Metlo home pagelight logo
Introduction
Welcome to Metlo

There’s been a 200% increase in API security breaches in just the last year with the APIs of companies like Uber, Meta, Experian and Just Dial leaking millions of records. Metlo is the first Open Source API security platform that you can self host, and get started for free right away!

With Metlo you can:

  • Create an Inventory of all your API Endpoints and Sensitive Data.
  • Detect common API vulnerabilities.
  • Proactively test your APIs before they go into production.
  • Detect API attacks in real time.

Metlo does this by scanning your API traffic using one of our connectors and then analyzing trace data.

Features

walkthrough

  • Endpoint Discovery - Metlo scans network traffic and creates an inventory of every single endpoint in your API.
  • Sensitive Data Scannning - Each endpoint is scanned for PII data and given a risk score.
  • Vulnerability Discovery - Get Alerts for issues like unauthenticated endpoints returning sensitive data, No HSTS headers, PII data in URL params, Open API Spec Diffs and more
  • API Security Testing - Build security tests directly in Metlo with a simple HTTP Request editor and javascript assertions.
  • CI/CD Integration - Integrate with your CI/CD to find issues in development and staging.
  • Attack Detection - Our ML Algorithms build a model for baseline API behavior. Any deviation from this baseline is surfaced to your security team as soon as possible.
  • Attack Context - Metlo’s UI gives you full context around any attack to help quickly fix the vulnerability.

API Testing

  • Metlo’s suite of automated tests and our security testing framework let you find vulnerabilities in development.
  • Our built in testing framework helps you get to 100% Security Coverage on your highest risk APIs
  • Integrates directly with your CI/CD 3808

We’re Hiring!

We would love for you to come help us make Metlo better. Come join us at Metlo!

Open-source vs. paid

This repo is entirely MIT licensed. Features like user management, user roles and attack protection require an enterprise license. Contact us for more information.

Development

Checkout our development guide for more info on how to develop Metlo locally.