StackHawk review

StackHawk positions itself as a developer-friendly security scanner focused on runtime API testing. It operates as a black-box solution that requires no agents, SDKs, or code access, making it applicable to any language, framework, or cloud environment. The tool submits a target URL and returns a risk score on an A–F scale alongside prioritized findings. Scan duration is under one minute, limited to read-only methods plus text-only POST for LLM probes. This review focuses on capabilities, coverage, and limits rather than marketing claims.

StackHawk detects findings mapped to OWASP API Top 10 (2023), addressing authentication bypass, JWT misconfigurations such as alg=none or expired tokens, security header compliance, and WWW-Authenticate requirements. It probes for Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR) via sequential ID enumeration and active adjacent-ID testing. The scanner checks for Broken Function Level Authorization (BFLA) and privilege escalation by probing admin endpoints and inspecting role/permission field leakage.

Additional coverage includes input validation checks for CORS wildcard usage (with and without credentials), dangerous HTTP methods, and debug endpoints. It evaluates rate-limiting headers, oversized responses, and unpaginated arrays to surface resource consumption risks. Data exposure detection identifies PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and various API key formats including AWS, Stripe, GitHub, and Slack. Encryption checks verify HTTPS redirects, HSTS presence, cookie flags, and mixed content. The tool also tests for SSRF via URL-accepting parameters and body fields, including active probes for internal IP bypass. Inventory management checks for missing versioning, legacy path patterns, and server fingerprinting. Unsafe consumption surfaces such as excessive third-party URLs and webhook/callback endpoints are assessed. LLM/AI Security testing includes 18 adversarial probes across Quick, Standard, and Deep scan tiers, covering system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, and PII extraction.

OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced via DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. Header forwarding is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

The scanner maintains a safety-first posture by using read-only methods only and never sending destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is not sold and is not used for model training.

The Web Dashboard provides centralized scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants such as Claude and Cursor.

Continuous Monitoring in the Pro tier supports scheduled rescans at six-hour, daily, weekly, or monthly intervals. It provides diff detection across scans to highlight new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are included, with auto-disable after five consecutive failures. The Enterprise tier adds unlimited APIs, custom rules, SSO, audit logs, SLA-backed support, and dedicated assistance.

StackHawk maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for audits by aligning with security controls described in or supporting audit evidence for specific controls, without asserting certification or compliance guarantees.

The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain-specific human analysis. Blind SSRF is out of scope due to the lack of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits.