API security in an agentic AI world
From blind spots to best practices
A full-day, hands-on workshop for API and application security teams. In the morning, exploit a vulnerable API yourself using Postman and Burp. In the afternoon, secure MCP and agent traffic with Tyk. Leave with a Credly badge and CPE credits toward CISSP, CISM, CISA, and CRISC.
- Thursday 21 May 2026
- 10:00 am to 3:30 pm
- TAB Bank HQ, Ogden, UT
(approx. 30 mins from Salt Lake City)
About the event
APIs are how modern applications talk to each other. They're also how attackers get in. Most of the tools your team relies on to catch these problems were built for a different era, before APIs were everywhere and long before AI agents started making calls of their own. The gap is widening. Attacks that look obvious in hindsight keep slipping past the scanners your team already owns, and every new copilot or AI agent adds another door to defend.
This workshop is built to close that gap for one team in a single day. Bring your security leads, architects, engineers, and the developers shipping AI integrations, and they come back with a shared understanding of how modern API attacks work and how to stop them.
In the morning, Corey Ball (author of Hacking APIs, founder of APIsec University) and Jess Freeman show the team how API attacks actually unfold. Your people watch common security scanners miss real vulnerabilities in a live application, then exploit those same vulnerabilities themselves. These are the same kinds of flaws behind well-known breaches at Peloton, Coinbase, and Parler.
In the afternoon, Tyk's Laura Heritage and Kuldeepak Angrish pick up where the morning leaves off. The team sees first-hand why AI agents and the protocols they use create new security gaps, then works through hands-on labs that show how to close them.
Everyone who attends leaves with practical skills, a Credly badge, and CPE credits toward CISSP, CISM, CISA, and CRISC. You get back a team that shares the same reference points, the same vocabulary, and the same working patterns for defending APIs in production.
Who should attend
Send the team responsible for defending your APIs and AI integrations in production. The workshop is designed so a mixed group, from leaders to hands-on engineers, walks out with the same reference points.
- AppSec and Security Leaders
- Security Architects
- DevSecOps Engineers
- Platform and API Owners
- Product Security Teams
- Developers Building AI Integrations
Key takeaways
From the morning with APIsec:
- How API attacks actually unfold, step by step, the way attackers run them
- The most exploited API vulnerabilities, including BOLA, BOPLA, broken auth, and mass assignment
- Why WAFs and traditional scanners miss these attacks, and what shift-left security actually looks like
- How AI agents and MCP multiply trust boundaries and widen the attack surface your team has to defend
From the afternoon with Tyk:
- What an API gateway must do to secure MCP traffic and AI-mediated interactions
- What MCP is, how it works, and the new categories of attack it introduces
- Hands-on experience with Tyk's MCP Gateway and the patterns that close these gaps
- A working approach your team can take back and apply to your own MCP and AI deployments
Agenda
The workshop runs as two linked sessions with a working lunch in the middle. The morning grounds your team in how API attacks actually happen. The afternoon picks up where the morning leaves off and moves into securing AI agent traffic with Tyk’s MCP Gateway.
Please bring your laptop — both sessions include hands-on labs.
10:00 am – 12:00 pm
Proof of Exploit
Led by Corey Ball and Jess Freeman, APIsec
A live, hands-on lab. Your team watches common security scanners return almost nothing useful against a vulnerable banking-style application, then exploits the same application themselves using Postman and Burp Suite against crAPI (the Completely Ridiculous API).
- The attacker’s step-by-step playbook, the way API attacks actually run in the wild
- The most exploited API vulnerabilities in practice, including BOLA, BOPLA, broken auth, mass assignment, and business logic abuse
- The real-world flaws behind the Peloton, Coinbase, and Parler incidents, and why current tooling misses them
- Why WAFs and traditional scanners are not enough, and what shift-left security looks like in practice
- Closing primer on MCP trust boundaries that sets up the afternoon labs
12:00 pm – 1:30 pm
Networking Lunch and Lightning Session
TAB Bank
1:30 pm – 3:30 pm
MCP Gateway Security Fundamentals
Led by Laura Heritage and Kuldeepak Angrish, Tyk
The afternoon starts by connecting directly to a raw MCP server to see the trust-boundary problem first-hand, then moves into three hands-on labs using Tyk’s MCP Gateway.
- Lab 1: Deploy and secure an MCP proxy using Tyk, including authentication, keys, and security policies
- Lab 2: Implement full-stack observability with analytics, logging, and end-to-end tracing for MCP traffic
- Lab 3: Advanced defense and discovery: RBAC-filtered tools, per-tool rate limiting, and client connections
Your team leaves with a working defense pattern they can apply to your own MCP deployments.
Why attend
Learn how to eliminate AI constraints and build scalable, extensible infrastructure that keeps you in control.
Break free from vendor lock-in
Take control of your AI stack across providers, models, and tools, confidently.
Enable true governance and auditability
Discover how open architectures improve visibility, compliance, and control across your AI stack.
Accelerate innovation without bottlenecks
Explore how removing closed-system limitations empowers teams to experiment and iterate faster.
Build AI systems that scale with your business
Learn how extensibility enables your infrastructure to grow and adapt as your AI use cases expand.
Customise without constraints
See how you can tailor AI control planes to your organisation’s specific needs and workflows.
Future-proof your AI strategy
Understand why adaptability is critical in a rapidly changing AI landscape, and how to achieve it.
Can't make it to the event?
We’re always keen to hear from people who’d like an event in their area. If you’d like to explore the potential of a Tyk event near you, get in touch. We’d love to hear from you.
Further resources
Learn more about building flexible, enterprise-ready AI infrastructure.
The AI Control Stack eBook
AI is evolving faster than the infrastructure built to control it. This ebook explores why legacy API platforms struggle with modern AI workloads like streaming, tokens, and agentic systems—and what’s needed instead.
FAQ
How do I join the webinar?
Once you’ve registered using the form on this webpage, you’ll be sent a link to join via email. Don’t forget to add the event to your calendar! On the day, click the link and you’ll be taken to the Zoom webinar area. Enter the email address you registered with to gain access.
I’m having technical issues. What should I do?
Please make sure you have downloaded Zoom in advance here and you are using the email address you registered with to join. Switch off any VPNs or use a personal device if you are having issues. You can email [email protected], and we can try to help you. Read the joining guide here.
Still have questions?
Our team is here to help. Reach out and we’ll get back to you shortly.