See what your API endpoints show to the world
February 5, 2026 · 3 min read
Most API security advice focuses on how the API is built: fix broken authorization, validate inputs, enforce rate limits. This is necessary work, but it tells you nothing about who is actually consuming your API right now and what they are doing with it.
Your API has two kinds of consumers. Logged-in users interact with your endpoints through authenticated sessions. Non-logged-in visitors hit your public endpoints (the login page, the registration flow, search, product listings) without identifying themselves. Both leave behavioral traces. Both can abuse your system. And right now, you probably have limited visibility into either.
You do not need a SaaS platform or a vendor contract to change that. An open-source security framework on your own infrastructure can give you that visibility today.
Two audiences, one event pipeline
The practical starting point is simple: split your API consumers into two groups and track them differently.
For logged-in users, you already have a username. Every authenticated API request can be sent as an event to tirreno with that username attached. Over time, this builds a behavioral profile for each user: which endpoints they access, how often, from what IPs and devices, at what times, and with what error rates. A user who normally calls three endpoints during business hours and suddenly starts enumerating your entire data API at midnight from a datacenter IP is visible immediately.
For non-logged-in visitors, you do not have a username, but you have context. tirreno expects a username with each event, so for anonymous traffic you use the visitor's IP with .* replacing the last octet (e.g. 192.168.1.*) as the identifier. This groups visitors by their /24 network origin and lets you monitor what your public endpoints are receiving: who is hitting your login page, how often, from what infrastructure. Two caveats: the IP must be the real client address (behind a reverse proxy, take it from the header your own proxy sets, never from one the client can supply, or the identifier becomes attacker-controlled), and a /24 is coarse, so a campus or carrier NAT will share one identifier with a lot of legitimate users. Even so, a pool of IPs cycling through login attempts with a 95% failure rate is visible in the activity page without any vendor integration.
Both streams flow into the same event pipeline, the same rule engine, and the same activity page. You see your authenticated and unauthenticated API traffic in one place, on your own systems.
What your endpoints are showing to the world
Once both streams are flowing, tirreno shows you something most teams have never seen: a real-time picture of how your API is actually being consumed.
The activity page surfaces patterns that are invisible in raw server logs. A cluster of 404 errors from one source across many distinct paths reveals someone enumerating your API surface, probing for undocumented or deprecated endpoints. A concentration of 500 errors against a single endpoint usually means someone is fuzzing it with unexpected inputs (or that a deploy broke it, which you also want to know). A spike in failed authentication attempts spread across residential VPN exit nodes is the signature of a credential stuffing campaign in progress.
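The three patterns above, as detection logic run over a few constructed events. This is an added example written for this page in Python; it is not tirreno's rule engine or activity page, and the event tuple layout, the login path, the thresholds and the sample traffic are all assumptions. It also shows something the per-source view misses: a low-and-slow source that stays under the per-source threshold still moves the pooled failure rate across all anonymous traffic.

```python
"""Surface API-abuse patterns from a list of events.

Added example, not tirreno's own detection logic. Events are (identifier,
uri, http_status) tuples; identifiers are a username for logged-in users
or a wildcarded /24 such as "203.0.113.*" for anonymous traffic.
"""
from collections import Counter, defaultdict

LOGIN_URI = "/api/login"  # assumed login endpoint


def _constructed_events():
    """Constructed sample traffic, not captured from any real system."""
    ev = [("alice", "/api/orders", 200), ("alice", "/api/profile", 200),
          ("alice", "/api/orders", 200)]
    # one /24 probing for undocumented endpoints: many distinct paths, all 404
    ev += [("203.0.113.*", "/api/v1/" + p, 404) for p in
           ("admin", "debug", "internal", "backup", "export", "config", "v0", "swagger")]
    ev += [("203.0.113.*", "/api/products", 200)]
    # one /24 fuzzing a single endpoint: 500s concentrated on one URI
    ev += [("198.51.100.*", "/api/search", 500)] * 6
    ev += [("198.51.100.*", "/api/search", 200)]
    # credential stuffing from several /24s; the last one is low-and-slow
    ev += [("192.0.2.*", LOGIN_URI, 401)] * 19 + [("192.0.2.*", LOGIN_URI, 200)]
    ev += [("100.64.5.*", LOGIN_URI, 401)] * 10
    ev += [("172.20.9.*", LOGIN_URI, 401)] * 4
    return ev


SAMPLE_EVENTS = _constructed_events()


def profile(events):
    """Aggregate per-identifier counters: the raw material of a behavioral profile."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "server_error": Counter(),
                                 "uris": set(), "logins": 0, "login_failed": 0})
    for ident, uri, status in events:
        s = stats[ident]
        s["total"] += 1
        s["uris"].add(uri)
        if status == 404:
            s["not_found"] += 1
        if 500 <= status < 600:
            s["server_error"][uri] += 1
        if uri == LOGIN_URI:
            s["logins"] += 1
            if status in (401, 403):
                s["login_failed"] += 1
    return stats


def enumerators(stats, min_uris=5, min_404_ratio=0.5):
    """Sources hitting many distinct paths with mostly 404s: surface enumeration."""
    return sorted(ident for ident, s in stats.items()
                  if len(s["uris"]) >= min_uris
                  and s["not_found"] / s["total"] >= min_404_ratio)


def fuzzed_endpoints(stats, min_errors=5):
    """(source, uri, count) where one source drives many 5xx on one endpoint."""
    hits = [(ident, uri, n) for ident, s in stats.items()
            for uri, n in s["server_error"].items() if n >= min_errors]
    return sorted(hits)


def stuffing_sources(stats, min_attempts=10, min_fail_rate=0.9):
    """Per-source credential stuffing: enough login attempts, nearly all failing."""
    return sorted(ident for ident, s in stats.items()
                  if s["logins"] >= min_attempts
                  and s["login_failed"] / s["logins"] >= min_fail_rate)


def anonymous_login_failures(stats):
    """(failed, attempts) pooled over all anonymous (wildcarded) identifiers.

    A distributed campaign can keep every single source under the per-source
    threshold; the pooled rate still gives it away."""
    anon = [s for ident, s in stats.items() if "*" in ident]
    return (sum(s["login_failed"] for s in anon), sum(s["logins"] for s in anon))


if __name__ == "__main__":
    st = profile(SAMPLE_EVENTS)
    print("enumerating:", enumerators(st))
    print("fuzzed endpoints:", fuzzed_endpoints(st))
    print("stuffing sources:", stuffing_sources(st))
    print("pooled anonymous login failures:", anonymous_login_failures(st))
```

The per-source thresholds are deliberately simple; the point is that each of the three signals needs a different shape of aggregation (distinct paths, errors per endpoint, failure rate), and that the pooled rate catches the 172.20.9.* source that no per-source rule flags.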
Your public endpoints are often more exposed than you realize. A registration endpoint that accepts requests without authentication is open to automated account creation. A search endpoint that returns detailed results to unauthenticated callers can be scraped systematically. A password reset endpoint that confirms whether an email exists in your system leaks your user list to anyone who asks. Apart from that last one, which is a classic user-enumeration weakness, these are not vulnerabilities in the traditional sense: the endpoints are working as designed. The question is whether you can see who is using them and how.
Your infrastructure, your traffic path
This entire setup runs on your infrastructure. There is no SaaS proxy sitting between your consumers and your API, and no vendor receiving your request payloads, authentication tokens, and session data. There is no contract to negotiate and no bill that scales with your request volume.
The consumer data stays in your database. The detection logic is open source. You can be running this today and seeing what your endpoints are actually handling, without asking anyone for permission or a quote.
API abuse is the beginning of the problem
The consumers abusing your API today will target your product in other ways tomorrow. The same infrastructure that stuffs credentials against your login endpoint creates fake accounts through your registration flow. The same bots that scrape your data probe for escalation paths. Starting with an open-source security framework means the event pipeline and rule engine are already in place when the threat evolves. One framework that grows with your product instead of stacking vendor contracts.
Getting started
Install. Deploy a tirreno instance on any server or container you control. The administration guide covers setup and configuration.
Set up both consumer types. For authenticated API requests, send events with the user's username. For unauthenticated traffic, use the visitor's IP with .* replacing the last octet as the identifier. Include timestamp, IP, user agent, HTTP status code, requested URI, and event type with each event. The developer guide has the API schema.
Apply the api_protection preset. Open the rules page, activate the preset, and browse the activity page. Look at what your public endpoints are actually receiving: who is hitting them, how often, and from what infrastructure.
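Step 2 as working code, as an added example in Python. This is not tirreno's client library: the field names (userName, ipAddress, httpCode and so on) are placeholders to be mapped onto the schema in the developer guide, the /sensor/ path and the bearer-token header are assumptions, and the trusted proxy address is made up. The IPv4 wildcard rule is the one the page describes; the IPv6 handling (/64 prefix plus *) is an assumption added to keep anonymous IPv6 traffic grouped the same way.

```python
"""Build events for authenticated and anonymous API requests.

Added example, not tirreno's own client. Field names are placeholders for
the schema in the developer guide; endpoint path, auth header and the
trusted proxy address are assumptions.
"""
import ipaddress
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Assumption: only this reverse proxy may set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_from(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Resolve the real client IP without trusting an attacker-controlled header.

    X-Forwarded-For is honoured only when the TCP peer is our own proxy, and
    then only its last entry (the one our proxy appended) is used. Earlier
    entries were supplied by the client; trusting them would let an attacker
    choose the identifier every anonymous event is keyed on."""
    if remote_addr in TRUSTED_PROXIES and forwarded_for:
        candidate = forwarded_for.split(",")[-1].strip()
    else:
        candidate = remote_addr
    ipaddress.ip_address(candidate)  # raises ValueError on a malformed address
    return candidate


def consumer_identifier(username: Optional[str], client_ip: str) -> str:
    """Username for logged-in users; otherwise the IP with its last octet wildcarded.

    IPv4 is the rule from the page. IPv6 (assumption): the /64 prefix plus '*'."""
    if username:
        return username
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        return client_ip.rsplit(".", 1)[0] + ".*"
    prefix = ipaddress.ip_network(f"{client_ip}/64", strict=False).network_address
    return f"{prefix.compressed}*"


def build_event(*, username, remote_addr, forwarded_for, user_agent,
                status, uri, method, event_type, when=None) -> dict:
    """Assemble one event carrying the fields the page lists (placeholder names)."""
    client_ip = client_ip_from(remote_addr, forwarded_for)
    return {
        "userName": consumer_identifier(username, client_ip),
        "ipAddress": client_ip,
        "userAgent": user_agent,
        "httpCode": status,
        "url": uri,
        "httpMethod": method,
        "eventType": event_type,
        "eventTime": (when or datetime.now(timezone.utc)).isoformat(),
    }


def send_event(event: dict, base_url: str, api_key: str, timeout: float = 2.0) -> int:
    """POST the event to the sensor endpoint (path and header are assumptions).

    Call this from a queue worker, not on the request path, so a slow or
    unreachable sensor never slows the API itself."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/sensor/",          # assumed path
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},  # assumed header
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed requests: an authenticated call, then an anonymous failed
    # login arriving via the trusted proxy with a spoofed first XFF entry.
    print(json.dumps(build_event(
        username="alice", remote_addr="10.0.0.5", forwarded_for="198.51.100.23",
        user_agent="Mozilla/5.0", status=200, uri="/api/orders", method="GET",
        event_type="page_view"), indent=2))
    print(json.dumps(build_event(
        username=None, remote_addr="10.0.0.5", forwarded_for="1.2.3.4, 203.0.113.77",
        user_agent="python-requests/2.31", status=401, uri="/api/login",
        method="POST", event_type="account_login_fail"), indent=2))
```

The spoofed "1.2.3.4" in the second request is ignored because only the entry appended by the trusted proxy counts; the anonymous event is keyed on 203.0.113.*, the real source's /24. If your API sits behind more than one proxy layer, widen TRUSTED_PROXIES and pick the entry accordingly, and validate the result before using it as an identifier.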
Download at tirreno.com/download. The live demo shows the dashboard, consumer views, and rule engine in action.