API Security Review
Free API Security Review (OWASP API Top 10 2023, OAuth, GraphQL, LLM)
A senior-engineer-verified review of your OpenAPI / Swagger, GraphQL, gRPC, and API gateway configuration (AWS API Gateway, Azure APIM, Apigee, Kong, Tyk, Envoy / Istio) - mapped to OWASP API Top 10 (2023), ASVS Level 2, OWASP LLM Top 10, and NIST 800-204. Combines static spec analysis (42Crunch, Spectral), schema-driven fuzzing (Schemathesis, Akto, ZAP, Burp), and manual review of authn, authz, rate limiting, and bot defence.
- Covers REST (OpenAPI / Swagger), GraphQL, gRPC, WebSockets, AsyncAPI, webhooks, and LLM endpoints - across AWS API Gateway, Azure APIM, Apigee, Kong, Tyk, Mulesoft, and Envoy / Istio
- Combines 42Crunch, Spectral, Schemathesis, Akto, StackHawk, OWASP ZAP, Burp, and GraphQL tooling - mapped to OWASP API Top 10 (2023), ASVS Level 2, OWASP LLM Top 10, and NIST 800-204
- Senior security engineer manually models authorisation per endpoint to find BOLA / IDOR, BFLA, and broken object property authorisation - typical first review surfaces 5-15 high-severity findings
- No production access required
- Specs and non-prod environments only
- Senior security-engineer verified
- Live findings walkthrough included
What We Review Across Your API Surface
Six areas - specs, authentication, schema validation, authorisation, rate limiting, and inventory - mapped to the OWASP API Top 10 (2023), OWASP ASVS Level 2, OWASP LLM Top 10, and NIST 800-204.
OWASP API Security Top 10 (2023) & ASVS Coverage
Systematic evaluation against API1 BOLA / IDOR, API2 Broken Authentication, API3 Broken Object Property Level Authorization, API4 Unrestricted Resource Consumption, API5 BFLA, API6 Sensitive Business Flows, API7 SSRF, API8 Security Misconfiguration, API9 Improper Inventory, API10 Unsafe Consumption - plus OWASP ASVS Level 2.
OAuth 2.1, OIDC, JWT, mTLS & FAPI 2.0 Review
Audits OAuth 2.0 / 2.1 grant-type selection (auth code with PKCE), OIDC implementation, JWT validation (alg confusion, kid injection, missing aud / iss / exp checks), refresh-token rotation, scope enforcement, mTLS for service-to-service, and FAPI 2.0 conformance for open banking, healthcare, and fintech APIs.
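The JWT checks listed above, shown as one stdlib-only verifier. This is an added illustration, not the reviewer's tooling or any real library: the HS256 key allowlist, the kid values and the issuer / audience strings are constructed for the demo, and `make_token` exists only so that tokens (including deliberately bad ones) can be minted locally.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys keyed by kid (assumption: a fixed server-side allowlist).
KEYS = {"k1": b"demo-secret-key-1", "k2": b"demo-secret-key-2"}
EXPECTED_ALG = "HS256"  # pinned by the verifier, never taken from the token header

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, kid: str, alg: str = EXPECTED_ALG) -> str:
    """Mint a demo HS256 token; 'alg' is overridable only so that bad tokens can be built."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(b))
    except ValueError:  # covers unpack errors, bad base64 and bad JSON
        raise ValueError("malformed token")
    if header.get("alg") != EXPECTED_ALG:  # blocks alg=none and alg confusion
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))  # opaque allowlist lookup; no path or SQL built from kid
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims

def is_valid(token: str, issuer: str, audience: str, now=None) -> bool:
    try:
        verify_jwt(token, issuer, audience, now)
        return True
    except ValueError:
        return False
```

The signature is checked before any claim is trusted, and a missing `exp` is treated as a failure rather than as "never expires".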
Schema Validation, Fuzzing & Injection Testing
Validates request / response schema enforcement, runs schema-driven fuzzing (Schemathesis, RESTler), dynamic testing (Akto, StackHawk, OWASP ZAP, Burp), and tests for SQL / NoSQL / LDAP / SSTI / XXE / SSRF / command injection. GraphQL APIs also tested for query depth and cost abuse, batching attacks, and introspection leakage.
BOLA / IDOR, BFLA & Sensitive Data Exposure
Manually models authorisation per endpoint to find Broken Object Level Authorization (BOLA / IDOR - the #1 API vulnerability), BFLA, and broken object property authorisation (mass assignment, over-fetching). Identifies excessive-data responses and PII / PHI / cardholder data leakage in error messages and logs.
Rate Limiting, Bot Defence & Business-Logic Abuse
Reviews per-user / per-IP / per-endpoint / per-tenant rate limits, bot defence (Cloudflare Bot Management, AWS WAF Bot Control, Akamai, DataDome, Arkose, hCaptcha), credential-stuffing protection, account-takeover detection, payment-flow abuse, and WAF rule coverage (OWASP CRS) at the gateway, CDN, and application layers.
API Inventory, Versioning, Shadow APIs & LLM Top 10
Identifies undocumented endpoints, shadow APIs, deprecated v1 endpoints still serving traffic, and inventory drift between code and gateway. Maps versioning, deprecation, and EOL policy. For LLM-backed APIs, adds OWASP LLM Top 10 coverage - prompt injection, insecure output handling, sensitive disclosure, excessive agency, and model DoS.
How It Works
Register & Share API Specs
Provide your OpenAPI 3 / Swagger 2, GraphQL schemas (SDL or introspection JSON), gRPC .proto files, Postman collections, or API gateway export (AWS API Gateway, Azure APIM, Apigee, Kong, Tyk, Mulesoft). Optionally grant read-only access to a non-production environment for dynamic testing - production access is never required.
Automated Spec & Schema-Driven Scan
We run static spec analysis (42Crunch, Stoplight Spectral), schema-driven fuzzing (Schemathesis, RESTler, Akto), DAST (OWASP ZAP, Burp), and GraphQL tooling (Inspector, InQL, Cop) against your specs and any non-prod environment - mapped to OWASP API Top 10 (2023) and ASVS Level 2.
Senior Security Engineer Manual Review
A senior security engineer manually models authorisation per endpoint to find BOLA / IDOR, BFLA, and broken object property authorisation that no scanner catches; reviews the OAuth 2.1 / OIDC / JWT / mTLS implementation; analyses business-logic abuse and bot-defence coverage; and writes each recommendation as a code-level fix for the affected endpoint.
Receive Report & Live Debrief
Get your API Security Score mapped to OWASP API Top 10 (2023), per-endpoint findings with severity, code-level remediation, WAF / API gateway hardening plan, OAuth / OIDC / JWT backlog, and shadow-API inventory - within 3-5 business days, plus a 45-minute live walkthrough.
What You Get
Your report will include the following deliverables.
Find the API endpoint an attacker (or AI agent) is going to abuse next.
Get a senior-engineer-verified API Security Report mapped to OWASP API Top 10 (2023), OWASP LLM Top 10, and OWASP ASVS - covering REST, GraphQL, gRPC, and LLM endpoints. No production access required, completely free.
How We Handle Your API Specs & Test Data
An API security review must never become an API incident. Here is exactly what we read - and what never leaves your environment.
Specs and Non-Prod Environments Only
We work from your OpenAPI / Swagger / GraphQL / gRPC specs and an optional non-production environment with synthetic test data. Production access is never required and never requested. If dynamic testing against a staging environment is in scope, traffic is rate-limited and pre-coordinated with your team so it never affects shared services.
No Customer Data in Tests
All dynamic testing uses synthetic accounts and synthetic test data - we never authenticate as a real customer, never query real PII / PHI / cardholder records, and never send traffic to production endpoints. Spec analysis is fully static and runs in an isolated sandbox with no outbound network access except to your test environment.
Auto-Revoked & Destroyed After Review
As soon as your API Security Report is delivered, every test credential is revoked, the analysis sandbox is destroyed, and your specs and any captured traffic are deleted. Only aggregate, anonymised findings are retained for QA - never endpoint paths, customer identifiers, or schema details.
Frequently Asked Questions
The most common questions we hear from teams running this assessment.
Do you need production access? What about customer data?
No production access is required and none is requested. The static review works from your OpenAPI / Swagger / GraphQL / gRPC specs alone. If dynamic testing is in scope it runs against a non-production environment with synthetic accounts and synthetic test data - we never authenticate as a real customer, never query real PII / PHI / cardholder records, and never send traffic to production endpoints. Test traffic is rate-limited and pre-coordinated with your team.
Which API types and gateways do you support?
REST (OpenAPI 3, Swagger 2), GraphQL (SDL or introspection), gRPC (.proto), Connect, WebSockets, Server-Sent Events, AsyncAPI / event-driven APIs, outbound webhooks, and LLM / agentic API endpoints. Across AWS API Gateway, Azure API Management, Google Apigee and Cloud Endpoints, Kong, Tyk, Mulesoft Anypoint, WSO2, Envoy / Istio / Linkerd service mesh, Solo Gloo, Cloudflare API Gateway, or direct application exposure.
Why do you focus so much on BOLA / IDOR? Don't scanners catch that?
BOLA / IDOR (API1 in OWASP API Top 10 2023) is the most common and highest-impact API vulnerability - and it is the one scanners struggle with most because it requires understanding object ownership and authorisation logic, not just spec compliance. A senior security engineer manually models authorisation per endpoint with multiple test users across multiple tenants to find BOLA, BFLA (function-level), and broken object property authorisation (mass assignment, over-fetching) that no automated tool catches. This is typically where 60-80% of high-severity findings come from.
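The per-endpoint authorisation modelling described in this answer (and in the BOLA / IDOR section above), as an added example that is not the reviewer's own harness: a BOLA-prone handler beside its fixed form, a BFLA guard on a destructive action, and a matrix runner that drives every test user against every object and reports the pairs that succeed when the expected policy says they must not. Tenants, users and invoices are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    role: str  # "member" or "admin"

class Forbidden(Exception): pass

# Constructed sample data: two tenants, three invoices, three test users.
INVOICES = {"inv-1": {"tenant": "acme", "amount": 120},
            "inv-2": {"tenant": "acme", "amount": 80},
            "inv-3": {"tenant": "globex", "amount": 500}}
USERS = [User("alice", "acme", "member"), User("bob", "acme", "admin"),
         User("carol", "globex", "member")]

def get_invoice_vulnerable(caller: User, invoice_id: str) -> dict:
    """BOLA: the caller is authenticated, but object ownership is never checked."""
    return INVOICES[invoice_id]

def get_invoice_fixed(caller: User, invoice_id: str) -> dict:
    """Object-level check: resolve the object within the caller's tenant only."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["tenant"] != caller.tenant:
        raise Forbidden(invoice_id)  # same answer for missing and foreign objects
    return inv

def delete_invoice_fixed(caller: User, invoice_id: str) -> None:
    """BFLA guard (role) layered on top of the object-level check."""
    get_invoice_fixed(caller, invoice_id)
    if caller.role != "admin":
        raise Forbidden("admin role required")

def may_read(caller: User, invoice_id: str) -> bool:  # expected policy, kept independent of handlers
    return INVOICES[invoice_id]["tenant"] == caller.tenant

def may_delete(caller: User, invoice_id: str) -> bool:
    return may_read(caller, invoice_id) and caller.role == "admin"

def authz_findings(handler, policy, users=USERS, objects=INVOICES) -> list:
    """Return (user, object) pairs that handler allows but policy forbids: one finding each."""
    findings = []
    for user in users:
        for oid in objects:
            try:
                handler(user, oid)
            except Forbidden:
                continue
            if not policy(user, oid):
                findings.append((user.id, oid))
    return findings
```

Running the matrix against the vulnerable handler lists every cross-tenant read; against the fixed handlers it comes back empty, which is the evidence the review attaches to each endpoint.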
Do you cover GraphQL-specific vulnerabilities?
Yes. GraphQL coverage adds query depth and cost analysis (denial of service via deeply-nested queries), batching attacks, alias abuse, introspection leakage in production, field-suggestions disclosure, broken authorisation at the field and resolver level (a major GraphQL gap because authorisation must run per-resolver, not per-endpoint), persisted query enforcement, and cost-budget rate limiting. We use GraphQL Inspector, InQL, GraphQL Cop, and GraphQL Voyager alongside manual schema review.
Do you cover LLM-backed APIs and agent endpoints?
Yes. For LLM / agentic API endpoints we add OWASP LLM Top 10 coverage - prompt injection (direct and indirect), insecure output handling, training-data poisoning risk, model denial of service, supply-chain risk, sensitive information disclosure in completions, insecure plugin / tool / MCP-server design, excessive agency in tool calling, overreliance on model output, and model theft. Combined with the standard OWASP API Top 10 review of the surrounding API surface, this is one of the only audits today that treats AI agent endpoints as the high-risk APIs they are.
How do you assess WAF and bot defence?
We review WAF rule coverage at the gateway, CDN, and origin layers (AWS WAF including Bot Control, Cloudflare WAF + Bot Management, Azure Front Door + WAF, Akamai App and API Protector, Imperva, F5 Distributed Cloud, OWASP CRS), bot defence and CAPTCHA strategy (DataDome, Arkose, hCaptcha, Cloudflare Turnstile), credential-stuffing and account-takeover protection, scraping defence, and per-tenant rate-limiting strategy. The output is a concrete WAF rule-set and bot-defence configuration plan - not just a list of CVEs.
Will the dynamic testing affect our staging environment?
No. Dynamic testing is rate-limited (configurable, typically 5-20 req/s per endpoint), pre-coordinated with your team, scheduled outside high-traffic windows, and uses synthetic accounts only. We can pre-coordinate with your detection team if your SIEM / WAF will flag the activity, and we always pause if any shared dependency starts showing impact.
How long until we receive the report?
Typical turnaround is 3-5 business days from spec delivery (and from non-prod access if dynamic testing is in scope), plus a 45-minute live findings walkthrough at a time that suits your security and engineering leads. Larger surfaces with hundreds of endpoints across REST, GraphQL, and gRPC can take a little longer; we confirm the timeline as soon as we see the scope.
Register for Your Free API Security Review
Fill out the form below and our team will get back to you within 2 business days.