Listing Thumbnail

    S4 MockAPI - Security API Simulator

     Info
    Deployed on AWS
    AWS Free Tier
    Mock server that answers like real security products' APIs. Build and test SIEM/SOAR integrations without product licenses: Trend Micro Vision One, Palo Alto Networks PAN-OS, Microsoft Sentinel, and CrowdStrike Falcon compatible profiles, plus a generic mock for any OpenAPI 3.x document. Ships with an ATT&CK-shaped scenario library and a Terraform module.

    Overview

    S4 MockAPI reproduces the shape of security-product APIs - status codes, headers, authentication flows, pagination, rate-limit and error bodies - reconstructed from public API documentation only. All data is synthetic.

    • Vision One compatible profile (public API v3.0): workbench alerts with ETag/If-Match flows, endpoint inventory, endpoint-activity search, OAT detections, isolate/restore response actions with realistic task lifecycle (207 Multi-Status).
    • PAN-OS compatible profile (11.x-era XML API): keygen authentication, op commands, stateful candidate-config CRUD, commit job lifecycle, async log retrieval with canonical traffic/threat/system fields.
    • Microsoft Sentinel compatible profile: Azure AD OAuth2 client_credentials token, Log Analytics /v1/workspaces/{id}/query with a KQL subset (where / take / limit / project / count) over 7 seeded tables (SecurityAlert, SecurityIncident, SigninLogs, Heartbeat, AuditLogs, AzureActivity, SecurityEvent), Sentinel Incidents CRUD with ETag/If-Match and comments, entities/{id}/expand returning a 3-node graph, runPlaybook long-running-operation polling.
    • CrowdStrike Falcon compatible profile: POST /oauth2/token (client_credentials, opaque bearer with expires_in) and /oauth2/revoke, Detects (queries / summaries / stateful PATCH), Devices (queries / summaries / contain-and-lift with stateful containment_status), Real Time Response session/execute/status lifecycle, Falcon Query Language subset for filter=.
    • Generic OpenAPI mock: point --spec at any OpenAPI 3.x document and every documented operation is served from its examples and schemas.
    • MITRE ATT&CK-shaped scenario library (10 ready-made scenarios: ransomware response T1486, credential stuffing T1110.004, lateral movement TA0008, data exfiltration TA0010, C2 detection T1071/T1573, phishing T1566, insider threat, persistence hunt, EDR mass-isolate T1490 response, Sentinel incident-triage rehearsal).
    • Terraform module (s4-mockapi-aws) with IMDSv2 required, encrypted root, default 10.0.0.0/8 ingress, admin port instance-local unless opted-in; per-profile Postman collections included.
    • Deterministic fault injection (TOML scenarios): nth-call 500s, probabilistic 429s with Retry-After, injected latency - test your integration's failure paths reproducibly.
    • Stateful round-trips, per-credential rate limiting, TLS, admin API with health checks, Prometheus metrics, and one-call factory reset for CI.

    Use it for SIEM/SOAR connector development, MSSP labs, SOC integration QA, integration test environments that spin up in seconds, partner demos, and CI pipelines. State is in-memory: restarting (or POST /reset) restores a clean dataset.

    This product is an independent work built from publicly available API documentation. Trend Micro, Vision One, Palo Alto Networks, PAN-OS, Microsoft, Sentinel, CrowdStrike and Falcon are trademarks of their respective owners, used nominatively to identify compatibility targets; this product is not affiliated with or endorsed by those vendors.

    Highlights

    • Four vendor-faithful profiles (Vision One / PAN-OS / Microsoft Sentinel / CrowdStrike Falcon) plus a generic OpenAPI 3.x mock - one AMI covers your integration-test surface.
    • ATT&CK-shaped scenario library (10 scenarios: ransomware T1486, credential stuffing, lateral movement, C2, data exfiltration, and more) plus deterministic fault injection makes IR-grade API load and failure-path tests reproducible in CI.
    • Terraform module (s4-mockapi-aws) and per-profile Postman collections included; boots to a working mock in under a minute, factory-resets in one API call, nothing leaves the instance.

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    AmazonLinux 2023

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    S4 MockAPI - Security API Simulator

     Info
    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.
    If you are an AWS Free Tier customer with a free plan, you are eligible to subscribe to this offer. You can use free credits to cover the cost of eligible AWS infrastructure. See AWS Free Tier  for more details. If you created an AWS account before July 15th, 2025, and qualify for the Legacy AWS Free Tier, Amazon EC2 charges for Micro instances are free for up to 750 hours per month. See Legacy AWS Free Tier  for more details.

    Usage costs (86)

     Info
    Dimension
    Cost/hour
    t3.micro
    Recommended
    $0.08
    m6i.2xlarge
    $0.08
    m7i.2xlarge
    $0.08
    t3.2xlarge
    $0.08
    c5.18xlarge
    $0.08
    c7i-flex.16xlarge
    $0.08
    t3.medium
    $0.08
    c6i.8xlarge
    $0.08
    c6i.large
    $0.08
    t3.nano
    $0.08

    Vendor refund policy

    Standard AWS Marketplace refund policy applies. For hourly usage, charges stop when the instance is terminated. For annual subscriptions, refund requests within the AWS Marketplace cancellation window are honored per AWS Marketplace terms. Contact abyo.software@gmail.com  for billing questions.

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    S4 MockAPI 1.2.0 - Marketplace-conversion release.

    New profiles (both at parity with vision-one/panw depth):

    • Microsoft Sentinel compatible: Azure AD v2 OAuth2 client_credentials, Log Analytics KQL subset over 7 seeded tables (SecurityAlert / SecurityIncident / SigninLogs / Heartbeat / AuditLogs / AzureActivity / SecurityEvent), Sentinel Incidents CRUD with ETag/If-Match, comments, entities/expand, runPlaybook LRO polling. Standard ARM + Log Analytics + OAuth2 error envelopes.
    • CrowdStrike Falcon compatible: OAuth2 client_credentials, /detects (query / summaries / stateful PATCH), /devices (query / details / contain-lift actions with async lifecycle), /real-time-response (session / execute / status), Falcon Query Language subset for filter=.

    Also new:

    • ATT&CK-shaped scenario library (10 ready-made fault-injection scenarios keyed to MITRE ATT&CK tactics: ransomware response T1486, credential stuffing T1110.004, lateral movement TA0008, data exfiltration TA0010, C2 detection T1071, EDR mass-isolate T1490 response, and more).
    • Terraform module (github.com/abyo-software/s4mockapi//terraform/s4-mockapi-aws) with IMDSv2 required, encrypted root, 10.0.0.0/8 default ingress, admin port instance-local unless opted-in. Three example root modules.
    • Postman collections for every profile under /opt/s4-mockapi/assets/postman/.

    Total: 495+ automated tests (v1.1.1: 318), 20 new JSON schemas from public vendor docs, clippy -D warnings clean, cargo audit 0 advisory, gate.sh 7/7 PASS, 20s soak on all 4 static profiles with RSS <= 19 MB per profile.

    Convergence: self-review + Codex CLI review loop (R1 + R2 + R3) all CONVERGED before release.

    Additional details

    Usage instructions

    1. Launch the instance (t3.micro is sufficient). Allow inbound TCP 8080 from your test network only; do not expose it to the public internet. Port 9090 (admin/health) must stay private to the instance or VPC. For IaC provisioning, the Terraform module at github.com/abyo-software/s4mockapi//terraform/s4-mockapi-aws sets these defaults for you.

    2. The mock starts automatically on boot: the Vision One compatible profile listens on port 8080. Verify from an allowed host: curl -H "Authorization: Bearer test" http://<instance>:8080/v3.0/healthcheck/connectivity Expected: {"status":"available"}

    3. To switch profiles or options, SSH in (ec2-user) and edit /etc/s4-mockapi/s4-mockapi.env:

      • MOCKAPI_PROFILE=vision-one | panw | sentinel | crowdstrike | openapi
      • MOCKAPI_EXTRA_ARGS for TLS certificates, bearer tokens, fault injection (--scenario-file), rate limiting (--rate-limit), seed data (--seed-file), OpenAPI spec (--spec). Then: sudo systemctl restart s4-mockapi
    4. Full documentation is on the instance: /opt/s4-mockapi/README.md. Ready-made ATT&CK-shaped scenarios are at /opt/s4-mockapi/assets/scenarios/attck/. Postman collections for every profile are at /opt/s4-mockapi/assets/postman/.

    5. Reset all mock state to factory data between test runs (on the instance): curl -X POST http://127.0.0.1:9090/reset 

    6. Logs: journalctl -u s4-mockapi -f

    All served data is synthetic; the instance makes no outbound calls.

    Support

    Vendor support

    Support is provided by abyo software LLC. via email. Email: aws-support@abyo.net  Website:

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Similar products

    Customer reviews

    Ratings and reviews

     Info
    0 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    0%
    0%
    0%
    0%
    0%
    0 reviews
    No customer reviews yet
    Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.