API Security Testing
API Scanning tests REST and GraphQL APIs for exploitable vulnerabilities. It uses your OpenAPI specification or GraphQL schema to identify endpoints, queries, and mutations, then sends real payloads to each of them so that every reported vulnerability is backed by an actual exploitable request rather than a signature match.
How It Works
- Import — Upload your OpenAPI spec (REST) or GraphQL schema. Detectify parses it to discover your API’s structure.
- Configure — Set authentication credentials, rate limits, scan scope, and scheduling. See Configuration.
- Scan — Detectify sends exploit payloads to each endpoint or operation. Payloads are rotated across scan runs — the scanner tracks what has been sent per target and prioritizes untested variations in subsequent runs. See Coverage for vulnerability types and payload rotation details.
- Analyze — Findings are validated through actual payload execution, not signature matching. Each finding includes the exact request and response, severity, and remediation guidance. See Results & Remediation.
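As an added illustration of the Import and Scan steps (example code written for this page, not Detectify's own implementation), the following Python enumerates injectable parameters from a constructed OpenAPI 3 document and then schedules payload variants per target so that variants not yet sent to a target are prioritized in later runs; the variant names are placeholders, not real payloads.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample OpenAPI 3 document (not a real API), used as scanner input.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "schema": {"type": "string"}}],
      "get": {"responses": {"200": {"description": "ok"}}},
      "delete": {"responses": {"204": {"description": "deleted"}}}
    },
    "/search": {
      "get": {"parameters": [{"name": "q", "in": "query"},
                             {"name": "limit", "in": "query"}]}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
Target = Tuple[str, str, str]  # (METHOD, path, parameter name)

def enumerate_targets(spec: dict) -> List[Target]:
    """Walk the OpenAPI 'paths' object and return one target per injectable
    parameter. Path-level parameters apply to every operation under that path."""
    targets: List[Target] = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', etc.
            for p in shared + op.get("parameters", []):
                targets.append((method.upper(), path, p["name"]))
    return targets

# Hypothetical payload variation identifiers (labels only, no attack strings).
PAYLOAD_VARIANTS = ["variant-a", "variant-b", "variant-c"]

def plan_run(targets: List[Target], sent: Dict[Target, Dict[str, int]],
             per_target: int) -> List[Tuple[Target, str]]:
    """Pick which variants to send to each target this run. 'sent' records how
    often each variant has gone to each target; the least-sent variants win
    (ties keep list order), so untested variants are always tried first and
    the rotation cycles once every variant has been sent."""
    plan = []
    for t in targets:
        counts = sent.setdefault(t, {v: 0 for v in PAYLOAD_VARIANTS})
        ranked = sorted(PAYLOAD_VARIANTS, key=lambda v: counts[v])  # stable sort
        for v in ranked[:per_target]:
            counts[v] += 1
            plan.append((t, v))
    return plan
```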
Key Capabilities
| Capability | Description |
|---|---|
| Spec-driven testing | Scans are built from your OpenAPI specification or GraphQL schema |
| Payload rotation | Rotates through payload libraries per target, expanding coverage across scan runs |
| Authentication support | OAuth 2.0, Basic Auth, and API key — see Configuration |
| Continuous monitoring | Schedule recurring scans to catch regressions as your API evolves |
| Prompt injection testing | Detects prompt injection in AI and LLM-powered endpoints |
Getting Started
See the Getting Started guide for a step-by-step walkthrough of your first scan, including supported formats for both REST and GraphQL.