API security for Platform engineers
What middleBrick covers
- Black-box API scanning with read-only methods
- 12 OWASP API Top 10 detection categories
- OpenAPI 3.x and Swagger 2.0 spec analysis
- LLM adversarial probe suites for AI endpoints
- Authenticated scans with strict header allowlist
- CI/CD integration and continuous monitoring
Role of the platform engineer in API security
Platform engineers own the surface area. APIs expose integrations, data paths, and deployment pipelines to many teams, which makes the overall risk harder to track. You need visibility that does not depend on changing every service's language or adding runtime agents. This scanner performs a black-box assessment from an external vantage point, requiring no code access, SDKs, or build changes.
Scan approach and runtime constraints
The scanner probes APIs using only read-only methods (GET and HEAD) and text-only POST for LLM probes. A scan completes in under a minute and does not modify state or send destructive payloads. Sensitive endpoints, localhost, private IP ranges, and cloud metadata addresses are blocked at multiple layers to prevent accidental impact on internal systems.
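The destination blocking described above can be sketched as a pre-flight check on the scan target. This is an added example, not middleBrick's code; the function names, the metadata hostname entry, and the sample addresses are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed name-based deny entry; the page lists categories, not specific hosts.
BLOCKED_NAMES = {"localhost", "metadata.google.internal"}


def system_resolve(host):
    """Every address the name currently maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # Loopback, RFC 1918, link-local (169.254.169.254 metadata), CGNAT and
    # reserved space are all non-global; multicast is rejected separately.
    return ip.is_multicast or not ip.is_global


def check_target(url, resolve=system_resolve):
    """Return (allowed, reason, addrs); fails closed on anything unclassifiable."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host", set()
    if host in BLOCKED_NAMES or host.endswith(".localhost"):
        return False, "blocked hostname", set()
    try:
        ipaddress.ip_address(host)
        addrs = {host}  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = set(resolve(host))
        except OSError:
            return False, "resolution failed", set()
    if not addrs:
        return False, "no addresses", set()
    bad = sorted(a for a in addrs if is_internal(a))
    if bad:  # one internal record is enough to reject the whole name
        return False, "internal address: " + ", ".join(bad), set()
    return True, "ok", addrs  # connect only to these, never re-resolve
```

Because a name can resolve differently between the check and the request, the HTTP client should connect to the returned addresses rather than resolve again; that is one reason to enforce the block at more than one layer.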
Detection coverage aligned to major standards
Findings map directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls. Detection includes authentication bypasses, JWT misconfigurations such as alg=none and expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, over-exposed properties, CORS wildcard misconfigurations, rate-limit header inconsistencies, and data exposure patterns like emails, Luhn-validated card numbers, and API key formats.
For LLM-facing APIs, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, testing system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, and PII extraction.
OpenAPI analysis and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to find undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Product options and operational safeguards
The Web Dashboard centralizes scans, score trends, and branded compliance PDF downloads. The CLI offers JSON and text output via a simple command. A GitHub Action can gate CI/CD when scores drop below a threshold. The MCP Server enables scanning from AI coding assistants. Continuous monitoring (Pro tier) provides scheduled rescans, diff detection, hourly rate-limited alerts, HMAC-SHA256 signed webhooks, and automatic disable after five consecutive failures. Customer data is deletable on demand and purged within 30 days of cancellation; it is never sold or used for model training.