News

Harness and Traceable Launch Unified WAAP to Tackle Modern Application Threats

• By John K. Waters
• May 7, 2025

Application delivery platform Harness, in collaboration with recently acquired API security company Traceable, has unveiled Traceable Cloud WAAP, a next-generation Web Application and API Protection platform. The product, launched Tuesday, aims to provide full-stack, context-aware security for cloud-native environments and microservices architectures.

This marks the first joint innovation since Harness and Traceable merged, and reflects their shared ambition to unify DevOps and security into a single, AI-powered workflow. The combined company's new product integrates web application protection, API security, bot mitigation, and DDoS defense into a single offering, and is designed to adapt to the complexity of modern software.

"This solution is purpose-built to secure modern, cloud-native applications and APIs—wherever and however they run," said Sudhir Patamsetti, Senior Director of Product Management and Cybersecurity at Harness, in a blog post.

Moving Beyond the Edge
According to the company, the Traceable Cloud WAAP addresses critical blind spots in legacy WAAPs, which were designed for simpler, static edge environments. Traditional tools often struggle to detect API abuse, business logic attacks, or the lateral movement of threats inside distributed systems. As microservices, ephemeral APIs, and cloud workloads become the norm, Patamsetti said these older solutions "can't keep up."

"Reactive, perimeter-based security is no longer enough," he added. "Applications scale across multiple environments, change constantly, and communicate through APIs. Legacy WAAPs overlook internal traffic, miss shadow APIs, and require painful manual rule tuning."

In contrast, Traceable's offering leverages real-time behavioral analysis, user/session attribution, and attacker fingerprinting. Instead of relying on static signatures, it monitors anomalies based on what's normal for specific APIs and environments.

"It understands how traffic is expected to behave—and intervenes when something deviates from the norm," Patamsetti said.

Shift-Left + Runtime Defense
Designed for full lifecycle security, Traceable Cloud WAAP blends traditional runtime defenses with "shift-left" capabilities. Developers can integrate API testing directly into CI/CD pipelines, helping teams detect vulnerabilities earlier. This aligns with broader DevSecOps trends, where security is embedded throughout development rather than bolted on later.

Other features include sensitive data flow mapping, real-time OWASP Top 10 threat detection, and customizable API risk scoring. The platform also provides visibility into encrypted traffic and automatically discovers APIs through traffic mirroring and code inspection.

"We help teams move faster, stay aligned, and defend what matters most," Patamsetti said. "Speed and security shouldn't be at odds."

Flexible Deployment for Modern Stacks
Traceable Cloud WAAP supports a wide range of deployment models, including inline agents in NGINX and Kong, out-of-band traffic mirroring, and edge routing through DNS or CDN integration. Developers can deploy the system without making code changes using eBPF or run it directly in application code using lightweight agents.

This level of deployment flexibility allows enterprises to secure APIs running across hybrid environments—on-prem, in cloud-native Kubernetes clusters, or behind modern API gateways.

"This combination of deep visibility, intelligent runtime protection, and flexible deployment empowers security teams to close visibility gaps, detect threats earlier, and enforce protection wherever modern applications and APIs live," Patamsetti said.

Post-Merger Vision Comes into Focus
Traceable Cloud WAAP is the first major product to emerge from the Harness–Traceable merger, which was announced to consolidate software delivery and security under one DevSecOps platform. For Harness, the release signals a serious move into cybersecurity, a domain previously adjacent to its core CI/CD and observability offerings.

"Together, we are setting a new standard for how teams seamlessly develop, deliver and secure applications," Patamsetti said.

The launch also comes as APIs have become a growing attack vector, now representing over 70% of internet traffic by some estimates. The emergence of business logic abuse, advanced bot attacks, and internal API exposure has driven enterprise demand for more intelligent, adaptable defenses.

Traceable Cloud WAAP aims to meet that need—without forcing developers to slow down.