Akto is an AI agent security platform that protects MCP (Model Context Protocol) servers and AI agents for Fortune 500 security teams.
What is Akto?
Akto gives development and security teams complete visibility into their API landscape along with automated security testing capabilities.
The platform discovers APIs by analyzing mirrored traffic, builds an inventory of endpoints, and runs security tests against them to identify vulnerabilities.
Named as a Representative Vendor in the 2024 Gartner Market Guide for API Protection, Akto has gained adoption for its zero-performance-impact approach.
Rather than sitting inline with production traffic, it analyzes mirrored copies of requests and responses, eliminating concerns about added latency or service disruption.
The platform is fully open source with an Apache 2.0 license.
Both self-hosted and cloud deployments are available at no cost, making enterprise-grade API security accessible to organizations of any size.
Key Features
Automatic API Discovery
Akto discovers APIs automatically by analyzing traffic from your infrastructure.
Connect it to your AWS, GCP, or Azure environment through traffic mirroring, and it builds a comprehensive inventory of all API endpoints, including:
- Request and response schemas
- Authentication mechanisms used
- Data types flowing through each endpoint
- API versioning and changes over time
Shadow APIs that exist outside official documentation appear in the inventory, helping security teams identify unauthorized or forgotten endpoints that could present risk.
Security Test Library
The platform includes over 1,000 pre-built security tests covering common API vulnerabilities.
Tests are organized by category:
- OWASP API Top 10: BOLA, broken authentication, excessive data exposure, mass assignment, and more
- Authentication tests: Token manipulation, session handling, credential stuffing detection
- Business logic tests: IDOR, privilege escalation, rate limit bypass
- Injection tests: SQL injection, NoSQL injection, command injection via API parameters
Tests run against your actual APIs using the traffic patterns Akto has learned, making them more realistic than generic scanners that lack context about how your APIs behave.
Sensitive Data Detection
Akto identifies when APIs expose sensitive data that should be protected.
It recognizes patterns for:
- Personal identifiable information (PII)
- Financial data (credit card numbers, bank accounts)
- Authentication credentials
- Healthcare information
- Custom sensitive data patterns you define
When sensitive data appears in API responses, Akto flags the endpoint for review and tracks whether proper protections like authentication and encryption are in place.
Custom Test Creation
Beyond the built-in test library, you can create custom tests using YAML syntax.
This allows security teams to encode organization-specific requirements and business logic validations:
id: custom-authorization-check
info:
name: Verify admin endpoints require admin role
severity: high
requests:
- raw: |
GET {{base_url}}/api/admin/users HTTP/1.1
Host: {{host}}
Authorization: Bearer {{user_token}}
matchers:
- type: status
status:
- 403
- 401
Installation
Docker (Recommended)
The fastest way to run Akto locally:
# Clone the repository
git clone https://github.com/akto-api-security/akto.git
cd akto
# Start Akto using Docker Compose
docker-compose up -d
# Access the dashboard at http://localhost:9090
Kubernetes with Helm
For production deployments on Kubernetes:
# Add the Akto Helm repository
helm repo add akto https://akto-api-security.github.io/helm-charts
helm repo update
# Install Akto
helm install akto akto/akto \
--namespace akto \
--create-namespace \
--set dashboard.service.type=LoadBalancer
AWS Traffic Mirroring Setup
To discover APIs from AWS infrastructure:
# Enable VPC traffic mirroring to send copies of API traffic to Akto
aws ec2 create-traffic-mirror-target \
--network-load-balancer-arn arn:aws:elasticloadbalancing:region:account:loadbalancer/net/akto-mirror/xxx
# Create a traffic mirror filter for HTTP/HTTPS
aws ec2 create-traffic-mirror-filter \
--description "Mirror HTTP API traffic"
# Create the mirror session
aws ec2 create-traffic-mirror-session \
--network-interface-id eni-xxx \
--traffic-mirror-target-id tmt-xxx \
--traffic-mirror-filter-id tmf-xxx \
--session-number 1
Integration
CI/CD Pipeline Integration
Run API security tests as part of your deployment pipeline:
# GitHub Actions example
name: API Security Tests
on:
push:
branches: [main]
pull_request:
jobs:
akto-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Start application
run: docker-compose up -d app
- name: Run Akto API tests
uses: akto-api-security/akto-action@v1
with:
akto_api_key: ${{ secrets.AKTO_API_KEY }}
akto_dashboard_url: ${{ secrets.AKTO_URL }}
test_ids: "OWASP_TOP_10,BOLA,AUTH_BYPASS"
api_collection_id: ${{ vars.COLLECTION_ID }}
fail_on_high: true
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: akto-results
path: akto-results.json
# GitLab CI example
stages:
- build
- test
- security
akto-api-security:
stage: security
image: docker:latest
services:
- docker:dind
script:
- |
# Trigger Akto test run via API
curl -X POST "$AKTO_URL/api/startTest" \
-H "X-API-KEY: $AKTO_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"apiCollectionId": "'$COLLECTION_ID'",
"testIds": ["OWASP_TOP_10"],
"startTimestamp": "'$(date +%s)'"
}'
# Poll for results
sleep 60
curl "$AKTO_URL/api/fetchTestResults?testRunId=latest" \
-H "X-API-KEY: $AKTO_API_KEY" > results.json
# Fail if high severity issues found
HIGH_COUNT=$(jq '.highSeverityCount' results.json)
if [ "$HIGH_COUNT" -gt 0 ]; then
echo "Found $HIGH_COUNT high severity issues"
exit 1
fi
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
Postman Collection Import
Import existing Postman collections to quickly populate your API inventory:
# Export your Postman collection as JSON
# Then upload via Akto API
curl -X POST "$AKTO_URL/api/importPostmanCollection" \
-H "X-API-KEY: $AKTO_API_KEY" \
-H "Content-Type: application/json" \
-d @postman_collection.json
Burp Suite Integration
Export discovered endpoints from Burp Suite for testing in Akto:
- In Burp, go to Target > Site map
- Select endpoints and right-click > Copy URLs
- Import into Akto via the dashboard or API
When to Use Akto
Ideal for teams that:
- Want enterprise API security capabilities
- Prefer self-hosted solutions for data privacy and compliance
- Need to discover shadow APIs across cloud infrastructure
- Run API-first architectures with hundreds of endpoints
- Want to integrate security testing into CI/CD without vendor lock-in
- Need custom test creation for organization-specific requirements
Consider alternatives if:
- You need managed runtime protection with blocking capabilities (Akto focuses on testing and discovery)
- Your infrastructure cannot support traffic mirroring
- You require 24/7 vendor support with guaranteed SLAs
Akto demonstrates that effective API security does not require expensive commercial tools.
Its open-source approach, combined with thoughtful design around traffic mirroring and comprehensive test coverage, makes it a practical choice for organizations serious about API security.
Note: Pivoted from API security to AI agent security in 2025. Now focuses on securing MCP servers and AI agents.