Akto for VPs of Engineering
What middleBrick covers
- Black-box API scanning with scan time under one minute
- Risk scoring from A to F with prioritized findings
- Authenticated scanning with strict header allowlist
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Evaluation of 12 security categories mapped to the OWASP API Top 10
- CI/CD integration via GitHub Action and programmatic API
Risk visibility and scan workflow
The tool is a self-service API security scanner that accepts a target URL and returns a risk score from A to F with prioritized findings. It operates as a black-box scanner, requiring no agents, code access, or SDK integration, and supports any language, framework, or cloud. Scans complete in under a minute using read-only methods (GET and HEAD) plus text-only POST for LLM probes.
The workflow begins with submitting an endpoint, after which the engine evaluates 12 security categories aligned to the OWASP API Top 10. Each finding includes a severity, a description, and remediation guidance. You can initiate scans via the web dashboard, the CLI, or programmatically through the API client, and view results in a centralized view that supports filtering by severity and category.
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required, enforced by a DNS TXT record or an HTTP well-known file so that only the domain owner can scan with credentials.
When credentials are provided, the scanner forwards only a strict allowlist of headers, limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. OpenAPI specifications in versions 3.0 and 3.1, as well as Swagger 2.0, are parsed with recursive $ref resolution, enabling the spec to be cross-referenced against runtime behavior to detect undefined security schemes or deprecated operations.
Security categories and compliance mapping
The scanner evaluates findings across 12 security categories mapped to the OWASP API Top 10 (2023), including authentication bypass, BOLA and IDOR, BFLA and privilege escalation, property-level authorization over-exposure, and input validation issues such as CORS wildcard misconfigurations and dangerous HTTP methods.
Additional categories cover rate limiting and resource consumption, data exposure including PII and API key patterns, encryption and HTTPS enforcement, SSRF probes, inventory management issues like missing versioning, unsafe consumption surfaces, and LLM/AI security probes across Quick, Standard, and Deep tiers. These categories help you prepare for security controls described in PCI-DSS 4.0 and SOC 2 Type II, and they validate controls from the OWASP API Top 10 (2023).
Observability, monitoring, and integrations
The web dashboard centralizes scans, report viewing, score trend analysis, and downloadable branded compliance PDFs. For automation, the CLI supports middlebrick scan <url> with JSON or text output, and the GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold.
The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection across scans to surface new findings, resolved issues, and score drift. Alerts are delivered via email, rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks can notify external systems; a webhook is auto-disabled after 5 consecutive delivery failures.
Limitations and safety posture
The scanner does not fix, patch, block, or remediate issues; it detects and reports with guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not perform blind SSRF testing due to the lack of out-of-band infrastructure.
Safety measures include the use of read-only methods only, blocking of destructive payloads, and refusal to scan private IPs, localhost, and cloud metadata endpoints, enforced at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.