Service 02, included in your subscription

API security testing

We test APIs as first-class attack surfaces, using documentation, captured traffic and role-aware testing to expose authorisation, data and abuse paths.

What we test

Object authorisation

BOLA, IDOR and broken ownership checks across tenants and roles.

Authentication & tokens

JWT handling, session expiry, refresh flows and weak claims validation.

Data exposure

Over-broad responses, sensitive fields and unsafe object expansion.

Rate limiting

Resource exhaustion, brute force windows and GraphQL batching abuse.

Input handling

Injection, SSRF, parameter pollution and mass assignment.

API inventory

Legacy endpoints, undocumented methods and versioning gaps.

What you get

A report your auditor and your engineers both understand

Executive summary, per-finding reproduction steps, severity-rated remediation guidance and retesting included once you have fixed the issue.

Book a call
PT-2026-0007 · REPORTRetest passed
Cross-tenant account lookup via BOLAFIXED
Refresh token accepted after logoutFIXED
GraphQL query depth unrestrictedFIXED