Traceable AI is an API security platform that provides comprehensive API discovery, threat detection, and security testing using a distributed tracing and observability-driven approach. Co-founded by Jyoti Bansal, the founder of AppDynamics (acquired by Cisco for $3.7 billion in 2017), Traceable was built on the premise that API security requires deep understanding of application behavior at the transaction level, not just surface-level traffic inspection. In March 2025, Traceable merged with Harness, an AI-native DevSecOps platform also founded by Bansal, creating a unified software delivery and security offering.

Platform Capabilities

API Discovery and Cataloging

Traceable automatically discovers all APIs across an organization’s environment, including internal, external, third-party, and shadow APIs, by analyzing real application traffic. The platform generates a complete API catalog with detailed specifications, data flow mapping, and sensitivity classification. Shadow APIs and undocumented endpoints that exist outside of official API gateways are surfaced and brought under governance.

API Threat Detection and Protection

Using distributed tracing and behavioral analytics, Traceable detects API attacks in real time, including injection attacks, broken authentication, broken object-level authorization (BOLA), business logic abuse, data exfiltration, credential stuffing, and bot attacks. The platform correlates activity across the full request-response lifecycle and across microservice boundaries, rather than inspecting individual API calls in isolation. This context-aware approach enables detection of multi-step attacks that span multiple API endpoints.

API Security Testing

Traceable integrates into CI/CD pipelines to perform security testing of APIs before deployment. The platform generates security tests based on discovered API behavior and known attack patterns, identifying vulnerabilities during development, such as OWASP API Top 10 issues including BOLA, mass assignment, and excessive data exposure. Tests are automatically updated as APIs evolve, maintaining coverage without manual test maintenance.

API Risk Scoring

The platform continuously assesses risk across the API estate by correlating vulnerability data, traffic patterns, sensitive data exposure, authentication strength, and threat intelligence to prioritize which APIs require immediate attention. Risk scores reflect both the technical exploitability and business criticality of each API endpoint.

Sensitive Data Flow Analysis

Traceable traces the flow of sensitive data, including PII, credentials, financial data, and health records, across API calls and microservices. The platform identifies where sensitive data is exposed, stored, or transmitted without adequate protection. This capability supports compliance with GDPR, CCPA, PCI DSS, and HIPAA data handling requirements.

API Fraud Detection

The platform detects business logic abuse and fraud patterns at the API layer, including account takeover attempts, credential stuffing, loyalty point manipulation, and payment fraud. By understanding the intended business logic of each API, Traceable identifies abuse that traditional security tools, which focus on technical exploits rather than business logic, would miss entirely.

Runtime Protection

Traceable provides runtime API protection that can block malicious API calls in real time based on behavioral analysis and policy enforcement. Protection can be deployed inline or via integration with API gateways and web application firewalls, providing flexible deployment options based on organizational risk tolerance.

API Compliance and Governance

The platform helps organizations enforce API governance policies across their API estate, covering authentication requirements, rate limiting, data exposure limits, and versioning standards. Compliance dashboards track adherence to internal API standards and external regulatory requirements.

Observability-Driven Approach

Traceable’s core technical differentiator is its use of distributed tracing, the same technology used in application performance monitoring, to build a deep understanding of API behavior. By tracing requests across microservices and correlating them with user sessions, the platform understands the full context of each API call. This enables more accurate threat detection and significantly lower false positive rates than traditional WAF or API gateway-based security. This approach draws directly from Bansal’s experience building AppDynamics and represents a fundamental architectural choice that separates Traceable from competitors.

Harness Merger

In March 2025, Traceable merged with Harness, the AI-native DevSecOps platform also founded by Jyoti Bansal. The combination integrates API security directly into the software delivery lifecycle, covering code-to-production security across CI/CD, feature flags, cloud cost management, and now API protection. The merger unifies Bansal’s vision for end-to-end software delivery and security under one platform, allowing development teams to discover, test, and protect APIs throughout the entire development lifecycle without context-switching between tools.

Funding

Traceable raised $110 million across multiple rounds. Key investors include Unusual Ventures, IVP (Institutional Venture Partners), and Tiger Global Management. Traceable also received backing from BIG Labs, the venture studio founded by Jyoti Bansal. Pre-merger valuation reflected the growing criticality of API security amid rapid API proliferation across enterprises.

Market Position

Prior to the Harness merger, Traceable competed in the API security market against Salt Security, Noname Security (acquired by Akamai in 2024), Wib, Wallarm, and API gateway-native security features from Kong, Apigee, and AWS API Gateway. Traceable’s distributed tracing approach provided deeper application-context awareness than competitors relying solely on traffic analysis or out-of-band mirroring. The merger with Harness repositions Traceable’s technology as part of a broader DevSecOps platform play, targeting the convergence of application development and application security.

Leadership

Jyoti Bansal co-founded Traceable and also founded and serves as CEO of Harness. He previously founded AppDynamics. Sanjay Nagaraj is co-founder and CTO. Sudeep Padiyar serves as VP of Engineering.

Deployment Model

Traceable supports multiple deployment options including SaaS, self-hosted, and hybrid models. The platform ingests API traffic through lightweight agents, eBPF-based collectors, traffic mirroring, or API gateway integrations. This provides flexibility to capture API telemetry without requiring application code changes or inline deployment, enabling rapid deployment across complex microservices architectures.

Industry Context

Traceable’s merger with Harness came amid a period of rapid consolidation in the API security market. Noname Security was acquired by Akamai in 2024, Salt Security continued to operate independently, and major platform vendors like Cloudflare, F5, and Imperva added API security capabilities to their existing portfolios. The convergence of API security into broader application security and DevSecOps platforms reflects the market’s recognition that API protection cannot be treated as a standalone concern separate from the software delivery lifecycle.