What middleBrick covers
- Black-box API scanning with read-only methods for any stack
- Risk scoring from A to F with prioritized findings
- Mapping findings to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- Continuous monitoring and CI/CD integration options
Overview and scanning approach
This tool is a self-service API security scanner that accepts a target URL and returns a risk score from A to F along with prioritized findings. It operates as a black-box scanner, requiring no agents, code access, or SDK integration, and supports any language, framework, or cloud. Scans complete in under a minute, using read-only methods such as GET and HEAD, with text-only POST used for the LLM probes. The approach is detection-focused: it reports findings with remediation guidance rather than attempting to fix or block issues. Because it is black-box, it can only assess behavior the API exposes over HTTP from the scanner's vantage point; code paths the probes never reach are out of view.
Detection coverage and compliance mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023): authentication bypass; JWT misconfigurations such as acceptance of alg=none or expired tokens; BOLA and IDOR, probed by enumerating sequential IDs; BFLA and privilege escalation, probed through admin endpoints; property over-exposure; input validation issues such as CORS wildcards and dangerous HTTP methods; rate limiting and resource consumption signals; data exposure, including PII patterns and API key formats; encryption misconfigurations; SSRF indicators based on internal IP probing; inventory management gaps; and unsafe consumption surfaces. It also runs 18 adversarial LLM security probes across Quick, Standard, and Deep tiers, covering prompt extraction, jailbreak techniques, data exfiltration attempts, and token smuggling. Since the probes are read-only and indicator-based, a clean result in a category means the probe found no indicator, not that the bug class is absent.
For compliance framing, the tool maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks there is no direct control mapping; the reports can serve as supporting audit evidence where a finding corresponds to a control in the relevant standard. A scanner report documents that a test was run and what it found; it is not itself an attestation of compliance.
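The JWT probes in the category list above are the easiest to see in code. The block below is an added example, not middleBrick's code or a description of its implementation: it builds the alg=none and expired-token probes a black-box scanner would send, and runs them against two simulated verifiers, one that trusts the alg in the token header (vulnerable) and one that pins HS256 and checks exp (hardened). The secret, claims and function names are constructed for the example.

```python
"""Added example, not middleBrick's code: how an alg=none JWT probe works.

A black-box scanner never sees the server's verifier, so it rewrites a
captured token and watches whether the API still answers as if it were
valid. Both sides are simulated here: a verifier that trusts the alg in
the token header (vulnerable) beside one that pins HS256 and checks exp
(hardened). The secret and claims are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

SECRET = b"demo-secret"  # constructed; a real server never exposes this


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_alg_none(token: str, **changes) -> str:
    """Scanner-side probe: keep the claims (optionally edited), declare
    alg=none and send an empty signature segment."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def verify_vulnerable(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Honours whatever alg the token declares ('none' skips the MAC check)
    and never looks at exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes = SECRET,
                    now: Optional[float] = None) -> Optional[dict]:
    """Pins the algorithm server-side, compares the MAC in constant time,
    then rejects tokens whose exp is in the past."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        return None
    return claims


def probe(verify: Callable[[str], Optional[dict]]) -> dict:
    """Run the two JWT probes the review mentions against a verifier and
    report which ones it wrongly accepts."""
    good = sign_hs256({"sub": "user-17", "role": "user", "exp": 2_000_000_000})
    forged = forge_alg_none(good, role="admin")  # unsigned, role escalated
    expired = sign_hs256({"sub": "user-17", "role": "user", "exp": 1_000_000_000})
    return {
        "accepts_alg_none": verify(forged) is not None,
        "accepts_expired": verify(expired) is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(verify_vulnerable))
    print("hardened:  ", probe(verify_hardened))
```

Against a live API the scanner only sees status codes, so it would send `forged` and `expired` with a Bearer header and treat a 200 where a 401 is expected as the finding; the simulated verifiers make the accept/reject decision visible without a server.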
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. Authenticated scanning, available from Starter tier onward, supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
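To make the spec-analysis step concrete, the following is an added example written for this review, not middleBrick's parser: it inlines the local $ref pointers of a small OpenAPI 3.x document, handles the self-referencing schema that breaks a naive recursive resolver, and raises the four spec-level findings named above (undefined security scheme, sensitive field exposure, deprecated operation, missing pagination). The spec, finding labels, sensitive-field list and pagination parameter names are all constructed assumptions.

```python
"""Added example, not middleBrick's code: inline the local $ref pointers of
an OpenAPI 3.x document (including a self-referencing schema) and raise the
spec-level findings the review lists: undefined security scheme, sensitive
field exposure, deprecated operation and missing pagination. The spec,
finding labels and sensitive-field list are constructed for the example."""
from typing import Any, Dict, List, Tuple

SPEC: Dict[str, Any] = {  # constructed minimal spec
    "openapi": "3.0.3",
    "components": {
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "integer"}, "ssn": {"type": "string"},
            "manager": {"$ref": "#/components/schemas/User"}}}},  # cycle
        "parameters": {"Limit": {"name": "limit", "in": "query",
                                 "schema": {"type": "integer"}}},
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
    },
    "paths": {
        "/users": {"get": {"security": [{"bearerAuth": []}],
                           "parameters": [{"$ref": "#/components/parameters/Limit"}],
                           "responses": {"200": {"description": "ok"}}}},
        "/users/{id}": {"get": {"security": [{"bearerAuth": []}],
                                "responses": {"200": {"description": "ok", "content": {
                                    "application/json": {"schema": {
                                        "$ref": "#/components/schemas/User"}}}}}}},
        "/admin/users": {"get": {"security": [{"apiKey": []}], "deprecated": True,
                                 "responses": {"200": {"description": "ok"}}}},
        "/orders": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}
SENSITIVE_FIELDS = {"ssn", "password", "secret", "token"}
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "per_page", "page_size"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def resolve_pointer(doc: Any, ref: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc: Any) -> Any:
    """Copy of doc with every local $ref inlined. A ref already on the current
    resolution path is left in place and marked, so User.manager -> User
    terminates instead of recursing forever."""
    def walk(node: Any, seen: Tuple[str, ...]) -> Any:
        if isinstance(node, dict):
            if "$ref" in node:
                ref = node["$ref"]
                if ref in seen:
                    return {"$ref": ref, "x-cyclic": True}
                return walk(resolve_pointer(doc, ref), seen + (ref,))
            return {k: walk(v, seen) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, seen) for v in node]
        return node
    return walk(doc, ())


def sensitive_fields(node: Any) -> List[str]:
    """Property names matching the sensitive list anywhere in a resolved tree."""
    found: List[str] = []
    if isinstance(node, dict):
        props = node.get("properties")
        if isinstance(props, dict):
            found += [n for n in props if n.lower() in SENSITIVE_FIELDS]
        for value in node.values():
            found += sensitive_fields(value)
    elif isinstance(node, list):
        for value in node:
            found += sensitive_fields(value)
    return found


def analyze(spec: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Static checks on the resolved spec; returns (finding, location) pairs."""
    resolved = resolve_refs(spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings: List[Tuple[str, str]] = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # an operation-level security list overrides the document default
            requirements = op.get("security", resolved.get("security", []))
            if not requirements:
                findings.append(("NO_AUTH", where))
            for requirement in requirements:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("UNDEFINED_SECURITY_SCHEME", f"{where} -> {scheme}"))
            if op.get("deprecated"):
                findings.append(("DEPRECATED_OPERATION", where))
            names = {p.get("name") for p in op.get("parameters", [])}
            if method == "get" and not path.rstrip("/").endswith("}") \
                    and not names & PAGINATION_PARAMS:
                findings.append(("MISSING_PAGINATION", where))
            for field in sensitive_fields(op.get("responses", {})):
                findings.append(("SENSITIVE_FIELD", f"{where} exposes {field}"))
    return findings
```

The `seen` tuple is the important part: a scanner that resolves `$ref` recursively without tracking the current path will loop or blow the stack on the very common "object that references its own type" pattern, which is why the example marks the repeated reference instead of expanding it. Only local (`#/...`) pointers are handled; remote refs to other files or URLs would need the same SSRF-style target checks as the scan itself.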
Product features, monitoring, and pricing
The Web Dashboard provides centralized scan management, score trend visualization, branded compliance PDF downloads, and report sharing. The CLI, distributed as an npm package, supports commands such as middlebrick scan
Continuous Monitoring in Pro tier enables scheduled rescans at intervals of 6 hours, daily, weekly, or monthly, with diff detection for new and resolved findings, hourly rate-limited email alerts, and HMAC-SHA256 signed webhooks, so a receiver can check that a payload came from the service and was not altered in transit; a webhook auto-disables after 5 consecutive delivery failures. Pricing tiers include a Free plan with 3 monthly scans and CLI access, Starter at 99 dollars per month for 15 APIs with dashboard and alerts, Pro at 499 dollars per month for 100 APIs with continuous monitoring and CI/CD integration, and Enterprise at 2000 dollars per month for unlimited APIs, custom rules, and dedicated support.
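The receiving side of those webhooks is what an integrator actually has to write, so here is an added example (not middleBrick's code, and not its documented wire format): a sender that signs the raw body with HMAC-SHA256, counts consecutive delivery failures and disables the endpoint at five, a receiver that verifies the MAC before parsing, and the new/resolved diff between two scans. The header name `X-Signature-256`, the hex encoding, the payload shape and the (category, endpoint) diff key are assumptions; check the vendor's documentation for the real format.

```python
"""Added example, not middleBrick's code: both sides of a signed scan-result
webhook as the review describes it. The sender signs the raw body with
HMAC-SHA256, counts consecutive delivery failures and disables the endpoint
at five; the receiver verifies the MAC before parsing. Header name, hex
encoding, payload shape and diff keying are assumptions, not the vendor's
documented format. Sample findings are constructed."""
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional

SIGNATURE_HEADER = "X-Signature-256"  # assumed header name
Transport = Callable[[str, bytes, Dict[str, str]], bool]


def sign_body(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature: Optional[str]) -> bool:
    """Receiver side: constant-time compare against the raw bytes exactly as
    received, before any JSON parsing or re-serialisation."""
    if not signature:
        return False
    return hmac.compare_digest(sign_body(secret, body), signature)


def diff_findings(previous: List[dict], current: List[dict]) -> Dict[str, List[dict]]:
    """Diff two scan results keyed on (category, endpoint) so reordering or
    re-worded descriptions are not reported as churn."""
    key = lambda f: (f["category"], f["endpoint"])
    before = {key(f): f for f in previous}
    after = {key(f): f for f in current}
    return {
        "new": [after[k] for k in after if k not in before],
        "resolved": [before[k] for k in before if k not in after],
    }


class WebhookEndpoint:
    """Sender-side bookkeeping: auto-disable after MAX_FAILURES in a row,
    reset the counter on any successful delivery."""
    MAX_FAILURES = 5

    def __init__(self, url: str, secret: bytes) -> None:
        self.url, self.secret = url, secret
        self.failures = 0
        self.enabled = True

    def deliver(self, payload: dict, transport: Transport) -> bool:
        """transport(url, body, headers) -> delivered?; injected so the
        example runs offline."""
        if not self.enabled:
            return False
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        headers = {"Content-Type": "application/json",
                   SIGNATURE_HEADER: sign_body(self.secret, body)}
        ok = transport(self.url, body, headers)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.enabled = False
        return ok


# constructed sample: two consecutive scans of the same API
PREVIOUS = [{"category": "CORS_WILDCARD", "endpoint": "GET /v1/users", "severity": "medium"},
            {"category": "JWT_ALG_NONE", "endpoint": "GET /v1/me", "severity": "high"}]
CURRENT = [{"category": "CORS_WILDCARD", "endpoint": "GET /v1/users", "severity": "medium"},
           {"category": "MISSING_RATE_LIMIT", "endpoint": "POST /v1/login", "severity": "medium"}]


def demo_receiver(secret: bytes) -> Transport:
    """Fake transport behaving like a correctly implemented receiver."""
    def transport(url: str, body: bytes, headers: Dict[str, str]) -> bool:
        if not verify_webhook(secret, body, headers.get(SIGNATURE_HEADER)):
            return False  # a 401 from the receiver counts as a failed delivery
        json.loads(body)  # parse only after the MAC checks out
        return True
    return transport


if __name__ == "__main__":
    endpoint = WebhookEndpoint("https://hooks.example/scan", b"whsec-demo")
    print(endpoint.deliver({"diff": diff_findings(PREVIOUS, CURRENT)},
                           demo_receiver(b"whsec-demo")))
```

Two details matter on the receiving side: verify over the bytes as received (re-serialising the JSON first will change whitespace or key order and break the MAC), and treat a missing header as a failure rather than falling back to unauthenticated processing. Once an endpoint has auto-disabled, re-enabling it is a deliberate operator action, which is why the class does not reset `enabled` on its own.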
Safety posture and limitations
The scanner follows a read-only methodology and never sends destructive payloads; read-only here refers to HTTP method semantics, so an API that changes state on GET would still be affected by enumeration probes. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand, purged within 30 days of cancellation, and not used for model training. The tool does not fix or patch issues and does not perform active exploitation such as SQL injection or command injection; these are outside its scope. It does not detect business logic vulnerabilities or blind SSRF that requires out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits.
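The "blocked at multiple layers" claim is worth understanding, because a scanner that fetches user-supplied URLs is itself an SSRF primitive if it only checks the hostname string. The block below is an added example of that kind of guard, written for this review rather than taken from middleBrick: it rejects non-HTTP schemes and known metadata hostnames first, then resolves the host and refuses if any answer is loopback, private, link-local, or a cloud metadata address, unwrapping IPv4-mapped IPv6 so `[::ffff:127.0.0.1]` cannot slip past. The resolver is injectable so it runs offline; the hostname and address lists and the sample DNS entries are constructed.

```python
"""Added example, not middleBrick's code: the kind of target check a scanner
needs before fetching a user-supplied URL, so it cannot be pointed at
loopback, RFC 1918, link-local or cloud metadata addresses. The resolver is
injectable so the example runs offline; the hostname/address lists are
assumptions and the fake DNS entries are constructed."""
import ipaddress
import socket
from typing import Callable, Optional, Set, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Set[IPAddress]]

METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
METADATA_ADDRS = {ipaddress.ip_address(a) for a in (
    "169.254.169.254",   # AWS, GCP, Azure IMDS
    "fd00:ec2::254",     # AWS IMDS over IPv6
    "100.100.100.200")}  # Alibaba Cloud; not in 100.64/10's is_private set


def system_resolver(host: str) -> Set[IPAddress]:
    """Every A and AAAA answer, not just the first one."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def address_block_reason(addr: IPAddress) -> Optional[str]:
    """Layer 2: judge one resolved address."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if addr in METADATA_ADDRS:
        return f"cloud metadata address {addr}"
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return f"non-public address {addr}"
    return None


def target_block_reason(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return why the URL must not be scanned, or None if it may be.
    Layer 1 is the scheme and hostname; layer 2 is every resolved address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return f"blocked hostname {host}"
    try:
        addrs: Set[IPAddress] = {ipaddress.ip_address(host)}  # IP literal
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError):
            return f"unresolvable host {host}"
    if not addrs:
        return f"unresolvable host {host}"
    for addr in addrs:
        reason = address_block_reason(addr)
        if reason:
            return reason  # one bad answer is enough to refuse the target
    return None


# constructed resolver standing in for DNS in this example
FAKE_DNS = {
    "api.example.com": {ipaddress.ip_address("93.184.216.34")},
    "rebind.example": {ipaddress.ip_address("93.184.216.34"),
                       ipaddress.ip_address("10.0.0.5")},
}


def fake_resolver(host: str) -> Set[IPAddress]:
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://rebind.example/"):
        print(u, "->", target_block_reason(u, fake_resolver))
```

Checking every resolved address (rather than the first) is what catches the split-answer case in `rebind.example`. It does not by itself defeat DNS rebinding, where the answer changes between the check and the connect; a third layer pins the vetted address for the actual connection or re-applies `address_block_reason` to the socket's peer address after connecting, and redirects must go back through the same check.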