Wallarm review
What middleBrick covers
- Black-box scanning without agents or SDK dependencies
- Risk grading with prioritized findings on a letter scale
- 12 OWASP API Top 10 (2023) coverage categories
- OpenAPI 3.x and Swagger 2.0 spec parsing with diff tracking
- Authenticated scans with strict header allowlisting
- Continuous monitoring and compliance report generation
Overview and positioning
This review covers a self-service API security scanner that accepts a URL and returns a risk grade with prioritized findings. The approach is black-box, requiring no agents, SDKs, or code access, so any language, framework, or cloud target can be scanned. A scan completes in under one minute and uses read-only methods, GET and HEAD, with text-only POST reserved for the LLM probes.
Detection coverage and methodology
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). It checks authentication mechanisms, including multi-method bypass and JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA related to privilege escalation through admin endpoint probing and role/permission leakage.
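The JWT checks listed above are the kind a reviewer can reproduce with a few lines of inspection code. The following is an added Python example, not code from the scanner or its vendor; it decodes a token without verifying it (inspection only) and reports alg=none, HS256 usage, expiry, missing claims and sensitive values in claims. The required-claim set, the sensitive-value patterns and the make_sample_token helper are assumptions made for this example.

```python
import base64
import json
import re
import time
from typing import Dict, List, Optional, Tuple

# Claims an access token is expected to carry (assumption for this example).
REQUIRED_CLAIMS = ("exp", "iat", "sub")

# Values that should never ride inside a token: the payload is only base64url-encoded, not encrypted.
SENSITIVE_CLAIM_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload) without checking the signature.
    Inspection only: acceptance decisions must go through full signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def inspect_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return a list of misconfiguration findings for one token (empty list means clean)."""
    now = time.time() if now is None else now
    header, payload = decode_unverified(token)
    findings: List[str] = []

    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token carries no signature")
    elif alg == "hs256":
        findings.append("HS256: symmetric signing, every verifier holds the issuing secret")

    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        findings.append("missing claims: " + ", ".join(missing))

    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired: exp is in the past")

    for claim, value in payload.items():
        if isinstance(value, str):
            for label, pattern in SENSITIVE_CLAIM_PATTERNS.items():
                if pattern.match(value):
                    findings.append(f"sensitive data in claim '{claim}' ({label})")
    return findings


def make_sample_token(header: dict, payload: dict, signature: str = "sig") -> str:
    """Build a constructed token for exercising the inspector; the signature segment is a placeholder."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.{signature}"


if __name__ == "__main__":
    # Constructed token: unsigned, expired, and carrying an e-mail address in a claim.
    weak = make_sample_token(
        {"alg": "none", "typ": "JWT"},
        {"sub": "u1", "iat": 1700000000, "exp": 1700003600, "email": "a@example.com"},
    )
    for finding in inspect_jwt(weak):
        print("-", finding)
```

The inspector deliberately never verifies the signature, so it can only flag what the token says about itself; whether the server actually accepts an alg=none or expired token is a separate runtime test.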
Additional coverage includes property authorization over-exposure, input validation issues like CORS wildcards and dangerous HTTP methods, rate limiting and resource consumption through header detection and oversized responses, and data exposure patterns such as emails, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack. Encryption checks cover HTTPS redirects, HSTS, cookie flags, and mixed content. SSRF probes target URL-accepting parameters and internal IP bypass attempts. Inventory management examines missing versioning and legacy paths, while unsafe consumption reviews third-party URLs and webhook surfaces. The LLM/AI security component runs 18 adversarial probes across Quick, Standard, and Deep tiers, testing system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling.
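The data exposure checks are worth illustrating, because the Luhn step is what separates a card-number finding from a false positive on any long digit run. The block below is an added Python example, not the scanner's own rules: it scans a constructed response body for e-mail addresses, Luhn-valid card numbers and the AWS, Stripe, GitHub and Slack key formats, returning redacted hits. The vendor prefixes are public, but the exact key lengths in the patterns are assumptions, and the sample body uses a well-known Visa test number and the AWS documentation example key.

```python
import re
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary 13 to 19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the first and last four characters so the report itself is not an exposure."""
    return value[:4] + "*" * max(0, len(value) - 8) + value[-4:]


# Vendor key prefixes are public; the minimum lengths below are assumptions for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_exposures(body: str) -> Dict[str, List[str]]:
    """Scan one response body and return redacted hits keyed by exposure type."""
    hits: Dict[str, List[str]] = {}
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(body):
            hits.setdefault(label, []).append(redact(m.group(0)))
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only Luhn-valid candidates are reported; "ref" style numbers that fail the checksum are dropped.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.setdefault("card_number", []).append(redact(digits))
    return hits


# Constructed sample response: a Visa test number, a digit run that fails Luhn, an AWS docs example key.
SAMPLE_BODY = (
    '{"owner":"user@example.com","card":"4111 1111 1111 1111",'
    '"ref":"4111111111111112","aws":"AKIAIOSFODNN7EXAMPLE"}'
)

if __name__ == "__main__":
    for kind, values in find_exposures(SAMPLE_BODY).items():
        print(kind, values)
```

Running it on the sample reports one card number, one e-mail address and one AWS key; the 4111111111111112 run is skipped because its checksum fails, which is exactly the false positive the Luhn step exists to remove.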
OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced via DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. Header forwarding is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The scanner follows a strict read-only posture, never sending destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. It is not used for model training and is not sold.
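The two safety controls described above, the header allowlist for authenticated scans and the block on private, loopback and cloud metadata targets, can be shown as a small pre-flight routine. This is an added Python example, not the scanner's code: it keeps only the four allowed header kinds, rejects blocked hostnames, resolves the target and refuses it if any resolved address falls in a private, loopback, link-local or reserved range. The resolver is injectable so the check runs offline; the blocked hostname set and the returned address list are design choices made here.

```python
import ipaddress
import socket
from typing import Dict, List
from urllib.parse import urlparse

# Header allowlist as the page states it: anything not listed is dropped before the request is built.
FORWARDABLE_HEADERS = {"authorization", "x-api-key", "cookie"}
FORWARDABLE_PREFIX = "x-custom-"

# Hostnames that are never acceptable targets; literal IPs are handled by the address checks below.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def filter_forward_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only the headers the customer is allowed to have the scanner forward."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in FORWARDABLE_HEADERS or lname.startswith(FORWARDABLE_PREFIX):
            kept[name] = value
    return kept


def is_blocked_address(addr: str) -> bool:
    """True for private, loopback, link-local (which covers 169.254.169.254), reserved and similar ranges."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def _resolve(host: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_target(url: str, resolve=_resolve) -> List[str]:
    """Return the resolved addresses the scanner may connect to, or raise ValueError.
    `resolve` is injectable so the check can be exercised without network access."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("only http(s) URLs with a hostname are accepted")
    host = parsed.hostname.lower()
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        raise ValueError(f"blocked host: {host}")
    addresses = resolve(host)
    if not addresses:
        raise ValueError(f"cannot resolve {host}")
    # Every address must pass: a public name with one internal record is still blocked.
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return addresses


if __name__ == "__main__":
    print(filter_forward_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme", "Host": "other"}))
    for candidate in ("http://127.0.0.1/", "http://169.254.169.254/", "http://localhost:8080/"):
        try:
            validate_target(candidate)
        except ValueError as err:
            print("rejected:", err)
```

Returning the resolved addresses rather than the bare URL matters: the HTTP client should connect to those pinned addresses, otherwise a second DNS lookup at connect time can return a different, internal answer than the one that was checked.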
Product features, integrations, and monitoring
The Web Dashboard provides scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action supports CI/CD gating by failing builds when scores drop below defined thresholds. An MCP Server allows scans from AI coding assistants like Claude and Cursor, and a dedicated API client facilitates custom integrations.
Pro tier adds continuous monitoring with configurable intervals of 6 hours, daily, weekly, or monthly. It performs diff detection across scans to surface new findings, resolved findings, and score drift. Alerts are rate-limited to one email per hour per API and support HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. Teams and Slack or Microsoft Teams alerts are available at this tier.
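Signed webhooks and the five-failure auto-disable are easy to get subtly wrong on the receiving side, so here is an added Python example of both halves; it is not the product's implementation. The sender computes an HMAC-SHA256 over a timestamp and the body, the receiver rejects stale timestamps and compares in constant time, and a small endpoint object tracks consecutive delivery failures. The header names, the 300-second tolerance and the timestamp-in-signature design are assumptions; the page only states HMAC-SHA256 signing and the five-failure limit.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Header names are assumptions for this example; the page only states HMAC-SHA256 signing.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over timestamp and body, so a captured delivery cannot be replayed later."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, timestamp: int, body: bytes, signature: str,
                     now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Receiver-side check: reject stale timestamps, then compare in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False
    return hmac.compare_digest(sign_payload(secret, timestamp, body), signature)


class WebhookEndpoint:
    """Tracks delivery health and disables itself after five consecutive failures."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def build_request(self, event: dict, timestamp: int) -> Dict[str, object]:
        # Serialize once and sign those exact bytes; the receiver verifies over the raw bytes it gets.
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        return {
            "url": self.url,
            "body": body,
            "headers": {
                TIMESTAMP_HEADER: str(timestamp),
                SIGNATURE_HEADER: "sha256=" + sign_payload(self.secret, timestamp, body),
            },
        }

    def record_delivery(self, status_code: int) -> bool:
        """Update the failure counter from the HTTP status; return whether the endpoint stays enabled."""
        if not self.enabled:
            return False
        if 200 <= status_code < 300:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    # Constructed endpoint and event for a local round trip.
    endpoint = WebhookEndpoint("https://hooks.example.test/alerts", b"constructed-secret")
    req = endpoint.build_request({"api": "orders", "score": "B", "new_findings": 2}, int(time.time()))
    sig = req["headers"][SIGNATURE_HEADER][len("sha256="):]
    print("valid:", verify_signature(b"constructed-secret", int(req["headers"][TIMESTAMP_HEADER]), req["body"], sig))
```

Two receiver-side points follow from this: verify over the raw request bytes before any JSON parsing, since re-serializing the body will change whitespace and key order and break the comparison, and treat a successful delivery as resetting the failure counter, otherwise intermittent errors eventually disable a healthy endpoint.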
Compliance mapping and pricing
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the scanner aligns its checks with the security controls those standards describe and helps you prepare for them, supporting audit evidence without asserting certification or compliance guarantees.
Tiered pricing starts with a Free plan at zero cost, offering 3 scans per month and CLI access. Starter is billed at 99 US dollars per month for 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. Pro is priced at 499 US dollars per month for 100 APIs, with additional APIs at 7 US dollars each, plus continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise is positioned at 2000 US dollars per month and above, providing unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.