S4 MockAPI
Security API simulator
Mock server that answers like real security products' APIs. Build and test SIEM/SOAR integrations without product licenses: Trend Micro Vision One compatible REST shapes, Palo Alto Networks PAN-OS compatible XML API shapes, plus a generic mock for any OpenAPI 3.x document.
S4 MockAPI reproduces the shape of security-product APIs — status codes, headers, authentication flows, pagination, rate-limit and error bodies — reconstructed from public API documentation only. All data is synthetic. Vision One compatible profile (public API v3.0): workbench alerts with ETag/If-Match flows, endpoint inventory, endpoint-activity search, OAT detections, isolate/restore response actions with a realistic task lifecycle (207 Multi-Status). PAN-OS compatible profile (11.x-era XML API): keygen authentication, op commands, stateful candidate-config CRUD, and commit job lifecycle.
The problem
Building and testing SIEM/SOAR integrations means hitting real security-product APIs like Trend Micro Vision One or Palo Alto Networks PAN-OS, but licenses are expensive and limited, and there is rarely a spare sandbox to develop against. You cannot point CI at production security tooling, and failure paths like errors and throttling are hard to reproduce on demand. So integration code goes under-tested and breaks for the first time in production.
How it works
1. Launch the AMI, pick a profile
   Boot the AMI and the Vision One compatible profile starts on :8080 by default, switchable to the PAN-OS or generic OpenAPI profile via one env file.
2. Point your integration at the mock
   Repoint your connector or pipeline from the real API to the mock's endpoint and get faithful status codes, headers, auth flows and pagination without a product license.
3. Inject faults, then reset
   Inject failures like a 500 on the nth call, throttling with Retry-After, or latency deterministically via TOML scenarios, then factory-reset in one API call to rerun from a clean state.
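The kind of failure-path test that step 3 enables, as an added example (not S4 MockAPI's own code): a connector-side retry helper exercised against a small in-process stub that stands in for the mock. The stub, its fault schedule and the `/alerts` path are constructed assumptions; only `POST /reset` is named on this page.

```python
import json, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed stand-in for a fault-injecting mock (not S4 MockAPI itself):
# GET call 1 -> 429 + Retry-After, call 2 -> 500, later calls -> 200.
FAULTS = {1: (429, {"Retry-After": "0"}), 2: (500, {})}

class Stub(BaseHTTPRequestHandler):
    calls = 0
    def log_message(self, *args): pass  # silence per-request logging
    def _send(self, code, headers, body):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())
    def do_POST(self):  # any POST acts as the reset call in this stub
        Stub.calls = 0
        self._send(200, {}, {"reset": True})
    def do_GET(self):
        Stub.calls += 1
        code, headers = FAULTS.get(Stub.calls, (200, {}))
        self._send(code, headers, {"call": Stub.calls})

def fetch_with_retry(url, max_attempts=4, max_wait=5.0):
    """GET url, retrying on 429 (honouring Retry-After, capped) and 5xx."""
    seen = []
    for attempt in range(1, max_attempts + 1):
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                seen.append(resp.status)
                return json.load(resp), seen
        except urllib.error.HTTPError as err:
            seen.append(err.code)
            if err.code != 429 and err.code < 500:
                raise  # other 4xx responses are not retryable
            hint = err.headers.get("Retry-After", "")
            wait = float(hint) if hint.isdigit() else 0.1 * attempt
            time.sleep(min(wait, max_wait))
    raise RuntimeError(f"gave up after {max_attempts} attempts: {seen}")

def run_scenario():  # same fault sequence twice, with a reset in between
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    first = fetch_with_retry(base + "/alerts")[1]  # /alerts is a hypothetical path
    reset = urllib.request.Request(base + "/reset", data=b"", method="POST")
    urllib.request.urlopen(reset, timeout=5).close()
    second = fetch_with_retry(base + "/alerts")[1]
    server.shutdown()
    return first, second
```

Because the faults are keyed to the call count and the reset clears it, both runs observe the same status sequence, which is what makes the retry logic assertable in CI.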
Highlights
- Vision One / PAN-OS compatible API shapes plus a generic OpenAPI 3.x mock — one appliance covers your integration-test surface.
- Deterministic fault injection (nth-call 500s, throttling, latency) makes failure-path tests reproducible in CI.
- Boots to a working mock in under a minute; factory-resets in one API call; nothing leaves the instance.
What's included
- Trend Micro Vision One compatible REST profile (public API v3.0): workbench alerts with ETag/If-Match flows, endpoint inventory, endpoint-activity search, OAT detections, and isolate/restore response actions with a realistic task lifecycle (incl. 207 Multi-Status).
- Palo Alto Networks PAN-OS compatible XML API profile (11.x era): keygen authentication, op commands, stateful candidate-config CRUD, commit job lifecycle, and asynchronous log retrieval.
- Generic OpenAPI 3.x mock: feed any OpenAPI document and every documented operation is served from its examples and schemas.
- Faithful reproduction of status codes, headers, auth flows, pagination, rate-limiting and error bodies as documented, with schema conformance enforced in CI.
- Deterministic fault injection: nth-call 500s, probabilistic 429s with Retry-After, and injected latency to make failure-path tests reproducible.
- One-call factory reset (POST /reset) and seed-file overrides so your own demo data becomes the factory state.
- Fully offline operation: state is in-memory only, the instance makes no outbound calls, and nothing leaves the instance.
Use cases
- Develop SIEM/SOAR connectors and pipelines against Vision One, PAN-OS or any OpenAPI API without a live appliance.
- Test failure paths like 500s, throttling and latency reproducibly in CI using deterministic fault injection and reset.
- Run partner demos and internal training safely, without touching production security products.
- Use it as an onboarding environment for engineers learning the API integration before product licenses are assigned.
FAQ
Is this real vendor data?
No. All returned data is synthetic, reproducing only the shape of the APIs reconstructed from public documentation. Trend Micro, Vision One, Palo Alto Networks and PAN-OS are trademarks used nominatively to identify compatibility targets; this product is not affiliated with or endorsed by those vendors.
Can I use it in CI?
Yes, it is designed for CI. Deterministic fault injection via TOML scenarios (nth-call 500s, 429s with Retry-After, latency) reproduces failure paths, and POST /reset returns it to factory state between runs so every test starts from the same baseline.
Does anything leave the instance?
No. It runs fully offline inside your own VPC. State is held in-memory only, the instance makes no outbound calls, and the synthetic data never leaves the instance.
Which APIs are covered?
Three: Trend Micro Vision One compatible REST shapes (public API v3.0), Palo Alto Networks PAN-OS compatible XML API shapes (11.x era), and a generic mock that reproduces any REST API from an OpenAPI 3.x document.
How fast can I stand it up?
It boots to a working mock in under a minute. The AMI auto-starts the Vision One compatible profile on :8080, and a small instance such as t3.micro is enough to run it.
Pricing model
Hourly software fee + EC2 (broad instance-type coverage). Metered per instance type, no license keys.