Find exploitable API bugs before release.
Upload an OpenAPI spec and get a security report in 10-20 minutes: impact, proof, affected request, and remediation notes your developers can act on.
First 100 users get 3 months of Developer plan free. No credit card required.
GET /api/users/{id}/invoices: object ID swap exposes another user's invoice
PATCH /api/org/members/{id}: role field accepts admin assignment from a member token
POST /api/auth/reset: no rate limit on password reset token generation
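The PATCH /api/org/members/{id} finding above is a mass-assignment bug: the handler binds the whole request body onto the member record, so a member token can send `{"role": "admin"}` and the server writes it. The block below is an added illustration, not Redmai's code or output: a vulnerable handler beside a hardened one that allowlists writable fields per caller and validates the privileged field. The member records, the bearer-token table, and the exception names are constructed for the example.

```python
import copy

# Constructed sample data (not from the page): an org with two members.
_SEED_MEMBERS = {
    "m_1": {"id": "m_1", "name": "Dana", "role": "member"},
    "m_2": {"id": "m_2", "name": "Eli", "role": "member"},
}
# Hypothetical session store: bearer token -> (member id, role).
TOKENS = {"tok_member": ("m_1", "member"), "tok_admin": ("m_9", "admin")}

SELF_EDITABLE = {"name"}   # a member may change these on their own record
ADMIN_ONLY = {"role"}      # only an admin may set these, on any record
VALID_ROLES = {"member", "admin"}


class Unauthorized(Exception):
    """No valid token: 401."""


class Forbidden(Exception):
    """Caller may not write one of the submitted fields: 403."""


class BadRequest(Exception):
    """Field value fails validation: 400."""


def new_store():
    """Fresh copy of the member table so each call starts from the seed data."""
    return copy.deepcopy(_SEED_MEMBERS)


def authenticate(token):
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized("invalid bearer token") from None


def patch_member_vulnerable(store, token, member_id, body):
    """The finding: the token is checked, then every JSON field in the body is
    copied onto the record, including 'role'."""
    authenticate(token)
    record = store[member_id]
    record.update(body)
    return record


def patch_member_fixed(store, token, member_id, body):
    """Allowlist per caller: decide which fields this caller may write to this
    record, reject anything outside that set before touching the record, and
    validate the privileged field's value."""
    caller_id, caller_role = authenticate(token)
    record = store[member_id]
    if caller_role == "admin":
        allowed = SELF_EDITABLE | ADMIN_ONLY
    elif caller_id == member_id:
        allowed = SELF_EDITABLE
    else:
        allowed = set()  # a member has no write access to other members
    rejected = set(body) - allowed
    if rejected:
        raise Forbidden(f"fields not writable by caller: {sorted(rejected)}")
    if "role" in body and body["role"] not in VALID_ROLES:
        raise BadRequest(f"unknown role {body['role']!r}")
    record.update(body)
    return record


if __name__ == "__main__":
    store = new_store()
    print("vulnerable:", patch_member_vulnerable(store, "tok_member", "m_1",
                                                {"name": "D", "role": "admin"}))
    store = new_store()
    try:
        patch_member_fixed(store, "tok_member", "m_1", {"role": "admin"})
    except Forbidden as exc:
        print("fixed:", exc)
```

Rejecting unknown fields (rather than silently dropping them) is the choice that also catches fields the schema does not document yet, which is where the next mass-assignment finding usually comes from.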
A finding developers can fix
Redmai is not a vulnerability list. Each result shows the affected endpoint, a reproducible proof, the impact, and a concrete remediation path.
Endpoint: GET /api/users/{id}/invoices
Proof: User token A can retrieve invoice data owned by user B by changing the path parameter.
Impact: Cross-account billing data exposure. Affected objects include invoice IDs, customer emails, and payment status.
Remediation: Enforce ownership checks after object lookup and add regression tests for mixed-user invoice access.
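What that remediation looks like in a handler, as an added example that is not Redmai's code or report output: the vulnerable invoice lookup beside the hardened one, a single-invoice variant that checks ownership after the object lookup, and the mixed-user regression test the note asks for. The users, tokens and invoice records are constructed sample data, and the exception names are assumptions for the example. The hardened handlers answer a foreign object with the same not-found result as a missing one, so the response does not confirm that another user's object exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str
    customer_email: str
    status: str


# Constructed sample data (not from the page): two users, one invoice each.
INVOICES = {
    "inv_1001": Invoice("inv_1001", "user_a", "a@example.com", "paid"),
    "inv_2001": Invoice("inv_2001", "user_b", "b@example.com", "open"),
}
# Hypothetical session store: bearer token -> authenticated user id.
TOKENS = {"tok_a": "user_a", "tok_b": "user_b"}


class Unauthorized(Exception):
    """No valid token: 401."""


class NotFound(Exception):
    """Object missing or not owned by the caller: 404 in both cases."""


def authenticate(token):
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized("invalid bearer token") from None


def get_user_invoices_vulnerable(token, user_id):
    """The finding: the token is validated, but the {id} path parameter is
    never compared with the token's subject, so user A can request user B."""
    authenticate(token)
    return [inv for inv in INVOICES.values() if inv.owner_id == user_id]


def get_user_invoices_fixed(token, user_id):
    """Ownership check: the path parameter must be the authenticated subject."""
    caller = authenticate(token)
    if user_id != caller:
        raise NotFound(user_id)
    return [inv for inv in INVOICES.values() if inv.owner_id == user_id]


def get_invoice_fixed(token, invoice_id):
    """Single-object variant: look the object up first, then check that the
    caller owns it (the 'after object lookup' check in the remediation note)."""
    caller = authenticate(token)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller:
        raise NotFound(invoice_id)
    return inv


def mixed_user_regression(handler):
    """Regression test for an invoice-list handler. True only if the handler
    serves the caller's own invoices and refuses a swapped user id."""
    own = handler("tok_a", "user_a")
    if len(own) != 1 or own[0].owner_id != "user_a":
        return False
    try:
        handler("tok_a", "user_b")  # A's token, B's id: must not return B's data
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable passes regression:",
          mixed_user_regression(get_user_invoices_vulnerable))
    print("fixed passes regression:",
          mixed_user_regression(get_user_invoices_fixed))
```

Run `mixed_user_regression` against every handler that takes an owner id from the path; it is the test that fails the moment someone refactors the check out again.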
Why teams skip API security
The problem is rarely intent. It is cost, time, and the gap between scanner output and a fixable issue.
Manual pentests do not fit every release
A proper engagement can cost thousands and usually happens after the product has already shipped.
Security tools assume expert operators
ZAP, Burp, and Nuclei are powerful, but teams still need someone who knows what to test and how to read the output.
Fix cycles need evidence, not vague risk
Developers need the endpoint, proof, impact, and remediation note in one place.
How it works
Three steps from schema to fixable security work.
Upload the spec
OpenAPI, Swagger, or a generated schema. Redmai builds the endpoint map and identifies auth boundaries.
Run attack scenarios
The scanner exercises BOLA, auth bypass, injection, mass assignment, rate limits, and data exposure paths.
Ship the fix
Each finding includes impact, proof, affected request, and a remediation note written for the owning developer.
What Redmai tests
Coverage follows the OWASP API Security Top 10 risk categories and focuses on exploitable paths.
Designed for sensitive API specs
Redmai avoids third-party LLM processing for customer specs. AI analysis runs on controlled infrastructure, with product-level retention and deployment policies to be finalized before general availability.
Pricing
Start with automated coverage. Upgrade when API security becomes a repeatable workflow.
Developer
For small teams shipping APIs weekly
- 5 API scans per month
- All 8 attack categories
- Severity-ranked findings
- Request proof and fix guidance
- No external LLM processing
Security
For teams that need repeatable coverage
- Unlimited API scans
- All Developer features
- Regression scans after fixes
- Executive summary
- Priority support
Agency
For security firms and consultancies
- Unlimited client workspaces
- White-label reports
- 5 team seats
- Client portal
- Dedicated support
Why not just use free tools?
| Tool | Price | Tradeoff |
|---|---|---|
| OWASP ZAP | Free | Powerful, but requires security expertise and manual triage |
| Burp Suite Pro | $499/yr | Excellent toolkit, but still operator-driven |
| 42Crunch | $499+/mo | Strong spec checks, less focused on live exploit proof |
| Manual pentest | $5k-20k | High signal, but slow and hard to run on every release |
| Redmai | $79/mo | Automated attack scenarios with proof and remediation |
Scan your first API
Create an account and join the early access cohort.
Free to join. No credit card required.