Service 02, included in your subscription
API security testing
We test APIs as first-class attack surfaces, using documentation, captured traffic and role-aware testing to expose authorisation, data and abuse paths.
What we test
Object authorisation
BOLA, IDOR and broken ownership checks across tenants and roles.
Authentication & tokens
JWT handling, session expiry, refresh flows and weak claims validation.
Data exposure
Over-broad responses, sensitive fields and unsafe object expansion.
Rate limiting
Resource exhaustion, brute force windows and GraphQL batching abuse.
Input handling
Injection, SSRF, parameter pollution and mass assignment.
API inventory
Legacy endpoints, undocumented methods and versioning gaps.
What you get
A report your auditor and your engineers both understand
Executive summary, per-finding reproduction steps, severity-rated remediation guidance and retesting included once you have fixed the issue.
Book a callPT-2026-0007 · REPORTRetest passed
Cross-tenant account lookup via BOLAFIXED
Refresh token accepted after logoutFIXED
GraphQL query depth unrestrictedFIXED