Their API was getting hammered: credential stuffing, brute-force attempts, enumeration attacks. Traditional rate limiting wasn't working because attackers were rotating IPs and spreading requests across time. APIs are the new perimeter, except there is no perimeter. Every endpoint is potentially exposed to the internet, and attackers are automating attacks at scale.

I deployed Apigee as a security gateway in front of their API infrastructure. Not just for rate limiting, but for intelligent traffic analysis and threat detection.

Implemented adaptive rate limiting that looked at behavior, not just request counts. A legitimate user might make 1000 requests a day in bursts—totally normal. An attacker making 1000 requests trying 1000 different passwords—a completely different pattern even if the rate is similar.

Added ML-based anomaly detection watching for signs of automation: request timing too consistent, user-agent patterns, missing human behaviors like typos or pauses. Automated clients have different fingerprints than human users.

Built fraud detection for their payment API. Patterns like: account created, card added, immediate large purchase, account deleted. Or: multiple failed payment attempts from different cards on the same account. The system would flag these for review before processing.

Integrated with their identity system to add risk scores to every API request. New device? Unusual location? Failed logins recently? Requests from that user got additional scrutiny automatically.

Stopped a credential stuffing attack within 90 seconds of it starting. The attacker had 100,000 stolen credentials and was testing them programmatically. The system detected the automated pattern, blocked the attack, and forced password resets for any accounts where the attacker had guessed correctly.

API abuse dropped 94%. Legitimate traffic got faster because we weren't wasting resources on attack traffic. Customer support tickets about account compromises went to basically zero.
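An added example, not the gateway policy from this engagement, of the behavior-over-counts idea above: it derives per-client features from login events (inter-request timing regularity, distinct usernames tried, failure ratio), blocks on the pattern rather than the rate, and lists the accounts a blocked client got into so they can be reset. The event sample, client ids and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample of login events seen at the gateway: (client_id, timestamp_s, username, success).
# "human-1" is a real user who mistypes once and logs in in bursts; "bot-7" walks a credential list
# at a fixed cadence and gets one hit. Not data from the engagement described above.
EVENTS = [
    ("human-1", 0.0, "alice", False), ("human-1", 1.7, "alice", True),
    ("human-1", 43.2, "alice", True), ("human-1", 44.9, "alice", True),
    ("human-1", 3601.0, "alice", True),
] + [("bot-7", 0.5 * i, f"user{i:04d}", i == 37) for i in range(40)]

# Illustrative thresholds chosen for this sample, not taken from any product.
MIN_REQUESTS = 10
MAX_GAP_CV = 0.2          # inter-request gaps this regular are rarely produced by a person
MIN_DISTINCT_USERS = 10
MIN_FAILURE_RATIO = 0.8

def client_features(events):
    """Per-client behavioural features that do not depend on the raw request rate."""
    by_client = defaultdict(list)
    for client, ts, user, ok in events:
        by_client[client].append((ts, user, ok))
    feats = {}
    for client, rows in by_client.items():
        rows.sort()
        times = [ts for ts, _, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        # Coefficient of variation of the gaps: near zero means scripted, metronomic timing.
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        feats[client] = {
            "requests": len(rows),
            "distinct_users": len({user for _, user, _ in rows}),
            "failure_ratio": sum(not ok for _, _, ok in rows) / len(rows),
            "gap_cv": gap_cv,
        }
    return feats

def classify(feats):
    """Verdict per client: block only when the behaviour, not the count, looks automated."""
    verdicts = {}
    for client, f in feats.items():
        stuffing = f["distinct_users"] >= MIN_DISTINCT_USERS and f["failure_ratio"] >= MIN_FAILURE_RATIO
        scripted = f["requests"] >= MIN_REQUESTS and f["gap_cv"] < MAX_GAP_CV
        verdicts[client] = "block" if stuffing or scripted else "allow"
    return verdicts

def compromised_accounts(events, verdicts):
    """Usernames a blocked client logged into successfully: candidates for a forced password reset."""
    return {user for client, _, user, ok in events if ok and verdicts.get(client) == "block"}
```

Both clients here make a comparable number of requests; only the scripted one trips the behavioural checks, and its single successful guess is surfaced for reset rather than silently allowed.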
Client: Fintech Startup
Deliverables: Rate limiting, Authentication hardening, Attack detection, Fraud prevention
Year: 2025
Role: API Security Architect