Apigee for Government
What middleBrick covers
- Black-box API scanning with read-only methods
- Risk scoring across 12 OWASP API categories
- Mapped to PCI-DSS 4.0 and SOC 2 Type II
- Authenticated scanning with domain verification
- LLM adversarial probe coverage
- Dashboard, CLI, and CI/CD integrations
API Security Assessment for Government Environments
Government workloads process sensitive data and are subject to strict audit expectations. This scanner operates as a read-only assessment of public-facing endpoints, submitting GET and HEAD requests plus text-only LLM probes. It does not modify configurations or invoke destructive payloads. Results are presented with a risk score and prioritized findings to help teams understand current posture before engaging internal or third-party specialists.
Mapping to Compliance Frameworks
The scanner maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It helps you prepare for audits by surfacing issues relevant to access control, authentication integrity, and data exposure. For each finding, you receive context and remediation guidance aligned with these frameworks, enabling audit evidence collection without claiming certification or compliance guarantees.
Detection Coverage for Common API Risks
The scanner evaluates 12 security categories using black-box techniques. It checks authentication bypass and JWT misconfigurations, including alg=none and weak key assumptions. It probes for IDOR via sequential ID enumeration and tests for privilege escalation through role/permission leakage. Additional checks include CORS misconfigurations, unsafe HTTP methods, debug endpoints, PII exposure such as emails and card-like values, and sensitive API key patterns across common providers. Encryption checks verify HTTPS redirects, HSTS, and cookie attributes. SSRF probes target URL-accepting inputs and attempt to identify internal IP references. Inventory and unsafe consumption checks flag missing versioning and excessive third-party callback exposure.
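As an added illustration (not middleBrick's own code), the following Python implements a few of the passive checks listed above: the HTTPS-redirect, HSTS and cookie-attribute checks, the CORS wildcard-with-credentials check, and reading the alg field of a JWT header to spot an unsigned (alg=none) token. The responses and token are constructed samples, and the finding labels are assumptions chosen for this example.

```python
import base64
import json

# Constructed sample responses; headers are lower-cased keys, Set-Cookie kept as a list.
SAMPLE_HTTPS = {
    "status": 200,
    "headers": {"content-type": "application/json",
                "access-control-allow-origin": "*",
                "access-control-allow-credentials": "true"},
    "set_cookie": ["session=abc123; Path=/",
                   "csrf=xyz; Secure; HttpOnly; SameSite=Strict"],
}
SAMPLE_HTTP_NO_REDIRECT = {"status": 200, "headers": {}, "set_cookie": []}
SAMPLE_HTTP_REDIRECT = {"status": 301,
                        "headers": {"location": "https://api.example.gov/"},
                        "set_cookie": []}

def check_response(resp, scheme="https"):
    """Return a list of finding labels for one HTTP response (read-only, header-level)."""
    findings = []
    h = {k.lower(): v for k, v in resp["headers"].items()}
    if scheme == "http":
        # A plain-HTTP request should be redirected to an https:// URL.
        loc = h.get("location", "").lower()
        if not (300 <= resp["status"] < 400 and loc.startswith("https://")):
            findings.append("no-https-redirect")
        return findings
    if "strict-transport-security" not in h:
        findings.append("missing-hsts")
    for raw in resp.get("set_cookie", []):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in raw.split(";")[1:]}
        for want in ("secure", "httponly", "samesite"):
            if want not in attrs:
                findings.append(f"cookie-{name}-missing-{want}")
    # Wildcard origin combined with credentials is the classic CORS misconfiguration.
    if h.get("access-control-allow-origin") == "*" and \
            h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("cors-wildcard-with-credentials")
    return findings

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed token with an unsigned header and an empty signature segment.
SAMPLE_UNSIGNED_JWT = _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url({"sub": "u1"}) + "."

def jwt_alg(token):
    """Return the alg claimed in a JWT header; 'none' means the token carries no signature."""
    head = token.split(".")[0]
    head += "=" * (-len(head) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(head)).get("alg")
```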
LLM and AI Security Testing
The scanner includes LLM-specific testing with 18 adversarial probes across Quick, Standard, and Deep tiers. These probes assess system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration techniques, cost exploitation, encoding bypasses such as base64 and ROT13, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction. This coverage helps teams understand exposure surfaces unique to AI-integrated APIs.
Authenticated Scanning and Deployment Integration
Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies, gated by domain verification to ensure only domain owners can scan with credentials. The tool integrates into multiple environments via a web dashboard, CLI, GitHub Action, MCP Server for AI coding assistants, and a programmable API. Continuous monitoring options provide scheduled rescans, diff detection, email alerts, signed webhooks, and compliance report downloads. Note that the scanner detects issues but does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection testing and does not replace human pentesters for high-stakes audits.