Effortless API Security

Open Source API security tool you can set up in < 15 minutes that inventories your endpoints, detects bad actors and blocks malicious traffic in real time.

Protection

Detect API Attacks

Metlo passively listens to your API traffic and tags every malicious request. Our models are built on patterns of malicious requests to detect bad actors and API attacks.

Nearly No False Positives

Our models don't block based on individual requests. We detect malicious activity across many requests to minimize false positives.

25+ Built-in Detections

Metlo comes with many built-in attack detections like SQLI, XSS, SSRF, RCE, Login Brute Force, ATO and more. You can also build your own custom detections.

User & Session Level Detection

In addition to IP, we detect and block attacks at the Session and User Level as well.

API Security Data Lake

All of your request and attack metadata is stored in a data lake to run custom models on and get insight on your attack surface.


Protection

Block Attack Requests

Metlo's cloud detection engine identifies bad actors and builds a model of how your API works. Each agent pulls this metadata from the cloud to block malicious requests in real time.


Discovery

Create an Inventory of your Endpoints

Based on your API traffic, Metlo creates a complete inventory of all your API Hosts, Endpoints and Sensitive Data.

Inventory

Endpoints

Categorize and list all the endpoints and data fields in your API

Sensitive Data

Automatically identify and map all the sensitive data your API processes

Authentication

Identify which endpoints are unauthenticated to find potential data leaks

Data Redaction

All of Metlo's discovery is done in our agent and only the metadata is sent to our cloud

Webhooks

Get an alert every time a new endpoint or data field is identified

Open API Specs

Autogenerate Open API Specs to complete your docs or use in other tools

Quick Setup

Deploy Metlo in Less Than 15 Minutes

Metlo seamlessly integrates with your app regardless of your stack. We can integrate with any language (Node, Python, Golang, Java), Nginx, Kubernetes or mirror traffic in your Cloud.

Node

Python

Go

Java

Nginx

AWS

GCP

Docker

Kubernetes

Express

Koa

Fastify


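import express from "express";
import { initExpress as metlo } from "metlo";
// ...
const app = express();
// ...
// Attach the Metlo middleware to the Express app.
app.use(
  metlo(
    {
      key: "<YOUR_METLO_API_KEY>", // placeholder: replace with your Metlo API key
      host: "http://<YOUR_METLO_HOST>:8081", // placeholder: replace with your Metlo host
    }
  )
);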


Protection at Scale

Built for Performance and Reliability

100B+

API Calls Processed

100K+

Endpoints Protected

<0.2ms

Latency Increase

Metlo has been tested for performance at scale. Our agents have processed 100s of billions of API requests protecting 100s of thousands of endpoints. Each agent uses a maximum of 1% CPU, 50MB of memory and adds at most 200 microseconds of latency.


Secure your API this Evening