Find what attackers find.
Before they do.

Evidence-based findings. AI attack chain correlation. Exploit verification at 95%+ confidence.

$

api.example.com staging.yourapp.io/api graphql.service.com

Upload OpenAPI / Swagger spec for deeper, semantic scanning PRO

I confirm I am authorized to perform security testing on this target. Unauthorized scanning is illegal.

Included plugins:

View pricing & all features →

Results in ~60s

16 plugins run in parallel. Full results in one shot.

Evidence-Based

Every finding backed by real HTTP request/response proof.

OWASP Top 10

All 10 categories covered. No blind spots.

Scanning in progress

0 / 0

plugins complete

Scan Complete

Transparent Pricing

Simple, honest pricing

Start free. Upgrade when you need more.

Monthly

Annual Save 17%

Free

$0/month

For trying it out. No credit card.

5 scans / month
3 plugins (TLS, Headers, CORS)
JSON export
Basic findings list
1 free full Pro demo scan
AI analysis & chain correlation
PDF & HTML reports
API keys for CI/CD
All 16 plugins

Dashboard

Your API security posture at a glance

Security Score

—

/10

Total Scans

—

Open Critical

—

Total Findings

—

Recent Scans Refresh

Loading…

Quick Scan

Runs all your plan's security checks against the target URL.

Findings Trend (last 7 scans)

Integrations & API

Embed ApiScan into your CI/CD pipeline, automate scans via the REST API, and receive real-time webhook notifications.

API Keys

Use X-API-Key: sf_live_... to authenticate any API request

Loading…

REST API — Trigger a Scan

Authenticate with your API key. All endpoints available at app.apiscan.ai.

# Start a scan
curl -X POST https://app.apiscan.ai/api/scan \
  -H "X-API-Key: sf_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://api.yourapp.com"}'

# Poll for results
curl https://app.apiscan.ai/api/scan/{scan_id} \
  -H "X-API-Key: sf_live_your_key"

Python

import requests, time

API_KEY = "sf_live_your_key"
HEADERS = {"X-API-Key": API_KEY}

r = requests.post("https://app.apiscan.ai/api/scan",
    headers=HEADERS, json={"url": "https://api.yourapp.com"})
scan_id = r.json()["id"]

while True:
    result = requests.get(f"https://app.apiscan.ai/api/scan/{scan_id}",
        headers=HEADERS).json()
    if result["status"] == "completed": break
    time.sleep(3)

findings = result["findings"]
critical = [f for f in findings if f["severity"] == "CRITICAL"]
if critical:
    raise SystemExit(f"🚨 {len(critical)} CRITICAL finding(s) — failing build")

GitHub Action — Scan on Every PR

Use Apiscan/secforge-action@v1 — posts PR comments, uploads to GitHub Security tab, blocks merges on CRITICAL.

# .github/workflows/apiscan.yml
name: API Security Scan
on: [pull_request]
jobs:
  apiscan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # SARIF → GitHub Security tab
      pull-requests: write   # PR comment
    steps:
      - uses: actions/checkout@v4
      - uses: Apiscan/secforge-action@v1
        with:
          url: https://api.example.com
          fail-on: CRITICAL
          api-key: ${{ secrets.APISCAN_API_KEY }}

Verify Webhook Signatures

Always verify the X-ApiScan-Signature header.

import hmac, hashlib

def verify_signature(body: bytes, secret: str, sig_header: str) -> bool:
    expected = "sha256=" + hmac.new(
        secret.encode(), body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, sig_header)

Full Pentest Engagement · Enterprise

Autonomous API
Penetration Test

8 exploit agents · verified PoCs · AI executive report
Full engagement in 5–25 minutes

Target API URL

Authentication (optional — enables BOLA, mass assignment, privilege escalation tests)

Cookie (optional)

Scope / Notes (optional — guides the AI attack planner)

I confirm I have explicit written authorization to perform security testing against this target. Unauthorized testing is illegal.

Estimated time: 5–25 minutes · All findings verified with real HTTP evidence · OWASP API Top 10 coverage

Initializing 0%

Agent Console 0 events

--:--:--systemApiScan engagement engine initializing...

Live Findings 0

Findings appear here as agents confirm them

Find what attackers find.
Before they do.

Scanning in progress

Scan Complete

16 more security checks on Pro

AI Security Analysis

Simple, honest pricing

Danger Zone

Dashboard

Welcome to ApiScan

Integrations & API

Autonomous API
Penetration Test

Past Engagements

Engagement Complete

Security Scan Results

Find what attackers find.Before they do.

Scanning in progress

Scan Complete

16 more security checks on Pro

AI Security Analysis

Simple, honest pricing

Danger Zone

Dashboard

Welcome to ApiScan

Integrations & API

Autonomous APIPenetration Test

Past Engagements

Engagement Complete

Security Scan Results

Share Report

Find what attackers find.
Before they do.

Autonomous API
Penetration Test