Pynt review
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring with prioritized findings
- Coverage of 12 OWASP API Top 10 categories
- OpenAPI spec parsing with $ref resolution
- Authenticated scanning with domain verification
- CI/CD integration with GitHub Action gates
Overview and positioning
Pynt is a self-service API security scanner that accepts a target URL and returns a risk score with prioritized findings. It operates as a black-box scanner, requiring no agents, code access, or SDK integration, and supports any language, framework, or cloud. Scans typically complete in under one minute and use read-only methods such as GET and HEAD; text-only POST requests are permitted only for LLM probes.
Detection coverage and methodology
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023):
- Authentication issues, such as multi-method bypass and JWT misconfigurations
- BOLA and IDOR via sequential ID enumeration
- BFLA and privilege escalation checks
- Property Authorization exposure
- Input Validation, covering CORS wildcard usage and dangerous methods
- Rate Limiting and Resource Consumption indicators
- Data Exposure patterns, including PII and API key leakage
- Encryption misconfigurations
- SSRF probes against URL-accepting parameters
- Inventory Management anomalies
- Unsafe Consumption surfaces
- LLM / AI Security probes spanning 18 adversarial techniques across Quick, Standard, and Deep tiers
The tool also parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution and cross-references spec definitions against runtime findings.
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, so that only the domain owner can submit credentials for it. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. The scanner adheres to a read-only safety posture: destructive payloads are never sent, and sensitive infrastructure endpoints are blocked at multiple layers.
Product integrations and monitoring
Results are accessed through a Web Dashboard for scanning, report viewing, and score trend tracking, with branded compliance PDF exports. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to gate CI/CD, failing builds when scores drop below defined thresholds. The MCP Server enables scanning from AI coding assistants. Continuous monitoring in higher tiers provides scheduled rescans, diff detection, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are auto-disabled after five consecutive delivery failures.
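As an added illustration (not code from the page or from the product), the following models the signed-webhook delivery loop described above: HMAC-SHA256 over the raw body on the sender, constant-time verification on the receiver, and the sender disabling an endpoint after five consecutive failed deliveries. The header name, hex encoding, and event shape are assumptions.

```python
import hashlib
import hmac
import json

MAX_CONSECUTIVE_FAILURES = 5  # auto-disable threshold stated on the page
SIGNATURE_HEADER = "X-Signature-SHA256"  # header name is an assumption, not the product's


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: str) -> bool:
    """Receiver side: recompute and compare in constant time, never with ==."""
    return hmac.compare_digest(sign_payload(secret, body), presented)


class WebhookEndpoint:
    """Sender-side delivery state with the five-strikes auto-disable rule."""
    def __init__(self, url: str, secret: bytes):
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, transport) -> bool:
        if not self.enabled:
            return False
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        ok = transport(self.url, {SIGNATURE_HEADER: sign_payload(self.secret, body)}, body)
        # One success resets the streak; five consecutive failures disable the hook.
        self.consecutive_failures = 0 if ok else self.consecutive_failures + 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return ok


def run_demo():
    """Constructed scenario: one verified delivery, then a receiver that stays down."""
    secret = b"constructed-shared-secret"
    hook = WebhookEndpoint("https://receiver.example.invalid/hook", secret)
    accepted = []

    def receiver_up(url, headers, body):  # accepts only a correctly signed body
        if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER, "")):
            return False
        accepted.append(json.loads(body))
        return True

    event = {"type": "score.changed", "api": "https://api.example.invalid", "score": 72}
    first = hook.deliver(event, receiver_up)
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        hook.deliver(event, lambda url, headers, body: False)  # receiver down
    return first, len(accepted), hook.enabled, hook.deliver(event, receiver_up)
```

run_demo() returns (True, 1, False, False): the first delivery verifies and is accepted, five failures disable the hook, and a later delivery is refused even though the receiver is back.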
Pricing tiers and data handling
The Free tier offers three scans per month and CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs with additional APIs billed separately, adding continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise tiers provide unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; data is never sold and is not used for model training.