An Automated Moving Target Defense for
API Threat Protection

APIs are the front door to a lot of valuable enterprise data. Hopr’s cloud native AMTD ensures that only trusted workloads connect to API endpoints in any cloud.
In a recent survey of security and risk managers, only 15% of respondents found that existing API security tools were “very effective” in preventing API attacks.
API Security and Management

Cybersecurity World Awards program recognizes Hopr’s novel moving target defense solutions

Recognition by the Cybersecurity World Awards is a testament to our commitment to provide data-rich enterprises with resilient API threat protection and access control for endpoints in any cloud.

See Hopr Connect in operation

Click the image at left to watch a 3:07 (min:sec) demo of Hopr Connect protecting workload endpoints, end-to-end encrypting their messages, and refusing access from untrusted connections.
Learn How It Works

Rising API Attack Statistics Suggest the Need for a New Defense

Uncertain API endpoint trust

  • The identity of workloads connecting to API endpoints is not verified.
  • Untrusted connections, such as from shadow APIs, are not prevented.
  • Threat actors learn how to avoid API security defenses and exploit APIs.

Hopr's solution:

A decentralized workload identity system where workload identity trust is verified at each connection to another workload, and untrusted connections are rejected.

Unprotected message traffic

  • Gaps in transport layer security occur due to identity domain boundaries.
  • Unprotected data can be ‘sniffed’ by threat actors.
  • Threat actors obtain sensitive information about the network.
  • Leaked sensitive information allows threat actors to move through a network.

Hopr's solution:

Hopr's Synchronous Ephemeral Encryption (SEE™) protocol protects all messages between client and API endpoints without exposing the encryption key in a key exchange.

Learn Why API Attacks Continue to Succeed

We compare five types of API security solutions against eighteen API threats in a typical cloud network topology. Many solutions leave gaps in a network security architecture and expose data and endpoints to serious threats. But one combination of solutions outperforms the others.

Untrusted traffic reaches APIs

  • Threat actors persistently exploit a large number of API endpoints.
  • Use of stolen keys is a favorite API attack vector because they are static.
  • 84% of attacks on financial API endpoints are authenticated.
  • Threat actors learn the business logic of APIs to launch exploits.

Hopr's solution:

Hopr’s Synchronous Ephemeral Encryption (SEE™) protocol recognizes untrusted connections when they fail decryption on arrival at the API endpoint. They are logged and immediately discarded.

Valuable Benefits

Lower Cyber Risk
We protect both client and server endpoints and ensure that all traffic from untrusted endpoints is rejected.
True Zero Trust
Our API threat protection is truly zero trust. We verify trust in both client and API endpoints at every session.
Fast Time to Value
Protection of workloads is immediate after deployment. Time to value is typically 1 week.
Lower Costs
We reduce the need for costly centralized PKI-related services such as keys, certificates and secrets managers.
Simply Deployed
Deploying Hopr’s sidecar containers to existing workloads saves time and is DevOps friendly.
No code changes
Our SaaS solutions do not require code changes to existing containerized apps, services, and APIs.

Advantages of Hopr’s API Threat Protection and Access Control

Hopr’s Synchronous Ephemeral Encryption protocol provides on-demand end-to-end encrypted communications without a key exchange.
Other solutions rely on mTLS, which is not available everywhere and terminates at identity trust boundaries.
Hopr's “cert-free” decentralized workload identities are managed and rotated by workloads. The chain-of-trust in the workload is verified by Hopr at each connection.
Other solutions use workload identities based on automated certs that are not vetted for trust. And each cert replacement is a new identity.
Deployment of Hopr's solution is simple and easily performed by DevOps with a familiar YAML file configuration.
Other solutions require complicated and error-prone implementations of identity and secure transport protocols across environments.

Try Our Tech

We offer a FREE plan so that you can use Hopr Connect to evaluate it for your use case with no time limit. Deploy Hopr Sidecars with your containerized apps and perform up to 5,000 communication sessions per month at no charge.

Onboarding is self-serve and sidecar config and deployment is a simple DevOps process.