Enterprise security · Offline-first · AI-driven

Secure your applications and your APIs.
Two products. Zero cloud.

apPosture ai builds two independent, self-hosted security products — ASPM for full application security posture management, and a dedicated API Security platform. Each runs on its own, entirely inside your perimeter.

6 scanner engines · 9000+ Nuclei templates · 5 compliance frameworks · 100% offline / air-gapped

Two independent products.

ASPM and the API Security platform are separate, standalone products — deploy either on its own. They are not bundled and do not depend on each other.

ASPM

Application Security Posture Management

Live

Unified DAST + SAST + SCA + container + IaC + secrets scanning, an AI engine that triages and proves findings, and full enterprise governance — RBAC, SSO, SLA, compliance reporting and CI/CD gates.

Launch ASPM →

API Security Platform

apisec — API protection & WAF

Coming soon

A standalone API Security platform: continuous API discovery and inventory, OWASP API Top 10 auditing, and an AI-assisted WAF that blocks attacks inline at the edge. A separate product from ASPM — runs on its own.


Everything in the ASPM platform

Six scanner engines, a local-LLM AI core, unified posture management and full enterprise governance — self-hosted, offline.

🛡️ DAST — Dynamic Testing

  • OWASP ZAP + Nuclei (9000+ templates)
  • Spider, AJAX/SPA crawl, authenticated scans (form login)
  • Active scan profiles (quick → deep), OAST/out-of-band
  • Business-logic & IDOR / auth-bypass hunting
  • Live exploit verification with proof-of-exploit

💻 SAST — Static Analysis

  • Semgrep-format rule engine
  • Taint analysis: Python AST, PHP, JS/TS
  • Source → sink data-flow with snippet view
  • CWE mapping & AI triage per finding

📦 SCA — Dependencies

  • Manifest scanning, version-aware advisory DB
  • Transitive dependency awareness
  • Fix / safe-version recommendations

🐳 Containers · IaC · Secrets

  • Container OS-package & layer CVE scanning
  • IaC checks: Terraform, K8s, CloudFormation, Dockerfile
  • Secrets: provider patterns + entropy (raw secrets never stored)
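The secrets line above names two detection techniques (provider-specific patterns and entropy scoring) and one storage rule (raw secrets are never kept). The following is an added illustration of how those three fit together; it is not apPosture code and says nothing about how the product implements them. The AWS access key ID shape is publicly documented; the "exmpl_" prefix, the 4.0-bit threshold and the sample config are assumptions constructed for the example.

```python
import hashlib
import math
import re

# Provider-specific patterns. The AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics) is publicly documented; "exmpl_" is a hypothetical vendor
# prefix standing in for any other provider rule.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "example_vendor_token": re.compile(r"\bexmpl_[A-Za-z0-9]{32}\b"),
}

# Generic candidate: any run of 20+ token-like characters, scored by entropy.
GENERIC_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per code base


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(secret: str) -> str:
    """Stable identifier for de-duplication that does not reveal the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def redact(secret: str) -> str:
    """Short preview for the report; the full value is never kept."""
    return secret[:4] + "..." + secret[-2:]


def scan_text(text: str) -> list[dict]:
    """Return findings carrying a hash and a preview, never the raw secret."""
    findings = []
    seen = set()

    def record(lineno: int, kind: str, secret: str) -> None:
        key = (lineno, fingerprint(secret))
        if key in seen:  # same value hit by a provider rule and the entropy rule
            return
        seen.add(key)
        findings.append({"line": lineno, "kind": kind,
                         "fingerprint": key[1], "preview": redact(secret)})

    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                record(lineno, kind, m.group(0))
        for m in GENERIC_CANDIDATE.finditer(line):
            candidate = m.group(0)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                record(lineno, "high_entropy_string", candidate)
    return findings


# Constructed sample input; these are not real credentials.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_token = "q7W2eR9tY4uI1oP5aS8dF3gH6jK0lZxC"
deployment_environment_name = staging
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The sample shows why both rules are needed: the documentation-style AWS key has an entropy of about 3.7 bits per character and would slip past the entropy rule alone, while the random 32-character token matches no provider pattern and is caught only by entropy. Storing the SHA-256 fingerprint lets the same leak be de-duplicated across scans without the store ever holding the secret.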

🤖 Local-LLM AI Engine

  • Source-driven STRIDE threat modeling
  • Hybrid SAST→DAST: aims the scanner at risky endpoints
  • False-positive triage, business impact, fix suggestions
  • "Ask AI" natural-language posture queries & copilot
  • Runs on a local LLM (DeepSeek) — no cloud, no per-token bill

🧩 Unified Posture

  • One fingerprint-deduped vulnerability store
  • Cross-scanner correlation (SAST ↔ DAST)
  • Per-app & per-target coverage, attack-path graph
  • Asset discovery & ownership attestation
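"Fingerprint-deduped" and "cross-scanner correlation" are two different operations: de-duplication merges reports of the same issue from engines of the same kind (two DAST scanners hitting the same parameter), while correlation links a static finding to a dynamic one without merging them. The example below, added here and not apPosture's own code, shows one way to do both. The finding shapes, app names and URLs are constructed; the real ZAP, Nuclei and Semgrep output formats differ and would need parsing first.

```python
import hashlib
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_location(f: dict) -> str:
    """Location key that survives cosmetic differences between scanners."""
    if f["engine_type"] == "dast":
        u = urlsplit(f["url"])
        path = u.path.rstrip("/") or "/"
        # query values are payloads and differ per scanner; keep only the parameter name
        return f"{u.netloc.lower()}{path}#{f.get('param', '')}"
    # SAST: drop line numbers, which shift on every commit
    return f"{f['file']}:{f['function']}"


def fingerprint(f: dict) -> str:
    key = "|".join([f["app"], f["engine_type"], str(f["cwe"]), normalize_location(f)])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def build_store(findings: list[dict]) -> dict:
    """Merge raw findings into one record per fingerprint, keeping the worst severity."""
    store: dict = {}
    for f in findings:
        rec = store.setdefault(fingerprint(f), {
            "app": f["app"], "engine_type": f["engine_type"], "cwe": f["cwe"],
            "location": normalize_location(f), "severity": "info", "sources": [],
        })
        if f["engine"] not in rec["sources"]:
            rec["sources"].append(f["engine"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f["severity"]
    return store


def correlate(store: dict) -> list[tuple]:
    """Link (not merge) SAST and DAST records that share an app and a CWE."""
    groups: dict = {}
    for fp, rec in store.items():
        groups.setdefault((rec["app"], rec["cwe"]), []).append(fp)
    links = []
    for (app, cwe), fps in sorted(groups.items()):
        types = {store[fp]["engine_type"] for fp in fps}
        if {"sast", "dast"} <= types:
            links.append((app, cwe, sorted(fps)))
    return links


# Constructed sample findings: engine names are real, the record shapes are invented.
RAW = [
    {"app": "shop", "engine": "zap", "engine_type": "dast", "cwe": 79, "severity": "medium",
     "url": "http://Shop.Example/search?q=<script>", "param": "q"},
    {"app": "shop", "engine": "nuclei", "engine_type": "dast", "cwe": 79, "severity": "high",
     "url": "http://shop.example/search/?q=%22%3E", "param": "q"},
    {"app": "shop", "engine": "semgrep", "engine_type": "sast", "cwe": 79, "severity": "medium",
     "file": "shop/views.py", "function": "search"},
    {"app": "shop", "engine": "nuclei", "engine_type": "dast", "cwe": 89, "severity": "high",
     "url": "http://shop.example/login", "param": "user"},
]

if __name__ == "__main__":
    store = build_store(RAW)
    for rec in store.values():
        print(rec)
    print(correlate(store))
```

Four raw findings collapse to three records: ZAP and Nuclei report the same reflected-XSS parameter with different host casing, a trailing slash and different payloads, so normalising the location is what makes the fingerprints collide. The Semgrep finding on the same CWE is kept as its own record and linked to the DAST one, which is the SAST ↔ DAST correlation the list item refers to; the SQLi finding shares no static counterpart and stays unlinked.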

🔌 API Security

  • OWASP API Top 10 mapping
  • Endpoint inventory & OpenAPI spec audit

⚖️ Governance & Workflow

  • CI/CD gates — snippets for 6 CI platforms
  • Risk acceptances, SLA policies & attainment
  • Policy engine, deduplication rules
  • Ticketing integration (Jira-style connectors)

📄 Reports & Compliance

  • Executive & technical reports, shareable links
  • SOC 2 · NIST · HIPAA · GDPR · PCI evidence packages
  • Per-framework & per-app evidence export

🏢 Enterprise & Identity

  • RBAC with custom roles
  • SSO / AD: Entra ID, OIDC, SAML, LDAP
  • Audit log (CSV/HTML export), backups & restore
  • Custom branding / white-label

📈 Operations & Alerting

  • Health monitor + Prometheus /metrics
  • Notification templates & channels, mute rules
  • Scheduled scans & maintenance windows

🌐 Threat Intelligence

  • Threat-intel feeds (opt-in, fail-closed egress)
  • Integrations & SCM/OAuth connectors
  • Default-OFF for any outbound feature

ASPM pricing

Pricing for the ASPM product. Self-hosted, billed annually — no data leaves your environment on any tier. The API Security platform is priced separately.

Professional

For security teams

$1,490 / mo

billed annually · up to 25 applications

  • All 6 scanner engines + unified posture
  • Full AI engine: threat models, hybrid SAST→DAST, exploit verification
  • CI/CD gates & API security
  • Compliance reports (SOC2/NIST/HIPAA/GDPR/PCI)
  • Multi-user, scheduled scans, SLA
  • Email support
Start free trial

Enterprise

For regulated & air-gapped orgs

Custom

unlimited applications & users

  • Everything in Professional
  • SSO/AD (Entra/OIDC/SAML/LDAP) & RBAC
  • Air-gapped deployment & white-label branding
  • Audit log, backups, threat intel
  • SLA, dedicated support & onboarding
Contact sales

Prices shown are indicative — final pricing depends on application count and deployment model. Contact us for a quote.

Built for security teams that can't send data out

Offline by design

Every feature works air-gapped. No scan traffic, source code or AI inference leaves your perimeter.

Local-LLM AI

Threat modeling, triage and NL queries run on a local LLM (DeepSeek) — no cloud-AI dependency.

Fail-closed egress

Threat intel, SSO and every other outbound feature are default-OFF behind a two-layer egress gate.
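The page describes the gate only as two layers with everything off by default; the practitioner-relevant property of such a gate is that it fails closed: a missing key, a wrong type, a string "true" where a boolean is expected, or an error while evaluating the policy all deny the request rather than letting it through. The block below is an added example of that behaviour and is not the product's code; the policy keys, the "threat_intel" feature name and the hosts are assumptions made for the example.

```python
from urllib.parse import urlsplit


class EgressDenied(RuntimeError):
    """Raised for any outbound request the gate does not positively allow."""


# Shipped default: everything off. An operator opts in per feature.
DEFAULT_POLICY = {
    "egress_enabled": False,   # layer 1: global switch
    "features": {},            # layer 2: per-feature opt-in with a host allowlist
}


def check_egress(policy, feature: str, url: str) -> bool:
    """Return True only when both layers positively allow this request.

    Anything else (missing keys, wrong types, truthy-looking strings such as
    "true", unexpected exceptions while evaluating) denies.
    """
    try:
        if policy.get("egress_enabled") is not True:
            raise EgressDenied("global egress switch is off")
        feat = policy.get("features", {}).get(feature)
        if not isinstance(feat, dict) or feat.get("enabled") is not True:
            raise EgressDenied(f"feature {feature!r} is not enabled")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise EgressDenied("only https to a named host is permitted")
        allowed = feat.get("allowed_hosts")
        if not isinstance(allowed, list) or parts.hostname.lower() not in {h.lower() for h in allowed}:
            raise EgressDenied(f"host {parts.hostname!r} not allowlisted for {feature!r}")
    except EgressDenied:
        raise
    except Exception as exc:  # malformed policy or URL: deny, do not guess
        raise EgressDenied(f"policy evaluation failed: {exc}") from None
    return True


def is_allowed(policy, feature: str, url: str) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        return check_egress(policy, feature, url)
    except EgressDenied:
        return False


# Constructed example of an operator opting in a single feature.
OPTED_IN = {
    "egress_enabled": True,
    "features": {"threat_intel": {"enabled": True, "allowed_hosts": ["feeds.example"]}},
}

if __name__ == "__main__":
    for pol, name in ((DEFAULT_POLICY, "default"), (OPTED_IN, "opted-in")):
        print(name, is_allowed(pol, "threat_intel", "https://feeds.example/v1"))
```

Two choices carry the fail-closed guarantee: each layer is compared with `is True` rather than truthiness, so a YAML or environment value of "true" never opens the gate by accident, and the catch-all `except` turns an unreadable policy into a denial instead of a crash that a caller might retry without the check. Every real outbound call (feed fetch, OIDC discovery, SCM webhook) would go through `check_egress` first.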

Unified posture

All six engines feed one fingerprint-deduped vulnerability store — no duplicate noise.

See your posture in minutes.

Spin up a scan against a target and watch the AI prioritise, prove and report.