Infinite payloads? The future of API Testing with dynamic fuzzing
What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is …
Application environments are more complex than ever, with APIs forming the critical connective tissue. But this proliferation has created a vast, often invisible, attack surface. Security teams are caught in a difficult position: compliance frameworks like PCI and SOC 2 demand API scanning, but offer little guidance. Meanwhile, you’re grappling with incomplete API inventories, and the market is a confusing mix of expensive, hard-to-instrument niche tools.
You need a way to see everything on your attack surface from web apps to APIs, test what matters most, and do it all without derailing your existing workflows.
We are excited to introduce advanced API Scanning, fully integrated into the Detectify platform.
We built our API scanner to address the specific challenges we heard from security teams. You told us you needed to:
Our new capabilities are designed to do exactly that in combination with our intelligent scan recommendations and asset classification, providing unified visibility and research-led testing across your entire attack surface.
When we decided to build API scanning, we made an active choice not to simply wrap an existing open-source tool like ZAP. We believe our customers deserve better than repackaged checks and noisy results. Instead, we built our own proprietary engine from the ground up, focused on three key principles:
Static API scanners run the same checks time and time again. If your API hasn’t changed, you get the same results, creating a false sense of security. Our engine is different.
We use a dynamic approach where the payloads used for testing are randomized and rotated with every single scan. This means, as one of our engineers put it,
“every scan that we run against the customer’s API is going to be unique – something that we never scanned before”.
This creates a continuous opportunity to find new vulnerabilities that static checks would miss, even in an unchanged API.
Our dynamic approach allows for a massive scale of test variations. For certain tests like prompt injection, the number of potential payload permutations is theoretically over 9.2 quintillion. For command injections, we utilize a library of over 330,000 payloads.
But this isn’t chaos. The randomization is predictable. Using a “seed” – much like how a seed in Minecraft creates a specific world – we can precisely reproduce the exact payload that found a vulnerability, ensuring our findings are always verifiable and actionable for your developers.
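To make the seed idea concrete, here is a small added illustration in Python (not Detectify's engine, whose payload library and fuzzing logic are proprietary and not shown on this page): the scan seed plus a per-case index fully determine each payload, so a finding can be replayed from those two values alone, and the permutation counter shows how 63 independent binary choices reach 2^63, the roughly 9.2 quintillion figure quoted above. The fragment lists are constructed, benign placeholders.

```python
import random

# Constructed, benign placeholder fragments standing in for a real payload library.
# A real scanner would draw from far more slots and thousands of fragments per slot;
# the page does not show its library contents, so these are illustrative only.
FRAGMENTS = {
    "prefix": ["P0", "P1", "P2", "P3"],
    "body":   ["B0", "B1", "B2"],
    "suffix": ["S0", "S1"],
}


def permutation_count(fragments=FRAGMENTS):
    """Size of the payload space: the product of the choices in each slot.
    63 independent binary choices give 2**63, roughly 9.2 quintillion."""
    total = 1
    for choices in fragments.values():
        total *= len(choices)
    return total


def payload_for(scan_seed, test_index, fragments=FRAGMENTS):
    """Build the payload for one test case from the scan seed and the case index.
    The PRNG is re-seeded per case, so a single (scan_seed, test_index) pair pins
    down the payload no matter how many other cases the scan ran or in what order."""
    rng = random.Random(f"{scan_seed}:{test_index}")  # str seeds hash deterministically
    return "".join(rng.choice(choices) for choices in fragments.values())


def run_scan(scan_seed, num_cases, fragments=FRAGMENTS):
    """Generate the payloads for one scan; a new seed per scan gives new payloads."""
    return [payload_for(scan_seed, i, fragments) for i in range(num_cases)]


def reproduce(finding, fragments=FRAGMENTS):
    """Replay a finding from its stored (seed, index); no payload storage needed."""
    return payload_for(finding["scan_seed"], finding["test_index"], fragments)


if __name__ == "__main__":
    scan_seed = "scan-2025-03-01"  # constructed seed, not a real scan identifier
    payloads = run_scan(scan_seed, 8)
    finding = {"scan_seed": scan_seed, "test_index": 5}
    print(payloads[5], reproduce(finding) == payloads[5], permutation_count())
```

Storing only the seed and case index in a finding is what makes a randomized scan reproducible for the developer who has to fix the issue.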
Our engine is built by the same internal security research team that powers the rest of Detectify. We focus on exploitability, meaning we try to actually exploit the vulnerability rather than just flagging a potential issue. This approach, combined with our proprietary fuzzing technology that has a history of finding zero-days, results in high-accuracy findings you can trust, drastically reducing the time you waste on triaging false positives.
Ready to see your full API attack surface? Talk to our experts or start a 2-week free trial.
If you are a Detectify customer already, don’t miss the What’s New page for the latest product updates and new security tests added to the platform.