
ContractShield.dev
Reblaze
Akto
Escape.tech
Salt
ZeroThreat.ai
Pynt.io
Metlo API Security
Code42
Symantec Data Loss Prevention
Microsoft BitLocker
Paubox
OpenSSH
GravityZone
Virtru
Arcserve UDP
ContractShield is open-source runtime API security middleware that validates every API request against your OpenAPI contract. It catches business logic attacks (authentication bypasses, BOLA/IDOR, parameter tampering, prototype pollution) that traditional WAFs and API gateways miss because they only inspect payloads, not business rules. Think of it this way: API gateways are bouncers checking IDs at the door. ContractShield enforces the business rules inside the venue.
How it works:
Drop ContractShield into your API as middleware. It reads your OpenAPI specification and enforces it at runtime: every request is validated against your contract before it reaches your application logic. Undocumented endpoints get blocked. Missing authentication gets rejected. Schema violations get caught. No agents, no sidecars, no infrastructure changes.
Key capabilities:
Multi-platform support:
Covering ~80% of the API development market.
Open-core model:
Core features are Apache 2.0 licensed. Advanced capabilities like sink-aware RASP, Learning Mode, and BOLA auto-detection are available under commercial license.
Security certifications:
OWASP ASVS Level 1 compliant, OpenSSF Scorecard, OpenSSF Best Practices Passing, SLSA Build Level 1 provenance, CodeQL scanning.
ContractShield also offers Penetration Testing as a Service (PTaaS) for organizations that need expert-led API security assessments alongside automated protection.
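The enforcement loop described under "How it works" (block undocumented endpoints, reject missing authentication, catch schema violations), as an added Python example written for this page. It is not ContractShield's code and uses none of its API; the OpenAPI fragment `SPEC`, the `ContractEnforcer` class and the `ContractViolation` exception are constructed for the illustration, and the JSON Schema subset it understands (type, required, properties, additionalProperties, minimum, maxLength, enum) is deliberately small so it runs on the standard library alone.

```python
"""Minimal OpenAPI contract enforcer (illustration only, not ContractShield's code)."""
import json
import re


class ContractViolation(Exception):
    """Raised when a request does not conform to the contract."""


# Constructed OpenAPI 3 fragment: one user resource plus an unauthenticated health check.
ID_PARAM = {"name": "id", "in": "path", "required": True,
            "schema": {"type": "integer", "minimum": 1}}
SPEC = {
    "paths": {
        "/api/v1/users/{id}": {
            "get": {"security": [{"bearerAuth": []}], "parameters": [ID_PARAM]},
            "patch": {
                "security": [{"bearerAuth": []}],
                "parameters": [ID_PARAM],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "required": ["displayName"],
                    "additionalProperties": False,   # undeclared keys are a violation
                    "properties": {
                        "displayName": {"type": "string", "maxLength": 64},
                        "role": {"type": "string", "enum": ["member"]},
                    },
                }}}},
            },
        },
        "/api/v1/health": {"get": {}},
    }
}


def _path_regex(template):
    """Turn '/users/{id}' into a regex with a named group per path parameter."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def _validate(value, schema, where):
    """Check value against the supported JSON Schema subset; raise on mismatch."""
    kind = schema.get("type")
    if kind == "integer":
        if isinstance(value, str) and re.fullmatch(r"-?\d+", value):
            value = int(value)                       # path params arrive as strings
        if isinstance(value, bool) or not isinstance(value, int):
            raise ContractViolation(f"{where}: expected integer")
        if "minimum" in schema and value < schema["minimum"]:
            raise ContractViolation(f"{where}: below minimum {schema['minimum']}")
    elif kind == "string":
        if not isinstance(value, str):
            raise ContractViolation(f"{where}: expected string")
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            raise ContractViolation(f"{where}: exceeds maxLength")
        if "enum" in schema and value not in schema["enum"]:
            raise ContractViolation(f"{where}: value not in enum")
    elif kind == "object":
        if not isinstance(value, dict):
            raise ContractViolation(f"{where}: expected object")
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                raise ContractViolation(f"{where}.{name}: required property missing")
        for name, item in value.items():
            if name in props:
                _validate(item, props[name], f"{where}.{name}")
            elif schema.get("additionalProperties", True) is False:
                # Keys the contract never declared (e.g. "isAdmin", "__proto__") stop here.
                raise ContractViolation(f"{where}.{name}: property not in contract")


class ContractEnforcer:
    def __init__(self, spec):
        self.routes = [(_path_regex(p), ops) for p, ops in spec["paths"].items()]

    def check(self, method, path, headers=None, body=None):
        """Return the reason the request is blocked, or None if it conforms."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        try:
            for regex, ops in self.routes:
                match = regex.match(path)
                if not match:
                    continue
                op = ops.get(method.lower())
                if op is None:
                    raise ContractViolation(f"{method} not documented for {path}")
                # 1. Authentication declared in the contract must be present.
                if op.get("security") and not headers.get("authorization", "").startswith("Bearer "):
                    raise ContractViolation("missing bearer token")
                # 2. Path parameters must satisfy their declared schema.
                for param in op.get("parameters", []):
                    if param["in"] == "path":
                        _validate(match.group(param["name"]), param["schema"], f"path.{param['name']}")
                # 3. The body must match the declared schema (or be absent if none is declared).
                declared = op.get("requestBody")
                if declared:
                    if body is None:
                        raise ContractViolation("request body required")
                    _validate(json.loads(body), declared["content"]["application/json"]["schema"], "body")
                elif body:
                    raise ContractViolation("body not documented for this operation")
                return None
            raise ContractViolation(f"undocumented endpoint {path}")
        except ContractViolation as exc:
            return str(exc)
        except ValueError:
            return "body is not valid JSON"
```

Wire `check` in front of the router and refuse the request whenever it returns a string; a mismatch is a contract violation, not an attack signature, which is why a request that is syntactically perfect but sends an undeclared property is still rejected. Ownership checks of the BOLA kind need the caller's identity tied to the resource, which a contract alone does not carry, so this example does not model them.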
ContractShield.dev's answer
ContractShield is the only open-source middleware that enforces your OpenAPI contract at runtime, not just for documentation, but as a security policy. Most API security tools either scan for vulnerabilities (shift-left testing) or inspect payloads for known attack patterns (WAFs). ContractShield does neither. It sits inside your application and validates every request against what your API should do, not what attacks look like.
The result: it catches business logic attacks (authentication bypasses, BOLA/IDOR, parameter tampering, prototype pollution) that produce perfectly valid HTTP requests every WAF in the world allows through.
ContractShield.dev's answer
vs. WAFs (Cloudflare, AWS WAF, Reblaze): WAFs can't see business logic. A GET /api/v1/users/456 from an attacker looks identical to a legitimate request. ContractShield understands the contract and blocks it.
vs. API security platforms (Salt, Noname, Traceable): These are enterprise-grade, agent-based, and expensive. ContractShield is lightweight middleware you install in 5 minutes with zero infrastructure changes.
vs. API testing tools (Akto, Escape.tech, Pynt): These find vulnerabilities before production. ContractShield blocks attacks in production; they're complementary, not competing.
Open source core (Apache 2.0): No vendor lock-in, fully auditable code, free for production use. Security certifications include OWASP ASVS Level 1, OpenSSF Scorecard, and SLSA Build Level 1 provenance.
Multi-platform from day one: Node.js, Python, and Java, covering ~80% of the API development market.
ContractShield.dev's answer
Backend developers and API engineers building REST APIs who want runtime protection without adding infrastructure complexity
DevSecOps teams looking to enforce API contracts as security policy in CI/CD and production
CTOs and engineering leads at startups and mid-market companies who need API security beyond their WAF but can't justify six-figure enterprise platform contracts
Regulated industries (fintech, healthtech, identity verification) where API business logic protection is a compliance requirement
Teams already using OpenAPI specifications: ContractShield turns their existing documentation into an active security layer
ContractShield.dev's answer
ContractShield was born from years of penetration testing. Running API security assessments for clients, we kept finding the same pattern: organizations had invested in WAFs, API gateways, and network security, yet their APIs were wide open to business logic attacks.
Authentication bypasses. BOLA/IDOR. Parameter tampering. Prototype pollution. Every single one produced clean, valid HTTP requests that sailed through every layer of infrastructure security. The vulnerability wasn't in the payload; it was in the logic.
We realized the gap: infrastructure tools protect the transport layer, but nobody was protecting the contract layer, the actual business rules that define what an API should and shouldn't do.
So we built ContractShield as middleware that reads your OpenAPI specification and enforces it at runtime. Your API contract becomes your security policy. If it's not in the spec, it's blocked. If auth is required, it's enforced. If the schema says no, it means no.
We open-sourced the core under Apache 2.0 because API security shouldn't be a luxury reserved for enterprises with six-figure budgets. We continue to offer Penetration Testing as a Service (PTaaS) alongside the product, because automated protection and expert assessment together provide the strongest security posture.
ContractShield.dev's answer
ContractShield PTaaS (our own penetration testing platform runs on ContractShield). Privacy is our motto; contact us for more information.
Based on our record, Code42 seems to be more popular. It has been mentioned 1 time since March 2021. We are tracking product recommendations and mentions on various public social media platforms and blogs. They can help you identify which product is more popular and what people think of it.
It's not a big surprise, given that Code42 (the parent company) pretends they have nothing to do with Crashplan. They've done a massive pivot to some kind of security company, with ZERO references to the OG product of Crashplan on code42.com, which (I'm guessing) is the bulk of their revenue. If you do a site search on google, you'll find some old links, but they just push you over to crashplan.com. Source: about 4 years ago
Reblaze - Reblaze is a cloud-native web application and API protection solution
Symantec Data Loss Prevention - Fully protect your data with the comprehensive detection technologies and unified policies of Symantec's industry leading Data Loss Prevention (DLP).
Akto - Akto is an instant, open-source API security product. Discover all your APIs and find vulnerabilities by running 100+ built-in tests. Write custom tests and automate in Akto.
Microsoft BitLocker - BitLocker is a full disk encryption feature included with Windows Vista and later.
Escape.tech - Escape helps teams secure modern applications (APIs, single-page apps, and microservices) by finding business logic flaws at scale with a proprietary algorithm and empowering developers to fix them efficiently.
Paubox - Paubox provides HIPAA compliant email encryption without the hassle of extra steps.