Akto for Mid-market companies
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Pro tier continuous monitoring and diff detection
Purpose and scope of API security scanning
This tool is a self-service API security scanner designed to surface security issues early in development and pre-deployment. You submit an API endpoint URL and receive a risk score with prioritized findings within a minute. The scanner operates as a black-box solution, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud environment. It uses read-only methods (GET and HEAD) and text-only POST for LLM probes, ensuring no destructive payloads are ever sent.
Detection coverage aligned to industry standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023):
- Authentication bypass and JWT misconfigurations
- Broken Object Level Authorization
- Broken Function Level Authorization
- Property Authorization exposure
- Input Validation issues such as CORS misconfigurations and dangerous HTTP methods
- Rate Limiting and Resource Consumption risks
- Data Exposure, including PII and API key patterns
- Encryption and transport security
- SSRF indicators
- Inventory Management concerns
- Unsafe Consumption surfaces
- LLM / AI Security adversarial probes
Findings map directly to OWASP API Top 10 (2023) and support controls relevant to PCI-DSS 4.0 and SOC 2 Type II.
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans, available at the Starter tier and above, support Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced via DNS TXT records or an HTTP well-known file, so only the domain owner can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integration options
With Pro tier, you can schedule rescans every 6 hours, daily, weekly, or monthly to track score trends over time. Diff detection highlights new findings, resolved findings, and score drift between scans. You receive email alerts at a rate-limited cadence of 1 per hour per API, and HMAC-SHA256 signed webhooks notify external systems with auto-disable after 5 consecutive failures. Integrations include a Web Dashboard for reports and trend tracking, a CLI via the middlebrick npm package, a GitHub Action for CI/CD gating, and an MCP Server for AI coding assistants. Programmatic access is available through an API client for custom integrations.
Limitations and responsible usage
The scanner does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that depends on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. These limitations are documented so you can plan complementary testing strategies.