Akto for Education
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring A–F with prioritized findings
- 12 security categories aligned to the OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with strict header allowlist
- LLM and AI security adversarial probes across tiers
Black-box API security assessment
This scanner operates as a black-box solution. It requires no agents, SDKs, or access to source code, making it applicable across languages, frameworks, and cloud environments. You submit an API endpoint, and in under a minute you receive a risk score from A to F with prioritized findings.
Detection coverage aligned to industry standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It checks authentication bypasses and JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims. It tests for Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR) via sequential ID enumeration and active adjacent-ID probing. It also probes for Broken Function Level Authorization (BFLA) and privilege escalation, over-exposed properties and mass-assignment surfaces, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate limiting headers and oversized responses, and data exposure including PII patterns and API key formats.
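To show what the JWT checks listed above look like as detection logic, here is an added example (not middleBrick's own code) that decodes a token's header and payload and flags alg=none, HS256 usage, an expired exp, missing required claims, and sensitive data in claims. The required-claim list, the sensitive-claim set, and the sample token are constructed for this example.

```python
import base64
import json
import time

# Claim names that should never be carried in a JWT payload (constructed list for this example).
SENSITIVE_CLAIMS = {"password", "ssn", "credit_card", "secret"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def audit_jwt(token: str, required_claims=("sub", "exp", "iat"), now=None) -> list:
    """Return one finding string per JWT misconfiguration detected in the token."""
    now = time.time() if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token is unsigned; the verifier must reject it")
    elif alg == "hs256":
        findings.append("HS256: shared-secret HMAC; prefer an asymmetric alg such as RS256 or ES256")
    if not parts[2]:
        findings.append("empty signature segment")
    for claim in required_claims:
        if claim not in payload:
            findings.append(f"missing claim: {claim}")
    if "exp" in payload and payload["exp"] < now:
        findings.append("expired: exp is in the past")
    for claim in payload:
        if claim.lower() in SENSITIVE_CLAIMS:
            findings.append(f"sensitive data in claims: {claim}")
    return findings


def encode_sample_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build a constructed test fixture; the signature segment is passed through unverified."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


if __name__ == "__main__":
    # Constructed sample: unsigned, expired, missing iat, and carrying a password claim.
    sample = encode_sample_token({"alg": "none", "typ": "JWT"},
                                 {"sub": "user1", "exp": 1000, "password": "hunter2"})
    for finding in audit_jwt(sample, now=2000):
        print(finding)
```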
OpenAPI analysis and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref entries, and cross-references the spec with runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Access is gated by domain verification through DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials. The scanner only forwards a strict header allowlist including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
LLM and AI Security probing
The scanner includes 18 adversarial probes across three scan tiers labeled Quick, Standard, and Deep. These probes target LLM and AI security through system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration techniques, cost exploitation, base64 and ROT13 encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.
Compliance mapping and monitoring
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The product supports audit evidence collection and helps you prepare for regulatory frameworks through alignment with the security controls described in those standards. The Pro tier adds scheduled rescans every six hours, daily, weekly, or monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive delivery failures.