Kong review

What middleBrick covers

  • Risk scoring A–F with prioritized findings
  • Black-box scanning with no agents or SDKs
  • Coverage of 12 categories aligned to the OWASP API Top 10
  • OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
  • Authenticated scanning with header allowlist
  • Scheduled continuous monitoring and diff detection

Overview and positioning

This is a neutral review of a self-service API security scanner that focuses on detection rather than remediation. The tool accepts a target URL and returns a risk grade from A to F along with prioritized findings. It operates as a black-box scanner, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud environment. Scan duration is under one minute, using read-only methods such as GET and HEAD, with text-only POST support for LLM probes.

Detection coverage and methodology

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023), including Authentication bypass, BOLA and IDOR, BFLA and privilege escalation, Property Authorization exposure, Input Validation issues such as CORS wildcard misconfigurations, Rate Limiting and Resource Consumption, Data Exposure patterns including PII and API key formats, Encryption checks, SSRF indicators, Inventory Management problems, Unsafe Consumption surfaces, and LLM/AI Security probes. For LLM testing, it runs 18 adversarial probes across three scan tiers: Quick, Standard, and Deep, targeting jailbreaks, data exfiltration attempts, prompt injection variants, and token smuggling. The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution and cross-references spec definitions against runtime observations to identify undefined security schemes or deprecated operations.

Authenticated scanning and safety controls

Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic authentication, and Cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only domain owners can submit credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers. All scanning is read-only, with destructive payloads never sent. Private IP addresses, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; the data is not sold or used for model training.

Product integrations and continuous monitoring

The tool provides a Web Dashboard for scanning, viewing reports, tracking score trends, and downloading branded compliance PDFs. A CLI via the middlebrick npm package supports JSON or text output for scripted workflows. A GitHub Action enables CI/CD gating, failing builds when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants such as Claude or Cursor. For ongoing coverage, the Pro tier offers scheduled rescans at intervals of six hours, daily, weekly, or monthly, with diff detection for new or resolved findings and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can be configured with auto-disable after five consecutive failures.

Compliance mapping and limitations

The scanner maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), using language that references alignment with security controls described in these frameworks. For other regulations, it supports audit evidence collection and helps prepare documentation, but it does not assert certification or compliance. The tool is a scanner and does not fix, patch, or block issues; it provides detection and guidance. It does not perform active SQL injection or command injection testing, does not detect business logic flaws that require domain context, and does not identify blind SSRF without out-of-band infrastructure. It is not a replacement for a human pentester in high-stakes audit scenarios.

Frequently Asked Questions

What is the difference between the Free and Starter tiers?
The Free tier allows 3 scans per month with CLI access. The Starter tier adds 15 API scans per month, dashboard access, email alerts, and the MCP Server.

Can authenticated scans be performed?
Yes, authenticated scans are supported from Starter tier onward with Bearer, API key, Basic auth, and Cookie methods, subject to domain verification.

How are compliance requirements addressed?
Findings map to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The tool helps prepare evidence and aligns with security controls described in these frameworks.

Does the tool perform active exploitation like SQL injection?
No. The scanner is read-only and does not send destructive or intrusive payloads such as active SQL injection or command injection.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and is purged within 30 days of cancellation. It is never sold or used for model training.