Post-deploy API security check
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk score A–F with prioritized findings
- Coverage of 12 OWASP API Top 10 categories
- OpenAPI 3.0/3.1 and Swagger 2.0 spec-aware analysis
- Authenticated scanning with strict header allowlist
- LLM/AI security adversarial probing across scan tiers
Shift security left after deployment
Post-deploy API security begins with visibility into what is actually exposed. Use a black-box scanner that requires no agents or code access. Submit a URL and receive a risk score from A to F along with a prioritized list of findings aligned to OWASP API Top 10 (2023). Because the scan is read-only, it validates surface risk without changing production behavior. Typical scan time is under one minute, using GET and HEAD methods plus text-only POST for LLM probes.
Detect common API misconfigurations and exposures
The scanner checks 12 categories covering authentication bypass, JWT misconfigurations such as alg=none or expired tokens, security header compliance, and WWW-Authenticate requirements. It probes for Broken Object Level Authorization (BOLA) via sequential ID enumeration and adjacent ID probing, and identifies Broken Function Level Authorization (BFLA) risks by testing admin endpoints and role/permission field leakage. Input validation checks include CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Data exposure findings highlight PII patterns, Luhn-validated card numbers, context-aware SSN formats, API key formats for AWS, Stripe, GitHub, and Slack, as well as error and stack-trace leakage. Encryption checks validate HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters and body fields, including active attempts to identify internal IP references. Inventory and unsafe consumption checks cover missing versioning, legacy paths, server fingerprinting, and an extended surface of third-party URLs and webhook endpoints.
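The data exposure checks above rely on validation to keep false positives down: a 16-digit order ID is not a card number unless it passes Luhn, and a 3-2-4 digit pattern is not an SSN unless the surrounding text says so. The following is an added example of that detection logic, not middleBrick's own code; the regular expressions, the 40-character context window, and the function names are assumptions made for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN shape AAA-GG-SSSS; only reported when a keyword appears just before it.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
SSN_CONTEXT = re.compile(r"ssn|social[ _-]?security", re.I)
CONTEXT_WINDOW = 40  # characters before the match to search (assumed value)

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so findings never store the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_exposures(body: str) -> list[tuple[str, str]]:
    """Scan a response body and return (kind, masked_value) findings."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order IDs, timestamps and similar digit runs
            findings.append(("card_number", mask(digits)))
    for m in SSN_RE.finditer(body):
        area, group, serial = m.groups()
        # Skip values that are structurally invalid as SSNs.
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        before = body[max(0, m.start() - CONTEXT_WINDOW):m.start()]
        if SSN_CONTEXT.search(before):  # context-aware: needs a nearby keyword
            findings.append(("ssn", mask(area + group + serial)))
    return findings

# Constructed sample response body (test values, not real data).
SAMPLE = (
    '{"order_id": "4111111111111112", "card": "4111 1111 1111 1111", '
    '"part_no": "123-45-6789", "ssn": "078-05-1120"}'
)
if __name__ == "__main__":
    print(find_exposures(SAMPLE))
```

Only the `card` and `ssn` fields are reported; `order_id` fails the Luhn check and `part_no` has no SSN keyword in the preceding window.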
OpenAPI and spec-aware analysis
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, unexpected sensitive fields, deprecated operations, and missing pagination. This helps you validate controls described in API documentation and supports audit evidence collection when compared to runtime behavior. By aligning spec intent with observed endpoints, the scanner highlights discrepancies that often lead to misconfigurations.
Authenticated scanning and safe credential handling
Authenticated scans, available at the Starter tier and above, support Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner uses a strict header allowlist, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach limits exposure while still enabling coverage of authenticated workflows. Continuous monitoring in the Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection for new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed with auto-disable after five consecutive failures.
LLM and AI security probes
The scanner includes an LLM / AI Security module with 18 adversarial probes across three scan tiers: Quick, Standard, and Deep. These probes target system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, and encoding bypasses such as base64 and ROT13. Additional checks include translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction. These tests help surface prompt-injection risks and model-consumption issues without executing destructive payloads.