Aporeto: Container Security Product Overview and Analysis



Fundamental to Aporeto’s approach is the principle that everything in an application is accessible to everyone and could be compromised at any time. The company was founded in 2015 with company headquarters in San Jose, CA. The company is led by CEO Jason Schmitt, formerly of HPE, with co-founders from Nuage, Cisco and VMware.


Aporeto uses application context to enforce authentication, authorization, and encryption policies for applications. With Aporeto, enterprises implement a uniform security policy decoupled from the underlying infrastructure, enabling workload isolation, API access control and application identity management across public, private or hybrid clouds.

The Aporeto product has two core components:

  • A SaaS security orchestrator for policy management and for visibility of application dependencies across a heterogeneous environment.
  • An enforcer that performs distributed policy enforcement. The enforcer can be deployed as an agent, a Kubernetes DaemonSet, a privileged container, a sidecar or a custom authorizer for API gateways.

Key Features

  1. Zero Trust policy enforcement for workload segmentation independent of infrastructure: authenticate and authorize requests at both L4 (TCP) and L7 (HTTP), whether between workloads or between a user and a workload. A workload can be a container, a process or a serverless function. Policy is defined centrally but enforced in a distributed manner. Policy enforcement works independently of IP addresses and applies to workloads on public or private clouds.
  2. Service Identity: In order to authenticate and authorize a persistent workload, identity is required. Aporeto assigns workloads (container or process) a cryptographically signed service identity independent of IP infrastructure.
  3. Application visibility for compliance: Dependency maps across all applications protected by Aporeto independent of the infrastructure on which the application is deployed.
  4. Runtime visibility: For containers, Aporeto offers runtime visibility of interactions between the container and the host, and enforcement of runtime policies.

Product Performance Metrics

The use of a service identity independent of IP infrastructure for policy enforcement allows the solution to scale to tens of thousands of hosts. Performance overhead is minimal for Layer 4 enforcement: only TCP connection establishment is in the enforcer data path. Once a connection is mutually authenticated and authorized, the enforcer is no longer in the data path.


SaaS service with options for custom deployments for regulated industries


Subscription pricing model

Sean Michael Kerner