Overview
S4 MockAPI reproduces the shape of security-product APIs - status codes, headers, authentication flows, pagination, rate-limit and error bodies - reconstructed from public API documentation only. All data is synthetic.
- Vision One compatible profile (public API v3.0): workbench alerts with ETag/If-Match flows, endpoint inventory, endpoint-activity search, OAT detections, isolate/restore response actions with realistic task lifecycle (207 Multi-Status).
- PAN-OS compatible profile (11.x-era XML API): keygen authentication, op commands, stateful candidate-config CRUD, commit job lifecycle, async log retrieval with canonical traffic/threat/system fields.
- Microsoft Sentinel compatible profile: Azure AD OAuth2 client_credentials token, Log Analytics /v1/workspaces/{id}/query with a KQL subset (where / take / limit / project / count) over 7 seeded tables (SecurityAlert, SecurityIncident, SigninLogs, Heartbeat, AuditLogs, AzureActivity, SecurityEvent), Sentinel Incidents CRUD with ETag/If-Match and comments, entities/{id}/expand returning a 3-node graph, runPlaybook long-running-operation polling.
- CrowdStrike Falcon compatible profile: POST /oauth2/token (client_credentials, opaque bearer with expires_in) and /oauth2/revoke, Detects (queries / summaries / stateful PATCH), Devices (queries / summaries / contain-and-lift with stateful containment_status), Real Time Response session/execute/status lifecycle, Falcon Query Language subset for filter=.
- Generic OpenAPI mock: point --spec at any OpenAPI 3.x document and every documented operation is served from its examples and schemas.
- MITRE ATT&CK-shaped scenario library (10 ready-made scenarios: ransomware response T1486, credential stuffing T1110.004, lateral movement TA0008, data exfiltration TA0010, C2 detection T1071/T1573, phishing T1566, insider threat, persistence hunt, EDR mass-isolate T1490 response, Sentinel incident-triage rehearsal).
- Terraform module (s4-mockapi-aws) with IMDSv2 required, encrypted root, default 10.0.0.0/8 ingress, admin port instance-local unless opted-in; per-profile Postman collections included.
- Deterministic fault injection (TOML scenarios): nth-call 500s, probabilistic 429s with Retry-After, injected latency - test your integration's failure paths reproducibly.
- Stateful round-trips, per-credential rate limiting, TLS, admin API with health checks, Prometheus metrics, and one-call factory reset for CI.
Use it for SIEM/SOAR connector development, MSSP labs, SOC integration QA, integration test environments that spin up in seconds, partner demos, and CI pipelines. State is in-memory: restarting (or POST /reset) restores a clean dataset.
This product is an independent work built from publicly available API documentation. Trend Micro, Vision One, Palo Alto Networks, PAN-OS, Microsoft, Sentinel, CrowdStrike and Falcon are trademarks of their respective owners, used nominatively to identify compatibility targets; this product is not affiliated with or endorsed by those vendors.
Highlights
- Four vendor-faithful profiles (Vision One / PAN-OS / Microsoft Sentinel / CrowdStrike Falcon) plus a generic OpenAPI 3.x mock - one AMI covers your integration-test surface.
- ATT&CK-shaped scenario library (10 scenarios: ransomware T1486, credential stuffing, lateral movement, C2, data exfiltration, and more) plus deterministic fault injection makes IR-grade API load and failure-path tests reproducible in CI.
- Terraform module (s4-mockapi-aws) and per-profile Postman collections included; boots to a working mock in under a minute, factory-resets in one API call, nothing leaves the instance.
Details
Pricing
| Dimension | Cost/hour |
|---|---|
| t3.micro (Recommended) | $0.08 |
| m6i.2xlarge | $0.08 |
| m7i.2xlarge | $0.08 |
| t3.2xlarge | $0.08 |
| c5.18xlarge | $0.08 |
| c7i-flex.16xlarge | $0.08 |
| t3.medium | $0.08 |
| c6i.8xlarge | $0.08 |
| c6i.large | $0.08 |
| t3.nano | $0.08 |
Vendor refund policy
Standard AWS Marketplace refund policy applies. For hourly usage, charges stop when the instance is terminated. For annual subscriptions, refund requests within the AWS Marketplace cancellation window are honored per AWS Marketplace terms. Contact abyo.software@gmail.com for billing questions.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
S4 MockAPI 1.2.0 - Marketplace-conversion release.
New profiles (both at parity with vision-one/panw depth):
- Microsoft Sentinel compatible: Azure AD v2 OAuth2 client_credentials, Log Analytics KQL subset over 7 seeded tables (SecurityAlert / SecurityIncident / SigninLogs / Heartbeat / AuditLogs / AzureActivity / SecurityEvent), Sentinel Incidents CRUD with ETag/If-Match, comments, entities/expand, runPlaybook LRO polling. Standard ARM + Log Analytics + OAuth2 error envelopes.
- CrowdStrike Falcon compatible: OAuth2 client_credentials, /detects (query / summaries / stateful PATCH), /devices (query / details / contain-lift actions with async lifecycle), /real-time-response (session / execute / status), Falcon Query Language subset for filter=.
Also new:
- ATT&CK-shaped scenario library (10 ready-made fault-injection scenarios keyed to MITRE ATT&CK tactics: ransomware response T1486, credential stuffing T1110.004, lateral movement TA0008, data exfiltration TA0010, C2 detection T1071, EDR mass-isolate T1490 response, and more).
- Terraform module (github.com/abyo-software/s4mockapi//terraform/s4-mockapi-aws) with IMDSv2 required, encrypted root, 10.0.0.0/8 default ingress, admin port instance-local unless opted-in. Three example root modules.
- Postman collections for every profile under /opt/s4-mockapi/assets/postman/.
Total: 495+ automated tests (v1.1.1: 318), 20 new JSON schemas from public vendor docs, clippy -D warnings clean, cargo audit 0 advisory, gate.sh 7/7 PASS, 20s soak on all 4 static profiles with RSS <= 19 MB per profile.
Convergence: self-review + Codex CLI review loop (R1 + R2 + R3) all CONVERGED before release.
Additional details
Usage instructions
- Launch the instance (t3.micro is sufficient). Allow inbound TCP 8080 from your test network only; do not expose it to the public internet. Port 9090 (admin/health) must stay private to the instance or VPC. For IaC provisioning, the Terraform module at github.com/abyo-software/s4mockapi//terraform/s4-mockapi-aws sets these defaults for you.
- The mock starts automatically on boot: the Vision One compatible profile listens on port 8080. Verify from an allowed host:
  curl -H "Authorization: Bearer test" http://<instance>:8080/v3.0/healthcheck/connectivity
  Expected: {"status":"available"}
- To switch profiles or options, SSH in (ec2-user) and edit /etc/s4-mockapi/s4-mockapi.env:
  - MOCKAPI_PROFILE=vision-one | panw | sentinel | crowdstrike | openapi
  - MOCKAPI_EXTRA_ARGS for TLS certificates, bearer tokens, fault injection (--scenario-file), rate limiting (--rate-limit), seed data (--seed-file), OpenAPI spec (--spec).
  Then: sudo systemctl restart s4-mockapi
- Full documentation is on the instance: /opt/s4-mockapi/README.md. Ready-made ATT&CK-shaped scenarios are at /opt/s4-mockapi/assets/scenarios/attck/. Postman collections for every profile are at /opt/s4-mockapi/assets/postman/.
- Reset all mock state to factory data between test runs (on the instance):
  curl -X POST http://127.0.0.1:9090/reset
- Logs: journalctl -u s4-mockapi -f
All served data is synthetic; the instance makes no outbound calls.
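A check for the network guidance in the first usage step, as an added example that is not part of the vendor's documentation or Terraform module: it reads security-group JSON in the shape returned by `aws ec2 describe-security-groups` and reports CIDR rules that open port 8080 beyond the test network or port 9090 beyond the VPC. The two CIDRs in `POLICY`, the sample groups and the function names are assumptions constructed for illustration.

```python
import ipaddress
import json

# Policy from the usage instructions: 8080 only from the test network, 9090
# only from inside the VPC. Both CIDRs are assumptions made for this example.
POLICY = {
    8080: ipaddress.ip_network("10.0.0.0/8"),    # assumed test network
    9090: ipaddress.ip_network("10.20.0.0/16"),  # assumed VPC CIDR
}

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-constructed-a", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]}]},
 {"GroupId": "sg-constructed-b", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9100, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.5.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")

def covers(perm, port):
    """True if the rule admits TCP to `port`; wide ranges and all-protocol rules count."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] in ("tcp", "6") and perm["FromPort"] <= port <= perm["ToPort"]

def inside(cidr, allowed):
    """True if `cidr` is fully contained in `allowed` (IPv6 never fits an IPv4 policy)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == allowed.version and net.subnet_of(allowed)

def audit(doc, policy=POLICY):
    """Return (group, port, source) for each CIDR rule wider than the policy allows.
    Security-group and prefix-list sources are not evaluated here."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                for port, allowed in policy.items():
                    if covers(perm, port) and not inside(cidr, allowed):
                        findings.append((sg["GroupId"], port, cidr))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The second sample group shows the two cases a port-equality check misses: a wide port range (8000-9100) and an all-protocol rule with an IPv6 `::/0` source.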
Support
Vendor support
Support is provided by abyo software LLC via email. Email: aws-support@abyo.net
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.