API Security Agent tests APIs systematically, starting from a specification or by discovering endpoints directly. It covers authentication, authorization, input validation, and business logic vulnerabilities across REST and GraphQL interfaces.

What it does

  • Specification-driven testing: ingests OpenAPI and Swagger specs to build a complete endpoint map before testing begins
  • REST API testing: tests every endpoint for injection, IDOR, broken authentication, mass assignment, and other API-specific vulnerabilities
  • GraphQL testing: probes introspection, query depth, batching abuse, and authorization gaps
  • Authentication and authorization testing: validates token handling, session management, privilege escalation, and tenant isolation
  • Rate limiting analysis: verifies that endpoints enforce rate limits and that bypass techniques do not work
  • Input validation: tests parameter tampering, type confusion, and boundary conditions across all input surfaces
  • Credential management: handles API authentication secrets for testing authenticated endpoints
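The combination the list above describes, a spec-derived endpoint map driving authorization checks, is easiest to see as code. The following is an added example written for this page, not the agent's own implementation: it flattens a constructed OpenAPI fragment into an endpoint map, then runs three requests per object endpoint (owner control, unauthenticated, and a second tenant's token) against a constructed in-memory stand-in for the target in which the orders endpoint deliberately omits its ownership check. The spec, tokens, object IDs and `fake_api` backend are all assumptions made so the example runs offline; the report types (`control-failed`, `missing-authentication`, `idor`) are names chosen here, not the product's.

```python
"""Spec-driven tenant-isolation / IDOR check. Added example, not the agent's code."""
from dataclasses import dataclass
import re

# Constructed OpenAPI fragment standing in for an ingested spec.
OPENAPI_SPEC = {
    "paths": {
        "/health": {"get": {"security": []}},          # explicitly unauthenticated
        "/users/{userId}": {"get": {}},
        "/orders/{orderId}": {"get": {}, "delete": {}},
        "/orders": {"post": {}},
    }
}

@dataclass
class Endpoint:
    method: str
    path: str
    params: list           # path parameter names in order of appearance
    requires_auth: bool

def build_endpoint_map(spec):
    """Flatten an OpenAPI 'paths' object into Endpoint records."""
    endpoints = []
    for path, ops in spec["paths"].items():
        params = re.findall(r"\{(\w+)\}", path)
        for method, op in ops.items():
            # In OpenAPI, 'security: []' on an operation means no auth is required.
            requires_auth = op.get("security", None) != []
            endpoints.append(Endpoint(method.upper(), path, params, requires_auth))
    return endpoints

# Constructed stand-in target: two tenants, their tokens, and who owns what.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
RESOURCES = {  # collection -> {object id: owning tenant}
    "users": {"u-1": "alice", "u-2": "bob"},
    "orders": {"o-100": "alice", "o-200": "bob"},
}
# Object IDs the tester already knows from seeded accounts (assumption).
OWNED = {"alice": {"userId": "u-1", "orderId": "o-100"},
         "bob": {"userId": "u-2", "orderId": "o-200"}}

def fake_api(method, path, token):
    """Simulated backend with no side effects. /orders/{id} skips the ownership check."""
    if path == "/health":
        return 200
    caller = TOKENS.get(token)
    if caller is None:
        return 401
    m = re.fullmatch(r"/(users|orders)/([\w-]+)", path)
    if m:
        collection, obj_id = m.groups()
        owner = RESOURCES[collection].get(obj_id)
        if owner is None:
            return 404
        if collection == "users" and owner != caller:
            return 403   # correct: ownership enforced
        return 200       # orders: ownership never checked -> IDOR
    if path == "/orders" and method == "POST":
        return 201
    return 404

def fill(path, values):
    """Substitute concrete IDs for {param} placeholders in a spec path."""
    return re.sub(r"\{(\w+)\}", lambda m: values[m.group(1)], path)

def run_authz_checks(endpoints, send, victim_ids, victim_token, attacker_token):
    """For each authenticated object endpoint: owner control, then no token, then
    another tenant's token. Returns a list of findings. Against a real target,
    use fresh objects per request for DELETE/PUT so the control does not destroy
    the object the cross-tenant request needs."""
    findings = []
    for ep in endpoints:
        if not ep.requires_auth or not ep.params:
            continue  # no per-object authorization decision to test here
        url = fill(ep.path, victim_ids)
        name = f"{ep.method} {ep.path}"
        # Control: the owner must succeed, otherwise a later 403 proves nothing.
        if send(ep.method, url, victim_token) >= 400:
            findings.append({"endpoint": name, "type": "control-failed"})
            continue
        if send(ep.method, url, None) < 400:
            findings.append({"endpoint": name, "type": "missing-authentication"})
        if send(ep.method, url, attacker_token) < 400:
            findings.append({"endpoint": name, "type": "idor"})
    return findings

if __name__ == "__main__":
    eps = build_endpoint_map(OPENAPI_SPEC)
    for f in run_authz_checks(eps, fake_api, OWNED["alice"], "tok-alice", "tok-bob"):
        print(f"{f['type']:24} {f['endpoint']}")
```

The owner control request is the part most ad-hoc IDOR scripts skip: without it, a 403 or 404 from the cross-tenant request is indistinguishable from an endpoint that is simply broken or whose ID format the tester guessed wrong, and a clean-looking report hides untested surface.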

How it fits in

API Security Agent runs on any task that involves an API target, either because a schema was supplied explicitly via the API schema field in the Pentest workflow, or because an API target was inferred from recon output. It coordinates with Browser Agent to cross-reference what the frontend calls against what the API actually accepts, so that endpoints and parameters the frontend never exercises are still tested.