Product update: Dynamic API Scanning, Recommendations & Classifications, and more

Detectify


We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications effectively. This update covers our new Dynamic API Scanning feature, updates over the last few months, and the latest additions to our vulnerability testing capabilities. 

What have we shipped to customers over the last few months?

Introducing Dynamic API Scanning

We’re excited to announce the launch of Dynamic API Scanning, now integrated into the Detectify platform. As APIs become increasingly critical to modern applications, they also present a growing attack surface. Our new API Scanning engine is designed to provide you with unified visibility and research-led testing for your APIs.

Key capabilities include:

  • Comprehensive Vulnerability Coverage: We test for a broad range of vulnerabilities, including the OWASP API Top 10, to ensure your APIs are protected against the most critical threats.
  • Unified Platform: By integrating API scanning into the Detectify platform, we provide a single pane of glass for managing the security of your entire attack surface.

This new feature will help you tackle challenges such as incomplete API inventories and the use of disparate testing solutions. The new API Scanner uses an advanced dynamic approach in which the payloads used for testing are randomized and rotated with every single scan, meaning that every scan we run against a customer's API is unique: something we have never scanned before. Read more about Dynamic Payloads here.

Get started with Detectify API Scanning with this guide.

Not sure what to scan? We do. 

Prioritizing deep application scanning across hundreds of assets is a significant challenge. To solve this, our new Scan Recommendations feature helps you move from guessing to certainty. It analyzes your attack surface to identify complex, interactive web apps and recommends them for deeper scanning, ensuring your most critical assets are always covered.

Detectify now presents asset classification in a single view

To decide what to test, you first need to know what each asset does. Our new Asset Classification feature automates this by analyzing and categorizing your web assets (e.g., rich web apps, APIs). This gives you the insight needed to prioritize security testing and ensure your attack surface is covered.

We’ve also made major improvements to how Detectify performs

New improved subdomain discovery with 3x wordlist

We’ve enhanced active subdomain discovery. It now runs recursively to find deeply nested subdomains and uses a wordlist that is three times larger. This expanded wordlist is explored over time to uncover obscure assets with minimal impact. To support these improvements, passive subdomain discovery must be enabled to run active discovery.


Filter Vulnerabilities based on a modification timestamp via API

We’ve improved vulnerability filtering in the API. The vulnerabilities endpoint now returns a <modified_at> timestamp that updates on any change, including manual actions. This allows for more granular queries using the new <modified_before> and <modified_after> filters.
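One practical use of the modified_after filter is incremental polling: instead of pulling every vulnerability on each run, a job remembers the newest modified_at it has processed and asks only for records changed since then. The example below is added here and is not Detectify's own client code or documented API; it takes the field and filter names from the text above, but the endpoint path, the authentication header, the response shape and whether the filter is inclusive or exclusive at the boundary are all assumptions. The sample records are constructed, and the HTTP call is kept behind a swappable fetch function so the logic runs offline. The cursor logic is deliberately written to give the same result whichever boundary semantics the real API has, which is the edge case a practitioner most often gets wrong with timestamp cursors.

```python
"""Incremental polling of vulnerability records with a modified_after cursor.

Assumptions (not taken from the Detectify documentation):
  - records are JSON objects with "id", "title" and "modified_at" (RFC 3339, UTC)
  - the endpoint accepts modified_after / modified_before as query parameters
  - boundary semantics of the filters are unknown, so the cursor logic
    tolerates both "strictly after" and "at or after"
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data shaped like an assumed vulnerabilities response.
SAMPLE_RECORDS = [
    {"id": "vuln-1", "title": "Reflected XSS", "modified_at": "2024-05-01T10:00:00Z"},
    {"id": "vuln-2", "title": "Open redirect", "modified_at": "2024-05-02T12:30:00Z"},
    {"id": "vuln-3", "title": "Missing HSTS", "modified_at": "2024-05-02T12:30:00Z"},
    {"id": "vuln-4", "title": "SQL injection", "modified_at": "2024-05-03T08:15:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; the trailing 'Z' form is not accepted by older fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_query(modified_after: Optional[str] = None,
                modified_before: Optional[str] = None) -> Dict[str, str]:
    """Query parameters using the filter names from the product update."""
    params: Dict[str, str] = {}
    if modified_after:
        params["modified_after"] = modified_after
    if modified_before:
        params["modified_before"] = modified_before
    return params


def make_local_fetch(records: List[dict], inclusive: bool = False) -> Callable[[Dict[str, str]], List[dict]]:
    """Offline stand-in for the HTTP call that applies the filters to an in-memory list.

    `inclusive` switches the boundary semantics so both behaviours can be exercised.
    """
    def fetch(params: Dict[str, str]) -> List[dict]:
        out = []
        for r in records:
            ts = parse_ts(r["modified_at"])
            if "modified_after" in params:
                after = parse_ts(params["modified_after"])
                if ts < after or (ts == after and not inclusive):
                    continue
            if "modified_before" in params:
                before = parse_ts(params["modified_before"])
                if ts > before or (ts == before and not inclusive):
                    continue
            out.append(r)
        return out
    return fetch


def make_http_fetch(base_url: str, api_key: str) -> Callable[[Dict[str, str]], List[dict]]:
    """Real-network variant. The path and header name are placeholders (assumptions), not documented values."""
    def fetch(params: Dict[str, str]) -> List[dict]:
        url = base_url.rstrip("/") + "/vulnerabilities?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"X-Api-Key": api_key})  # ASSUMED header name
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def poll_changes(state: dict, fetch: Callable[[Dict[str, str]], List[dict]]) -> Tuple[List[dict], dict]:
    """Return records changed since state["cursor"] and the updated state.

    state = {"cursor": <modified_at string or None>, "seen": {(id, modified_at), ...}}
    "seen" holds the records sitting exactly at the cursor instant, so that an
    inclusive filter re-returning them does not produce duplicates, while an
    exclusive filter cannot make us miss a record that shares the cursor timestamp
    because we only ever advance the cursor to a timestamp we have fully consumed.
    """
    fetched = fetch(build_query(modified_after=state.get("cursor")))
    new = [r for r in fetched if (r["id"], r["modified_at"]) not in state["seen"]]
    if not new:
        return [], state
    new.sort(key=lambda r: parse_ts(r["modified_at"]))  # stable: ties keep API order
    cursor = new[-1]["modified_at"]
    cursor_dt = parse_ts(cursor)
    seen = {(r["id"], r["modified_at"]) for r in new if parse_ts(r["modified_at"]) == cursor_dt}
    # Keep previously seen entries if the cursor instant did not move (same-second churn).
    seen |= {s for s in state["seen"] if parse_ts(s[1]) == cursor_dt}
    return new, {"cursor": cursor, "seen": seen}


if __name__ == "__main__":
    st = {"cursor": None, "seen": set()}
    changed, st = poll_changes(st, make_local_fetch(SAMPLE_RECORDS))
    print(len(changed), "records on first sync, cursor now", st["cursor"])
    changed, st = poll_changes(st, make_local_fetch(SAMPLE_RECORDS))
    print(len(changed), "records on second sync (nothing changed)")
```

Persist `state` between runs (a small JSON file is enough); storing only the cursor string and the handful of (id, modified_at) pairs at that instant is what makes the job safe to re-run after a crash without either duplicating or skipping a record.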

We released a lot of new tests thanks to Alfred, Crowdsource, and our internal Security Research team.

This product update would be very, very long if we listed all of the new vulnerabilities we implemented thanks to Alfred, our AI Security Researcher, Crowdsource, and our incredible team of Security Researchers. So, you can check out all of our new tests here.
