Your API security is already covered. What's changed is what's behind those APIs. AI agents are making decisions, accessing data, and calling external services right now, and most security teams can't see any of it. Not because they're not paying attention, but because no tool was built to show them.

Today that changes. We're launching the Wallarm AI Control Platform: two products that close the loop from estate-wide discovery through runtime enforcement through continuous compliance evidence. No new vendor to onboard. It extends the platform you already run.

What's shipping today

Infrastructure Discovery

Connect your AWS accounts once and get a continuously updated inventory of everything in your estate. EC2, VPC topology, EKS clusters, Lambda functions, API Gateway, IAM, and Bedrock models and agents, across every account and every region, in one searchable table.

• Cross-account discovery via IAM role assumption, no write permissions required
• Live relationship graph with blast-radius traversal and attack-path analysis
• AWS Security Hub findings sync, placed on the graph node they affect with full asset context
• Field-level drift detection between every scan, with CloudTrail creator attribution on every asset
• Customer-authored detection and triage rules in Common Expression Language
• Scheduled and on-demand scans; policy audit log for every triage decision

AI Hypervisor

A Kubernetes DaemonSet that instruments every AI workload at runtime via a mutating admission webhook, with zero application code changes. Label a namespace, and coverage begins within minutes. Works across Python, Go, Node.js, Java, Ruby, and generic containers.

• Parses every major model provider: Anthropic, OpenAI, AWS Bedrock, Azure OpenAI, Google Gemini, and more
• Attributes every LLM call back to the originating user or session, across internal service hops
• Real-time sensitive data detection: credit cards, SSNs, passport numbers, API keys, JWT tokens
• Session kill switch by user subject or W3C trace ID, enforced at the kernel, no restart required
• Agent behavior certificates that pin and enforce what each agent is permitted to do
• Continuous compliance report: AI inventory, coverage heatmap, session logs, PII egress records
• SIEM, SOAR, and ticketing integrations for findings and policy violations

EU AI Act enforcement starts in August 2026. If that's on your radar, AI Hypervisor generates the compliance evidence you'll need continuously, not on demand when an audit appears. Getting it running now means you won't be assembling spreadsheets in July.

Learn more in our documentation for AI Hypervisor and Infrastructure Discovery, or request a demo. 

MCP servers provide structured access to privileged systems for AI agents and external integrations. That’s great for enabling things like automated project management, embedded billing, and AI-driven developer workflows. But it also creates a new attack surface that existing security tools were not designed to secure. 

That's why we built MCP Protection, a feature that extends the discovery, visibility, and control you already rely on for APIs to your externally exposed MCP servers.

With MCP Protection, you can:

• Discover exposed MCP servers, tools, and resources
• Correlate MCP and user sessions for full activity visibility
• Enforce granular access and schema-based controls for tool usage

MCP Protection is included in Wallarm Advanced API Security.

Check out this overview of AI and MCP capabilities in the doc hub for more info.

API Discovery now detects how every endpoint in your inventory is authenticated, and how consistently that authentication shows up in real traffic. Bearer tokens, API keys, AWS Signature v4, Basic, cookie-based auth, and the rest. It's all classified, tracked, and filterable.

If you've ever wondered whether that one internal endpoint really requires a token or just usually does, this is for you.

What's new

Per-endpoint authentication status. Every endpoint gets classified as Consistent, Partial, or Missing, based on a rolling 7-day window of production traffic. No guessing, no spec-reading. Just what's actually happening on the wire.

A filter for unauthenticated endpoints. Open the inventory, flip the filter, and you've got a list of exposed APIs in seconds. This is the one most teams will want bookmarked.

Per-parameter coverage on the endpoint detail page. You can see exactly which header, cookie, or parameter is carrying the credential, and what fraction of requests include it. Useful when "Partial" shows up and you need to know why.

Why it matters

Missing auth is one of those problems that's obvious in hindsight and invisible until something goes wrong. Specs say one thing, traffic says another, and the gap is where breaches live. This grounds the answer in what your APIs are doing right now, not what a YAML file claims they do.

Availability

Upgrade your filtering nodes to NGINX Node 6.10.0 or Native Node 0.23.0 (or newer) to start receiving authentication data.

Full guide: docs.wallarm.com/api-discovery/authentication

Sometimes you need visibility into your APIs without touching production traffic.

Wallarm’s TCP traffic analysis engine now supports AWS VPC Traffic Mirroring, so you can mirror traffic from your AWS environment to a Wallarm Node and see what’s happening across your APIs, without adding latency or changing your request path.

What you get

Mirror traffic directly from your AWS Elastic Network Interfaces (ENIs) and unlock:

• API Discovery — Know what APIs you actually have
• API Session analysis — Understand how they’re being used
• Attack detection — See threats targeting your APIs

All out-of-band. No impact to live traffic.

What’s new

• Support for Geneve-encapsulated traffic (used by AWS Traffic Mirroring)
• Support for VXLAN encapsulation
• Native compatibility with AWS traffic mirroring workflows

Why it matters

Some environments require absolutely zero added latency. Others just prefer to observe instead of actively block.

This gives you a clean way to get API visibility and threat detection in AWS without changing how your traffic flows.

Get started

Check out the documentation to start mirroring your AWS traffic to Wallarm.

The new Wallarm NGINX Ingress Controller 7.0 is now available. This release is based on the open-source NGINX Ingress Controller and is fully integrated Wallarm security services. It replaces all previous versions based on the Community NGINX Ingress Controller, which is end of life in March 2026.

Who should upgrade: Teams currently running the Community-based Wallarm Ingress Controller are strongly encouraged to migrate. The upstream Community NGINX project has been retired. If you are running previous versions of the Wallarm NGINX Ingress Controller, there will be no further security updates, bug fixes, or updates of any kind. 

A migration guide from Wallarm is available.

Full deployment guide: https://docs.wallarm.com/7.x/admin-en/installation-kubernetes-en/

Your attack surface doesn’t stop at domains. Now your visibility doesn’t either.

We’ve rolled out a set of API Attack Surface Management (AASM) updates that expand what you can scan, speed up how you validate fixes, and make it easier to share what actually matters.

What’s new?

• Scan IPs and network ranges
  Go beyond domains and hosts. You can now scan single IPs, subnets, and CIDR ranges to uncover more internet-facing assets and hidden exposure.
• Security Report Card (PDF)
  Get a clean, executive-ready snapshot of your security posture—plus your 10 most critical findings—in a concise, shareable format.
• Rescan a single host
  No need to rerun everything. Quickly rescan one asset to validate fixes and confirm remediation.

Why it matters
Attack surfaces are messy. Assets live outside neat domain boundaries, fixes need verification, and stakeholders want clear answers.

These updates help you:

• Find more assets you didn’t know you had
• Validate fixes faster without slowing down your workflow
• Communicate risk clearly to both technical and non-technical audiences

Where to find it

• IP and network scans → AASM Configuration
• Security Report Card → Share Report widget
• Host rescan → Available per asset

Read more in our documentation.

You shouldn’t have to guess who changed what in your Wallarm configuration. Now you don’t.

We’ve introduced a fully redesigned Activity Log that gives you a clear, attributable record of every action across your Wallarm platform so you can move faster, stay compliant, and actually trust what you’re seeing.

What’s new?

• Full event coverage: Track configuration changes, access updates, and system activity in one place
• Clear attribution: See exactly who performed each action and when. No more detective work
• Operational clarity: Quickly understand what changed and follow up with the right person
• Compliance-ready logging: Built to support audit requirements across regulated industries
• Enterprise-friendly: Designed for teams with multiple users and shared responsibility

Where to find it Settings → Activity Log

Documentation

Better inputs. Better outputs. Better control.

We've improved Wallarm's Schema-Based Testing with updates that make it easier to plug into your existing workflows and test APIs the way you actually run them.

What’s New

RAML Support
Upload RAML files as input. We’ll automatically convert them to OpenAPI specifications so you can get testing without rework.

JUnit Output for CI/CD
Export test results in JUnit format for clean CI/CD integration. Your pipelines stay happy. Your developers stay informed.

Full Request & Response Log Export
Need visibility? Export complete logs for all requests and responses to support troubleshooting, validation, and reporting.

mTLS Support
Mutual TLS authentication is now supported, so you can test APIs that require stronger identity verification.

Because the fastest way to reduce API risk is to test it before someone else does. You can learn more about these capabilities in the documentation. 

Security teams don’t need more noise. They need fewer distractions.

False Positive Rules are now Generally Available, giving you the ability to automatically mark security issues as false positives (or prevent them from being created) based on conditions you define.

You can:

• Create rules from Security Issues → Configuration
• Generate a rule directly from an existing issue using Ignore similar issues
• Suppress findings for specific parameters, endpoints, hosts, or vulnerability types

Rules are evaluated before issues are created and apply across API Attack Surface Management, Threat Replay Testing, Passive Detection, and Schema-Based Testing. If an issue is auto-marked as false, the change is logged in Status History.

Simple idea. Less clutter. More focus on real threats.

API sessions are one of the most powerful ways to understand what’s really happening across your APIs. They give you the context you need to investigate suspicious behavior, connect related requests, and block bad actors without disrupting legitimate users.

The catch? Session configuration isn’t always obvious, especially if you didn’t build the API yourself.

That’s where Wallarm steps in.

We already know your APIs inside and out thanks to API Discovery, including the parameters and headers they actually use in production. Now we combine that data with a little LLM-powered intelligence to recommend the right session context parameters for each API.

What’s new?

When you configure API sessions, Wallarm now suggests parameters based on real API discovery data. You can review the recommendations, select what makes sense, and start getting meaningful session insights in minutes, not days.

Why it matters

Less guesswork. Faster setup. Better session context from day one.

Use Wallarm’s recommendations to get more value from API sessions across your environment and focus on stopping attacks, not tuning configs.

Ready when you are, and our documentation is here to help.