Know where your API breaks before attackers do.

Scan · Detect · Fix

Three steps. No poetry.

What it checks

Static analysis of your contract and declared security — expanded over time.

• Broken authorization risk patterns
• Auth coverage gaps across operations
• Endpoint exposure and sensitive paths
• OAuth / token hygiene (where visible in spec)
• CORS / method / configuration issues (declared)

Built for

• SaaS teams shipping public or partner APIs
• AI products with APIs, OAuth, and service identities
• B2B platforms facing security questionnaires
• Fintech and internal platforms where auth mistakes cost money

Outputs

• Web dashboard with findings and risk score
• PDF report (on roadmap for paid tiers)
• JSON export and API access (higher tiers)
• Webhooks when scans complete (Growth+)

Run a scan

Use the app route /systems/api-risk on this Next deployment (same origin).

Pricing preview

Indicative — final numbers when billing goes live.

Developer

Sample response shape (stable target for v1 API).

POST /api/v1/scans
Content-Type: application/json

{
  "openapi_url": "https://api.example.com/openapi.json"
}

→ 200
{
  "scan_id": "scn_01example",
  "risk_score": 42,
  "findings": [
    {
      "id": "AUTH-001",
      "severity": "high",
      "category": "authorization",
      "title": "Sensitive path may lack operation security",
      "path": "/admin/users",
      "method": "GET",
      "evidence": "No security scheme on operation",
      "remediation": "Attach OAuth2 or API key scheme..."
    }
  ],
  "spec_version": "openapi-3.0",
  "generated_at": "2026-03-30T12:00:00.000Z"
}

Trust

• No production traffic proxy required for static spec analysis.
• Read-only interpretation of the contract you provide.
• Versioned findings and secure handling policy (see legal notice).