A Conversation with Sudhir Patamsetti: Cloud WAAP, Modern API Security, and the Future of Web App Protection


Traceable by Harness unveiled its first joint product, Traceable Cloud WAAP, just weeks after its merger earlier this year.

Built for the cloud, Traceable Cloud WAAP (Web Application and API Protection) offers active monitoring and AI-powered defense against the top threats facing today’s web applications and APIs.

The keyword here is “today”: Traceable Cloud WAAP is a direct response to a security landscape that’s evolving fast, one that demands hands-on, full DevSecOps.

It’s also one of the reasons Harness acquired Traceable in the first place.

The average organization uses 131 third-party APIs, but only 16% of those surveyed said they feel their security measures are strong enough to manage API risks.

Is it because traditional defenses were built for “monolithic apps, static environments, and perimeter-based security”?

This is how Harness’s Sr. Director of Product Management, Sudhir Patamsetti, explained it.

Sudhir Patamsetti, Sr. Director of Product Management at Harness

Traditional defenses — firewalls, IDS/IPS systems, antivirus software — are things many of us have moved past, but that some legacy infrastructure still relies on.

These defenses leave security blind spots that are ideal for sophisticated bots, which can now mimic human behaviors such as learned mouse movements and clicks.

With the rise of the cloud come security questions about the cloud. Bad actors are increasingly targeting the cloud directly, exploiting points like API vulnerabilities and software supply chains.

That is what Traceable Cloud WAAP is built to address, serving as an all-in-one solution for web application protection, API security, bot mitigation, and DDoS defense.

It uses machine learning to create a baseline of normal activity, unlike traditional security tools that rely on virus signatures.

That means if something deemed unusual happens, the system analyzes the “context” of the action, identifying potential threats based on behavior rather than pattern.

Rather than list the features of Traceable Cloud WAAP, we spoke with Sudhir about why legacy solutions fall short and how to gain better visibility into API and web app ecosystems.

The following interview has been edited for clarity and brevity. Here’s Sudhir.

For businesses still relying on legacy WAAP solutions, what’s your advice if they want to explore more modern, API-focused security options?

Sudhir: “Legacy WAAPs were built for a different era — monolithic apps, static environments, and perimeter-based security. But today’s applications are dynamic, distributed, and API-first.

If you’re still relying on static rules and edge-only defenses, chances are you’re missing shadow APIs, business logic abuse, and internal threats.

[Figure: “Reasons why APIs are at risk.” Traceable found that 57% of surveyed organizations had an API-related breach in the past two years.]

Our advice: Start by gaining visibility into your API ecosystem. You can’t secure what you can’t see.

From there, look for solutions that offer context-aware protection at runtime, integrate into your CI/CD pipelines, and evolve as your apps do.

Here is an example: A user logs in multiple times from different locations within minutes and accesses the user profile APIs.

Alone, each login or call may look normal. But when combined with login patterns, location changes, and unusual parameter values, the behavior suggests a BOLA attack.

A modern WAAP must be able to detect and stop this by creating context from these discrete signals.

Traceable’s Cloud WAAP is built for exactly this.

It’s easy to adopt, integrates flexibly into modern architectures, and delivers protection that actually understands how your applications behave — so you can secure your APIs, not just your perimeter.”
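The correlation described in the answer above, sketched as an added example (not Traceable's code and not part of the interview): neither location churn nor profile reads alone raises a flag, only both together inside one time window. The event format, the `/api/users/<id>/profile` path layout, the window, and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real traffic: (time, user, kind, detail).
# detail is the source country for "login" and the request path for "api".
EVENTS = [
    ("2025-01-01T10:00:00", "alice", "login", "US"),
    ("2025-01-01T10:01:00", "alice", "api", "/api/users/alice/profile"),
    ("2025-01-01T10:00:00", "bob", "login", "DE"),
    ("2025-01-01T10:02:00", "bob", "login", "BR"),
    ("2025-01-01T10:03:00", "bob", "api", "/api/users/bob/profile"),
    ("2025-01-01T10:03:10", "bob", "api", "/api/users/carol/profile"),
    ("2025-01-01T10:03:20", "bob", "api", "/api/users/dave/profile"),
    ("2025-01-01T10:04:00", "bob", "login", "SG"),
    ("2025-01-01T10:04:30", "bob", "api", "/api/users/erin/profile"),
    # erin changes country but only ever reads her own profile
    ("2025-01-01T10:00:00", "erin", "login", "FR"),
    ("2025-01-01T10:05:00", "erin", "login", "GB"),
    ("2025-01-01T10:06:00", "erin", "api", "/api/users/erin/profile"),
]

WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_LOCATIONS = 2               # assumed: distinct login countries in window
MIN_FOREIGN_OBJECTS = 2         # assumed: other users' profiles read in window

def profile_owner(path):
    """Return the owner id from /api/users/<id>/profile, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[:2] == ["api", "users"] and parts[3] == "profile":
        return parts[2]
    return None

def suspected_bola(events):
    """Flag users whose window combines location churn with foreign-object reads."""
    by_user = defaultdict(list)
    for ts, user, kind, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        for start, _, _ in evs:
            window = [e for e in evs if start <= e[0] < start + WINDOW]
            locations = {d for _, k, d in window if k == "login"}
            foreign = {profile_owner(d) for _, k, d in window if k == "api"} - {user, None}
            if len(locations) >= MIN_LOCATIONS and len(foreign) >= MIN_FOREIGN_OBJECTS:
                flagged[user] = {"locations": sorted(locations), "objects": sorted(foreign)}
                break
    return flagged
```
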

How does your Cloud WAAP use smart tech to handle bot mitigation and real-time traffic analysis to make quick decisions on threats as they happen?

Sudhir: “Traceable’s bot protection goes beyond basic signatures and rate limits by analyzing real user behavior across APIs and sessions.

It detects sophisticated bots by identifying anomalies in traffic patterns, API call sequences, and session behavior, catching automation that mimics real users.

Using behavioral analytics, API sequence intelligence, and session fingerprinting, Traceable distinguishes between humans and bots in real time.

Then it applies adaptive mitigation like rate-limiting, friction, or blocking.

Because we see every API request in context, Traceable stops bots that others miss without breaking good user flows.”

Why is Cloud WAAP so important to the DevSecOps life cycle — and do you see it as a future-proof solution?

Sudhir: “In a DevSecOps world, security can’t be an afterthought. It has to move at the same speed as development, and be just as automated, intelligent, and context-aware.

Cloud WAAP is critical because it delivers protection at runtime, where real users interact with your apps and APIs, and where real threats emerge.

It also shifts left by integrating into CI/CD workflows and allowing vulnerabilities to be caught before they go live.

[Figure: Traceable by Harness graphic. Together, Harness and Traceable technologies will create a “next-generation AI-native DevSecOps platform.”]

As for being future-proof, Traceable Cloud WAAP is built for cloud-native architectures, API-driven apps, and AI-powered threat detection.

It’s designed to evolve with your stack, scale across environments, and adapt to new attack vectors, whether GenAI bots, zero-days, or complex multi-step exploits.”

Is there anything else you’d like to add about your Cloud WAAP or the future of DevSecOps in staying agile and secure in today’s market?

Sudhir: “This launch represents a major milestone, not just for Traceable by Harness, but for what modern application security can and should look like.

Security teams no longer have to choose between speed and safety. With Traceable Cloud WAAP, we’ve shown that you can have both.

Looking ahead, the future of DevSecOps will be defined by real-time context, automation, and AI-driven adaptability.

Teams need platforms that can secure apps the way they’re actually built and used, not just how they were designed on paper. We’re proud to be setting that new standard.”

A Cloud Security Imperative?

Ten years ago, hosting providers were selling server space. Today, they offer everything from site builders to AI-powered tools and app integrations.

That explains why hosting environments are now extremely API-focused. It’s part of why end-to-end security is a core responsibility for providers.

Today’s market is changing every day thanks to data privacy laws, cyberattacks, and consumer demands — and there’s no room for error.


After acquiring Traceable in March 2025, Harness and Traceable merged to form Traceable by Harness, an AI-powered Web Application and API Protection (WAAP) platform. It provides context-aware security based on behavior to help detect and address threats throughout the entire API ecosystem. Learn more at traceable.ai.