APIsec pricing

What middleBrick covers

  • Free tier for low-volume scanning with CLI access
  • Starter for up to 15 APIs with dashboard and email alerts
  • Pro adds continuous monitoring and CI/CD integration
  • Enterprise offers unlimited APIs and custom rules
  • Authenticated scanning with domain verification gate
  • Compliance mappings to PCI-DSS, SOC 2, and OWASP API Top 10

Pricing model overview

The scanner operates on a subscription model with four published tiers. The Free tier is zero cost and limited to 3 scans per month with CLI access. The Starter tier is billed monthly and supports up to 15 APIs, providing dashboard access, monthly scans, email alerts, and the MCP Server. The Pro tier is priced per month for 100 APIs, with additional APIs charged incrementally, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. The Enterprise tier is custom priced and intended for unlimited APIs, with negotiated add-ons such as custom rules, SSO, audit logs, SLA, and dedicated support.

Factors that influence final quotes

Published tiers provide a baseline, but final quotes can vary based on specific deployment choices. The number of APIs you register for scanning directly affects pricing, especially beyond the included caps in Starter and Pro. Scan frequency options, such as moving from monthly to daily monitoring, change the cost structure under continuous monitoring. Delivery preferences for alerts and reports, including webhook endpoints and Slack or Teams routing, can add configuration overhead. Organizations with unique compliance needs may require custom rules or additional integrations, which influence negotiation in the Enterprise tier.

Authentication and domain verification requirements

Authenticated scanning is available from Starter upward and supports Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, the domain must pass a verification gate, such as a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can enable authenticated scans. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*, and does not store or persist credentials beyond the scan session.
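As an added illustration, not middleBrick's own code, the gate described above sketched in Python: a domain-verification check fed by injected DNS TXT and well-known lookups, and a forwarding filter that keeps only the listed headers. The TXT record format, the well-known file's content and the sample DNS data are assumptions constructed for the example.

```python
import fnmatch

# Headers the page says are forwarded; names are compared case-insensitively.
ALLOWED_HEADER_PATTERNS = ("authorization", "x-api-key", "cookie", "x-custom-*")
# Record format is an assumption for this example; the page does not give the real one.
TXT_PREFIX = "middlebrick-verification="


def filter_forwarded_headers(headers):
    """Keep only headers on the restricted forwarding list; drop everything else."""
    return {
        name: value
        for name, value in headers.items()
        if any(fnmatch.fnmatchcase(name.lower(), pat) for pat in ALLOWED_HEADER_PATTERNS)
    }


def domain_is_verified(domain, token, txt_lookup, fetch_well_known):
    """True when the token is published in a DNS TXT record or the well-known file."""
    if (TXT_PREFIX + token) in list(txt_lookup(domain)):
        return True
    body = fetch_well_known(domain)
    return body is not None and body.strip() == token


def prepare_authenticated_scan(domain, token, headers, txt_lookup, fetch_well_known):
    """Gate: credentials are accepted only after the domain passes verification."""
    if not domain_is_verified(domain, token, txt_lookup, fetch_well_known):
        raise PermissionError(f"{domain} has not passed domain verification")
    return filter_forwarded_headers(headers)


# Constructed stand-ins for DNS and HTTP so the example runs offline.
SAMPLE_TXT = {"api.example.com": ["v=spf1 -all", TXT_PREFIX + "tok-123"]}


def sample_txt_lookup(domain):
    return SAMPLE_TXT.get(domain, [])


def sample_fetch_well_known(domain):
    return None  # no well-known file published in the sample


if __name__ == "__main__":
    creds = {"Authorization": "Bearer s3cr3t", "X-Custom-Tenant": "acme", "X-Forwarded-For": "10.0.0.1"}
    print(prepare_authenticated_scan("api.example.com", "tok-123", creds, sample_txt_lookup, sample_fetch_well_known))
```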

What is and is not included in published pricing

The published tiers cover the use of the scanner, the web dashboard, scheduled rescans, and standard integrations such as the CLI, GitHub Action, and MCP Server. Continuous monitoring, compliance reports, and signed webhooks are exclusive to Pro and Enterprise. The tool does not perform intrusive testing such as active SQL injection or command injection, does not fix or patch findings, and does not detect business logic vulnerabilities. It is designed to surface findings relevant to security reviews and to help prepare for audits aligned with specific frameworks, rather than to replace human-led penetration tests.

Compliance mapping and audit support

The scanner maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare by aligning findings with the security controls those standards describe, supporting audit evidence without asserting certification or compliance. Because the tool is a scanner and not an auditor, it cannot certify environments or guarantee any compliance state.

Frequently Asked Questions

Is pricing per user, per scan, or per API?
Pricing is structured around tiers that include a set number of APIs and scans. Starter and Pro define included API counts, with additional APIs charged incrementally in Pro. There is no per-user licensing; seats are tied to the organization subscription.
Do higher tiers include automated fixes?
No. The scanner detects and reports findings with remediation guidance but does not automatically fix, patch, or block requests. Remediation must be performed by your team or through separate tooling.
Can I add custom rules for internal APIs?
Custom rules and scan configuration are available in the Enterprise tier. This allows you to tailor detection to internal API characteristics while retaining the core scanning methodology.
Are compliance certifications provided with reports?
The tool generates reports that map findings to PCI-DSS, SOC 2, and OWASP API Top 10 to support audit evidence. It does not issue certifications or compliance attestations.