Is Detectify worth it?
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk grading from A to F with prioritized findings
- Detection aligned to PCI-DSS 4.0, SOC 2, and OWASP API Top 10
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict domain verification
- Continuous monitoring and diff detection in Pro tier
Scope and approach of black-box API scanning
The platform is a self-service API security scanner: it accepts a target URL and returns a risk grade from A to F together with prioritized findings. It works as a black-box scanner, so it needs no agents, code access, or SDK integration and is indifferent to the language, framework, or cloud behind the API. By default it sends only read-only methods such as GET and HEAD, with text-only POST requests allowed for the LLM probes, so a default scan is not expected to change state on the target; a typical scan completes in under one minute.
Findings mapped to standards and coverage of detection categories
Findings map to three specific frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection coverage spans 12 categories:
- Authentication bypass and JWT misconfigurations
- Broken object level authorization
- Broken function level authorization
- Property authorization and over-exposure
- Input validation issues such as CORS misconfigurations and dangerous methods
- Rate limiting and resource consumption
- Data exposure, including PII and API key formats
- Encryption and transport misconfigurations
- SSRF against URL-accepting parameters
- Inventory and versioning issues
- Unsafe consumption surfaces
- LLM/AI security probes for prompt injection, data exfiltration, and token smuggling
OpenAPI analysis and authenticated scanning requirements
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution and cross-references the spec against runtime findings, flagging issues such as operations that reference an undefined security scheme or that are marked deprecated. Authenticated scanning is available from the Starter tier upward and supports Bearer tokens, API keys, Basic auth, and Cookie headers. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, so only a domain's owner can scan it with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*; any other header supplied with a scan is not forwarded to the target.
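The spec analysis and the header allowlist described above, as an added example written for this page; it is not middleBrick's code and does not reproduce its implementation. It resolves local JSON-pointer $refs (with cycle protection), reports operations that name an undefined security scheme or are deprecated, and drops forwarded headers that are not on the allowlist. The sample spec, operation names and header values are constructed for the example.

```python
"""Added illustration, not middleBrick's code: resolve local $refs in an OpenAPI 3.x
document, flag undefined security schemes and deprecated operations, and filter
forwarded headers against the stated allowlist. All sample data is constructed."""
import fnmatch
from typing import Any

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
FORWARDED_HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Constructed sample: a three-hop $ref chain, a self-referential schema, one operation
# whose security requirement names a scheme that is never defined, and one deprecated op.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Id": {"type": "string"},
            "User": {"type": "object", "properties": {"id": {"$ref": "#/components/schemas/Id"}}},
            "Node": {"type": "object", "properties": {"next": {"$ref": "#/components/schemas/Node"}}},
        },
        "responses": {
            "UserOk": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}},
        },
    },
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser", "security": [{"bearer": []}],
                    "responses": {"200": {"$ref": "#/components/responses/UserOk"}}},
            "delete": {"operationId": "deleteUser", "security": [{"adminKey": []}]},
        },
        "/v1/legacy": {
            "get": {"operationId": "legacyList", "deprecated": True, "security": [{"bearer": []}]},
        },
    },
}


def resolve_pointer(doc: dict[str, Any], ref: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/User' (RFC 6901 escapes)."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node: Any = doc
    for token in ref[2:].split("/"):
        node = node[token.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(node: Any, doc: dict[str, Any], stack: tuple[str, ...] = ()) -> Any:
    """Recursively inline $refs. A ref already on the current path is a cycle and is left
    as a marker instead of recursing forever; the same ref reused elsewhere still resolves."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in stack:
                return {"$circular": ref}
            return resolve_refs(resolve_pointer(doc, ref), doc, stack + (ref,))
        return {key: resolve_refs(value, doc, stack) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_refs(item, doc, stack) for item in node]
    return node


def spec_findings(spec: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (finding, operationId) pairs for undefined security schemes and deprecated ops."""
    resolved = resolve_refs(spec, spec)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            op_id = op.get("operationId", f"{method.upper()} {path}")
            # Operation-level security overrides the document-level default.
            for requirement in op.get("security", resolved.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-security-scheme", op_id))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", op_id))
    return findings


def filter_forwarded_headers(headers: dict[str, str]) -> dict[str, str]:
    """Keep only headers on the allowlist (case-insensitive; X-Custom-* is a glob)."""
    return {name: value for name, value in headers.items()
            if any(fnmatch.fnmatchcase(name.lower(), pattern.lower())
                   for pattern in FORWARDED_HEADER_ALLOWLIST)}


if __name__ == "__main__":
    for finding in spec_findings(SAMPLE_SPEC):
        print(finding)
    print(filter_forwarded_headers({"Authorization": "Bearer t", "X-Forwarded-For": "10.0.0.1"}))
```

The cycle guard tracks only the refs on the current resolution path, not every ref seen, so a schema reused by several operations is inlined in each place while a genuinely self-referential schema is cut off with a marker rather than hanging the parser; a scanner that accepts attacker-supplied specs needs exactly that guard.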
Product features, monitoring, and pricing tiers
The Web Dashboard supports scan management, trend tracking, and downloadable compliance PDFs. The CLI offers command-line scanning with JSON or text output, and a GitHub Action can fail a build when the score drops below a configured threshold. Continuous monitoring in the Pro tier adds scheduled rescans, diff detection between scans, email alerts rate-limited to one per hour, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures. Pricing: a free tier with three scans per month, Starter at 99 dollars per month for 15 APIs, Pro at 499 dollars per month for 100 APIs plus add-ons, and Enterprise at 2000 dollars per month for unlimited APIs and advanced controls.
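What an HMAC-SHA256 signed webhook with a disable-after-five-failures rule looks like on both sides, as an added example written for this page; it is not middleBrick's code, and the header name, signature format, timestamp window, secret and event payload are assumptions, since the page only states the algorithm and the failure limit. The receiver side is what a subscriber to such webhooks should implement: reject stale timestamps and compare the MAC in constant time.

```python
"""Added illustration, not middleBrick's code. Header name, signature format,
replay window and payload are assumed; the page only states HMAC-SHA256 signing
and auto-disable after five consecutive failures. All sample data is constructed."""
import hashlib
import hmac
import json
from typing import Callable

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed; the page does not name the header
MAX_CONSECUTIVE_FAILURES = 5               # stated on the page
TIMESTAMP_TOLERANCE = 300                  # assumed replay window in seconds


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over '<timestamp>.<body>' so a captured delivery cannot be replayed later."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_signature(secret: bytes, header: str, body: bytes, now: int) -> bool:
    """Receiver side: parse the header, reject stale timestamps, compare in constant time."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        presented = fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - timestamp) > TIMESTAMP_TOLERANCE:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)   # constant-time, no early exit on mismatch


class WebhookEndpoint:
    """Sender-side state for one subscriber URL, applying the disable-after-five rule."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, transport: Callable[[str, dict, bytes], bool], now: int) -> bool:
        """Sign and send one event; transport returns True for a successful (2xx) delivery."""
        if not self.enabled:
            return False
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {"Content-Type": "application/json",
                   SIGNATURE_HEADER: sign_payload(self.secret, now, body)}
        delivered = transport(self.url, headers, body)
        if delivered:
            self.consecutive_failures = 0          # any success resets the streak
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False               # stop hammering a dead or hostile endpoint
        return delivered


def make_receiver(secret: bytes, clock: Callable[[], int]) -> Callable[[str, dict, bytes], bool]:
    """Constructed stand-in for the subscriber's HTTP handler: accepts only valid signatures."""
    def handle(url: str, headers: dict, body: bytes) -> bool:
        return verify_signature(secret, headers.get(SIGNATURE_HEADER, ""), body, clock())
    return handle


def run_demo() -> dict:
    """One good delivery, then five rejected ones (wrong secret) that disable the endpoint."""
    secret, now = b"constructed-shared-secret", 1_700_000_000
    endpoint = WebhookEndpoint("https://hooks.example.test/scan", secret)
    good = make_receiver(secret, lambda: now)
    mismatched = make_receiver(b"some-other-secret", lambda: now)
    first_ok = endpoint.deliver({"scan": "abc", "grade": "C"}, good, now)
    failures = [endpoint.deliver({"scan": "abc", "grade": "C"}, mismatched, now) for _ in range(5)]
    return {"first_ok": first_ok, "failures": failures,
            "enabled_after": endpoint.enabled, "count": endpoint.consecutive_failures}


if __name__ == "__main__":
    print(run_demo())
```

Binding the timestamp into the signed material is what turns a bare HMAC into a replay-resistant one: the receiver's tolerance window bounds how long a captured delivery stays valid, and the constant-time compare keeps the MAC check itself from leaking which bytes matched.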
Limitations and who should or should not rely on this tool
The scanner does not fix, patch, block, or remediate anything; it detects and gives remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic flaws that require domain understanding, and cannot identify blind SSRF because it has no out-of-band (callback) infrastructure to observe the target's outgoing requests. It does not replace a human pentester for high-stakes audits. The tool is worth it for teams that need fast, repeatable risk scoring and prioritized findings to track posture over time and to catch regressions in CI. It is a poor fit for organizations that expect automated fixes, deep business logic validation, or a compliance certification: its reports can support an audit but are not themselves an attestation.