Most API security tools promise visibility—but what good is knowing about an API if you can’t do anything with that information?

In this TFiR interview, Stas Neyman, Director of Product Marketing at Akamai, breaks down what real API security requires: multiple signals, deep context, and actionable workflows. “There’s about five ways to discover APIs,” he said. “Source code, traffic, specs, infrastructure-as-code, and inline components like WAFs or API gateways. You really need all five.”

That’s because each layer tells a different part of the story. Source code might show you an endpoint exists, but not where it’s deployed. Traffic gives insight into usage and sensitivity. Infra-as-code reveals how it’s configured. Only by stitching these together can you build a complete API inventory—one that includes metadata like who owns the API, what auth controls it has, and whether it handles sensitive data.

That’s the core of Akamai’s approach: aggregate signals, build context, and then enable action. “Now that you know where they are, what type of data they process, what type of risk they present, who is the owner—you can build workflows. You can build automation,” Neyman explained.

And it doesn’t stop at visibility. Akamai’s platform includes integrated testing, so teams can validate APIs automatically and continuously, well before they reach production. That “shift left” strategy is critical to reducing overall risk.

What sets Akamai apart isn’t just detection—it’s orchestration. With end-to-end visibility, policy-based automation, and embedded testing, their model helps teams move from reactive to proactive API security.

For DevSecOps and platform security teams looking to mature their API strategy, this is a blueprint worth studying.