DEV.co
Open-Source Observability · metlo-labs

metlo

Metlo is an open-source API security platform that discovers API endpoints, detects attacks in real time, and blocks malicious traffic. It includes features for sensitive data scanning, attack context analysis, and automated security testing for OWASP Top 10 vulnerabilities.

Source: GitHub — github.com/metlo-labs/metlo
1.8k
GitHub stars
105
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymetlo-labs/metlo
Ownermetlo-labs
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars1.8k
Forks105
Open issues25
Latest releasev0.1.1 (2023-04-14)
Last updated2025-07-25
Sourcehttps://github.com/metlo-labs/metlo

What metlo is

TypeScript-based platform that passively monitors API traffic for endpoint discovery and threat detection, with built-in YAML-based security testing framework and CI/CD integration capabilities. Offers both self-hosted deployment (AWS, GCP, Azure, Docker) and cloud-based attack blocking via detection engine.

Quickstart

Get the metlo source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/metlo-labs/metlo.gitcd metlo# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

API Inventory and Risk Scoring

Automatically discover all API endpoints in your infrastructure and scan them for PII/sensitive data exposure with risk-based prioritization.

Real-Time Attack Detection and Response

Deploy agents to passively listen to API traffic, detect malicious patterns, and block bad actors before they exploit vulnerabilities.

Pre-Production Security Testing

Integrate with CI/CD pipelines to auto-generate and run security tests for BOLA, broken authentication, SQL injection, and other OWASP Top 10 risks before production deployment.

Implementation considerations

  • Deployment claimed at <15 minutes; verify network tap/agent placement for your traffic topology to ensure endpoint discovery capture.
  • Sensitive data scanning rules and attack detection models are not detailed in README; review documentation to confirm detection accuracy for your API schema.
  • CI/CD integration available but details on supported platforms (GitHub Actions, Jenkins, etc.) not provided—requires documentation review.
  • Attack blocking feature depends on cloud connectivity; assess latency and bandwidth overhead of agent-to-cloud communication.
  • YAML test framework requires manual test authoring for custom business logic; auto-generated tests cover OWASP Top 10 only.

When to avoid it — and what to weigh

  • Zero-Trust or Offline-First Environments — Attack blocking requires agents to communicate with cloud detection engine; not suitable for fully air-gapped or offline-only infrastructure.
  • Minimal Deployment Resources — Self-hosted setup requires infrastructure for multiple components (agents, dashboard, backend); lighter-weight edge solutions may be preferable.
  • Proprietary API Protocols Only — Designed for HTTP/REST APIs; may have limited utility for gRPC, GraphQL, or proprietary binary protocols without custom extensions.
  • Requires Immediate Enterprise Features — User management, role-based access, and advanced attack protection are gated behind enterprise license; open-source tier is limited for multi-team environments.

License & commercial use

MIT License (permissive OSI-approved license). Code redistribution, modification, and private use are permitted with preservation of copyright and license notice.

MIT permits commercial use of the open-source code. However, README explicitly states that user management, role-based access, and attack protection features require an enterprise license. Commercial deployment must either avoid those features or obtain enterprise licensing directly from Metlo. Requires review of enterprise terms before production use.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Do not rely on this vendor's claims of security posture. Key considerations: (1) Attack blocking requires agents to send traffic metadata to cloud; review data privacy terms. (2) Detection models based on "patterns of malicious requests"—efficacy depends on model training and is not independently validated in README. (3) Self-hosted deployment means you own vulnerability patching and security hardening. (4) MIT license carries no security audit or warranty. (5) Sensitive data scanning rules and PII detection logic not described—test on sample workloads. Conduct threat modeling for your API portfolio before production deployment.

Alternatives to consider

Kong API Gateway + Plugins

Mature, open-source API gateway with security plugins (rate limiting, auth, WAF integration); larger ecosystem but requires separate security testing tooling.

AWS API Gateway + WAF

Native AWS service with built-in DDoS protection, authentication, and AWS WAF integration; tightly coupled to AWS but minimal operational overhead.

Commercial SaaS for API security scanning and vulnerability management; higher cost but includes vendor-managed threat intelligence and compliance reporting.

Software development agency

Build on metlo with DEV.co software developers

Review the full documentation, test endpoint discovery on a non-production API, and evaluate enterprise licensing needs before committing to production deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

metlo FAQ

Can I use the open-source version for a production API without enterprise features?
Yes, the MIT-licensed code supports endpoint discovery, attack detection, and basic testing. User management, role-based access, and advanced attack blocking require enterprise licensing.
Does Metlo require me to send all API traffic to the cloud?
Agents are self-hosted and passively listen locally; attack blocking uses cloud detection models pulled to agents. You retain control of traffic, but metadata is shared for cloud-based model updates.
What happens if my APIs use non-REST protocols (gRPC, GraphQL)?
README does not address protocol support beyond HTTP/REST APIs. Requires documentation review or direct vendor contact.
How are auto-generated security tests different from manual tests?
Auto-generated tests cover OWASP Top 10 patterns (BOLA, broken auth, SQL injection). Manual YAML tests are for custom business logic and proprietary workflows.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If metlo is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.

Assess Metlo for Your API Security Posture

Review the full documentation, test endpoint discovery on a non-production API, and evaluate enterprise licensing needs before committing to production deployment.