Is Intruder worth it?

What middleBrick covers

  • Black-box API reconnaissance with read-only methods
  • Mapping findings to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
  • Authenticated scanning with strict header allowlisting
  • OpenAPI 3.x and Swagger 2.0 spec parsing with ref resolution
  • Continuous monitoring with diff detection and webhook alerts
  • Programmatic access via CLI, API, GitHub Action, and MCP server

Scope and methodology of black-box scanning

The tool performs a read-only black-box scan against any reachable API surface. It supports GET and HEAD methods by default and allows text-only POST for LLM probes without executing destructive payloads. Scan completion typically occurs in under a minute, and no agents, SDKs, or code access are required. Because it does not modify state, it is suitable for environments where intrusive testing is restricted. The scanner does not perform active SQL injection or command injection testing, as those require payloads outside its scope.

Detection coverage aligned to OWASP API Top 10 and mapping to compliance frameworks

Twelve security categories are covered, aligned to OWASP API Top 10 (2023). The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects authentication bypasses, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation attempts, over-exposed properties and mass-assignment surfaces, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate-limiting behaviors, data exposure including PII and API key patterns, encryption misconfigurations, SSRF indicators, and inventory management gaps. It also includes LLM security probes across tiered scan depths. For other regulations, the tool helps you prepare for audits and surfaces findings relevant to controls, but it does not certify compliance.

Authenticated scanning requirements and safety controls

Authenticated scanning is available in paid tiers and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, so only the domain owner can submit credentials for a target. A strict header allowlist is applied: only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded to the target; any other header is dropped. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers as scan targets. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.

OpenAPI spec analysis and continuous monitoring

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Continuous monitoring is available in higher tiers, with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection identifies new findings, resolved findings, and score drift, while email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are supported, with auto-disable after five consecutive failures.

Product integrations, pricing tiers, and limitations

The platform offers a web dashboard for scan management and score trends, a CLI via an npm package for on-demand scans, a GitHub Action for CI/CD gating, an MCP server for AI coding assistants, and a programmable API for custom integrations. Pricing includes a free tier with three scans per month and CLI access, a Starter tier at 100 USD per month for 15 APIs with dashboard and email alerts, a Pro tier at 499 USD per month for 100 APIs with continuous monitoring and CI/CD integration, and an Enterprise tier at 2000 USD per month for unlimited APIs, custom rules, and SSO. The tool does not fix, patch, block, or remediate findings; it detects and provides remediation guidance. It cannot replace a human pentester for high-stakes audits, and it does not detect business logic vulnerabilities that require domain understanding.

Frequently Asked Questions

Who should use this scanner and who should not?
It is worth it for teams that need frequent, automated reconnaissance of public-facing APIs and want prioritized findings without intrusive testing. It is not suited for organizations that require active exploitation capabilities or business logic assessments, as those activities fall outside its design.
Can it replace a traditional web application pentest?
No. The tool focuses on automated, read-only scanning aligned to OWASP API Top 10 and specific compliance mappings. It does not perform intrusive exploitation or deep business logic review, so it cannot substitute for a comprehensive human-led assessment.
How are false positives handled in the results?
Findings include severity indicators and contextual data to help triage risk. Teams should validate high-severity results in their environment, as the tool reports observations rather than definitive vulnerabilities. Manual verification remains necessary for complex edge cases.
What happens to scan data after cancellation?
Customer scan data can be deleted on demand and is purged within 30 days of cancellation. The platform retains no data for model training and does not sell data to third parties.