100+ Free Akamai App & API Protector Practice Questions

Pass your Akamai Certified — App & API Protector (WAAP) exam on the first try — instant access, no signup required.


2026 Statistics

Key Facts: Akamai App & API Protector Exam

  • Exam Questions: ~60 (source: Akamai)
  • Passing Score: ~70% (source: Akamai)
  • Exam Duration: 90 min (source: Akamai)
  • Exam Fee: ~$300 (source: Akamai)
  • Certification Validity: 2 years (source: Akamai)
  • Practice Questions: 100 (source: OpenExamPrep)

Approximately 60 questions in 90 minutes, ~70% passing score, ~$300 fee. Key domains: WAF Rules & Policy Management (25-30%), Bot Management (20-25%), DDoS & Rate Controls (20-25%), API Security (15-20%), and Origin Protection (10-15%). Certification valid for 2 years. Available online proctored.

Sample Akamai App & API Protector Practice Questions

Try these sample questions to test your Akamai App & API Protector exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What is the primary function of Akamai App & API Protector's WAF component?
A. Inspect and filter HTTP/HTTPS traffic to block malicious requests before they reach the origin
B. Accelerate static asset delivery through edge caching
C. Encrypt communication between the CDN and the origin server
D. Manage DNS resolution for edge nodes
Explanation: The WAF component of App & API Protector inspects HTTP/HTTPS requests at the Akamai edge, applying rule sets to detect and block SQL injection, XSS, RFI, and other OWASP Top 10 attack patterns before they reach the customer origin. It acts as the primary inline defense layer.

2. In Akamai App & API Protector, what does 'evaluation mode' allow security teams to do?
A. Test new rule sets or policy changes in shadow mode without blocking live traffic
B. Block all traffic from untrusted ASNs while monitoring allowed requests
C. Disable bot management to measure raw origin performance
D. Enable DDoS scrubbing at the network layer only
Explanation: Evaluation mode lets teams stage new security policies or rule updates so that matching events are logged and scored but traffic is not actually blocked. This allows security teams to assess false-positive impact before promoting rules to enforcement mode.

3. Which Akamai feature uses behavioral analysis to distinguish automated bot traffic from legitimate human users?
A. Akamai Bot Manager
B. Kona Site Defender rate controls
C. EdgeScape geolocation
D. SiteShield origin protection
Explanation: Akamai Bot Manager (integrated into App & API Protector) uses behavioral signals, device fingerprinting, and challenge-response mechanisms to classify traffic as human, known bot, or unknown bot, enabling appropriate allow, block, or challenge responses.

4. A customer notices that a legitimate third-party monitoring tool is being blocked by App & API Protector. Which configuration option should they use to resolve this without disabling bot management globally?
A. Add the monitoring tool's IP range or user-agent to a bot exception list
B. Switch the entire security policy to evaluation mode
C. Disable all WAF rules for the affected URL path
D. Route the monitoring tool through a separate Akamai property
Explanation: Bot exception lists allow operators to designate specific IP addresses, ASNs, or user-agent strings as trusted, ensuring that known legitimate bots like monitoring tools or search engine crawlers are not blocked while the rest of bot management remains active.

5. What is the purpose of Akamai's rate controls feature in App & API Protector?
A. Throttle or block clients that exceed a defined request threshold within a time window
B. Balance traffic load across multiple origin servers
C. Compress response payloads to reduce bandwidth usage
D. Validate JWT tokens on API endpoints
Explanation: Rate controls allow security policies to define thresholds — for example, 100 requests per IP per minute — and apply actions (alert, slow down, deny) when a client exceeds them. This is effective against credential stuffing, scraping, and volumetric abuse.

6. In the Akamai security model, what does 'Kona' refer to within App & API Protector?
A. The underlying WAF rule set engine derived from the Kona Site Defender product
B. A cloud-based SIEM integration platform
C. An IP reputation feed built from EdgeScape data
D. A DDoS scrubbing center located in Hawaii
Explanation: Kona refers to the WAF rule engine and attack definition set originally branded as Kona Site Defender. App & API Protector evolved from Kona Site Defender and retains its rule logic for detecting and blocking OWASP attack patterns, custom attacks, and protocol violations.

7. Which of the following best describes an Akamai 'custom rule' in App & API Protector?
A. A user-defined WAF rule that matches on specific request attributes like headers, cookies, or query parameters
B. A predefined Akamai rule that cannot be modified by the customer
C. A scheduled maintenance window to update managed rule sets
D. A bot management profile for a known search engine crawler
Explanation: Custom rules allow customers to define match conditions on any combination of request attributes — HTTP method, URI, headers, cookies, query string, or request body — and apply actions such as deny, alert, or redirect. They extend managed rule sets for application-specific threats.

8. What is the role of Akamai's 'network list' feature in App & API Protector?
A. Maintain IP or CIDR-based allowlists and blocklists referenced by security policies
B. Define the set of Akamai edge servers that serve a property
C. Manage DNS zone records for customer domains
D. Configure TLS cipher suites for origin connections
Explanation: Network lists are reusable collections of IP addresses and CIDR ranges that can be referenced across multiple security policies. They support both allow and deny use cases and can be updated programmatically via API without redeploying a full security configuration.

9. How does Akamai App & API Protector protect against DDoS attacks at the application layer (Layer 7)?
A. Rate controls, behavioral anomaly detection, and challenge-response mechanisms absorb volumetric HTTP floods at the edge
B. All traffic is scrubbed through an off-path Prolexic device before reaching the edge
C. BGP route advertisements are used to blackhole attacker IP ranges
D. DNS TTLs are lowered dynamically to reroute traffic during an attack
Explanation: App & API Protector defends against Layer 7 DDoS (HTTP floods, slow loris, etc.) using rate controls to throttle excessive requesters, WAF rules to detect attack patterns, and JavaScript/CAPTCHA challenges to filter bots at the edge — all without requiring traffic to traverse off-path scrubbing infrastructure.

10. What does Akamai's EdgeScape service provide that is useful in security policies?
A. Real-time geographic, network-type, and connection-speed metadata for incoming IP addresses
B. Encryption key management for TLS handshakes at the edge
C. JavaScript injection for real user monitoring
D. Automatic certificate renewal via ACME protocol
Explanation: EdgeScape maps IP addresses to attributes including country, region, city, connection type (broadband, mobile, satellite), and ISP. Security policies can use this data to apply geo-based access controls, challenge high-risk regions, or tune rate-control thresholds by network type.
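The threshold-and-action behaviour described in question 5, as an added example that is not code from the page or from Akamai: a per-IP sliding-window counter with an alert tier and a deny tier. The window length, the two threshold values and the two-tier action ladder are assumptions chosen to mirror the "100 requests per IP per minute" figure above.

```python
from collections import defaultdict, deque

# Constructed policy, modelled on the page's example of 100 requests per IP per minute.
# The window, the thresholds and the alert/deny ladder are assumptions for illustration.
WINDOW_SECONDS = 60
ALERT_THRESHOLD = 100   # more than this in the window -> "alert" (log only)
DENY_THRESHOLD = 150    # more than this in the window -> "deny"

class RateControl:
    """Sliding-window request counter per client IP with an alert/deny action ladder."""

    def __init__(self, window=WINDOW_SECONDS, alert_at=ALERT_THRESHOLD, deny_at=DENY_THRESHOLD):
        self.window = window
        self.alert_at = alert_at
        self.deny_at = deny_at
        self.hits = defaultdict(deque)  # ip -> timestamps of requests still inside the window

    def check(self, ip, ts):
        """Record one request at time ts (seconds) and return the action taken for it."""
        q = self.hits[ip]
        # Evict timestamps that have aged out of the sliding window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        n = len(q)
        if n > self.deny_at:
            return "deny"
        if n > self.alert_at:
            return "alert"
        return "allow"

def run_policy(requests):
    """Apply the policy to (ip, ts) tuples; return per-IP counts of each action."""
    rc = RateControl()
    summary = defaultdict(lambda: {"allow": 0, "alert": 0, "deny": 0})
    for ip, ts in requests:
        summary[ip][rc.check(ip, ts)] += 1
    return dict(summary)

# Constructed traffic: one client at 1 req/s for a minute, and a burst of 200 requests
# in 20 seconds from a second IP (the scraping / credential-stuffing shape the page mentions).
SAMPLE = [("198.51.100.7", t) for t in range(60)] + \
         [("203.0.113.9", 10 + t * 0.1) for t in range(200)]

if __name__ == "__main__":
    for ip, counts in run_policy(SAMPLE).items():
        print(ip, counts)
```

The burst client is allowed for its first 100 requests, alerted on the next 50 and denied for the rest, while the steady client never trips either tier.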

About the Akamai App & API Protector Exam

The Akamai Certified — App & API Protector exam validates expertise in Akamai's WAAP platform, covering WAF rule management, bot detection, Layer 7 DDoS protection, rate controls, API security, and origin protection. It is the successor to the Kona Site Defender certification.

  • Questions: 60 scored questions
  • Time Limit: 90 minutes
  • Passing Score: ~70%
  • Exam Fee: ~$300 (Akamai Technologies)

Akamai App & API Protector Exam Content Outline

  • 25-30%: WAF Rules and Policy Management
    Kona Rule Set (KRS), custom rules, match conditions, attack group scoring, evaluation mode vs. deny mode, false positive tuning, managed threat intelligence updates, security configurations and policies

  • 20-25%: Bot Management
    Akamai Bot Manager, known-bot classification and categories, behavioral analysis, JavaScript challenges, CAPTCHA, client reputation, bot exception lists, credential stuffing mitigation

  • 20-25%: DDoS Protection and Rate Controls
    Layer 7 DDoS mitigation (HTTP floods, slow POST), rate control thresholds, time-window throttling, Prolexic comparison (L3/L4 vs. L7), volumetric and application-layer attack handling

  • 15-20%: API Security and Advanced Features
    API discovery, shadow/zombie API identification, WAAP concepts, OWASP API Security Top 10, schema validation, Page Integrity Manager for Magecart protection, Adaptive Security Engine

  • 10-15%: Origin Protection and Monitoring
    SiteShield origin IP protection, IP reputation feeds, network lists, EdgeScape geolocation, DataStream 2 SIEM export, Security Center analytics dashboard

How to Pass the Akamai App & API Protector Exam

What You Need to Know

  • Passing score: ~70%
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: ~$300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Akamai App & API Protector Study Tips from Top Performers

1. Understand the Kona Rule Set (KRS) architecture — attack groups, scoring thresholds, evaluation vs. deny mode
2. Know the difference between Bot Manager (behavioral classification) and rate controls (volume throttling)
3. Remember SiteShield's role: preventing WAF bypass by hiding origin IPs from public access
4. Study EdgeScape and how geolocation data integrates with security policy decisions
5. Understand DataStream 2 vs. older log delivery methods for SIEM integration
6. Know WAAP vs. traditional WAF — the key addition is OWASP API Security Top 10 coverage
7. Practice identifying the right tool: Prolexic (L3/L4 DDoS) vs. App & API Protector (L7 DDoS/WAF)

Frequently Asked Questions

What is Akamai App & API Protector?

App & API Protector is Akamai's unified Web Application and API Protection (WAAP) platform that evolved from Kona Site Defender. It provides WAF protection using the Kona Rule Set, bot management with behavioral analysis, Layer 7 DDoS mitigation, rate controls, API discovery and protection, and origin protection through SiteShield.

What is the Kona Rule Set (KRS)?

The Kona Rule Set is Akamai's managed WAF rule engine inherited from Kona Site Defender. It includes continuously updated attack definitions for OWASP Top 10 attacks (SQL injection, XSS, RFI, path traversal, RCE), organized into attack groups with configurable scoring thresholds. Akamai's threat intelligence team updates KRS automatically without customer action.

What is evaluation mode in App & API Protector?

Evaluation mode allows security teams to stage new rules or policy changes in shadow mode — requests are logged and scored but not blocked. This enables teams to assess false-positive impact before promoting rules to deny mode, preventing service disruption during policy tuning.
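How attack-group scoring (the KRS answer above) combines with evaluation versus deny mode (this answer), as an added example that is not code from the page or from Akamai: each matching rule adds points to its attack group, a group fires when its score reaches the group threshold, and the mode decides whether a fired group is only logged or actually blocked. The rule patterns, point values and thresholds are constructed stand-ins, not KRS rules.

```python
import re

# Constructed rule table: (attack group, pattern, points). These are illustrative
# signatures for the example, not Akamai KRS rule definitions.
RULES = [
    ("SQL", re.compile(r"union\s+select", re.I), 5),
    ("SQL", re.compile(r"\b(select|insert|drop)\b", re.I), 2),   # low-confidence keyword
    ("XSS", re.compile(r"<script\b", re.I), 5),
    ("XSS", re.compile(r"on(load|error)\s*=", re.I), 3),
    ("LFI", re.compile(r"\.\./"), 4),
]
# Per-group score at which the group fires; constructed stand-ins for KRS thresholds.
THRESHOLDS = {"SQL": 5, "XSS": 5, "LFI": 8}

def score_request(text):
    """Sum rule points per attack group over the request text (URI plus body)."""
    scores = {g: 0 for g in THRESHOLDS}
    for group, pattern, points in RULES:
        if pattern.search(text):
            scores[group] += points
    return scores

def decide(text, mode):
    """Return (action, fired_groups, scores) for mode 'evaluation' or 'deny'."""
    scores = score_request(text)
    fired = sorted(g for g, s in scores.items() if s >= THRESHOLDS[g])
    if not fired:
        return "allow", fired, scores
    # Evaluation mode logs and scores only; deny mode blocks at the edge.
    action = "alert" if mode == "evaluation" else "deny"
    return action, fired, scores

# Constructed requests: a benign search, a benign query that merely contains an SQL
# keyword (false-positive tuning case), and an obvious SQL injection probe.
REQUESTS = {
    "benign": "/search?q=akamai+waf",
    "keyword_only": "/search?q=select+a+book",
    "sqli_union": "/item?id=1 union select 1,2",
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, decide(req, "evaluation"), decide(req, "deny"))
```

The keyword-only request scores 2 in the SQL group and stays below the threshold in either mode, which is the point of scoring: a single weak signal does not block a legitimate user.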

What is SiteShield?

SiteShield restricts access to the customer origin server to only Akamai's designated edge IP ranges. This prevents attackers who discover the origin IP from sending requests directly, bypassing the WAF. SiteShield is implemented by configuring origin server firewall rules to only accept connections from Akamai's SiteShield IP list.
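The origin-side check that SiteShield relies on, as an added example that is not code from the page or from Akamai: the origin accepts a connection only if its source address falls inside an allowlisted network. The CIDR ranges here are placeholders standing in for the customer's SiteShield map, and the internal monitoring range is an assumed operator exception.

```python
import ipaddress

# Placeholder ranges standing in for the SiteShield map; the real map is obtained from
# Akamai for the customer's property and is not reproduced here.
SITESHIELD_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]
# Assumed operator exception, e.g. an internal health-check host.
INTERNAL_CIDRS = ["10.0.0.0/8"]

def build_allowlist(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def origin_allows(src_ip, allowlist):
    """True only if src_ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)

def filter_connections(conns, allowlist):
    """Split constructed (src_ip, path) connection attempts into allowed and rejected."""
    allowed, rejected = [], []
    for src, path in conns:
        (allowed if origin_allows(src, allowlist) else rejected).append((src, path))
    return allowed, rejected

# Constructed connection attempts as the origin firewall would see them.
SAMPLE_CONNS = [
    ("192.0.2.45", "/api/orders"),      # arrives via the Akamai edge: reaches origin
    ("198.51.100.200", "/api/orders"),  # just outside the /25: rejected
    ("203.0.113.17", "/admin"),         # direct hit on the origin IP: rejected, WAF not bypassed
    ("10.4.2.1", "/healthz"),           # internal monitor: allowed by the exception
]

if __name__ == "__main__":
    allowed, rejected = filter_connections(SAMPLE_CONNS, build_allowlist(SITESHIELD_CIDRS + INTERNAL_CIDRS))
    print("allowed:", allowed)
    print("rejected:", rejected)
```

The allowlist has to be refreshed whenever the SiteShield map changes; a stale list rejects legitimate edge traffic rather than attackers.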

How does Akamai Bot Manager classify bots?

Akamai Bot Manager uses behavioral signals, device fingerprinting, JavaScript challenge-response, and its global threat intelligence to classify traffic as human, known bot (categorized by type: search engine, monitoring, ad network), or unknown/suspicious bot. Per-category actions (allow, monitor, deny, challenge) are configured in security policies.

What is DataStream 2?

Akamai DataStream 2 delivers structured security event logs from App & API Protector to external destinations in near real-time — including Splunk, Sumo Logic, Amazon S3, Azure Blob Storage, and other SIEM/analytics platforms. It replaces older log delivery mechanisms with lower latency and richer structured data.