API Pentest
To start an API pentest with our AI agent, go to the Launch Pentest tab in the left sidebar, then click the API Pentest card as shown in the image below. The API pentest agent scans your API endpoints for OWASP Top 10-style vulnerabilities, such as injection flaws, authorization issues, insecure deserialization, and more. To get started, simply enter the API URL, upload your Swagger/OpenAPI documentation, and add any required authentication headers. If your API is unauthenticated, you can skip the auth headers entirely. From this page, you can kick off a new API pentest in as little as 30 seconds.

After selecting the pentest type, give your engagement a name. You can also assign it to a specific organization or client for easier tracking and reporting.

Next, define the scope of the API pentest. Enter the base API URL, upload your Swagger/OpenAPI documentation, and provide any required authentication headers (such as Basic, JWT, or custom headers).

When you’re ready to begin, click Next to deploy the agent and start the scan. The agent will automatically run using your selected settings and report results back to the platform.

If everything works correctly, you’ll be greeted with a Congratulations page confirming that your agent has been successfully deployed and your scan has started. If the agent appears to hang on the deployment step for too long, try running it again, as something may have failed. In most cases, deployment should complete in under a minute.

The scan may take a few hours or longer to complete, depending on the size and complexity of the target. Once the scan has started, you can come back later to review the pentest results when they’re ready.