Migrating from APIsec to Astra
What middleBrick covers
- Black-box scanning with no agents or code access
- Under one minute scan time for most endpoints
- 12 check categories aligned to OWASP API Top 10 (2023)
- Authenticated scans with strict header allowlisting
- Continuous monitoring and diff detection across scans
- CI/CD integration via GitHub Action and MCP server
Purpose and scope of migration
This guide outlines how to move from APIsec to this self-service scanner. The two tools differ in architecture and operation, so this document focuses on practical data and workflow migration rather than feature parity.
Use it as a reference for setting expectations. It does not position this scanner as a replacement for a full audit, and it does not map every security control from APIsec. Instead, it highlights what can be carried forward and where manual follow-up is required.
Scan methodology differences
APIsec typically relies on instrumentation or agents, whereas this scanner performs black-box assessment using only HTTP interactions. This approach removes the need for code access, SDK integration, or runtime agents, and supports any language, framework, or cloud target.
Scan time remains under one minute for most endpoints. The scanner exercises GET and HEAD methods by default, with limited text-only POST support for LLM probes. Because no agent or code access is needed, setup is fast; authenticated coverage, however, requires explicit domain verification and header allowlisting.
For authenticated scans, you supply Bearer tokens, API keys, Basic credentials, or cookies. The system verifies domain ownership via a DNS TXT record or a well-known HTTP file, and it forwards only headers on a strict allowlist: Authorization, X-API-Key, Cookie, and X-Custom-*. Any other header you supply is dropped before the request reaches the target.
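The allowlist and ownership proof described above, as an added Python example written for this guide; it is not the scanner's own code. The X-Custom-* rule is implemented as a case-insensitive glob, the TXT record shape scanner-verify=<token> and the "file body equals token" rule for the well-known file are assumptions, and the inputs are constructed:

```python
import fnmatch
import hmac
from typing import Dict, Iterable, List, Optional

# Header names the page says are forwarded. The X-Custom-* rule is implemented
# as a case-insensitive glob on the header name (assumption, not the scanner's code).
HEADER_ALLOWLIST = ("authorization", "x-api-key", "cookie", "x-custom-*")

# Assumed shape of the TXT proof record; the page only says a DNS TXT record is used.
TXT_PREFIX = "scanner-verify="


def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only headers on the allowlist; everything else never reaches the target."""
    kept: Dict[str, str] = {}
    for name, value in headers.items():
        lowered = name.lower()
        if any(fnmatch.fnmatchcase(lowered, pattern) for pattern in HEADER_ALLOWLIST):
            kept[name] = value
    return kept


def dropped_headers(headers: Dict[str, str]) -> List[str]:
    """Names that were supplied but will be dropped, useful for a pre-scan warning."""
    kept = filter_headers(headers)
    return sorted(name for name in headers if name not in kept)


def verified_by_txt(txt_records: Iterable[str], token: str) -> bool:
    """True if any TXT record carries exactly the expected proof token."""
    for record in txt_records:
        record = record.strip().strip('"')
        if record.startswith(TXT_PREFIX):
            candidate = record[len(TXT_PREFIX):]
            if hmac.compare_digest(candidate.encode(), token.encode()):
                return True
    return False


def verified_by_well_known(body: Optional[str], token: str) -> bool:
    """True if the fetched well-known file body is exactly the proof token."""
    if body is None:
        return False
    return hmac.compare_digest(body.strip().encode(), token.encode())


def domain_verified(txt_records: Iterable[str], well_known_body: Optional[str], token: str) -> bool:
    """Either proof is sufficient; both comparisons are constant-time."""
    return verified_by_txt(txt_records, token) or verified_by_well_known(well_known_body, token)


if __name__ == "__main__":
    # Constructed sample input, not captured from a real scan.
    supplied = {
        "Authorization": "Bearer constructed-token",
        "X-Custom-Tenant": "acme",
        "X-Forwarded-For": "10.0.0.1",
        "X-Customer": "leaks-if-forwarded",
    }
    print("forwarded:", filter_headers(supplied))
    print("dropped:", dropped_headers(supplied))
    print("verified:", domain_verified(["v=spf1 -all", '"scanner-verify=abc123"'], None, "abc123"))
```

Note that X-Customer does not match X-Custom-* (the glob requires the trailing hyphen), so a credential smuggled under a near-miss name is silently dropped; running dropped_headers before a scan surfaces that before you spend a run on unauthenticated coverage.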
Coverage of API security categories
The scanner evaluates 12 check categories aligned to OWASP API Top 10 (2023). It checks for authentication bypasses, JWT weaknesses such as acceptance of alg=none or expired tokens, security header compliance, and WWW-Authenticate behavior.
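What the alg=none and expiry checks look at, as an added Python example for this guide (not the scanner's implementation): inspect_jwt runs static checks on a token seen in traffic, and forge_alg_none builds the probe variant you would send to the target; a 200 for that token means signatures are not being verified. The tokens are constructed here, and the check names and messages are this example's own:

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_jwt(header: dict, payload: dict, signature: str) -> str:
    """Assemble header.payload.signature; used here only to construct sample tokens."""
    return ".".join([_encode_json(header), _encode_json(payload), signature])


def forge_alg_none(token: str) -> str:
    """The alg=none probe: same claims, header alg rewritten, signature removed.
    A target that accepts this token is not verifying signatures at all."""
    head, body, _signature = token.split(".")
    header = json.loads(_b64url_decode(head))
    header["alg"] = "none"
    return ".".join([_encode_json(header), body, ""])


def inspect_jwt(token: str, now: Optional[int] = None) -> List[str]:
    """Static checks on an observed token: alg=none, empty signature, exp handling."""
    findings: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return ["malformed: header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header or payload is not a JSON object"]
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("alg=none: token carries no verifiable signature")
    elif parts[2] == "":
        findings.append(f"empty signature with alg={header['alg']}")
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if exp is None:
        findings.append("missing exp: token never expires")
    elif isinstance(exp, bool) or not isinstance(exp, (int, float)):
        findings.append(f"invalid exp claim: {exp!r}")
    elif exp <= now:
        findings.append(f"expired: exp={int(exp)} <= now={now}")
    return findings


if __name__ == "__main__":
    # Constructed token with a placeholder signature; not a real credential.
    sample = build_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "42", "exp": 1000}, "sig")
    print(inspect_jwt(sample, now=2000))
    print(inspect_jwt(forge_alg_none(sample), now=500))
```

The expired-token check is about the server, not the token: replaying a token whose exp is in the past and receiving a 200 is the finding, and inspect_jwt only tells you which captured tokens are worth replaying.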
It probes for BOLA and IDOR via sequential ID enumeration and adjacent ID probing, and tests for BFLA and privilege escalation through admin endpoint discovery and role leakage. Property over-exposure, mass-assignment surfaces, and sensitive data exposure are assessed, including PII patterns, Luhn-validated card numbers, SSN variants, and API key formats for AWS, Stripe, GitHub, and Slack.
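The sensitive-data checks above, as an added Python example for this guide rather than the scanner's own detector. Luhn validation filters digit runs that merely look like card numbers; the key patterns use the public prefixes (AKIA/ASIA, sk_live_/sk_test_, ghp_, xox?-) with approximate lengths, which is an assumption, and the response body is constructed (the AWS value is the documented AWS example key, the card number is a standard test number):

```python
import re
from typing import List, Tuple

# Public key prefixes for the providers the page names; lengths are approximate (assumption).
KEY_PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}
# US SSN with the never-issued area (000, 666, 9xx), group (00) and serial (0000) excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for index, ch in enumerate(reversed(digits)):
        d = int(ch)
        if index % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_data(body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs; card candidates must pass Luhn to be reported."""
    hits: List[Tuple[str, str]] = []
    for candidate in CARD_PATTERN.finditer(body):
        digits = re.sub(r"[ -]", "", candidate.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card_number", candidate.group()))
    for match in SSN_PATTERN.finditer(body):
        hits.append(("ssn", match.group()))
    for kind, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(body):
            hits.append((kind, match.group()))
    return hits


def redact(value: str) -> str:
    """Mask everything but the last four characters so reports do not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


# Constructed response body; the card is a test number and the AWS key is AWS's documented example.
SAMPLE_BODY = (
    '{"user":{"ssn":"123-45-6789","card":"4111 1111 1111 1111","backup":"4111 1111 1111 1112"},'
    '"config":{"aws_key":"AKIAIOSFODNN7EXAMPLE","gh":"ghp_' + "A" * 36 + '"}}'
)

if __name__ == "__main__":
    for kind, value in find_sensitive_data(SAMPLE_BODY):
        print(kind, redact(value))
```

The "backup" value differs from the real test number by one digit, fails Luhn, and is not reported; that is the difference between a PII finding and a false positive on an order ID.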
Input validation checks include CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Rate limiting is evaluated via response headers and oversized or unpaginated responses. Server-side risks such as SSRF indicators and known vulnerable endpoints are also covered, alongside inventory issues like missing versioning and legacy paths.
LLM-specific testing is included, with 18 adversarial probes across Quick, Standard, and Deep scan tiers, targeting system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling. OpenAPI 3.0, 3.1, and Swagger 2.0 files are parsed with recursive $ref resolution, and spec findings are cross-referenced against runtime behavior to highlight undefined security schemes or deprecated operations.
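The spec-side part of that cross-reference, as an added Python example for this guide (not the scanner's parser): resolve_refs inlines local $ref targets recursively and marks cycles instead of looping, and spec_findings lists operations that reference an undefined security scheme, declare no security requirement, or are still listed as deprecated. The OpenAPI 3.0 fragment is constructed and deliberately contains a User/Address reference cycle; only local "#/" refs are handled, which is an assumption of this example:

```python
from typing import Any, List

_MISSING = object()
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def _lookup(spec: dict, ref: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    node: Any = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(spec: dict, node: Any = _MISSING, seen: tuple = ()) -> Any:
    """Inline local $ref targets recursively. A ref already on the current expansion
    path is a cycle and is left in place with an x-cyclic marker (assumed convention)."""
    if node is _MISSING:
        node = spec
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if not ref.startswith("#/"):
                return node  # remote refs are out of scope for this example
            if ref in seen:
                return {"$ref": ref, "x-cyclic": True}
            return resolve_refs(spec, _lookup(spec, ref), seen + (ref,))
        return {key: resolve_refs(spec, value, seen) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_refs(spec, value, seen) for value in node]
    return node


def spec_findings(spec: dict) -> List[str]:
    """Spec-only checks to cross-reference against runtime behaviour."""
    findings: List[str] = []
    components = spec.get("components") or {}
    defined_schemes = set(components.get("securitySchemes") or {})
    global_security = spec.get("security")
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            label = f"{method.upper()} {path}"
            security = op.get("security", global_security)  # operation overrides global
            if not security:  # None or an explicit [] both mean no auth required
                findings.append(f"{label}: no security requirement declared")
            else:
                for requirement in security:
                    for scheme in requirement:
                        if scheme not in defined_schemes:
                            findings.append(f"{label}: references undefined security scheme '{scheme}'")
            if op.get("deprecated"):
                findings.append(f"{label}: deprecated operation still listed")
    return findings


# Constructed OpenAPI 3.0 fragment with a User <-> Address reference cycle.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "address": {"$ref": "#/components/schemas/Address"}}},
            "Address": {"type": "object", "properties": {
                "city": {"type": "string"},
                "owner": {"$ref": "#/components/schemas/User"}}},
        },
    },
    "paths": {
        "/users": {"get": {
            "security": [{"bearer": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/admin": {"get": {"security": [{"apiKey": []}], "responses": {"200": {}}}},
        "/legacy": {"get": {"deprecated": True, "responses": {"200": {}}}},
    },
}

if __name__ == "__main__":
    for line in spec_findings(SAMPLE_SPEC):
        print(line)
```

A spec finding is only half the picture: GET /legacy declaring no security is a misconfiguration if the endpoint also answers unauthenticated at runtime, and an informational note if it returns 401; that runtime probe is what the scanner adds on top of the parse.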
Continuous monitoring and integrations
Beyond one-off scans, the platform supports scheduled reassessments at intervals of 6 hours, daily, weekly, or monthly. Each new scan is compared against prior runs to surface new findings, resolved items, and score drift.
For CI/CD workflows, a GitHub Action is available to enforce quality gates and fail builds when the score drops below a defined threshold. The CLI provides JSON and text output for scripting, and an MCP server enables scanning from AI coding assistants. Programmatic access to the API allows integration into custom tooling.
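How scan-to-scan diffing and a score gate fit together, as an added Python example for this guide (not the platform's scoring or the GitHub Action). The finding shape, the identity used to match findings across runs, and the severity weights are all assumptions of this example; the two scan results are constructed:

```python
from typing import Dict, Iterable, List, Tuple

# Assumed severity weights; the page does not publish its scoring formula.
SEVERITY_WEIGHT = {"critical": 25, "high": 15, "medium": 8, "low": 3, "info": 0}

Finding = Dict[str, str]  # constructed shape: category, endpoint, check, severity
FindingKey = Tuple[str, str, str]


def finding_key(finding: Finding) -> FindingKey:
    """Identity used to match a finding across runs: same category, endpoint and check."""
    return (finding["category"], finding["endpoint"], finding["check"])


def score(findings: Iterable[Finding]) -> int:
    """100 minus the summed severity penalty, floored at zero (assumed formula)."""
    penalty = sum(SEVERITY_WEIGHT.get(f["severity"], 0) for f in findings)
    return max(0, 100 - penalty)


def diff_scans(previous: List[Finding], current: List[Finding], threshold: int) -> dict:
    """New and resolved findings, score drift, and whether the CI gate passes."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    current_score = score(current)
    return {
        "score": current_score,
        "drift": current_score - score(previous),
        "new": sorted(cur.keys() - prev.keys()),
        "resolved": sorted(prev.keys() - cur.keys()),
        "gate_passed": current_score >= threshold,
    }


def gate_exit_code(report: dict) -> int:
    """Non-zero fails the build, which is all a CI quality gate needs."""
    return 0 if report["gate_passed"] else 1


# Constructed results: a BOLA finding was fixed, a debug endpoint appeared.
PREVIOUS_SCAN: List[Finding] = [
    {"category": "bola", "endpoint": "/users/{id}", "check": "adjacent-id", "severity": "critical"},
    {"category": "misconfiguration", "endpoint": "/", "check": "cors-wildcard-credentials", "severity": "medium"},
]
CURRENT_SCAN: List[Finding] = [
    {"category": "misconfiguration", "endpoint": "/", "check": "cors-wildcard-credentials", "severity": "medium"},
    {"category": "misconfiguration", "endpoint": "/debug", "check": "debug-endpoint", "severity": "high"},
]

if __name__ == "__main__":
    import sys
    report = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN, threshold=80)
    print(report)
    sys.exit(gate_exit_code(report))
```

Keying findings on category, endpoint and check (rather than on a per-run finding id) is what lets a resolved item be recognised as resolved instead of every run looking entirely new; whatever identity the real tool uses, a migration should preserve one that is stable across runs.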
Notifications include email alerts, rate-limited to one per hour per API, and signed webhooks using HMAC-SHA256. Webhooks are automatically disabled after 5 consecutive failures. Compliance reporting is available in the dashboard, and Pro tier includes Slack or Teams alerts along with signed compliance PDFs.
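Both sides of a signed webhook, as an added Python example for this guide and not the platform's code: the sender signs each delivery with HMAC-SHA256 and disables itself after 5 consecutive failures, and the receiver verifies in constant time and rejects stale timestamps. The header names, the "timestamp.body" signing input, and the replay tolerance are assumptions; the page states only HMAC-SHA256 signing and the 5-failure cutoff:

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Header names and the signing input are assumptions for this example.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_CONSECUTIVE_FAILURES = 5  # from the page: webhooks are disabled after 5 failures


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp is covered too."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Receiver side: reject missing or malformed headers, stale deliveries, and bad MACs."""
    signature = headers.get(SIGNATURE_HEADER, "")
    try:
        timestamp = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # outside the window: treat as a replay
    expected = sign(secret, timestamp, body)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


class WebhookSender:
    """Sender side: sign each delivery and disable after 5 consecutive failures."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def build_request(self, event: dict, timestamp: int) -> Tuple[Dict[str, str], bytes]:
        # Canonical JSON so the bytes signed are exactly the bytes sent.
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode("utf-8")
        headers = {
            TIMESTAMP_HEADER: str(timestamp),
            SIGNATURE_HEADER: sign(self.secret, timestamp, body),
        }
        return headers, body

    def record_result(self, delivered: bool) -> bool:
        """Update the failure streak; returns whether the webhook is still enabled."""
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    # Constructed shared secret and event; not real credentials.
    secret = b"constructed-shared-secret"
    sender = WebhookSender(secret)
    headers, body = sender.build_request({"event": "scan.completed", "score": 77}, timestamp=1700000000)
    print("valid:", verify(secret, headers, body, now=1700000010))
    print("tampered:", verify(secret, headers, body + b" ", now=1700000010))
```

Verify over the raw request bytes before any JSON parsing; re-serialising the parsed body and signing that is the usual way receivers break verification on whitespace or key-order differences.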
Limitations and remediation expectations
This scanner does not correct, patch, or block issues. It detects and reports findings with remediation guidance, but implementation of fixes remains a manual task.
It does not execute active SQL injection or command injection tests, as those require intrusive payloads outside the stated scope. Business logic vulnerabilities are also outside automated detection, since they demand domain context. Blind SSRF and indirect prompt injection are not in scope, and the tool does not replace a human pentester for high-stakes assessments.
Compliance references are framed as alignment or support for audit evidence only. Terms such as certified, guaranteed compliant, ensures compliance with, or meets all requirements of are not used for HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA, or similar frameworks.