Akto for SREs

API security for SREs must integrate with reliability practices rather than disrupt them. This scanner acts as a gate that fits into deployment and monitoring workflows. Provide a public URL, receive a risk score graded A to F, and review prioritized findings in a dashboard. Scan duration is under a minute, restricted to read-only methods and controlled text-only probes, avoiding impact on production traffic.

The scanner maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II, while aligning with security controls described in other frameworks. Coverage includes authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, over-exposed properties and mass-assignment surfaces, and input validation issues like CORS wildcards and dangerous HTTP methods. Additional categories cover rate limiting indicators, data exposure patterns including PII and API key leakage, encryption misconfigurations, SSRF indicators, inventory issues, unsafe consumption surfaces, and LLM/AI security probes across tiered scan depths.

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0, resolving recursive $ref definitions and cross-referencing spec definitions against runtime behavior. It flags undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported after domain verification through DNS TXT records or HTTP well-known files. Only a header allowlist including Authorization, X-API-Key, Cookie, and X-Custom-* headers is forwarded, ensuring controlled credential usage.

Operational models include a web dashboard for scanning, viewing reports, and tracking score trends, with branded compliance PDF exports. The CLI npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can enforce CI/CD gates, failing the build when scores drop below a set threshold. An MCP server allows scanning from AI coding assistants, and a programmable API supports custom integrations. Continuous monitoring options on higher tiers provide scheduled rescans, diff detection, email alerts rate-limited to one per hour, and HMAC-SHA256 signed webhooks with auto-disable after multiple failures.

The scanner does not fix, patch, block, or remediate findings; it reports with remediation guidance. It does not execute active SQL injection or command injection tests, detect business logic vulnerabilities, identify blind SSRF, or replace human pentesters for high-stakes audits. Customer data is deletable on demand and purged within 30 days of cancellation. Scan data is never sold or used for model training, and destructive payloads, private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.