number of APIs has grown faster than the ability to document them and assign ownership.