Secure Your API.

Metlo is an open-source API security platform

APIs have become an essential component of modern software development, enabling organizations to easily integrate their applications with other systems. However, the increased use of APIs has also led to an increase in security vulnerabilities, making it crucial for organizations to prioritize API security testing.

Metlo is an open-source API security platform that helps organizations automate API security testing in their DevOps workflow. This blog post will introduce readers to Metlo and explain how it can help with API security testing. It will also cover the features of Metlo and provide guidance on how to implement Metlo in your DevOps workflow.

With Metlo you can:

  • Create an Inventory of all your API Endpoints and Sensitive Data.
  • Detect common API vulnerabilities.
  • Proactively test your APIs before they go into production.
  • Detect API attacks in real-time.

Metlo does this by scanning your API traffic using one of our connectors and then analyzing trace data.

There are three ways to get started with Metlo. Metlo Cloud, Metlo Self Hosted, and our Open Source product. We recommend Metlo Cloud for almost all users as it scales to 100s of millions of requests per month and all upgrades and migrations are managed for you.

You can get started with Melto Cloud right away without a credit card. Just make an account on and follow the instructions in our docs here.

Although we highly recommend Metlo Cloud, if you’re a large company or need an air-gapped system you can self-host Metlo as well! Create an account on and follow the instructions on our docs here to set up Metlo in your own Cloud environment.

If you want to deploy our Open Source product we have instructions for AWS, GCP, Azure and Docker.

You can also join our Discord community if you need help or just want to chat!


AVvXsEhhF0gVobmW4dgLP8zDra8oQ5g3UBgwrE1i xiyjb 5bsI3Hg7s0H3nam5jLXAonyoJ k4Ym7lT9mvYbWRk 1V3npEH5R pFBkQSggnYd7VnWjCnrsJ9KXJpNBoSbKDjVJ2L9pyVWfjczHG7dBSM5MnwRuO LHdc2RPdV9yl2y5i FVuXKrqedMq2YRnA=w640 h372

  • Endpoint Discovery – Metlo scans network traffic and creates an inventory of every single endpoint in your API.
  • Sensitive Data Scanning – Each endpoint is scanned for PII data and given a risk score.
  • Vulnerability Discovery – Get Alerts for issues like unauthenticated endpoints returning sensitive data, No HSTS headers, PII data in URL params, Open API Spec Diffs and more
  • API Security Testing – Build security tests directly in Metlo. Autogenerate tests for OWASP Top 10 vulns like BOLA, Broken Authentication, SQL Injection and more.
  • CI/CD Integration – Integrate with your CI/CD to find issues in development and staging.
  • Attack Detection – Our ML Algorithms build a model for baseline API behavior. Any deviation from this baseline is surfaced to your security team as soon as possible.
  • Attack Context – Metlo’s UI gives you full context around any attack to help quickly fix the vulnerability.


AVvXsEjDhO fWUCNznw3vk1 QEDhtf1ftbxxS3uzLnk7VCBA1Gtr3ynH2gEEYcqFRi2eLgsTcy9PcHLjOc6o3ocDcx 12Ojkdf3wbw2AbFgQwIb4IbK6NPUfSdVuxx0T4xx3Bwv5081LPwJ26vuJ PsZjQ9 oqwK4nYYAptosUcHXPKq0lRF8dORW3CZcfPWg=w640 h362

For tests that we can’t autogenerate, our built-in testing framework helps you get to 100% Security Coverage on your highest-risk APIs. You can build tests in a Yaml format to make sure your API is working as intended.

For example the following test checks for broken authentication:


name: Test Auth
Severity: CRITICAL

– request:
method: POST
– name: Content-Type
value: application/JSON
– name: Authorization
value: …
data: |-
{ “ccn”: “…”, “cc_exp”: “…”, “cc_code”: “…” }
– key: resp.status
value: 200
– request:
method: POST
– name: Content-Type
value: application/json
data: |-
{ “ccn”: “…”, “cc_exp”: “…”, “cc_code”: “…” }
– key: resp.s tatus
value: [ 401, 403 ]


You can see more information on our docs.

Why Metlo?

Most businesses have adopted public-facing APIs to power their websites and apps. This has dramatically increased the attack surface for your business. There’s been a 200% increase in API security breaches in just the last year with the APIs of companies like Uber, Meta, Experian and Just Dial leaking millions of records. It’s obvious that tools are needed to help security teams make APIs more secure but there’s no great solution on the market.

Some solutions require you to go through sales calls to even try the product while others have you to send all your API traffic to their own cloud. Metlo is the first Open Source API security platform that you can self-host, and get started for free right away!

We’re Hiring!

We would love for you to come help us make Metlo better. Come join us at Metlo!

Open-source vs. paid

This repo is entirely MIT licensed. Features like user management, user roles and attack protection require an enterprise license. Contact us for more information.


Check out our development guide for more info on how to develop Metlo locally.


Leave a Reply

Your email address will not be published. Required fields are marked *

fb logo
recover dogecoin from a scam
recover ethereum from a scammer
hire a hacker to hack iphone
hire a hacker to hack snapchat
hire a hacker to hack a windows computer
error: Content is protected !!