Akto as an API security scanner

What middleBrick covers

  • Black-box scanning with risk scores and prioritized findings
  • Detection aligned to OWASP API Top 10, PCI-DSS, SOC 2
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Authenticated scans with strict header allowlisting
  • Continuous monitoring with diff detection and webhook alerts
  • Integrations including dashboard, CLI, GitHub Action, MCP

Black-box API security scanning

This tool is a self-service API security scanner that operates as a black-box solution. You submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. It requires no agents, no SDK integration, and no access to source code, making it applicable to any language, framework, or cloud environment. Scans complete in under a minute using read-only methods such as GET and HEAD, with text-only POST used only for LLM probe checks.

Detection coverage aligned to standards

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). It maps findings to this standard to validate controls relevant to API security. Detection capabilities include authentication bypass and JWT misconfigurations, BOLA and IDOR via sequential and adjacent ID probing, BFLA and privilege escalation attempts, property over-exposure and mass assignment surface, input validation issues such as CORS wildcard usage and dangerous HTTP methods, rate limiting and resource consumption signals, data exposure patterns including PII and API key formats, encryption misconfigurations, SSRF indicators, and inventory management deficiencies. It also covers unsafe consumption surfaces and LLM/AI security through multi-tier adversarial probes. Findings are additionally aligned to PCI-DSS 4.0 and SOC 2 Type II for compliance framing.

OpenAPI and authenticated scanning

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials. The scanner forwards a strict allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.

Continuous monitoring and integrations

Pro tier features enable scheduled rescans at intervals of six hours, daily, weekly, or monthly. It provides diff detection across scans to surface new findings, resolved items, and score drift. Notifications include rate-limited email alerts, HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures, and optional Slack or Teams alerts. Integrations include a web dashboard for report review and score trends, a CLI via the middlebrick npm package, a GitHub Action for CI/CD gating, and an MCP server for use with AI coding assistants. Custom integrations are supported through an API client.
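The HMAC-SHA256 signed webhooks described above are only useful if the receiving endpoint actually verifies the tag before acting on an alert. The following is an added example of that receiver-side check, not middleBrick's own code; it assumes the tag is the hex HMAC-SHA256 of the raw request body carried in an X-Signature header, and uses a constructed secret and payload, none of which the page specifies.

```python
import hashlib
import hmac
import json

# Assumed header name; the page does not state how the tag is carried.
SIGNATURE_HEADER = "x-signature"

# Constructed sample secret and delivery (not real middleBrick data).
SECRET = b"whsec_constructed_example"
BODY = b'{"scan_id":"constructed-1","score":"B","new_findings":2}'


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Tag the sender would attach: hex HMAC-SHA256 over the raw body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Accept a delivery only if the presented tag matches the raw body.

    The HMAC is computed over the bytes exactly as received, before any JSON
    parsing or re-serialisation, and compared with a constant-time function
    so a mismatch does not leak how many leading characters matched.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER)
    if not presented:
        return False  # unsigned delivery: treat as untrusted
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected.encode(), presented.strip().lower().encode())


def demo() -> dict:
    """Show the common outcomes: genuine, tampered, re-serialised, unsigned."""
    tag = sign_payload(SECRET, BODY)
    # Parsing then dumping changes whitespace, so the bytes no longer match:
    # this is why the check must run on the raw body, not a reconstruction.
    reserialised = json.dumps(json.loads(BODY)).encode()
    return {
        "genuine": verify_webhook(SECRET, {"X-Signature": tag}, BODY),
        "tampered": verify_webhook(SECRET, {"X-Signature": tag}, BODY + b" "),
        "reserialised": verify_webhook(SECRET, {"X-Signature": tag}, reserialised),
        "unsigned": verify_webhook(SECRET, {}, BODY),
        "wrong_secret": verify_webhook(b"other", {"X-Signature": tag}, BODY),
    }


if __name__ == "__main__":
    print(demo())
```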

Limitations and data safety

The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain-specific human review. Blind SSRF is out of scope due to the absence of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits. Customer data is deletable on demand and purged within 30 days of cancellation. Scan data is never sold or used for model training.

Frequently Asked Questions

What standards does the scanner map findings to?
It maps findings directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. For other frameworks, its reports can serve as audit evidence to support alignment with the security controls those frameworks describe.
Can authenticated scans be performed?
Yes, authenticated scans are supported with Bearer, API key, Basic auth, and cookies. Domain ownership must be verified before credentials are accepted.
Does the tool perform active exploitation such as SQL injection?
No. It focuses on read-only detection and does not perform active SQL injection or command injection testing.
What happens to scan data after account cancellation?
Scan data can be deleted on demand and is purged within 30 days of cancellation. It is not retained for model training or sold to third parties.