APIsec for SaaS
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- Authenticated scanning with header allowlist
- Continuous monitoring and diff detection
- Integrations with CLI, GitHub Action, and MCP Server
Overview
middleBrick is a self-service API security scanner for environments where APIs are the primary product surface. Submit any reachable API URL and receive a risk score from A to F with prioritized findings. It operates in black-box mode, requiring no agents, SDKs, or code access, and works against any language, framework, or cloud stack. Scans typically complete in under one minute. Requests use read-only HTTP methods, plus text-only POST bodies for the LLM probes.
Detection scope aligned to standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023) and maps each finding to that standard, so the output can be read as evidence for or against the corresponding control. Coverage, applied across tiered scan depths, includes:
- Authentication bypasses and JWT misconfigurations
- Broken object level authorization (BOLA) and IDOR
- Broken function level authorization and privilege escalation
- Property-level authorization and over-exposed fields
- Input validation issues, including wildcard CORS origins
- Rate limiting and resource consumption indicators
- Data exposure, including PII and API key patterns
- Encryption and transport misconfigurations
- SSRF indicators
- Inventory management concerns
- Unsafe consumption surfaces
- LLM/AI security probes
The tool also parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution and cross-references the spec against observed runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
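The four spec-level checks named above (undefined security schemes, sensitive fields, deprecated operations, missing pagination) are straightforward to reproduce once $refs are resolved. The following is an added example written for this page, not middleBrick's own code: a small OpenAPI 3.x linter in plain Node.js. The sensitive-field regex, the pagination parameter names and the sample spec are assumptions made for the example; it resolves only local (`#/...`) references.

```javascript
// Added example (not middleBrick's code): a small OpenAPI 3.x spec linter in
// plain Node.js. It resolves local $refs recursively and then flags the four
// spec-level issues named above. Field-name patterns, pagination parameter
// names and the sample spec are all assumptions made for this example.

const SENSITIVE_FIELDS = /^(password|passwd|secret|ssn|api[_-]?key|token|credit[_-]?card|cvv)$/i;
const PAGINATION_PARAMS = new Set(['limit', 'offset', 'page', 'page_size', 'pageSize', 'cursor', 'after', 'before']);
const HTTP_METHODS = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options', 'trace'];

// Follow a local JSON Pointer such as "#/components/schemas/User" from the document root.
function derefPointer(root, ref) {
  if (!ref.startsWith('#/')) throw new Error(`only local $refs are supported: ${ref}`);
  return ref.slice(2).split('/').reduce((node, part) => {
    const key = part.replace(/~1/g, '/').replace(/~0/g, '~'); // JSON Pointer unescaping
    if (node === null || typeof node !== 'object' || !(key in node)) throw new Error(`unresolvable $ref: ${ref}`);
    return node[key];
  }, root);
}

// Replace every {$ref} with its target, recursively. `seen` holds the refs on the
// current path so a self-referential schema (User.manager -> User) terminates.
function resolveRefs(root, node = root, seen = new Set()) {
  if (Array.isArray(node)) return node.map((n) => resolveRefs(root, n, seen));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (seen.has(node.$ref)) return { description: `(circular reference to ${node.$ref})` };
    return resolveRefs(root, derefPointer(root, node.$ref), new Set([...seen, node.$ref]));
  }
  return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, resolveRefs(root, v, seen)]));
}

// Collect dotted paths of properties whose names look like secrets or PII.
function sensitiveFields(schema, path = '', out = []) {
  if (!schema || typeof schema !== 'object') return out;
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    const p = path ? `${path}.${name}` : name;
    if (SENSITIVE_FIELDS.test(name)) out.push(p);
    sensitiveFields(sub, p, out);
  }
  if (schema.items) sensitiveFields(schema.items, `${path}[]`, out);
  for (const k of ['allOf', 'oneOf', 'anyOf']) (schema[k] || []).forEach((s) => sensitiveFields(s, path, out));
  return out;
}

function lintSpec(rawSpec) {
  const spec = resolveRefs(rawSpec);
  const definedSchemes = new Set(Object.keys(spec.components?.securitySchemes || {}));
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op) continue;
      const where = `${method.toUpperCase()} ${path}`;
      // 1. A security requirement naming a scheme that components.securitySchemes never defines.
      const security = op.security !== undefined ? op.security : (spec.security || []);
      for (const req of security) {
        for (const name of Object.keys(req)) {
          if (!definedSchemes.has(name)) findings.push({ type: 'undefined-security-scheme', where, detail: name });
        }
      }
      // 2. An operation that is still published although marked deprecated.
      if (op.deprecated === true) findings.push({ type: 'deprecated-operation', where });
      const paramNames = [...(item.parameters || []), ...(op.parameters || [])].map((p) => p.name);
      for (const [status, resp] of Object.entries(op.responses || {})) {
        for (const media of Object.values(resp.content || {})) {
          // 3. Sensitive-looking field names anywhere in a response body schema.
          for (const f of sensitiveFields(media.schema)) {
            findings.push({ type: 'sensitive-field', where, detail: `${status} ${f}` });
          }
          // 4. A GET that returns a list but declares no pagination parameter.
          if (method === 'get' && media.schema?.type === 'array' && !paramNames.some((n) => PAGINATION_PARAMS.has(n))) {
            findings.push({ type: 'missing-pagination', where });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample spec: one defined scheme, one self-referential schema, one
// collection endpoint without pagination, one deprecated endpoint using an undefined scheme.
const SAMPLE_SPEC = {
  openapi: '3.0.3',
  info: { title: 'constructed sample', version: '1.0' },
  components: {
    securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer' } },
    schemas: {
      User: { type: 'object', properties: { id: { type: 'string' }, email: { type: 'string' },
        password: { type: 'string' }, manager: { $ref: '#/components/schemas/User' } } },
      UserList: { type: 'array', items: { $ref: '#/components/schemas/User' } },
    },
  },
  paths: {
    '/users': { get: { security: [{ bearerAuth: [] }],
      responses: { 200: { content: { 'application/json': { schema: { $ref: '#/components/schemas/UserList' } } } } } } },
    '/users/{id}': { parameters: [{ name: 'id', in: 'path' }],
      get: { security: [{ apiKeyAuth: [] }], deprecated: true,
        responses: { 200: { content: { 'application/json': { schema: { $ref: '#/components/schemas/User' } } } } } } },
  },
};

console.log(JSON.stringify(lintSpec(SAMPLE_SPEC), null, 2));
```

Against the sample spec this yields five findings: the unpaginated list endpoint and its exposed `password` field on GET /users, and on GET /users/{id} the undefined `apiKeyAuth` scheme, the deprecated flag, and the same `password` field. A spec-only pass like this is only the static half; the runtime cross-check the page describes still has to confirm which of these are reachable on the live API.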
Authenticated scanning and safety
Authenticated scanning is available from the Starter tier upward and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, so only the domain owner can submit credentials for a target. Only the Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded to the target; any other header submitted with a scan is dropped. Scanning uses read-only methods (plus the text-only POST bodies used by the LLM probes), and destructive payloads are never sent. Private IP ranges, localhost, and cloud metadata endpoints are blocked as scan targets at multiple layers. Customer data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
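The header allowlist and the target blocklist are the two controls in this paragraph that a scanner operator has to get exactly right, because the scanner itself is an SSRF primitive if they are wrong. The following is an added example for this page, not middleBrick's code: both guards as plain Node.js functions. The allowlisted header names are the ones listed above; the blocked hostnames, the treatment of the `.internal` suffix, and the sample inputs are assumptions made for the example.

```javascript
// Added example (not middleBrick's code): the two guards the paragraph above
// describes, as plain Node.js functions. The header allowlist follows the names
// listed on the page; the blocked-hostname list and the ".internal" suffix rule
// are assumptions made for this example.

const FORWARDED_EXACT = new Set(['authorization', 'x-api-key', 'cookie']);
const FORWARDED_PREFIX = 'x-custom-';

// Keep only the headers a customer is allowed to have forwarded to their API.
// Everything else (Host, X-Forwarded-For, tracing headers, ...) is dropped.
function filterForwardedHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (FORWARDED_EXACT.has(lower) || lower.startsWith(FORWARDED_PREFIX)) kept[name] = value;
  }
  return kept;
}

function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.map(Number);
}

// Returns a reason string if `ip` must never be contacted, otherwise null.
// Hostnames (no dots-and-digits, no colon) return null: they are decided by DNS, not here.
function isBlockedAddress(ip) {
  const v4 = parseIPv4(ip);
  if (v4) {
    const [a, b] = v4;
    if (a === 0 || a === 127) return `${ip} is loopback/unspecified`;
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return `${ip} is RFC 1918 private`;
    if (a === 100 && b >= 64 && b <= 127) return `${ip} is shared address space (100.64.0.0/10)`;
    if (a === 169 && b === 254) return `${ip} is link-local (AWS/Azure/GCP metadata live here)`;
    return null;
  }
  if (!ip.includes(':')) return null; // a DNS name, not an address literal
  const v6 = ip.toLowerCase();
  if (v6.startsWith('::ffff:')) { // IPv4-mapped IPv6: judge the embedded IPv4 address instead
    const rest = v6.slice(7);
    if (rest.includes('.')) return isBlockedAddress(rest);
    const [hi, lo] = rest.split(':').map((h) => parseInt(h, 16));
    return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (v6 === '::1' || v6 === '::') return `${ip} is IPv6 loopback/unspecified`;
  if (/^fe[89ab]/.test(v6)) return `${ip} is IPv6 link-local`;
  if (/^f[cd]/.test(v6)) return `${ip} is IPv6 unique-local (fd00:ec2::254 is the AWS IMDS v6 address)`;
  return null;
}

const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata.google.internal', 'metadata', 'instance-data']);

// Layer 1: reject on the literal URL. Layers 2 and 3 (not shown; they need a network)
// must run isBlockedAddress() again on every resolved address and on every redirect
// target, otherwise DNS rebinding or a 302 to 169.254.169.254 gets through.
function checkTarget(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return 'unparseable URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return `scheme ${url.protocol} is not allowed`;
  // WHATWG URL parsing already normalises "2130706433" and "0x7f.1" to 127.0.0.1;
  // IPv6 literals arrive in brackets, which are stripped here.
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith('.localhost') || host.endsWith('.internal')) {
    return `hostname ${host} is blocked`;
  }
  return isBlockedAddress(host);
}

// Constructed inputs.
const SUBMITTED_HEADERS = { Authorization: 'Bearer test-token', 'X-API-Key': 'k-123', 'X-Custom-Tenant': 'acme',
  'X-Forwarded-For': '203.0.113.9', Host: 'internal.example' };
console.log(filterForwardedHeaders(SUBMITTED_HEADERS));
for (const u of ['https://api.example.com/v1/users', 'http://169.254.169.254/latest/meta-data/',
  'http://2130706433/', 'http://[::ffff:7f00:1]/', 'http://metadata.google.internal/computeMetadata/v1/']) {
  console.log(u, '->', checkTarget(u) || 'allowed');
}
```

The point of the IPv4-mapped and decimal-host cases is that a blocklist matched against the string the user typed is not enough; the check has to run on the normalised host and again on whatever the resolver and any redirect actually return, which is what "blocked at multiple layers" has to mean in practice.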
Product capabilities and integrations
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package, exposes a single scan command with JSON or text output for scripting. A GitHub Action acts as a CI/CD gate and fails the build when the score drops below a configured threshold. An MCP Server lets AI coding assistants such as Claude and Cursor trigger scans. A programmable API supports custom integrations for continuous workflows.
Continuous monitoring and pricing
The Pro tier adds scheduled rescans every six hours, daily, weekly, or monthly, with diff detection across scans that surfaces new findings, resolved findings, and score drift. Email alerts are rate limited to one per hour per API. Webhooks are signed with HMAC-SHA256 and are auto-disabled after five consecutive delivery failures, so a receiver should verify the signature over the raw request body before acting on an alert.
Pricing:
- Free: 3 scans per month and CLI access
- Starter: US$99/month, 15 APIs, dashboard and alerts
- Pro: US$499/month, 100 APIs, continuous monitoring and CI/CD integrations
- Enterprise: US$2,000/month, unlimited APIs, custom rules and SSO
These tiers cover the use cases common to SaaS platforms that handle sensitive customer interactions and data exchanges.
Limitations and compliance framing
The tool does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, since that requires intrusive payloads outside its read-only scope. It does not detect business logic vulnerabilities or blind SSRF, and it does not replace a human pentester for high-stakes audits. The scanner helps you prepare for audits and aligns with the security controls described in PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). For other frameworks it surfaces findings that can serve as audit evidence for the controls those frameworks describe, but it is not a certified compliance solution.