
API penetration testing.
Every auth mode, verified.

Automated API penetration testing: upload a spec and Pentrova exercises every endpoint under the auth mode production actually uses — and replays every finding before it ships.

5 spec parsers · 6 auth modes · cross-role replay


Engagement flow

Five stages. Every API surface.

Specs and credentials rotate with your environment — there is nothing to re-record when you ship.

  1. INGEST

    Spec ingestion

    Upload an OpenAPI 2/3, Postman v2.1, GraphQL, Protobuf, or WSDL spec — or pull from a private URL at scan time. Endpoints are inventoried automatically.

  2. AUTH

    Auth attached

    Six auth modes are wired in: bearer, API key, basic, OAuth 2.0, custom (HMAC / SigV4 / etc.), and mTLS. Token refresh is automatic.

  3. EXERCISE

    Endpoints exercised

    Pentrova generates realistic payloads from message types, exercises every endpoint under each role, and captures the reference response per role.

  4. VERIFY

    Cross-role replay

    The Authorization Matrix replays every endpoint across roles and surfaces broken object-level authorization (BOLA) with deterministic differential evidence: the same request sent as a different principal, diffed against the per-role reference response captured in the previous stage.

  5. CHAIN

    Automatic escalation

    Confirmed BOLA, BFLA (broken function-level authorization), and injection findings feed the chain resolver, which surfaces multi-step attack paths across the API surface.
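
Stage 1 says endpoints are inventoried automatically and stage 2 wires in whichever auth modes the spec declares. What that inventory step has to resolve for an OpenAPI 3.x document is shown below as an added illustration written for this page; it is not Pentrova's parser. The spec is a constructed fragment, the mode labels (`bearer`, `api_key`, `basic`, `oauth2`, `custom(...)`, `mtls`) are the example's own, and the `id_bearing` helper only shows which operations a cross-role replay would target, using the OpenAPI rule that operation-level `security` overrides the root list, entries are OR-alternatives, and schemes inside one entry are AND-ed.

```python
import json

# Constructed OpenAPI 3.1 document for the example (not a real or Pentrova fixture).
SPEC_JSON = r'''
{
  "openapi": "3.1.0",
  "info": {"title": "payments-api", "version": "1.0.0"},
  "components": {"securitySchemes": {
    "bearerAuth":   {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    "basicAuth":    {"type": "http", "scheme": "basic"},
    "hmacAuth":     {"type": "http", "scheme": "hmac-sha256"},
    "apiKeyHeader": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    "oauth":        {"type": "oauth2", "flows": {"clientCredentials": {
                       "tokenUrl": "https://auth.example.com/token",
                       "scopes": {"payments:read": "read", "payments:write": "write"}}}},
    "mtls":         {"type": "mutualTLS"}
  }},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/invoices": {
      "get":  {"operationId": "listInvoices"},
      "post": {"operationId": "createInvoice", "security": [{"oauth": ["payments:write"]}]}
    },
    "/invoices/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "string"}}],
      "get":    {"operationId": "getInvoice", "security": [{"bearerAuth": []}, {"apiKeyHeader": []}]},
      "put":    {"operationId": "replaceInvoice", "security": [{"hmacAuth": []}]},
      "delete": {"operationId": "deleteInvoice", "security": [{"mtls": [], "basicAuth": []}]}
    },
    "/health": {"get": {"operationId": "health", "security": []}}
  }
}
'''

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def auth_mode(scheme):
    """Map one securityScheme object to an auth-mode label (labels are this example's own)."""
    kind = scheme.get("type")
    if kind == "http":
        s = scheme.get("scheme", "").lower()
        return {"bearer": "bearer", "basic": "basic"}.get(s, f"custom({s})")
    return {"apiKey": "api_key", "oauth2": "oauth2", "openIdConnect": "oauth2",
            "mutualTLS": "mtls"}.get(kind, f"custom({kind})")


def inventory(spec):
    """Enumerate every operation with its resolved auth alternatives and path identifiers.

    OpenAPI semantics: an operation-level `security` list overrides the root one; each
    list entry is an alternative (OR) and the schemes inside one entry must all be
    satisfied (AND); an empty list means the operation is anonymous.
    """
    schemes = spec.get("components", {}).get("securitySchemes", {})
    root_security = spec.get("security", [])
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            requirements = op.get("security", root_security)
            alternatives = [
                tuple(sorted(auth_mode(schemes.get(name, {"type": "unknown"})) for name in req)) or ("none",)
                for req in requirements
            ] or [("none",)]
            params = shared_params + op.get("parameters", [])
            ops.append({
                "method": method.upper(),
                "path": path,
                "operation_id": op.get("operationId"),
                "auth": alternatives,
                "id_params": [p["name"] for p in params if p.get("in") == "path"],
            })
    return ops


def auth_modes(ops):
    """Distinct auth modes the spec actually uses (what a scan must be configured with)."""
    return {m for op in ops for alt in op["auth"] for m in alt if m != "none"}


def id_bearing(ops):
    """Authenticated operations that take an identifier in the path: cross-role replay targets."""
    return [op for op in ops if op["id_params"] and op["auth"] != [("none",)]]


def load(text=SPEC_JSON):
    return inventory(json.loads(text))


if __name__ == "__main__":
    ops = load()
    print(len(ops), "endpoints discovered ·", len(auth_modes(ops)), "auth modes detected")
    for op in ops:
        print(f'{op["method"]:6} {op["path"]:16} auth={op["auth"]} ids={op["id_params"]}')
```

Running it against the constructed spec yields six operations and six distinct auth modes; the three `/invoices/{id}` operations are the ones an authorization matrix would replay, and `GET /health` is correctly left anonymous because its empty `security` list overrides the root bearer requirement.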

Coverage

Every parser. Every auth mode.

Five spec parsers across six authentication modes. Every cell in the matrix below is a production-supported combination — not a roadmap claim.

Parser × Auth                      Bearer  API Key  Basic  OAuth 2  Custom  mTLS
OpenAPI v2 / v3 / v3.1             ✓       ✓        ✓      ✓        ✓       ✓
Postman Collections v2.1           ✓       ✓        ✓      ✓        ✓       ✓
GraphQL (introspection + uploads)  ✓       ✓        ✓      ✓        ✓       ✓
Protobuf (gRPC + reflection)       ✓       ✓        ✓      ✓        ✓       ✓
WSDL (SOAP 1.1 + 1.2)              ✓       ✓        ✓      ✓        ✓       ✓

30/30 · every parser × auth combination is production-supported

API Pentesting questions

  • Common objection We already have a scanner — why add another tool?
    Most scanners score findings probabilistically, which is why AppSec queues grow faster than they shrink. Pentrova only publishes findings its verifier can reproduce, so you are not adding a second queue; you are retiring the unreproducible half of the first one. The intent is that the backlog shrinks when Pentrova lands rather than growing.
  • Common objection Aren't you too expensive compared to free open-source tools?
    Free scanners are excellent at what they do and we ship our own four free tools for that reason. Pentrova replaces the human hours teams spend triaging and reproducing probabilistic findings, not the scanners themselves. The pricing is set so a verified PoC bundle costs less than the engineering time a probabilistic queue would consume.
  • Common objection DAST scanners are too noisy — what stops Pentrova from drowning us in alerts?
    Every candidate finding is replayed in a clean session by our verifier and the differential signal that flagged it — status code, response body hash, sensitive byte sequences, error patterns — is compared against a clean baseline before it becomes a ticket. Findings whose differential does not reproduce never enter the queue. In practice that turns the "noise vs signal" ratio into a binary gate: if the differential reproduces, it is signal.
  • Which API specification formats does API Pentesting accept?
    OpenAPI 2/3/3.1, Postman Collections v2.1, GraphQL schemas (introspected or uploaded), Protobuf service definitions, and WSDL documents. Specs can be uploaded directly or pulled from a private URL at scan time.
  • How does API Pentesting handle authentication?
    Six modes are supported out of the box: bearer, API key, basic, OAuth 2.0, custom script-driven schemes such as HMAC / AWS SigV4, and mutual TLS. Token refresh, short-lived credentials, and rotated keys are handled automatically.
  • Does API Pentesting support GraphQL subscriptions and persisted queries?
    Yes. Pentrova discovers subscription fields alongside queries and mutations, and it accepts persisted-query IDs and a hashing salt when your gateway requires them.
  • Can Pentrova test gRPC APIs?
    Yes. Upload the .proto definitions or enable server reflection; Pentrova will exercise unary, server-streaming, client-streaming, and bidi-streaming methods with realistic payloads derived from the message types.
  • How does API Pentesting handle broken object-level authorization (BOLA)?
    Every API engagement runs the Authorization Matrix to replay requests across roles, flag privilege bypasses on identifier fields, and surface the reference-response comparison alongside the exploit evidence — see /product/platform#authorization-matrix.
  • What does an API Pentesting finding look like?
    Every finding ships with the captured HTTP exchange (request headers, body, response headers, body), the exploitation reasoning, a sanitized PoC, and a reproducible curl command so engineering can replay the finding without Pentrova tooling.
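
The cross-role replay and verifier gate described in the engagement flow (stages 3 and 4) and in the answers above on noise and BOLA, as an added illustration that is not Pentrova's code: a constructed in-memory invoices API stands in for the target, with a toggle for the object-level ownership check so the vulnerable and fixed builds can be compared. `authorization_matrix` captures a reference response for each endpoint as a principal that should be allowed, replays the same request as every principal that should not, keeps a candidate only when the replay returns 2xx and either collapses onto the reference (same status and body hash) or leaks a sensitive byte pattern, then re-sends each candidate and drops any whose observation does not reproduce. Every token, route, role, pattern and the `api.example.com` host in the reproducer are constructed for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Constructed target (not a real service): bearer tokens, roles, and per-user invoices.
TOKENS = {"tok-alice": ("alice", "user"), "tok-bob": ("bob", "user"), "tok-admin": ("admin", "admin")}
INVOICES = {
    "101": {"owner": "alice", "email": "alice@example.com", "card_last4": "4242"},
    "102": {"owner": "bob", "email": "bob@example.com", "card_last4": "1881"},
}
PRINCIPALS = {"alice": "tok-alice", "bob": "tok-bob", "admin": "tok-admin"}
# (method, path, principals expected to get a 2xx). The first allowed one supplies the reference.
ENDPOINTS = [
    ("GET", "/invoices/101", ("alice", "admin")),
    ("GET", "/invoices/102", ("bob", "admin")),
    ("GET", "/admin/users", ("admin",)),
]


def make_api(enforce_ownership):
    """Return send(method, path, token) -> (status, body). With enforce_ownership=False the
    invoice route has a deliberate BOLA: any authenticated caller can read any invoice by id."""
    def send(method, path, token):
        who = TOKENS.get(token)
        if who is None:
            return 401, json.dumps({"error": "unauthorized"})
        user, role = who
        m = re.fullmatch(r"/invoices/(\d+)", path)
        if m and method == "GET":
            inv = INVOICES.get(m.group(1))
            if inv is None:
                return 404, json.dumps({"error": "not found"})
            if enforce_ownership and role != "admin" and inv["owner"] != user:
                return 403, json.dumps({"error": "forbidden"})  # the fix: object-level check
            return 200, json.dumps(inv)
        if path == "/admin/users" and method == "GET":
            if role != "admin":
                return 403, json.dumps({"error": "forbidden"})  # function-level check is in place
            return 200, json.dumps(sorted(u for u, _ in TOKENS.values()))
        return 404, json.dumps({"error": "no route"})
    return send


# Sensitive byte patterns searched for in response bodies (constructed for the example).
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card_last4": re.compile(r'"card_last4":\s*"\d{4}"'),
}


@dataclass(frozen=True)
class Observation:
    status: int
    body_sha256: str
    sensitive: tuple  # names of SENSITIVE patterns found in the body


def observe(send, method, path, token):
    status, body = send(method, path, token)
    hits = tuple(name for name, rx in SENSITIVE.items() if rx.search(body))
    return Observation(status, hashlib.sha256(body.encode()).hexdigest(), hits)


def authorization_matrix(send, endpoints=ENDPOINTS, principals=PRINCIPALS, replays=2):
    """Cross-role replay with a verifier gate.

    For each endpoint: capture the reference response as the first allowed principal,
    replay as every principal outside the allowed set, and raise a candidate when the
    replay is 2xx and either collapses onto the reference (same status and body hash)
    or leaks a sensitive pattern. A candidate survives only if `replays` fresh re-sends
    return the identical observation; differentials that do not reproduce are dropped.
    """
    findings = []
    for method, path, allowed in endpoints:
        reference = observe(send, method, path, principals[allowed[0]])
        for name, token in principals.items():
            if name in allowed:
                continue
            obs = observe(send, method, path, token)
            collapsed = (obs.status, obs.body_sha256) == (reference.status, reference.body_sha256)
            if not (200 <= obs.status < 300 and (collapsed or obs.sensitive)):
                continue
            if any(observe(send, method, path, token) != obs for _ in range(replays)):
                continue  # did not reproduce: never becomes a ticket
            findings.append({
                "endpoint": f"{method} {path}",
                "reference_role": allowed[0],
                "replayed_as": name,
                "status": obs.status,
                "body_sha256": obs.body_sha256,
                "sensitive": obs.sensitive,
                "repro": f"curl -s -X {method} -H 'Authorization: Bearer {token}' https://api.example.com{path}",
            })
    return findings


def run(enforce_ownership):
    """Run the matrix against the vulnerable (False) or fixed (True) build of the target."""
    return authorization_matrix(make_api(enforce_ownership))


if __name__ == "__main__":
    for f in run(False):
        print(f["endpoint"], "as", f["replayed_as"], "->", f["status"], f["sensitive"], "\n  ", f["repro"])
    print("after fix:", run(True))
```

Against the vulnerable build the matrix produces exactly two findings (bob reading alice's invoice and alice reading bob's), each carrying the status, body hash, the sensitive patterns that leaked, and a curl reproducer; the `/admin/users` replays return 403 and never become candidates, and once the ownership check is enabled the same run returns nothing. The admin principal is listed as allowed on the invoice endpoints, which is the piece a real engagement has to get right: a role that legitimately sees everything must not be counted as a bypass.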

Next step

Start your first pentest.

No sales call. No setup fee. Proof in minutes.
