An Application Programming Interface (API) Assessment reviews and assesses the request and response system which is typically set up for web services. An API can often expose additional or extended functionality beyond that of a typical application front end, and exploitation of this interface can result in a range of vulnerabilities.


A large array of requests may be accessible through an API interface, providing content and functionality in an easy-to-access way. However, this ease of access also provides an easily reachable interface to malicious attackers.

The security issues which are common in web applications can still be present within an API interface, and it is often the case that these interfaces are more overlooked, provide more functionality and require less authenticated access.

As part of our approach, our Penetration Testers use a combination of the most effective automated tools and manual exploitation techniques to identify vulnerabilities within your API. Our extensive reports provide a thorough assessment of each vulnerability and provide business context alongside each finding.

This is supplemented by technical and non-technical descriptions including evidence of exploitation to assist in prompt remediation activities and provide a thorough understanding of each issue.

An API security assessment and report will allow your business to:

  • Receive assurance around the security posture of any API.
  • Make ongoing improvements to an API’s security via specialist support, advice and consultancy.
  • Comply with regulatory bodies that require API testing to be performed.
  • Gain access to a dedicated team of specialist CREST Registered penetration testers who use the latest tools and techniques to accurately assess and identify emerging threats.


1. What is the difference between an Application test and an API test?

An Application Test is focused on the front end of an application, testing the content and functionality which is presented to a user.

An API assessment will assess the content and functionality which is accessible beyond the standard application front end, revealing a range of vulnerabilities which may otherwise have gone unnoticed.

API security is a specific skill and requires a fully qualified consultant who understands the software architecture in order to provide a thorough assessment.

2. Why do I need an API Assessment?

APIs are traditionally accessible over the internet and are attacked by both automated tools and determined attackers on a daily basis. Whether it’s for compliance reasons or for peace of mind, all organisations require an API Penetration Test.

3. What APIs can I have tested?

A vast amount of experience throughout the testing team means we can test all web technologies. Each engagement requires a free technical scoping exercise with one of our testers, through which we gauge the size of the individual project in order to provide both a cost-effective and thorough assessment.

4. What will I receive after the test has been completed?

The deliverable from any API Test is a complete report, detailing and contextualising each identified vulnerability against your business and relaying the risks that each issue poses to your systems and services.

The report provides a complete description of what each identified issue is, specific remediation advice on how to address the issue, and detailed evidence wherever necessary to verify the issue’s impact.