apPosture ai builds two independent, self-hosted security products: ASPM for full application security posture management, and a dedicated API Security platform. Each runs on its own, entirely inside your perimeter.
ASPM and the API Security platform are separate, standalone products; deploy either on its own. They are not bundled and do not depend on each other.
Application Security Posture Management
Unified DAST + SAST + SCA + container + IaC + secrets scanning, an AI engine that triages and proves findings, and full enterprise governance: RBAC, SSO, SLA, compliance reporting and CI/CD gates.
apisec: API protection & WAF
A standalone API Security platform: continuous API discovery and inventory, OWASP API Top 10 auditing, and an AI-assisted WAF that blocks attacks inline at the edge. A separate product from ASPM; it runs on its own.
Most teams stitch together a DAST tool, a SAST scanner, an SCA service and a secrets checker, each with its own console, its own noise, and no shared truth. apPosture ASPM runs all six engines and folds every result into one fingerprint-deduplicated posture; a local-LLM AI engine then proves what's exploitable, ranks it by real risk, and writes the fix.
APIs are now the biggest slice of the attack surface, and the hardest to see. apisec continuously discovers and inventories every endpoint (documented or not), audits each against the OWASP API Top 10, and enforces at the edge with an AI-assisted Web Application Firewall, stopping injection, BOLA/IDOR, credential stuffing and bot abuse inline.
From source to proven, prioritized risk, in one offline pipeline.
Add a target or connect a repo. Discovery inventories your assets, hosts and APIs, documented or shadow.
The AI reads your source, builds a STRIDE threat model, then aims DAST + SAST + SCA + container/IaC/secret engines at what matters.
Safe exploit verification confirms what's real; the AI filters false positives and ranks everything by true risk into one posture.
CI/CD gates, SLAs and ticketing drive remediation; one click exports SOC2/NIST/HIPAA/GDPR/PCI evidence.
Six scanner engines, a local-LLM AI core, unified posture management and full enterprise governance, self-hosted and offline.
Pricing for the ASPM product. Self-hosted, billed annually; no data leaves your environment on any tier. The API Security platform is priced separately.
For security teams
billed annually · up to 25 applications
For regulated & air-gapped orgs
unlimited applications & users
Prices shown are indicative; final pricing depends on application count and deployment model. Contact us for a quote.
Every feature works air-gapped. No scan traffic, source code or AI inference leaves your perimeter.
Threat modeling, triage and NL queries run on a local LLM (DeepSeek); there is no cloud-AI dependency.
Every outbound feature, including threat intel and SSO, is default-OFF behind a two-layer egress gate.
All six engines feed one fingerprint-deduplicated Vulnerability store, so there is no duplicate noise.
apPosture ai builds two independent, self-hosted security products: ASPM (DAST, SAST, SCA, containers, IaC & secrets unified, with a local-LLM AI engine) and a dedicated API Security platform (apisec). Each runs entirely inside your perimeter.
No. Every feature works air-gapped: no scan traffic, no source code, and no AI inference ever leaves your perimeter. The AI runs on a local LLM (DeepSeek), so there's no cloud-AI dependency and no per-token bill. Any outbound feature (threat intel, SSO) is default-OFF behind a two-layer egress gate.
All six engines feed one fingerprint-deduplicated posture, so there is no duplicate noise across consoles. The AI then proves what's exploitable, filters false positives, and ranks by real risk, so your backlog is the signal, not the raw output of five tools.
ASPM generates executive and technical reports plus evidence packages for SOC 2, NIST, HIPAA, GDPR and PCI β per framework and per application.
apisec is in development. ASPM is available today. apisec is a separate product; request early access and we'll keep you posted.
Self-hosted via Docker Compose, on your own infrastructure, including fully air-gapped environments. SSO/AD (Entra, OIDC, SAML, LDAP), RBAC, MFA, audit and backups are built in for enterprise rollout.
Spin up a scan against a target and watch the AI prioritise, prove and report.