New: Agentic AI Pentester for Enterprise — full recon, exploitation & chain probing

Your API has
vulnerabilities.
Find them in 60 seconds.

19 security plugins. AI-verified findings. Attack chain correlation. No false positives.

No credit card required
Free tier, always
MIT open-source CLI
Results in ~60 seconds
Dashboard preview (app.apiscan.ai/dashboard) — Security Dashboard, last scan 2 minutes ago
  Security Score: 6.2 (down from 7.1 last scan)
  Total Issues: 12 across 3 scans
  Critical: 2 (require immediate action)
  Last Scan: DONE in 58s

API Target         Severity   Finding                                  Status
api.example.com    CRITICAL   CORS + JWT → Account Takeover            Open
api.example.com    HIGH       JWT Algorithm Confusion (RS256→HS256)    Open
staging.internal   MEDIUM     Missing Security Headers (HSTS, CSP)     Fixed
staging.internal   LOW        Rate Limit Not Enforced on /api/auth     In Review
16 security plugins — OWASP API Top 10, full coverage
55+ individual checks — per scan, run in parallel
~60s time to first finding — from URL to full report
MIT open-source CLI — audit the scanner itself
How it works

From endpoint to report
in three steps.

STEP 01
Import your API
Paste a URL, upload an OpenAPI/Swagger spec, or fetch it directly from a URL. Works with REST, GraphQL, and any HTTP API.
apiscan scan \
  --url https://api.example.com \
  --spec openapi.yaml
STEP 02
Configure your scan
Choose plugins, add auth headers, confirm scope. Free tier runs 3 plugins. Pro unlocks all 16 with AI chain analysis.
plugins: [cors, jwt, bola, auth, ssrf]
auth: Bearer $API_TOKEN
scope_acknowledged: true
STEP 03
Get your report
AI chain analyzes every finding — removes false positives, verifies exploits, builds attack chains, generates fix code for your exact stack.
✗ CRITICAL: CORS + JWT → ATO
⚠ HIGH: RS256→HS256 confusion
✓ Remediation code generated
Features

Everything a security team needs.
In a tool developers actually use.

The AI chain does what manual review misses — correlating individual findings into multi-step attack paths.

AI Security Chain
Five-stage analysis pipeline: Triage removes false positives → Exploit verification confirms findings with live HTTP requests → Chain analysis builds multi-step attack paths → AI executive report with business impact and remediation roadmap.
01 · Scan   19 plugins · 38 HTTP probes
02 · Triage 9 signals → 6 confirmed · 3 FP removed
03 · Verify 6/6 HTTP-confirmed · PoC curls ready
04 · Chain  CORS+JWT → ATO · RateLimit → BruteForce
05 · Report Risk 8.7/10 · PDF + JSON ready · 58s
Pro & Enterprise
Framework-Aware Fix Code
Detects your stack from HTTP headers — Django, Express, Laravel, Spring, FastAPI, 15+ more. Generates the exact fix for your framework, not generic advice.
Shareable Live Reports
Share a secure URL with your team or client. 7-day TTL, PoC commands stripped for public view. One link — no login required for stakeholders.
One-Click Re-Test
Fixed a vulnerability? Re-test that specific finding in seconds. Closes the remediation loop without running a full scan again.
Vulnerability Reports

Every finding backed
by real HTTP proof.

Not alerts. Verified exploits with full request/response evidence, curl reproduction steps, and framework-specific remediation code.

Critical — CORS Policy
Arbitrary Origin Reflection Enables Cross-Site Request Forgery
GET https://api.example.com/v1/ · OWASP API8:2023
The API reflects any arbitrary Origin header in the Access-Control-Allow-Origin response header with credentials enabled. An attacker can host a malicious page that reads authenticated API responses from any victim who visits it.
curl command

curl https://api.example.com/v1/ \
  -H "Origin: https://attacker.com" \
  -H "Cookie: session=victim_token" -v

← HTTP/2 200
← Access-Control-Allow-Origin: https://attacker.com
← Access-Control-Allow-Credentials: true

Remediation
1. Define an explicit allowlist of trusted origins. Never reflect the request Origin header directly.
2. Set Access-Control-Allow-Origin to a specific domain, not a dynamic reflection or wildcard with credentials.
Per-finding breakdown: Critical 2 · High 3 · Medium 4 · Low / Info 3
fastapi / middleware

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

# Only the listed origin is ever returned; the request Origin is never reflected.
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
)
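To make the finding and its remediation concrete outside any one framework, here is an added Python example (not apiscan's code and not from the original page): the reflecting misconfiguration the finding describes, next to an allowlist-based replacement, plus a checker that classifies a response's CORS headers the way the report above does. The origins https://app.example.com, https://admin.example.com and https://untrusted.example, and all function names, are assumptions made for this example.

```python
"""Added example (not apiscan's code): an allowlist-based CORS decision
beside the reflecting misconfiguration the finding describes, plus a
checker that classifies a response's CORS headers. All origins and
header values here are constructed for the demonstration."""
from typing import Dict, Mapping, Optional

# Explicit allowlist of exact origins (scheme + host [+ port]).
# Constructed for this example; substitute your own front-end origins.
TRUSTED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_reflecting(request_origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration from the finding: echo whatever Origin arrived
    and allow credentials. Kept only so the checker below has a bad case."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin: Optional[str]) -> Dict[str, str]:
    """Hardened form: the Origin is echoed only if it is an exact member of
    TRUSTED_ORIGINS. Anything else gets no CORS headers at all, so the
    browser will not expose the response to the calling page."""
    if request_origin is None or request_origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches that the response varies with the request Origin.
        "Vary": "Origin",
    }


def classify_cors(probe_origin: str, headers: Mapping[str, str]) -> str:
    """Classify the CORS policy of a response to a request that carried
    `probe_origin`, which must be an origin the API should NOT trust
    (a single response cannot otherwise distinguish reflection from
    allowlist membership). Header names are matched case-insensitively.

    Returns:
      "reflected-with-credentials"  the finding on this page
      "reflected"                   untrusted origin echoed, no credentials
      "wildcard-with-credentials"   '*' plus credentials; browsers reject
                                    the combination, but it still signals
                                    a misconfigured policy
      "wildcard"                    '*' without credentials
      "fixed-origin"                a specific, non-echoed origin returned
      "none"                        no Access-Control-Allow-Origin header
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none"
    acao = acao.strip()
    if acao == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == probe_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-origin"


def demo() -> Dict[str, str]:
    """Run the checker against both handlers with a constructed untrusted
    probe origin and return the verdicts keyed by handler name."""
    probe = "https://untrusted.example"   # constructed; must not be trusted
    return {
        "reflecting": classify_cors(probe, cors_headers_reflecting(probe)),
        "allowlisted": classify_cors(probe, cors_headers_allowlisted(probe)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The checker only gives a meaningful answer when the probe origin is one the API has no reason to trust; an allowlisted origin being echoed back is correct behaviour, not reflection. The allowlist function deliberately returns no CORS headers for unknown origins rather than a fixed fallback, and adds Vary: Origin so a shared cache never serves one origin's CORS response to another.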
Integrations

Fits into your pipeline.
No friction.

REST API, webhooks, CLI — everything you need to gate deployments on security.

CI/CD & Automation
GitHub Actions
PR security gate
GitLab CI
Pipeline step
Docker
Container-native
Kubernetes
Pre-deploy hook
Webhooks
HMAC-signed events
REST API
Full automation
Alerts & Notifications
Telegram
Bot scan alerts
Discord
Channel webhook
Slack
Findings to channel
MS Teams
Team notifications
Email
Scan complete alerts
PagerDuty
Incident routing
Issue Tracking
Linear
Auto-create issues
GitHub Issues
Issues from findings
Jira
Auto-create tickets
Webhooks
Any endpoint
Splunk
SIEM integration
Datadog
Security monitoring
GitHub Actions

- name: API Security Scan
  uses: apiscan/scan-action@v1
  with:
    target-url: ${{ secrets.API_URL }}
    api-key: ${{ secrets.APISCAN_KEY }}
    fail-on: critical,high
    plugins: all
Pricing

Start free.
Scale with your team.

Billing: Monthly or Annual (save ~20%)
Free
$0
Forever free. Start scanning immediately — no credit card.
3 plugins (TLS, Headers, CORS)
5 scans / month
JSON results
AI chain analysis
PDF reports
Get started free
Enterprise
$ 299 /mo
Unlimited scans, 5 seats, AI pentesting.
Everything in Pro
Unlimited scans · 5 seats
AI Intelligence Mode
Standalone AI Pentester
10 webhooks + SLA
Priority support
Contact sales

Start scanning your API today.

Free tier. No credit card. First finding in 60 seconds.