Most of the breaches we read about in the news now start at an API — the quiet plumbing behind your apps where a single missing check can let one customer read another's data.
We test those checks the way an attacker would. We learn how your API works, walk every door and every user role, and show you exactly where a boundary breaks — with a short proof your engineers can replay and fix the same day.
Just your domain and your work email. We'll handle the rest.
What it does
Broken object-level authorisation (BOLA), broken authentication, broken function-level authorisation, unrestricted resource consumption, server-side request forgery, security misconfiguration, improper inventory management, unsafe consumption of APIs — every category, with confirmed exploitation where present.
The platform speaks the wire format that your APIs speak. GraphQL introspection-aware. gRPC reflection-aware. REST schema-aware via OpenAPI 3.x or learned-from-traffic. The Proof Capsule format is identical across protocols, so triage doesn't fragment.
Public schema is rarely the whole API. We discover undocumented paths through subdomain enumeration, JS bundle analysis, error-response leakage, and historical-archive crawling. Findings on hidden paths often carry the highest severity — the auth model wasn't designed for them.
We model your role hierarchy and exercise the boundaries: can a customer-tier token access an admin-tier resource? Can a tenant-A account read tenant-B data? Each authorisation finding ships with the role pair, the object scope, and the request that crossed the boundary.
JWT confusion attacks, refresh-token replay, session fixation, OAuth scope escalation, MFA bypass paths. We test the auth surface as a state machine, not as a list of endpoints — that's where the worst findings live.
Unrestricted resource consumption is a silent killer. We probe rate limits with controlled-burst patterns, find the queries that scale linearly with input size, and surface the endpoints where a single client can saturate a backend — before someone hostile finds them.
What you get
Find. Prove. Fix. Verify. — applied to API security
celvex retest against the same endpoint after the patch.
OpenAPI ingestion, GraphQL introspection, gRPC reflection, plus undocumented-path discovery from traffic and JS bundles.
The exploit captures the role-pair request, the privileged response, and the object that shouldn't have been reachable.
Where in the codebase the missing check belongs. Where the framework's middleware should have intercepted. The standard pattern.
The retest replays the boundary-crossing request and confirms the new authorisation check returns 403 for the wrong role.
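The role-pair boundary test described above and the retest that expects a 403, worked through as an added example. This is illustrative code written for this page, not the vendor's platform or a customer codebase; the tenants, tokens, order ids and the in-memory handlers are all constructed here, and the 403-on-wrong-tenant behaviour is the one the page states.

```python
"""Added example (not part of the original page or the vendor's product):
a minimal in-memory API handler showing a broken object-level authorisation
check next to its hardened form, plus a replay that acts as the retest.
Tenants, tokens and order ids are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    role: str  # "customer" or "admin"


# Constructed sample sessions: bearer token -> authenticated principal.
SESSIONS = {
    "tok-alice": Principal("alice", "tenant-A", "customer"),
    "tok-bob": Principal("bob", "tenant-B", "customer"),
    "tok-root": Principal("ops", "tenant-A", "admin"),
}

# Constructed sample objects: order id -> owning tenant, owning user, body.
ORDERS = {
    "ord-1001": {"tenant": "tenant-A", "owner": "alice", "total": 42.00},
    "ord-2002": {"tenant": "tenant-B", "owner": "bob", "total": 17.50},
}


def authenticate(token):
    """Return the principal for a token, or None if the token is unknown."""
    return SESSIONS.get(token)


def get_order_vulnerable(token, order_id):
    """BOLA: authenticates the caller but never checks who owns the object,
    so any valid token can read any order whose id it can guess."""
    who = authenticate(token)
    if who is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order_fixed(token, order_id):
    """Hardened handler: the object-level check sits next to the lookup, so
    the tenant boundary is enforced on every read. Admins are scoped to their
    own tenant as well; there is no cross-tenant super-role in this model."""
    who = authenticate(token)
    if who is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    same_tenant = order["tenant"] == who.tenant
    owns_it = order["owner"] == who.user_id
    if not same_tenant or not (owns_it or who.role == "admin"):
        # 403 rather than 401: the caller is authenticated, just not allowed.
        return 403, {"error": "forbidden"}
    return 200, order


def replay_boundary_crossing(handler, token, order_id):
    """Retest step: replay the recorded cross-tenant request against a
    handler and return the status. A patched endpoint must answer 403."""
    status, _ = handler(token, order_id)
    return status


if __name__ == "__main__":
    # A tenant-B customer token requesting a tenant-A order.
    print("before:", replay_boundary_crossing(get_order_vulnerable, "tok-bob", "ord-1001"))  # 200
    print("after: ", replay_boundary_crossing(get_order_fixed, "tok-bob", "ord-1001"))       # 403
```

The replay is the same request both times; only the handler changes. That is what makes the retest meaningful: the recorded role pair (tenant-B customer), object scope (a tenant-A order) and request are replayed verbatim, and the verdict is the status code alone.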
Where it fits in CTEM
In Gartner's CTEM framework, the Discovery and Validation stages cover the work of finding all exposures and proving which ones are actually exploitable. APIs are increasingly the first surface attackers test — and the surface where the most-severe authorisation flaws live. Schema-aware testing makes the Discovery stage thorough; Proof Capsule makes the Validation stage verifiable.
Start where it costs you nothing
Drop your domain. We'll quietly look at your external footprint and send a short, plain-language report — with at least one real finding your team can verify themselves. No sales pressure. No surprise calls.