Akto for Fintech

Financial applications process high-value transactions and highly sensitive personal data, requiring a security approach that balances depth with operational continuity. This scanner is a self-service API security tool designed for environments where uptime and data protection are critical. It performs black-box scans that require no code access, agents, or SDKs, and it supports any language, framework, or cloud deployment model. Scan duration is under one minute, using read-only methods plus text-only POST for LLM probes, ensuring production systems remain undisturbed while exposing surface risks.

The scanner evaluates APIs against the OWASP API Top 10 (2023), mapping findings directly to this framework to highlight common web API risks. It also aligns with security controls described in PCI-DSS 4.0 and supports audit evidence for SOC 2 Type II, helping teams demonstrate due diligence without claiming certification. Coverage includes authentication bypass, JWT misconfigurations such as alg=none or expired tokens, IDOR and BOLA via sequential ID enumeration, privilege escalation through role/permission leakage, and sensitive data exposure including PII, Luhn-validated card numbers, and API key formats like AWS, Stripe, GitHub, and Slack. Additional checks cover CORS wildcard configurations, dangerous HTTP methods, error and stack-trace leakage, missing encryption indicators, and SSRF indicators involving internal IP probing.

For deeper coverage, authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can run authenticated scans. The scanner uses a strict header allowlist, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. Read-only methods are strictly enforced, with destructive payloads never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and purged within 30 days of cancellation, with no use for model training.

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions, resolving recursive $ref elements and cross-referencing spec definitions against runtime behavior. This highlights mismatches such as undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination. For LLM-facing endpoints, it conducts 18 adversarial probes across Quick, Standard, and Deep scan tiers, testing for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction.

The Web Dashboard centralizes scan results, score trends, and report downloads with branded compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when scores drop below a configurable threshold. The MCP Server enables scanning from AI coding assistants including Claude and Cursor. For ongoing risk management, the Pro tier offers scheduled rescans every six hours, daily, weekly, or monthly, diff detection across scans, email alerts limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. The Enterprise tier provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.