├── .github
│   └── FUNDING.yml
├── LICENSE
└── README.md

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: [yogsec]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
polar: # Replace with a single Polar username
buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
thanks_dev: # Replace with a single thanks.dev username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2025 YogSec

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# API Pentesting Tools

![API Pentesting Tools](https://media2.giphy.com/media/v1.Y2lkPTc5MGI3NjExeHhzM3plejZjYmdxeXk5bmx1ZDY0aGM3dnUwMTBkNzA1dXd5cmM1MyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/137EaR4vAOCn1S/giphy.gif)

API Pentesting Tools is an open-source, curated list of tools that help automate and streamline the penetration testing of APIs. It helps security researchers and bug bounty hunters identify common vulnerabilities in RESTful and GraphQL APIs.
---

## Methods of API Pentesting

API penetration testing involves several methodologies to assess security weaknesses:

1. **Reconnaissance** – Gathering information about the API endpoints, technologies, and authentication mechanisms.
2. **Authentication Testing** – Checking for weak or broken authentication mechanisms, including token mismanagement.
3. **Authorization Testing** – Verifying access controls to prevent privilege escalation and unauthorized access.
4. **Input Validation Testing** – Identifying injection vulnerabilities such as SQL, NoSQL, and command injection.
5. **Rate Limiting & DoS Testing** – Evaluating API rate limits and potential Denial-of-Service (DoS) risks.
6. **Security Headers & CORS Testing** – Checking HTTP security headers and CORS configurations for misconfigurations.
7. **Session Management Testing** – Analyzing session tokens and cookies for hijacking vulnerabilities.
8. **Business Logic Testing** – Testing API workflows for logic flaws that could be abused.
9. **Fuzzing** – Sending unexpected inputs to uncover flaws in how the API handles them.
10. **Logging & Monitoring Testing** – Ensuring security events are properly logged and monitored.

---

## Reconnaissance Tools for API Testing

Reconnaissance is the first phase of API penetration testing, where testers gather information about the target API to identify potential attack surfaces.

1. **[Nmap](https://nmap.org/)** – Scans for open ports, services, and API endpoints.
2. **[Amass](https://github.com/OWASP/Amass)** – Performs subdomain enumeration to discover API hosts.
3. **[Subfinder](https://github.com/projectdiscovery/subfinder)** – Finds subdomains that might host APIs.
4. **[crt.sh](https://crt.sh/)** – Searches for API subdomains in SSL certificates.
5. **[MassDNS](https://github.com/blechschmidt/massdns)** – Resolves and finds hidden API domains.
6. **[Aquatone](https://github.com/michenriksen/aquatone)** – Visual reconnaissance of API endpoints.
7. **[httprobe](https://github.com/tomnomnom/httprobe)** – Checks which API endpoints are live.
8. **[Waybackurls](https://github.com/tomnomnom/waybackurls)** / **[Gau](https://github.com/lc/gau)** – Finds archived API endpoints.
9. **[ffuf](https://github.com/ffuf/ffuf)** – Fuzzes for hidden API paths.
10. **[Kiterunner](https://github.com/assetnote/kiterunner)** – Discovers undocumented API endpoints.
11. **[Swagger Editor](https://editor.swagger.io/)** – Parses API documentation for potential endpoints.
12. **[GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager)** – Analyzes GraphQL API schemas.
13. **[Burp Suite](https://portswigger.net/burp)** – Passive API endpoint discovery through traffic analysis.
14. **[Google Dorking](https://www.exploit-db.com/google-hacking-database)** – Finds exposed API endpoints via search engines.
15. **[Shodan](https://www.shodan.io/)** – Searches for exposed APIs running on specific technologies.

---

## Authentication Testing Tools for API Testing

Authentication testing focuses on verifying the security of API authentication mechanisms, such as API keys, JWTs, OAuth, and session tokens.

1. **[Burp Suite](https://portswigger.net/burp)** – Intercepts and manipulates authentication requests.
2. **[Postman](https://www.postman.com/)** – Manually tests API authentication flows.
3. **[JWT_TOOL](https://github.com/ticarpi/jwt_tool)** – Tests vulnerabilities in JWT authentication.
4. **[AuthAnalyzer (Burp Extension)](https://github.com/s0md3v/AuthAnalyzer)** – Analyzes authentication mechanisms.
5. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies authentication-related vulnerabilities.
6. **[SAML Raider](https://github.com/SAMLRaider/SAMLRaider)** – Tests SAML authentication security.
7. **[OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy)** – Analyzes OAuth2 authentication flows.
8. **[Kerbrute](https://github.com/ropnop/kerbrute)** – Brute-forces Kerberos authentication.
9. **[TokenSpray](https://github.com/0xZDH/TokenSpray)** – Tests API token authentication by spraying leaked tokens.
10. **[CyberChef](https://gchq.github.io/CyberChef/)** – Decodes and analyzes authentication tokens.
11. **[HackBrowserData](https://github.com/moonD4rk/HackBrowserData)** – Extracts stored API credentials from browsers.
12. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API authentication requests.
13. **[GraphQL Raider](https://github.com/doyensec/GraphQL-raider)** – Tests authentication in GraphQL APIs.
14. **[Aquatone](https://github.com/michenriksen/aquatone)** – Discovers authentication endpoints in APIs.
15. **[ffuf](https://github.com/ffuf/ffuf)** – Brute-forces authentication tokens and session IDs.

---

## Authorization Testing Tools for API Testing

Authorization testing ensures that users and API clients can only access resources they are permitted to. It helps identify vulnerabilities like IDOR, privilege escalation, and role-based access control (RBAC) flaws.

1. **[Burp Suite](https://portswigger.net/burp)** – Manipulates API requests to test authorization flaws.
2. **[Postman](https://www.postman.com/)** – Manually modifies headers, tokens, and roles for access control testing.
3. **[Autorize (Burp Extension)](https://github.com/Quitten/Autorize)** – Automatically checks for authorization vulnerabilities.
4. **[JWT_TOOL](https://github.com/ticarpi/jwt_tool)** – Analyzes and manipulates JWT tokens to test privilege escalation.
5. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies API authorization weaknesses.
6. **[GraphQL Raider](https://github.com/doyensec/GraphQL-raider)** – Explores GraphQL authorization issues.
7. **[Arjun](https://github.com/s0md3v/Arjun)** – Detects hidden parameters that might bypass authorization.
8. **[AuthMatrix (Burp Extension)](https://github.com/SecurityInnovation/AuthMatrix)** – Tests role-based access control (RBAC) vulnerabilities.
9. **[ffuf](https://github.com/ffuf/ffuf)** – Fuzzes API endpoints for unauthorized access.
10. **[Hoppscotch](https://hoppscotch.io/)** – Tests API authorization with different user roles.
11. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API requests to test access control.
12. **[Google Dorking](https://www.exploit-db.com/google-hacking-database)** – Finds exposed endpoints with weak authorization.
13. **[IAM Vulnerability Scanner](https://github.com/nccgroup/iam-vulnerability-scanner)** – Identifies IAM misconfigurations in APIs.
14. **[GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager)** – Visualizes GraphQL permissions to detect flaws.
15. **[CyberChef](https://gchq.github.io/CyberChef/)** – Decodes and analyzes authorization tokens.

---

## Input Validation Testing Tools for API Testing

Input validation testing ensures that APIs properly sanitize and handle user inputs to prevent attacks like SQL injection, command injection, and XSS.

1. **[Burp Suite](https://portswigger.net/burp)** – Fuzzes and manipulates API parameters for injection attacks.
2. **[Postman](https://www.postman.com/)** – Sends crafted inputs to test validation mechanisms.
3. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies input validation flaws in API endpoints.
4. **[SQLmap](https://sqlmap.org/)** – Detects and exploits SQL injection vulnerabilities.
5. **[Commix](https://github.com/commixproject/commix)** – Tests for command injection vulnerabilities.
6. **[XSStrike](https://github.com/s0md3v/XSStrike)** – Detects and exploits XSS vulnerabilities in API responses.
7. **[ffuf](https://github.com/ffuf/ffuf)** – Fuzzes API endpoints for input-based vulnerabilities.
8. **[Arjun](https://github.com/s0md3v/Arjun)** – Finds hidden API parameters that may lack validation.
9. **[WFuzz](https://github.com/xmendez/wfuzz)** – Automates fuzzing attacks against API input fields.
10. **[Nikto](https://cirt.net/Nikto2)** – Scans APIs for common misconfigurations and vulnerabilities.
11. **[NoSQLMap](https://github.com/codingo/NoSQLMap)** – Detects NoSQL injection vulnerabilities.
12. **[GraphQL Raider](https://github.com/doyensec/GraphQL-raider)** – Finds input validation flaws in GraphQL APIs.
13. **[CyberChef](https://gchq.github.io/CyberChef/)** – Encodes and decodes inputs to bypass filters.
14. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API requests to test input validation.
15. **[KNOXSS](https://knoxss.me/)** – Automated XSS scanner for API responses.

---

## Rate Limiting & DoS Testing Tools for API Testing

Rate limiting and Denial-of-Service (DoS) testing helps identify vulnerabilities that could allow attackers to overload an API with excessive requests.

1. **[Burp Suite](https://portswigger.net/burp)** – Tests API rate limits by automating rapid requests.
2. **[Postman](https://www.postman.com/)** – Manually sends repeated requests to observe rate-limiting behavior.
3. **[OWASP ZAP](https://www.zaproxy.org/)** – Automates request bursts to test API rate limitations.
4. **[Slowloris](https://github.com/gkbrk/slowloris)** – Simulates low-bandwidth DoS attacks against APIs.
5. **[hping3](https://github.com/antirez/hping)** – Generates high-traffic API requests for stress testing.
6. **[Taurus](https://gettaurus.org/)** – Load tests APIs to measure their rate-limiting responses.
7. **[Gatling](https://gatling.io/)** – Simulates API load testing to identify performance bottlenecks.
8. **[Apache JMeter](https://jmeter.apache.org/)** – Performs high-load API testing to detect rate-limiting issues.
9. **[ffuf](https://github.com/ffuf/ffuf)** – Sends high-frequency requests to test rate limits.
10. **[k6](https://k6.io/)** – Load testing tool for evaluating API performance under heavy requests.
11. **[Locust](https://locust.io/)** – Distributed load testing tool for stress testing APIs.
12. **[Artillery](https://www.artillery.io/)** – Scalable load testing tool for DoS and rate-limiting validation.
13. **[Tsunami Security Scanner](https://github.com/google/tsunami-security-scanner)** – Identifies API rate-limiting weaknesses.
14. **[Metasploit (auxiliary modules)](https://www.metasploit.com/)** – Simulates DoS attacks on API endpoints.
15. **[Boofuzz](https://github.com/jtpereyda/boofuzz)** – Fuzzes API endpoints to detect rate-limiting bypass vulnerabilities.

---

## Security Headers & CORS Testing Tools for API Testing

Security headers and CORS (Cross-Origin Resource Sharing) testing helps identify misconfigurations that can lead to data exposure, unauthorized access, or security bypasses.

1. **[Burp Suite](https://portswigger.net/burp)** – Tests and manipulates security headers and CORS policies.
2. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies insecure CORS configurations and missing security headers.
3. **[Postman](https://www.postman.com/)** – Manually inspects API responses for CORS-related issues.
4. **[Curl](https://curl.se/)** – Fetches API responses to analyze CORS headers.
5. **[Nikto](https://cirt.net/Nikto2)** – Scans for missing security headers in API responses.
6. **[HTTP Toolkit](https://httptoolkit.tech/)** – Captures and inspects API traffic for CORS vulnerabilities.
7. **[CORS Scanner (OWASP)](https://github.com/awslabs/cors-scanner)** – Identifies CORS misconfigurations in APIs.
8. **[mitmproxy](https://mitmproxy.org/)** – Intercepts API requests to analyze security headers and CORS policies.
9. **[SecurityHeaders.com](https://securityheaders.com/)** – Online tool for evaluating API security headers.
10. **[CSRF Tester](https://github.com/cure53/CSRF-Tester)** – Checks for CSRF vulnerabilities in APIs relying on security headers.
11. **[Header Security Tool (Mozilla Observatory)](https://observatory.mozilla.org/)** – Tests APIs for missing security headers.
12. **[Retire.js](https://github.com/RetireJS/retire.js)** – Detects outdated JavaScript libraries that could impact CORS security.
13. **[CSP Evaluator (Google)](https://csp-evaluator.withgoogle.com/)** – Tests Content Security Policy (CSP) configurations.
14. **[Nmap (http-headers script)](https://nmap.org/nsedoc/scripts/http-headers.html)** – Extracts and evaluates security headers from APIs.
15. **[TestCORS.com](https://testcors.com/)** – Online tool for checking CORS policy configurations.

---

## Session Management Testing Tools for API Testing

Session management testing ensures that APIs handle user sessions securely, preventing session hijacking, fixation, or improper session termination.

1. **[Burp Suite](https://portswigger.net/burp)** – Tests session token generation, management, and expiration.
2. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies session management flaws in API responses.
3. **[Postman](https://www.postman.com/)** – Manages and inspects session tokens in API requests.
4. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies session tokens for vulnerability analysis.
5. **[JWT.io](https://jwt.io/)** – Decodes and analyzes JWT tokens for security flaws.
6. **[AuthAnalyzer (Burp Extension)](https://github.com/qllone/AuthAnalyzer)** – Identifies authentication and session management issues.
7. **[Session Hijacking Toolkit](https://github.com/antichown/SessionHijackingToolkit)** – Tests API session management weaknesses.
8. **[CSRF Tester](https://owasp.org/www-project-csrfguard/)** – Assesses API session security against CSRF attacks.
9. **[Nmap (http-sessions script)](https://nmap.org/nsedoc/scripts/http-sessions.html)** – Extracts and evaluates session cookies.
10. **[Ettercap](https://www.ettercap-project.org/)** – Tests API session security in network environments.
11. **[Wireshark](https://www.wireshark.org/)** – Captures and analyzes API session tokens in network traffic.
12. **[Cookie Cadger](http://www.cookiecadger.com/)** – Detects insecure API session cookies in transit.
13. **[ModHeader (Browser Extension)](https://modheader.com/)** – Modifies session tokens for API security testing.
14. **[Session Fixation Tester](https://github.com/codingo/SessionFixationTester)** – Tests APIs for session fixation vulnerabilities.
15. **[JWT Cracker](https://github.com/brendan-rius/c-jwt-cracker)** – Attempts brute-force attacks on JWT session tokens.

---

## Business Logic Testing Tools for API Testing

Business logic testing focuses on identifying security flaws in an API's core functionality, ensuring that workflows, access controls, and user interactions are not exploitable.

1. **[Burp Suite (Manual Testing & Extensions)](https://portswigger.net/burp)** – Identifies logic flaws by modifying API requests.
2. **[OWASP ZAP](https://www.zaproxy.org/)** – Tests API workflows by intercepting and modifying requests.
3. **[Postman](https://www.postman.com/)** – Manually manipulates API calls to check for unexpected behavior.
4. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API traffic to analyze logic vulnerabilities.
5. **[GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager)** – Analyzes GraphQL schemas for logical security flaws.
6. **[Kiterunner](https://github.com/assetnote/kiterunner)** – Fuzzes API endpoints to uncover hidden logic vulnerabilities.
7. **[Fuzzapi](https://github.com/Fuzzapi)** – Automates API fuzzing to detect unusual business logic flaws.
8. **[Restler Fuzzer](https://github.com/microsoft/restler-fuzzer)** – Detects logic flaws in REST API sequences and workflows.
9. **[GraphQL Raider (Burp Extension)](https://github.com/doyensec/GraphQL-raider)** – Finds logical vulnerabilities in GraphQL APIs.
10. **[AuthMatrix (Burp Extension)](https://portswigger.net/bappstore/745fb476395d4973b7ac09b1df5c8dc8)** – Tests privilege escalation and business logic flaws.
11. **[SecApps Logic Analyzer](https://secapps.com/)** – Examines API responses for logical inconsistencies.
12. **[API Hammer](https://github.com/Azure/api-hammer)** – Simulates different API request scenarios to test workflow security.
13. **[BOLA Detector](https://github.com/BOLA-Detector)** – Identifies Broken Object Level Authorization (BOLA) issues.
14. **[GadgetProbe](https://github.com/BishopFox/GadgetProbe)** – Tests serialization vulnerabilities affecting API logic.
15. **Custom Python Scripts** – Tailor-made automation for detecting API logic flaws.

---

## Fuzzing Tools for API Testing

Fuzzing in API testing helps identify security vulnerabilities by sending malformed, unexpected, or random data to API endpoints and observing how they respond.

1. **[Burp Suite Intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder)** – Automates API fuzzing with customizable payloads.
2. **[ffuf](https://github.com/ffuf/ffuf)** – Fast web fuzzer used for API endpoint discovery and fuzzing.
3. **[wfuzz](https://github.com/xmendez/wfuzz)** – CLI-based fuzzer for testing API parameters and endpoints.
4. **[Kiterunner](https://github.com/assetnote/kiterunner)** – API-specific fuzzer that brute-forces undocumented endpoints.
5. **[Restler Fuzzer](https://github.com/microsoft/restler-fuzzer)** – Microsoft's API fuzzing tool for REST APIs.
6. **[Fuzzapi](https://github.com/laluka/fuzzapi)** – Fuzzing framework for testing API security vulnerabilities.
7. **[Gfuzz](https://github.com/google/gfuzz)** – Lightweight API fuzzer for detecting input validation flaws.
8. **[Radamsa](https://gitlab.com/akihe/radamsa)** – Generates test cases by mutating API requests.
9. **[JBroFuzz](https://www.owasp.org/index.php/OWASP_JBroFuzz)** – OWASP's fuzzing tool for testing API stability and security.
10. **[Corpus-based Fuzzing (e.g., AFL, LibFuzzer)](https://llvm.org/docs/LibFuzzer.html)** – Custom fuzzing for API responses.

---

## Logging & Monitoring Testing Tools for API Testing

Logging and monitoring are crucial for detecting security threats, ensuring compliance, and maintaining API security. These tools help analyze logs, detect anomalies, and monitor API activity.

1. **[Graylog](https://www.graylog.org/)** – Centralized log management and analysis tool for API security monitoring.
2. **[Splunk](https://www.splunk.com/)** – Provides real-time security analytics and API activity monitoring.
3. **[ELK Stack (Elasticsearch, Logstash, Kibana)](https://www.elastic.co/what-is/elk-stack)** – Open-source log analysis and monitoring platform.
4. **[OpenTelemetry](https://opentelemetry.io/)** – API observability and tracing tool for monitoring API requests.
5. **[Prometheus](https://prometheus.io/)** – Monitors API performance and detects unusual activity.
6. **[Grafana](https://grafana.com/)** – Visualizes API logs and monitoring data for security insights.
7. **[Sumo Logic](https://www.sumologic.com/)** – Cloud-based log management tool for API security analysis.
8. **[Datadog](https://www.datadoghq.com/)** – Monitors API traffic, logs, and security events.
9. **[Wazuh](https://wazuh.com/)** – Open-source security monitoring and log analysis tool.
10. **[New Relic](https://newrelic.com/)** – Tracks API performance and detects security anomalies.
--------------------------------------------------------------------------------