App and API Protection

This product is not supported for your selected Datadog site. ().
A security signal panel in Datadog, which displays attack flows and flame graphs

App & API Protection (AAP) provides unified visibility and security for your applications and APIs, helping you detect, investigate, and prevent threats across modern workloads.

Whether you’re defending public-facing APIs, internal services, or user-facing applications, AAP equips your teams with realtime OOTB threat detection, posture assessment, and in-app protections.

Formerly known as Application Security Monitoring (ASM), AAP now goes beyond runtime threat detection to include API discovery, posture management, and protection capabilities.

Key capabilities

API discovery and posture management

  • Automatically detect all APIs exposed by your services.
  • Identify unprotected, undocumented, or overly permissive endpoints.
  • Get detailed, contextual findings tied to specific endpoints, misconfigurations, and observed behavior.
  • Evaluate API configurations against posture rules based on security best practices and compliance frameworks (e.g., OWASP API Top 10).

Runtime threat detection and protection

  • Detect real-time threats such as injection attacks, account takeover attempts, and application abuse.
  • Correlate multi-signal attack patterns into actionable insights.
  • Block malicious traffic with In-App WAF rules using attributes like IP, user agent, headers, and more.

Use cases

  • Protect customer data in production APIs
  • Detect and block credential stuffing and ATO attacks
  • Maintain API posture compliance across teams and environments
  • Investigate incidents with correlated trace, log, and security data

AAP implementation in Datadog

If you’re curious how App and API Protection is structured and how it uses tracing data to identify security problems, read How App and API Protection Works.

Configure your environment

Powered by provided out-of-the-box rules, AAP detects threats without manual configuration. If you already have Datadog APM configured on a physical or virtual host, setup only requires setting one environment variable to get started.

To start configuring your environment to detect and protect threats with AAP, follow the enabling documentation for each product. Once AAP is configured, you can begin investigating and remediating security signals in the Security Signals Explorer.

Investigate and remediate security signals

In the Security Signals Explorer, click on any security signal to see what happened and the suggested steps to mitigate the attack. In the same panel, view traces with their correlated attack flow and request information to gain further context.

Exploit Prevention vs. In-App WAF

This section provides a summary of Exploit Prevention and how it differs from In-App Web Application Firewall (WAF) rules.

Datadog AAP includes the Exploit Prevention and In-App WAF features to protect your applications against exploits. Exploit Prevention is an extension of In-App WAF. Exploit Prevention leverages In-App WAF as the first line of defense and then blocks attacks missed by the WAF.

Exploit Prevention leverages Runtime Application Self-Protection (RASP) technology to determine if an application request interacts with a vulnerable code path, and then protects it from specific vulnerability types:

  • SQL injection (SQLi)
  • Server-Side Request Forgery (SSRF)
  • Local File Inclusion (LFI)
  • Command Injection

For library compatibility, see Exploit Prevention.

In addition to detecting malicious patterns in the request, Exploit Prevention differs from In-App WAF by tracking the actions performed by the application (SQL query executed, files accessed, and so on). Exploit Prevention is able to determine if user input modified the SQL query or restricted a file detrimentally, and block it.

For example, in a SQL injection attack, the goal of the attacker is to take control of the SQL query and change its meaning. Exploit Prevention parses the SQL query before execution and checks for any user parameter in the query. If one is present, Exploit Prevention checks if the SQL parser interpreted the parameter as multiple SQL tokens (changing the meaning of the SQL query). In that case, Exploit Prevention flags the query as injected.

Disable AAP

For information on disabling AAP or its features, see the following:

Next steps

Additional helpful documentation, links, and articles:

How App and API Protection WorksDOCUMENTATION more more Datadog App and API ProtectionPRODUCT PAGE more more Gain visibility into risks, vulnerabilities, and attacks with APM Security ViewBLOG more more Monitor AWS WAF activity with DatadogBLOG more more How Datadog Security Inbox prioritizes security risksBLOG more more Understanding your WAF: How to address common gaps in web application securityBLOG more more Mitigate account takeovers with Datadog App and API ProtectionBLOG more more
PREVIEWING: sezen.leblay/aap-setup-page-java