Astra for Government
What middleBrick covers
- Black-box API scanning with no agents or SDK dependencies
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10, PCI-DSS 4.0, SOC 2 Type II
- Authenticated scans with strict header allowlists
- OpenAPI 3.x and Swagger 2.0 spec cross-validation
- Comprehensive LLM/AI Security adversarial probe suite
API Security Posture for Government Environments
Government workloads often aggregate public and restricted data across internal and external APIs. This scanner operates as a read-only assessment of your public-facing surface, assigning a risk score from A to F and surfacing prioritized findings aligned to OWASP API Top 10 (2023). Because the scan is black-box, no agent, SDK, or code access is required, and it works across any language or cloud stack. Scan duration remains under one minute, using read-only methods plus text-only LLM probes where configured.
Detection Coverage Relevant to Government Standards
The scanner maps findings to three reference frameworks commonly cited in government contexts: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It also helps you prepare for controls described in other regulatory frameworks by surfacing issues relevant to audit evidence. Key detection categories include:
- Authentication bypass, JWT misconfigurations such as alg=none or expired tokens, and security header validation
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing
- BFLA and privilege escalation through admin endpoint probing and role/permission leakage
- Property over-exposure, internal field leakage, and mass-assignment surface
- Input validation gaps including CORS wildcard usage and dangerous HTTP methods
- Rate-limiting absence, oversized responses, and unpaginated arrays
- Data exposure patterns for PII, credit card Luhn checks, SSN context-aware detection, API key formats, and error/stack-trace leakage
- Encryption issues such as missing HTTPS redirects, HSTS, and cookie flags
- SSRF against URL-accepting parameters, internal IP detection, and IP-bypass probes
- Inventory issues like missing versioning and legacy path patterns
- Unsafe consumption surface including excessive third-party URLs and webhook/callback exposure
- LLM/AI Security with 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, jailbreaks, data exfiltration, token smuggling, and multi-turn manipulation
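The data-exposure category above relies on two techniques that cut false positives: validating candidate card numbers with the Luhn check rather than flagging every long digit run, and counting an SSN-shaped value only when a context keyword sits nearby. The following is an added illustration of that logic, not middleBrick's own detector; the regexes, the keyword list, the 40-character context window and SAMPLE_BODY are all constructed for this example.

```python
"""Context-aware detection of card numbers and SSNs in an API response body.

Added example, not the scanner's own code. Illustrates Luhn validation for
card candidates and keyword-context gating for SSN candidates.
SAMPLE_BODY is a constructed response, not real data.
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the structurally invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SSN_CONTEXT = ("ssn", "social security", "social_security", "taxpayer")
CONTEXT_WINDOW = 40  # characters of preceding text inspected for a context keyword

SAMPLE_BODY = (
    '{"order_id": "1234567890123456", "tracking": "123-45-6789", '
    '"customer": {"name": "Jane Doe", "ssn": "078-05-1120", '
    '"card": "4111 1111 1111 1111"}, "status": "shipped"}'
)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(digits: str) -> str:
    """Keep only the last four digits in a finding so the report itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive_data(body: str) -> List[Dict[str, object]]:
    """Return findings sorted by offset; each has type, masked value and offset."""
    findings: List[Dict[str, object]] = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        # order_id-style numbers that fail Luhn are not reported
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"type": "card_number", "value": _mask(digits), "offset": m.start()})
    for m in SSN_RE.finditer(body):
        before = body[max(0, m.start() - CONTEXT_WINDOW):m.start()].lower()
        # an SSN-shaped tracking number with no nearby keyword is ignored
        if any(k in before for k in SSN_CONTEXT):
            digits = m.group().replace("-", "")
            findings.append({"type": "ssn", "value": _mask(digits), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in find_sensitive_data(SAMPLE_BODY):
        print(f)
```

Run against SAMPLE_BODY, the detector reports the card and the SSN field but stays silent on the sixteen-digit order id (which fails Luhn) and on the SSN-shaped tracking number (which has no context keyword within the window).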
Authenticated Scanning and Access Controls
For endpoints that require authentication, the scanner supports Bearer tokens, API keys, Basic auth, and cookies in Starter tier and above. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can submit credentials. A strict header allowlist is applied—only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded. This controlled access model preserves integrity while enabling assessment of authenticated workflows common in government systems.
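The allowlist described above is simple to state but worth implementing carefully: matching must be case-insensitive on header names, the prefix rule must not be widened to arbitrary `X-*` headers, and values containing CR or LF must be refused so a forwarded credential cannot smuggle a second header. The function below is an added example of such a filter, not middleBrick's own forwarding code; its names and the sample header set are constructed for illustration.

```python
"""Strict forwarding allowlist for credential headers supplied to a scan.

Added example, not the scanner's own code. Only Authorization, X-API-Key,
Cookie and X-Custom-* are forwarded, as the page states; every other
header is dropped and reported back so the submitter can see what was
discarded.
"""
from typing import Dict, List, Tuple

EXACT_ALLOW = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOW = ("x-custom-",)


def filter_headers(supplied: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (forwarded_headers, dropped_header_names).

    Names are compared case-insensitively; values are forwarded unchanged
    except that any value containing CR or LF is refused outright.
    """
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in supplied.items():
        lname = name.strip().lower()
        if "\r" in value or "\n" in value:
            # a line break inside a value would terminate the header and start another
            dropped.append(name)
            continue
        if lname in EXACT_ALLOW or lname.startswith(PREFIX_ALLOW):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


if __name__ == "__main__":
    # constructed sample: a mix of permitted, unrelated and malformed headers
    sample = {
        "Authorization": "Bearer <token-placeholder>",
        "X-API-Key": "<key-placeholder>",
        "Cookie": "session=<placeholder>",
        "X-Custom-Tenant": "agency-a",
        "Host": "override.example",
        "X-Forwarded-For": "10.0.0.1",
    }
    fwd, gone = filter_headers(sample)
    print("forwarded:", sorted(fwd))
    print("dropped:", gone)
```

Headers such as `Host` or `X-Forwarded-For`, which could redirect or misattribute the request, never reach the target even when a verified domain owner supplies them.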
OpenAPI Specification Analysis
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This comparison helps identify discrepancies between declared design and observed behavior, supporting more accurate audit evidence and control validation.
Operational Safeguards and Data Governance
The scanner enforces a strict read-only posture and never sends destructive payloads. Internal infrastructure elements such as private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training. These measures help reduce risk to sensitive government information while maintaining transparency about data lifecycle.
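Blocking private IPs, localhost and cloud metadata endpoints is the same control an API should apply to any URL it accepts from a caller, so it is worth seeing one layer of it concretely. The guard below is an added example, not middleBrick's code: it checks the scheme, a hostname blocklist, literal IP addresses (including IPv4-mapped IPv6 forms), and the resolved address of a hostname. The resolver is injectable so the check can be exercised offline; the hostnames and addresses in the test are constructed.

```python
"""Reject URLs whose target is internal infrastructure (one SSRF guard layer).

Added example, not the scanner's own code. Blocks loopback, private,
link-local (which covers the 169.254.169.254 metadata address), reserved,
multicast and unspecified addresses, plus a small hostname blocklist.
"""
import ipaddress
import socket
from typing import Callable, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# hostnames that are never a legitimate external target (example list)
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
METADATA_V4 = ipaddress.ip_address("169.254.169.254")


def is_internal_ip(ip: IPAddr) -> bool:
    """True if the address must not be contacted on a caller's behalf."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        # ::ffff:a.b.c.d is judged as the IPv4 address it wraps
        ip = mapped
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
        or ip.is_multicast or ip.is_unspecified or ip == METADATA_V4
    )


def check_target(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Return (allowed, reason). `resolve` maps a hostname to an IP string.

    Note: in production the connection must be made to the address checked
    here (pin it), otherwise a second DNS lookup at connect time can return a
    different, internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, "blocked hostname"
    try:
        ip = ipaddress.ip_address(host)  # literal IPv4/IPv6 in the URL
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return False, "unresolvable host"
    if is_internal_ip(ip):
        return False, f"internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://[::1]:8080/",
              "http://[::ffff:10.0.0.5]/", "file:///etc/hosts"):
        print(u, "->", check_target(u))
```

The resolution step is what catches a benign-looking hostname that points at an internal address; the pinning note in the docstring is the part most implementations forget.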