
    Zvitsev API Shield

    Sold by: ZvitSev LLC 
    Deployed on AWS
    Zvitsev API Shield is a self-hosted API security platform that unifies gateway routing, OWASP-aligned WAF, OAuth and mTLS authentication, AI guardrails, and immutable audit in one control plane. Deploy from AWS Marketplace into your VPC to protect REST, GraphQL, and gRPC traffic with sub-5ms median gateway overhead. Built for SaaS, fintech, healthcare, and regulated teams that need API-native security, not legacy web WAFs.

    Overview

    Zvitsev API Shield secures, controls, and scales every API from a single platform deployed in your AWS account. Subscribe on AWS Marketplace, launch the CloudFormation or Helm stack, and connect Amazon RDS and ElastiCache. Your API traffic stays in your VPC while you gain enterprise-grade gateway, security, and compliance controls in minutes.

    The platform combines an API-native gateway with runtime threat defense tuned for programmatic clients, not HTML forms. Route and transform REST, GraphQL, gRPC, and WebSocket traffic with per-tenant rate limits, circuit breakers, and blue-green upstream pools. OWASP API Security Top 10 rulesets, behavioral bot detection, schema validation, and geo/ASN blocklists stop BOLA, credential stuffing, SSRF, and abuse before requests reach origin. Identity is handled at the edge with OAuth 2.1, OIDC, API keys, JWT validation, and mutual TLS, including centralized revocation and federation with Okta, Auth0, Cognito, and Azure AD.

    For AI and LLM workloads, Zvitsev adds guardrails that security teams can enforce without blocking product velocity: prompt injection detection, tool-call allowlists, token budgets, PII redaction, and model routing by sensitivity tier. OpenTelemetry traces, RED metrics per route, and SIEM-ready exports give operations visibility without a separate APM stack. Every policy change, auth decision, and security block is captured in append-only audit logs with exportable bundles for PCI, HIPAA, SOC 2, and FedRAMP reviews.

    Deploy as a single container on ECS Fargate or EKS with PrivateLink-ready topologies, native AWS WAF/KMS/CloudWatch integration, and upgrade paths for multi-account AWS Organizations. Starter tier is free plus your AWS compute; Growth and Business tiers bill through Marketplace metering with optional committed-use discounts.

    Highlights

    • Unified API gateway for REST, GraphQL, gRPC, and WebSocket with per-route rate limits, circuit breakers, OpenAPI import, and blue-green upstream routing, all managed from one control plane in your AWS account.
    • OWASP API Top 10 WAF, bot and anomaly detection, OAuth 2.1/OIDC/mTLS/API keys at the edge, plus AI guardrails for prompt injection, tool-call allowlists, token budgets, and PII redaction before traffic reaches LLM providers.

    Details

    Delivery method

    Supported services

    Delivery option
    Zvitsev API Shield - ECS & EKS Container

    Latest version

    Operating system
    Linux


    Pricing

    Zvitsev API Shield

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    1-month contract (3)

    Dimension: Starter
    Cost/month: $300.00
    Description: Includes up to 1M gateway requests per month, shared gateway cluster, core WAF rulesets, OAuth and API key authentication, and 7-day audit retention. Community support via documentation. Ideal for teams shipping their first protected APIs in a single region.

    Dimension: Growth
    Cost/month: $500.00
    Description: For scaling SaaS products with multiple services and environments. Includes up to 25M gateway requests per month, dedicated tenant namespace, custom rate limits and quotas, AI guardrail starter pack, 90-day audit retention, and email support (8 by 5 business days).

    Dimension: Business
    Cost/month: $1,000.00
    Description: For regulated teams requiring high availability, SSO, and advanced threat analytics. Includes up to 250M gateway requests per month, multi-region active-active deployment, advanced bot and anomaly detection, full AI security policy suite, 1-year audit with legal hold, and priority support (24 by 7). HIPAA BAA available.

    Vendor refund policy

    Zvitsev offers a 30-day refund for first-time AWS Marketplace subscriptions if you contact us within 30 days of initial purchase. Refunds apply to Marketplace software charges only, not AWS infrastructure, data transfer, or third-party services; Enterprise private offers follow negotiated contract terms. To request a refund, email hello@zvitsev.net with your AWS account ID, subscription ID, and reason. We respond within 5 business days.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Zvitsev API Shield - ECS & EKS Container

    Supported services:
    • Amazon ECS
    • Amazon EKS
    Container image

    Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.

    Version release notes

    Initial release of Zvitsev API Shield on AWS Marketplace.

    Includes a single container with embedded admin dashboard, control plane API (port 8080), and API gateway data plane (port 8081). Buyers provide Amazon RDS for PostgreSQL 16+ and Amazon ElastiCache for Redis 7+.

    Features in this release:

    • Unified API gateway for REST, GraphQL, gRPC, and WebSocket
    • OWASP-aligned API WAF, rate limiting, and bot detection
    • OAuth 2.1, OIDC, API keys, JWT validation, and mTLS at the edge
    • AI guardrails: prompt injection detection, token budgets, and PII redaction
    • OpenTelemetry metrics and immutable audit logs
    • First-run setup wizard and smoke-test verification script

    Deploy on Amazon ECS Fargate or Amazon EKS using the included CloudFormation template or Helm chart. See usage instructions for prerequisites, secrets, and health checks.

    Additional details

    Usage instructions

    OVERVIEW

    Zvitsev runs as one container with two listening ports:

    • 8080 - Admin UI, control plane API (/api/v1/*), health checks
    • 8081 - API gateway (proxy traffic for your upstream APIs)

    You must provision PostgreSQL 16+ (RDS) and Redis 7+ (ElastiCache) before launch.

    PREREQUISITES

    • VPC with public and private subnets in at least two Availability Zones
    • Amazon RDS for PostgreSQL 16+ (database name: zvitsev)
    • Amazon ElastiCache for Redis 7+
    • AWS Secrets Manager (recommended)
    • ECS Fargate cluster or EKS cluster
    • Application Load Balancer with target groups for ports 8080 and 8081

    REQUIRED SECRETS / ENVIRONMENT VARIABLES

    Store in Secrets Manager or inject into the task:

    • DATABASE_URL - postgres://user:pass@host:5432/zvitsev?sslmode=require
    • REDIS_URL - redis://:password@your-cluster.cache.amazonaws.com:6379/0
    • ZVITSEV_ENCRYPTION_KEY - random string, 32+ characters
    • ZVITSEV_JWT_SECRET - optional; defaults to encryption key
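
A preflight check for the secrets listed above, as an added example that is not part of the listing or Zvitsev's own tooling. Only the variable names and URL formats come from the page; the pass/fail policy (sslmode=require or stricter, a password in REDIS_URL, a separate JWT secret of 32+ characters) and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: validate the four secrets before they are stored in
# Secrets Manager or injected into the task. Policy is an assumption of
# this example, not documented product behaviour.

# DATABASE_URL must be postgres:// and request TLS (require or stricter).
check_database_url() {
  printf '%s\n' "$1" | grep -Eq \
    '^postgres://[^[:space:]]+[?&]sslmode=(require|verify-ca|verify-full)(&|$)' \
    || { echo "DATABASE_URL: need postgres:// with sslmode=require or stricter"; return 1; }
}

# REDIS_URL must carry a password and contain no whitespace
# (a stray space before the port is an easy copy-paste error).
check_redis_url() {
  printf '%s\n' "$1" | grep -Eq \
    '^rediss?://[^@[:space:]]*:[^@[:space:]]+@[^[:space:]]+$' \
    || { echo "REDIS_URL: need redis://[user]:password@host:port/db, no spaces"; return 1; }
}

# ZVITSEV_ENCRYPTION_KEY: the listing asks for 32+ characters.
check_encryption_key() {
  [ "${#1}" -ge 32 ] \
    || { echo "ZVITSEV_ENCRYPTION_KEY: ${#1} chars, need 32+"; return 1; }
}

# ZVITSEV_JWT_SECRET ($1) is optional per the listing and then defaults to
# the encryption key ($2); this check insists on a distinct 32+ char value
# so one secret does not both sign tokens and encrypt data.
check_jwt_secret() {
  [ "${#1}" -ge 32 ] && [ "$1" != "$2" ] \
    || { echo "ZVITSEV_JWT_SECRET: set a 32+ char value distinct from the encryption key"; return 1; }
}

# preflight DATABASE_URL REDIS_URL ENCRYPTION_KEY JWT_SECRET
# Returns the number of failed checks (0 means ready to deploy).
preflight() {
  fails=0
  check_database_url "$1"    || fails=$((fails + 1))
  check_redis_url "$2"       || fails=$((fails + 1))
  check_encryption_key "$3"  || fails=$((fails + 1))
  check_jwt_secret "$4" "$3" || fails=$((fails + 1))
  return "$fails"
}

# Constructed sample values, not real credentials: the JWT secret is left empty.
preflight 'postgres://user:pass@host:5432/zvitsev?sslmode=require' \
  'redis://:password@your-cluster.cache.amazonaws.com:6379/0' \
  'constructed-sample-key-0123456789abcdef' '' \
  || echo "preflight: $? check(s) failed"
```

In a real pipeline, call `preflight "$DATABASE_URL" "$REDIS_URL" "$ZVITSEV_ENCRYPTION_KEY" "$ZVITSEV_JWT_SECRET"` and stop the deployment on a non-zero status; `openssl rand -base64 48` produces a value that satisfies the length rule.
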

    Recommended:

    DEPLOY (ECS)

    1. Subscribe on AWS Marketplace and complete entitlement.
    2. Deploy the CloudFormation template from the deployment resources section (or your own ECS task definition using the container image URI above).
    3. Map secrets to container environment variables.
    4. Point ALB listeners:
      • Control: /api/, /healthz, /readyz, /metrics, / to port 8080
      • Gateway: customer API hostname to port 8081
    5. Run tasks in private subnets; only the ALB should be public.

    FIRST-RUN SETUP

    Open the control plane URL and complete setup, or call:

    GET http://<control-host>/api/v1/auth/setup/status
    POST http://<control-host>/api/v1/auth/setup
    {"email":"admin@example.com","password":"***","name":"Admin","org_name":"Acme"}

    VERIFY

    curl http://<control-host>/readyz
    curl http://<gateway-host>/healthz

    Create an upstream and route in the dashboard, issue a gateway API key (zvitsev_sk_...), and proxy a test request through the gateway.

    OBSERVABILITY

    • Prometheus: scrape /metrics on ports 8080 and 8081
    • Logs: container stdout - Amazon CloudWatch Logs
    • Health checks: use /readyz (checks Postgres and Redis)

    SUPPORT

    Email: hello@zvitsev.net
    Documentation: https://zvitsev.net/docs/quickstart

    Resources

    Vendor resources

    Support

    Vendor support

    Zvitsev provides tiered support for AWS Marketplace subscribers:

    • Growth: Email support (8 by 5 business days) at hello@zvitsev.net, typical response within one business day
    • Business: Priority email support (24 by 7) at hello@zvitsev.net, critical issues acknowledged within 4 hours
    • Enterprise: Named technical account manager, architecture reviews, and private offers via hello@zvitsev.net

    General inquiries, sales, security reviews, and FedRAMP/HIPAA package requests: hello@zvitsev.net

    Documentation and quickstart: https://zvitsev.net/docs/quickstart
    API reference: https://zvitsev.net/docs/api-reference
    Contact form: https://zvitsev.net/contact
    Live demo requests: https://zvitsev.net/demo

    Install guide and smoke-test scripts ship with the listing. Business and Enterprise customers receive escalation paths for production incidents affecting gateway availability or data-plane security policy enforcement.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    No customer reviews yet