April 19, 2023
2 min read

Imperva and Kong Join Forces to Integrate Leading API Management and Cybersecurity Solutions


Today we're pleased to announce a new strategic partnership and resale agreement with Imperva. Imperva customers will now be able to directly license Kong Enterprise, the fastest, most feature-rich, and secure API management solution. In addition, Kong customers will be able to use the Imperva API Security plugin within Kong Enterprise. This allows developers to comprehensively secure their APIs and protect their business applications and data against unauthorized access.

The Imperva API Security plugin is available via the Kong Plugin Hub. Customers can now seamlessly add advanced API security capabilities into their API development lifecycle. The Imperva offering allows security teams to gain visibility into every API call through the Kong Enterprise gateway, as well as the ability to assess risk exposure and take preventative measures against potential attacks.

The integrated joint solution provides enhanced security, including:

  • Encryption of data in motion in APIs, as well as authentication and authorization to all APIs under management by the Kong Enterprise gateway.
  • World-class API security for development teams through the Imperva plugin:
    • Identifying and classifying data: Monitor every API in production and each API call to the gateway. Automatically discover an API's full schema while identifying and classifying the data flowing through it.
    • Continuously discovering APIs and schema changes: API inventories are automatically updated whenever a change is made in production — without slowing down the developer.

Imperva API Security Plugin

The Imperva API Security plugin operates with a very low CPU and memory footprint, helping avoid any negative impact on the inline performance of the gateway or your applications.

The Imperva API Security plugin captures API calls with request/response payloads and sends them to the Imperva API Security service for inspection. API calls are copied and streamed through Kong Gateway. The API Security receiver service endpoint is provided through the plugin's configuration, so the API data is kept under the control of the application owner.

How it works

The plugin sends a copy of API call requests/responses to the Imperva API receiver. The receiver service destination address and port are specified as config parameters. Additional parameters are used to control how the API captures are sent.

For full instructions on enabling the Imperva API Security plugin on your Kong Enterprise installation, please refer to the documentation in the Kong Plugin Hub.


The combination of Kong and Imperva brings together two industry leaders in API Management & Cybersecurity to help power reliable and secure API connections essential for enterprise customers building in the cloud-native era. For more information: