When M&A due diligence
What middleBrick covers
- Fast risk scoring and prioritized findings in under one minute
- Black-box scanning with no agents or code access required
- OpenAPI 3.x and Swagger 2.0 spec parsing with diff validation
- Authenticated scans with domain ownership verification
- LLM adversarial testing across Quick, Standard, and Deep tiers
- Reporting, monitoring, and CI/CD gating integrations
Due diligence timelines and API risk
During M&A due diligence, engineering and security teams share a narrow window to validate external and internal API surfaces. You need a fast, reliable signal about risk, not an open-ended assessment. Our scanner delivers a risk score from A to F and prioritizes findings within one minute, using only read-only methods. This allows you to form an evidence-backed view of exposure without requiring code access or agents.
Scan coverage relevant to transaction risk
The scanner evaluates 12 categories aligned to OWASP API Top 10 (2023), mapping findings to the critical security controls commonly reviewed during due diligence. It covers authentication bypasses, JWT misconfigurations such as alg=none or HS256 with weak secrets, IDOR and BOLA via sequential and adjacent ID probing, and privilege escalation through admin endpoint discovery. It also inspects data exposure, including PII patterns, API key formats for AWS and GitHub, error and stack trace leakage, and sensitive field over-exposure relevant to object property-level authorization.
Input validation checks include CORS wildcard usage and dangerous HTTP methods, while rate limiting and resource consumption are assessed via header detection and oversized response analysis. SSRF probes target URL-accepting parameters and internal IP bypass attempts. Inventory management flags missing versioning and legacy paths, and unsafe consumption reviews third-party URL and webhook surfaces. For AI-enabled APIs, 18 adversarial probes across Quick, Standard, and Deep tiers test LLM security, including jailbreak attempts, data exfiltration, token smuggling, and PII extraction.
OpenAPI spec validation and runtime correlation
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, deprecated operations, missing pagination, and sensitive fields not governed by a security scheme. This helps you verify that declared contracts align with actual behavior, a common diligence checkpoint when assessing third-party integrations.
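To make the spec-side checks concrete, here is an added example (written for this page, not the scanner's own parser) that resolves local $ref pointers recursively, guards against reference cycles, and then walks each operation looking for the conditions named above: no security requirement, a requirement naming a scheme components never defines, a deprecated operation still published, sensitive fields returned by an unauthenticated operation, and an array response with no pagination parameter. The sample spec, the sensitive-field list and the pagination parameter names are all constructed for the example.

```python
from typing import Any, Dict, List, Set, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size"}
# Field names treated as sensitive here; a constructed list, not the scanner's.
SENSITIVE_FIELDS = {"email", "ssn", "password", "address", "phone"}

# Constructed sample spec: a shared schema reached through $ref, one operation
# with no security requirement, one deprecated operation, and one requirement
# naming a scheme that components never defines.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Address": {"type": "object", "properties": {"street": {"type": "string"}}},
            "User": {"type": "object", "properties": {
                "email": {"type": "string"},
                "address": {"$ref": "#/components/schemas/Address"}}},
        },
    },
    "paths": {
        "/users": {"get": {
            "security": [{"bearer": []}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/users/{id}": {"get": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/legacy/export": {"get": {
            "deprecated": True,
            "security": [{"legacyKey": []}],
            "responses": {"200": {"description": "ok"}}}},
    },
}


def resolve_pointer(spec: Dict[str, Any], ref: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(spec: Dict[str, Any], node: Any = None, seen: frozenset = frozenset()) -> Any:
    """Inline $ref targets recursively; a ref already on the current path is a cycle and is left as-is."""
    if node is None:
        node = spec
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$ref": ref}
            return resolve_refs(spec, resolve_pointer(spec, ref), seen | {ref})
        return {k: resolve_refs(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(spec, v, seen) for v in node]
    return node


def property_names(node: Any, out: Set[str] = None) -> Set[str]:
    """Collect every property name reachable in a resolved schema tree."""
    if out is None:
        out = set()
    if isinstance(node, dict):
        out.update(node.get("properties", {}))
        for v in node.values():
            property_names(v, out)
    elif isinstance(node, list):
        for v in node:
            property_names(v, out)
    return out


def returns_array(op: Dict[str, Any]) -> bool:
    return any(media.get("schema", {}).get("type") == "array"
               for resp in op.get("responses", {}).values()
               for media in resp.get("content", {}).values())


def audit_spec(spec: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (path, method, finding) triples for the spec-level checks."""
    findings = []
    resolved = resolve_refs(spec)
    defined_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            security = op.get("security", global_security)  # operation-level overrides global
            if not security:
                findings.append((path, method, "no security scheme"))
                for field in sorted(property_names(op.get("responses", {})) & SENSITIVE_FIELDS):
                    findings.append((path, method, f"sensitive field '{field}' returned without security scheme"))
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined_schemes:
                        findings.append((path, method, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((path, method, "deprecated operation still published"))
            query = {p.get("name") for p in op.get("parameters", []) if p.get("in") == "query"}
            if returns_array(op) and not query & PAGINATION_PARAMS:
                findings.append((path, method, "array response without pagination parameters"))
    return findings
```

Running audit_spec(SAMPLE_SPEC) yields six findings: the unauthenticated /users/{id} operation and its exposed email and address fields, the undefined legacyKey scheme and deprecated flag on /legacy/export, and the unpaginated list on /users. The spec-only view is necessarily a hypothesis; correlating it with runtime responses, as the section describes, is what turns "declared" into "observed".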
Authenticated scanning and domain ownership verification
Authenticated scans, available from Starter tier and above, support Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate confirms ownership through a DNS TXT record or an HTTP well-known file. Only a limited set of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, reducing unintended data leakage during scans.
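The two controls in this section, an ownership gate in front of credential acceptance and a header allowlist on what is forwarded, are worth seeing together, because the allowlist matters little if credentials can be pointed at a domain the submitter does not own. The following is an added example, not middleBrick's implementation: the challenge prefix, the well-known path and the header names other than those listed above are assumptions, and the DNS lookup and HTTP fetch are injected callables so it runs offline.

```python
import secrets
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional

# Allowlist of headers that may be forwarded to the scanned API, matched
# case-insensitively; the x-custom-* entry is a glob.
FORWARDED_HEADERS = ("authorization", "x-api-key", "cookie", "x-custom-*")
# Hypothetical challenge prefix and well-known path; the page names neither.
CHALLENGE_PREFIX = "example-verify="
WELL_KNOWN_PATH = "/.well-known/example-verification"


def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop everything except allowlisted headers before any request is sent."""
    return {
        name: value
        for name, value in headers.items()
        if any(fnmatch(name.lower(), pattern) for pattern in FORWARDED_HEADERS)
    }


def issue_challenge() -> str:
    """Random token the domain owner must publish; one per verification attempt."""
    return CHALLENGE_PREFIX + secrets.token_urlsafe(24)


def verify_ownership(
    domain: str,
    challenge: str,
    lookup_txt: Callable[[str], List[str]],
    fetch: Callable[[str], Optional[str]],
) -> Optional[str]:
    """Return which method proved ownership ('dns-txt' or 'well-known'), or None.

    lookup_txt and fetch are injected so the check runs offline here; in a
    real deployment they would be a DNS resolver and an HTTPS GET.
    """
    if any(record.strip() == challenge for record in lookup_txt(domain)):
        return "dns-txt"
    body = fetch(f"https://{domain}{WELL_KNOWN_PATH}")
    if body is not None and body.strip() == challenge:
        return "well-known"
    return None


def prepare_authenticated_scan(
    domain: str,
    headers: Dict[str, str],
    challenge: str,
    lookup_txt: Callable[[str], List[str]],
    fetch: Callable[[str], Optional[str]],
) -> Dict[str, str]:
    """Gate: credentials are accepted, and only the allowlisted ones forwarded, once ownership is proven."""
    if verify_ownership(domain, challenge, lookup_txt, fetch) is None:
        raise PermissionError(f"ownership of {domain} not verified; credentials rejected")
    return filter_headers(headers)
```

Comparing the whole TXT record or file body against the challenge, rather than searching for the prefix, avoids accepting a stale token left over from an earlier verification.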
Operational reporting and monitoring options
The Web Dashboard centralizes scan results, score trends, and downloadable compliance PDFs with branded reporting. The CLI supports single scans with JSON or text output, and the GitHub Action can gate CI/CD when scores drop below a defined threshold. For ongoing monitoring, Pro tier provides scheduled rescans at intervals from 6 hours to monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures.
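Signed webhooks only reduce risk if the receiving side actually verifies them, so here is an added example of both halves, written for this page rather than taken from middleBrick: a sender that signs each delivery with HMAC-SHA256 over a timestamp and the body and disables the subscription after five consecutive failures, and a receiver that checks freshness and compares signatures in constant time. The header names and the five-minute clock tolerance are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Header names and the timestamp tolerance are assumptions for this example.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300
MAX_CONSECUTIVE_FAILURES = 5


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    # The timestamp is bound into the MAC so a captured delivery cannot be replayed later.
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookSubscription:
    """Sender side: signs each delivery and disables itself after repeated failures."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, payload: dict, transport: Callable[[str, Dict[str, str], bytes], bool]) -> bool:
        """transport(url, headers, body) -> bool is injected so this runs offline."""
        if not self.enabled:
            return False
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        timestamp = str(int(time.time()))
        headers = {
            TIMESTAMP_HEADER: timestamp,
            SIGNATURE_HEADER: sign_payload(self.secret, timestamp, body),
        }
        ok = transport(self.url, headers, body)
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False  # auto-disable; an operator must re-enable it
        return ok


def verify_delivery(secret: bytes, headers: Dict[str, str], body: bytes, now: Optional[float] = None) -> bool:
    """Receiver side: reject stale deliveries, then compare signatures in constant time."""
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if not timestamp or not signature:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign_payload(secret, timestamp, body), signature)
```

The receiver must sign the raw request bytes it was given, not a re-serialized copy of the parsed JSON, since any difference in key order or whitespace changes the MAC.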
Scope, limitations, and compliance framing
Because this is a scanning tool, it does not fix, patch, block, or remediate findings; it reports them with remediation guidance. It does not perform active SQL injection or command injection tests, which require intrusive payloads outside its scope, nor does it detect business logic vulnerabilities that demand domain context. The scanner surfaces findings relevant to audits and helps you prepare for assessments aligned with the security controls described in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it supports audit evidence collection against the security controls those standards describe, but it does not certify or guarantee compliance with any regulation.