// Service

API penetration testing

APIs fail differently from websites: no browser, no UI hints, and every object ID is an invitation. We test yours request by request, with the documentation open and the assumptions off.

Illustration of a code panel connected to three API endpoints
// Coverage

What we test

Mapped to the OWASP API Security Top 10, with heavy emphasis on authorisation, because that's where APIs actually break.

  • Broken object-level authorisation (BOLA/IDOR). Can user A read or modify user B's records by changing an ID? This is the single most common critical API finding.
  • Authentication and token handling. JWT validation, token expiry and revocation, API key exposure and OAuth flow abuse.
  • Broken function-level authorisation. Admin and internal endpoints reachable by ordinary users, hidden methods, and verb tampering.
  • Excessive data exposure and mass assignment. Responses leaking fields the UI never shows, and writable properties you didn't intend to accept.
  • Rate limiting and resource consumption. Brute-forceable endpoints, unbounded queries and expensive operations without throttling.
  • GraphQL specifics. Introspection exposure, query depth and complexity abuse, and batching attacks.
// Approach

How we test it

We work from your OpenAPI/Swagger spec, Postman collection or GraphQL schema when available, and build our own map when it isn't, by proxying your client apps and enumerating endpoints.

Every endpoint is exercised with multiple identities and roles so authorisation failures show up systematically rather than by luck. We chain findings where possible: a minor data leak plus a weak reset flow is often a full account takeover.

Internal and partner APIs are just as testable as public ones. We can work over VPN or through a bastion, whatever access path matches how your real consumers connect.

The full process, severity ratings and reporting format are described in our methodology.

// Deliverables

What you get

  • Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
  • Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
  • Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
  • Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.

Get a fixed quote

Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.

Related: web application testing for the frontend, and cloud security review for the infrastructure your API runs on.