Apigee for Seed-stage startups
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk score A–F with prioritized findings
- 12 OWASP API Top 10 categories coverage
- OpenAPI 3.x and Swagger 2.0 parsing
- Authenticated scans with header allowlist
- Continuous monitoring and diff detection
Overview and scan mechanics
This is a self-service API security scanner designed for early-stage programs. You submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. The scanner operates in black-box mode, requiring no agents, code access, or SDK integration. It supports any language, framework, or cloud environment and typically completes a scan in under a minute.
Detection coverage aligned to standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II controls, validating the controls relevant to the OWASP API Top 10. Detection coverage includes:
- Authentication bypass methods and JWT misconfigurations such as alg=none, HS256 use, expired tokens, missing claims, and sensitive data in claims.
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
- Property authorization issues including over-exposure and mass-assignment surface.
- Input validation checks for CORS wildcard usage, dangerous HTTP methods, and debug endpoints.
- Rate limiting indicators, oversized responses, and unpaginated arrays.
- Data exposure patterns for PII, Luhn-validated cards, SSN context, API key formats, and error/stack-trace leakage.
- Encryption checks for HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF probes targeting URL-accepting parameters and internal IP detection.
- Inventory issues such as missing versioning and legacy path patterns.
- Unsafe consumption surface including excessive third-party URLs and webhook endpoints.
- LLM/AI security with adversarial probes covering prompt extraction, instruction override, jailbreaks, data exfiltration, token smuggling, and multi-turn manipulation.
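As an added illustration of the JWT checks listed above (example code written for this page, not middleBrick's own scanner), the script below decodes a token's header and claims without verifying it and flags alg=none, symmetric HS* algorithms, an empty signature segment, an expired exp, missing standard claims, and sensitive data carried in claims. The sample tokens, the required-claim list and the sensitive-key list are constructed assumptions for the example.

```python
import base64
import json
import time

# Claim names that should never ride in a token payload (it is only base64url-encoded, not encrypted)
SENSITIVE_CLAIM_KEYS = {"password", "ssn", "card_number", "secret", "api_key"}
# Claims the audit expects every access token to carry (assumed policy for this example)
REQUIRED_CLAIMS = ("exp", "iat", "sub")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def make_sample_jwt(header: dict, claims: dict, signature: str = "sig") -> str:
    # Constructed sample token for the audit; the signature is a placeholder, not a real MAC
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.{signature}"

def audit_jwt(token: str, now: float = None) -> list:
    """Inspect header and claims without verifying the token; return a list of findings."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token header disables signature verification")
    elif alg.startswith("hs"):
        findings.append(f"{alg.upper()}: symmetric key, risk of weak or shared secret")
    if parts[2] == "":
        findings.append("empty signature segment")
    if "exp" in claims and claims["exp"] < now:
        findings.append("expired: exp is in the past")
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            findings.append(f"missing claim: {claim}")
    for key in claims:
        if key.lower() in SENSITIVE_CLAIM_KEYS:
            findings.append(f"sensitive data in claim: {key}")
    return findings

if __name__ == "__main__":
    weak = make_sample_jwt({"alg": "none"}, {"sub": "42", "password": "hunter2"}, "")
    print("\n".join(audit_jwt(weak, now=1_700_000_000)))
```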
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, support is provided for Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced via DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integrations
With Pro tier and above, you can schedule rescans every 6 hours, daily, weekly, or monthly. The system detects diffs between scans, highlighting new findings, resolved findings, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with automatic disabling after 5 consecutive failures. Integration options include a web dashboard for reporting and trend tracking, a CLI via an npm package with JSON or text output, a GitHub Action that can fail builds based on score thresholds, an MCP server for AI coding assistants, and a programmable API for custom integrations.
Safety posture and limitations
The scanner uses only read-only methods and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. It does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not detect blind SSRF, and does not replace a human pentester for high-stakes audits.