Post-incident API security check

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring and prioritized findings in under a minute
  • Detection aligned to OWASP API Top 10, PCI-DSS 4.0, and SOC 2
  • OpenAPI 3.x/2.0 parsing with runtime spec comparison
  • Authenticated scanning with header allowlist and domain verification
  • Continuous monitoring and diff-based alerting

Immediate priorities after an incident

After an API-related incident, stabilize the environment and verify that the public interface is still under your control. Use a read-only scanner to re-enumerate the surface without making changes. The tool accepts a URL and returns a risk score with prioritized findings in under a minute, using only GET and HEAD methods plus text-only POST for LLM probes.

Mapping findings to compliance frameworks

The scanner maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For every finding, you receive specific guidance on how the result aligns with security controls described in these frameworks. This supports audit evidence collection without implying certification or guarantees of compliance.

Additional regulations are treated with alignment language only. The tool helps you prepare for audits, supports audit evidence for reviews, and surfaces findings relevant to controls, while avoiding any claim of meeting requirements for HIPAA, GDPR, ISO 27001, NIST, CCPA, or other external regimes.

Detection scope for post-incident review

The scan covers 12 categories aligned to the OWASP API Top 10. Authentication checks cover multi-method bypass and JWT misconfigurations such as alg=none, HS256, expired claims, and sensitive data in claims. Authorization flaws such as BOLA (broken object level authorization) and BFLA (broken function level authorization) are detected through sequential ID enumeration and admin endpoint probing, while property over-exposure and mass-assignment surfaces are identified through schema comparison.

Input validation checks include CORS wildcard usage, dangerous methods, and debug endpoints. Rate limiting, data exposure patterns (emails, Luhn-validated cards, SSN variants), and API key formats (AWS, Stripe, GitHub, Slack) are flagged. Infrastructure issues such as SSRF and server fingerprinting are also covered, alongside LLM/AI security probes that test for prompt injection, data exfiltration, and token smuggling across multiple scan tiers.
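A read-only check for the JWT misconfigurations listed above (alg=none, HS256, expired claims, sensitive data in claims), added here as an illustration and not middleBrick's own code; the token builder and the claim-name list are constructed for the example.

```python
import base64
import json
import time

# Claim names that should not travel inside a bearer token (constructed list)
SENSITIVE_CLAIMS = {"password", "ssn", "card", "secret", "email"}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_token(header, claims):
    # Test fixture only: the third segment is a fixed placeholder, not a signature
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder"])


def inspect_jwt(token, now=None):
    """Read-only inspection of a JWT observed in traffic: parse header and
    claims without verifying or altering the token, return finding labels."""
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: header or claims are not base64url-encoded JSON"]
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append("alg=none or empty signature: token is unsigned")
    elif alg.startswith("hs"):
        findings.append(alg.upper() + ": symmetric algorithm; confirm the server "
                        "pins the algorithm and the shared secret is high-entropy")
    now = int(time.time()) if now is None else now
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] < now:
        findings.append("expired: exp is in the past")
    sensitive = sorted(k for k in claims if k.lower() in SENSITIVE_CLAIMS)
    if sensitive:
        findings.append("sensitive data in claims: " + ", ".join(sensitive))
    return findings
```

Pass a fixed `now` when running this over captured tokens so results are reproducible across reviews.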

OpenAPI analysis and authenticated scanning

During a post-incident review, the scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Discrepancies between documented and observed behavior often indicate misconfigurations introduced during incident response.

Authenticated scanning requires domain verification and supports Bearer, API key, Basic auth, and cookies. Only specific headers are forwarded, and credentials can be restricted to your domain through DNS TXT or HTTP well-known file verification. This ensures that authenticated checks are safe and scoped to your environment.

Remediation workflow and ongoing monitoring

Use the dashboard to track score trends, download branded compliance PDFs, and manage findings across APIs. The CLI allows repeatable scans from the command line, and the GitHub Action can gate CI/CD when scores drop below a defined threshold. For recurring coverage, the Pro tier provides scheduled rescans, diff detection across scans, and rate-limited email alerts.

Signed webhooks notify external systems of significant changes, with auto-disable after repeated failures to prevent notification storms. Continuous monitoring helps you correlate fixes with risk reduction after an incident, while respecting that the tool detects and reports only and does not perform active exploitation or automated remediation.

Frequently Asked Questions

Can the scanner fix the issues it finds?
No. The tool detects and reports with remediation guidance. It does not patch, block, or remediate findings.

Does it perform intrusive tests like SQL injection?
No. It uses read-only methods and does not send destructive payloads or perform active SQL injection or command injection.

How are compliance frameworks referenced in reports?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Other frameworks are referenced only as alignment and support for audit evidence.

Can authenticated scans be safely run in production?
Yes, authenticated scans are read-only and use safe methods. Domain verification ensures credentials are used only by authorized owners.