Early access for API teams

Find exploitable API bugs before release.

Upload an OpenAPI spec and get a security report in 10-20 minutes: impact, proof, affected request, and remediation notes your developers can act on.

Your API spec never leaves your region by default. AI runs on our own infrastructure, not OpenAI or other clouds.

First 100 users get 3 months of Developer plan free. No credit card required.

Scan report: checkout-api.yaml (3 urgent)

Critical: GET /api/users/{id}/invoices
Object ID swap exposes another user's invoice

High: PATCH /api/org/members/{id}
Role field accepts admin assignment from member token

Medium: POST /api/auth/reset
No rate limit on password reset token generation

42 endpoints, 8 categories, 14m runtime

10-20m typical scan runtime
8 attack categories covered
0 external LLM processing
$79 entry plan for teams

A finding developers can fix

Redmai is not a vulnerability list. Each result shows the affected endpoint, a reproducible proof, the impact, and a concrete remediation path.

Critical: GET /api/users/{id}/invoices
Proof

User token A can retrieve invoice data owned by user B by changing the path parameter.

Impact

Cross-account billing data exposure. Affected objects include invoice IDs, customer emails, and payment status.

Fix

Enforce ownership checks after object lookup and add regression tests for mixed-user invoice access.
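One way to model this finding and its fix, as an added example that is not Redmai's code or the scanned API's: an in-memory stand-in for GET /api/users/{id}/invoices in its vulnerable form and with the ownership check applied after the object lookup, plus the mixed-user regression check the fix note calls for. The invoice records, tokens and user IDs are constructed.

```python
# Added example: vulnerable vs fixed handler for GET /api/users/{id}/invoices.
# Constructed invoice store: each record carries its owner.
INVOICES = [
    {"invoice_id": "inv-1001", "owner": "user-A", "email": "a@example.com", "status": "paid"},
    {"invoice_id": "inv-2002", "owner": "user-B", "email": "b@example.com", "status": "open"},
]
# Constructed bearer tokens mapped to the authenticated principal.
TOKENS = {"tok-A": "user-A", "tok-B": "user-B"}


def authenticate(token):
    """Return the principal for a token, or None if the token is unknown."""
    return TOKENS.get(token)


def lookup_invoices(path_user_id):
    """Object lookup keyed only by the path parameter (what both handlers start with)."""
    return [inv for inv in INVOICES if inv["owner"] == path_user_id]


def list_invoices_vulnerable(token, path_user_id):
    """BOLA: any authenticated caller can read any user's invoices by changing {id}."""
    if authenticate(token) is None:
        return 401, {"error": "unauthenticated"}
    invoices = lookup_invoices(path_user_id)
    if not invoices:
        return 404, {"error": "not found"}
    return 200, invoices


def list_invoices_fixed(token, path_user_id):
    """Same lookup, then an ownership check on every fetched object before returning it."""
    caller = authenticate(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    invoices = lookup_invoices(path_user_id)
    # Answer 404 for both "no such user" and "not your objects" so the endpoint
    # does not confirm which user IDs exist (a design choice, not a Redmai requirement).
    if not invoices or any(inv["owner"] != caller for inv in invoices):
        return 404, {"error": "not found"}
    return 200, invoices


def mixed_user_regression(handler):
    """Regression test from the fix note: token A reads its own invoices, never user B's."""
    own_status, _ = handler("tok-A", "user-A")
    cross_status, _ = handler("tok-A", "user-B")
    return own_status == 200 and cross_status in (403, 404)
```

Running mixed_user_regression against both handlers shows the vulnerable one failing and the fixed one passing, which is the check worth keeping in the API's test suite.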

Why teams skip API security

The problem is rarely intent. It is cost, time, and the gap between scanner output and a fixable issue.

Cost: Manual pentests do not fit every release
A proper engagement can cost thousands and usually happens after the product has already shipped.

Skill: Security tools assume expert operators
ZAP, Burp, and Nuclei are powerful, but teams still need someone who knows what to test and how to read it.

Speed: Fix cycles need evidence, not vague risk
Developers need the endpoint, proof, impact, and remediation note in one place.

How it works

Three steps from schema to fixable security work.

01 Upload the spec
OpenAPI, Swagger, or a generated schema. Redmai builds the endpoint map and identifies auth boundaries.

02 Run attack scenarios
The scanner exercises BOLA, auth bypass, injection, mass assignment, rate limits, and data exposure paths.

03 Ship the fix
Each finding includes impact, proof, affected request, and a remediation note written for the owning developer.

What Redmai tests

Coverage follows the OWASP API risk model and focuses on exploitable paths.

Broken Object Level Auth: IDOR checks across user, org, and project boundaries
Authentication Bypass: Missing auth, weak JWT handling, role escalation
Mass Assignment: Privileged request fields accepted by the API
Injection: SQL, NoSQL, SSTI, command injection, path traversal
Rate Limiting: Brute force, enumeration, and abuse controls
Sensitive Data Exposure: Tokens, keys, PII, and debug data in responses
SSRF: Server-side request forgery entry points
Broken Function Level Auth: Admin or internal endpoints reachable by low-privilege users

Built for compliance-sensitive teams

Most API scanners send your spec and findings to OpenAI or a third-party cloud. By default, Redmai runs AI analysis on our own infrastructure — your spec and findings never leave your region. Enterprise teams can optionally enable frontier models with explicit data-processing consent.

On-prem by default: AI runs on our own infrastructure. Frontier models optional for Enterprise.
Request-level evidence: Every finding includes the exact request that triggered it.
Fix-oriented reports: Each result maps directly to a developer action.

Pricing

Start with automated coverage. Upgrade when API security becomes a repeatable workflow.

Developer

For small teams shipping APIs weekly

$79/mo
  • 5 API scans per month
  • All 8 attack categories
  • Severity-ranked findings
  • Request proof and fix guidance
  • No external LLM processing
Most popular

Security

For teams that need repeatable coverage

$299/mo
  • Unlimited API scans
  • All Developer features
  • Regression scans after fixes
  • Executive summary
  • Priority support

Agency

For security firms and consultancies

$2,500/mo
  • Unlimited client workspaces
  • White-label reports
  • 5 team seats
  • Client portal
  • Dedicated support

Scan your first API

Create an account and join the early access cohort.

Free to join. No credit card required.