NextRoll Gains 8x Visibility into APIs and Solves API Sprawl

It’s time for another customer story from Traceable! Today’s blog highlights NextRoll’s journey to API Security, and specifically their struggle with API Sprawl and gaining visibility into all APIs. Let’s get started!

NextRoll, a company processing and interpreting market data and delivering strategic insights, felt the impact of their unknown API catalog and attack surface. In this blog, we summarize NextRoll’s journey with Traceable, providing insights about how we were able to address their need for API cataloging and protection, while also securing their sensitive data flowing through their APIs.

For NextRoll, the lack of visibility into their known, unknown, and shadow APIs was caused by API Sprawl, and was creating further security concerns. 

API sprawl refers to an abundance of APIs of many types, in many locations.  Such extensive API presence can make API cataloging and protection particularly difficult without the correct solutions.  Traditional and legacy security methods such as WAF and RASP do not solve for API sprawl. 

Highlights from the Case Study

  • 8x increased visibility into APIs
  • MTTR reduced from 1 day to < 1 hour
  • 12x cost savings by reduced triage time
  • Traceable platform eliminates the need for 3 separate security tools


Download the Entire NextRoll Case Study Here


Needing to solve for API sprawl, Nextroll needed a platform API security solution that included
API Discovery and Risk Posture Management, along with the ability to prevent sensitive data exfiltration. A company that processes private data, NextRoll sought to not only remain compliant, but to also remediate a concern faced by the Product Security team: lack of visibility into their APIs.


“With Traceable, now I understand where the data is going.  We knew we had data that was at risk, and with Traceable we are able to find and secure all data flowing through APIs using a single platform.” 


With a huge microservice architecture, the frequent changes to APIs created serious concerns related to understanding risk posture. 

Without an accurate API inventory, the prevention of data exfiltration and related API attacks becomes nearly impossible.  “We have a very big microservices architecture – a lot of microservices, and a lot of moving parts. 

We’re processing petabytes of data a day on internet traffic related to people’s preferences.  And some of those microservices or even pipelines do not have a data store.  They just go through an API that collects data, processes it, and outputs it to another API,” said Nicolas Valcárcel, head of Product Security at NextRoll.

Outdated security solutions such as WAFs left the Product Security team blind, and consisted of very manual logging and scraping processes that were time consuming and yielded zero insights into the security of their APIs. According to Valcárcel, “The way we did this before is the typical way the industry has done it for years, and it is generally inaccurate. 

Looking into databases does not provide a picture of where the data is going or what is being processed. Monitoring systems design’s manually we cannot see it all and we can make mistakes, so the information we deliver can be misleading.  Updates after the fact are not taken into account, so data is quickly inaccurate.  This manual data cataloging is never enough, it’s never accurate.”

Other API Security Vendors Didn’t Make the Cut

Replacement WAF solutions and API-security point solutions didn’t solve their need for API data privacy.


According to Valcárcel, “We had conversations with Salt Security and Noname Security at that point, but again, they were trying to replace our Signal Sciences Web Application Firewall (and ultimately couldn’t) rather than providing details about my APIs and data flow, these API solutions and did not offer a data protection or data privacy component.”

With Traceable, NextRoll was validated in their concern that the data passing through their APIs required close monitoring. Said Valcárcel, “Traceable confirmed our suspicions.  We knew there were data privacy concerns that we had not uncovered using traditional methods, but without Traceable cataloging our APIs, I was not able to prove it.  It was more like a hunch.” Valcárcel confirmed that Traceable was not only able to confirm his suspicions, but also able to provide a full picture of their API attack surface.


“With Traceable, now I understand where the data is going.  We knew we had data that was at risk, and with Traceable we are able to find and secure all data flowing through APIs using a single platform.”



About Traceable

Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.