Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Our API scanner can test for dozens of vulnerability types like prompt injections and misconfigurations. We’re excited to share today that we’re releasing vulnerability tests for OAuth API authorization for organizations that use JWT tokens. These JWT, or JSON Web Tokens, are meant to prove that you have access to whatever it is you are accessing. One of the most critical JWT vulnerabilities is algorithm confusion.

Two months since I joined Detectify and I’ve realized something: API security is a completely different game from web application security. And honestly? I think a lot of teams don’t see this yet.

We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications effectively. This update covers our new Dynamic API Scanning feature, updates over the last few months, and the latest additions to our vulnerability testing capabilities.

What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is a billion billion – an immense number that highlights the limitations of traditional API security testing. Old methods like relying on signatures, vulnerability-specific payloads, or a fixed set of fuzzing inputs just aren’t enough anymore, especially when dealing with custom-built software and unique API endpoints.

Intruder is a cloud-based vulnerability scanner that provides an automated overview of an organization’s attack surface. Its primary function is to proactively identify weaknesses across internet-facing infrastructure and applications before they are exploited. The platform’s scanning engine runs a set of checks for both infrastructure-level misconfigurations and application-layer vulnerabilities, like those in the OWASP Top 10. It leverages open-source engines like ZAP to execute its checks.

Application environments are more complex than ever, with APIs forming the critical connective tissue. But this proliferation has created a vast, often invisible, attack surface. Security teams are caught in a difficult position: compliance frameworks like PCI and SOC 2 demand API scanning, but offer little guidance. Meanwhile, you’re grappling with incomplete API inventories, and the market is a confusing mix of expensive, hard-to-instrument niche tools.

Navigating the complex and ever-changing compliance landscape is difficult for many companies and organizations. With many regulations, selecting the appropriate security tooling that aligns with the compliance needs of your business becomes a significant challenge.

“You can’t secure what you don’t know exists.” It’s a common refrain in cybersecurity (and for good reason!). But the reality is a bit more complex: it’s not enough to just know that something exists. To effectively secure your assets, you need to understand what each of them is. Without proper classification, applying the right security processes or tools becomes a guessing game.

As 9 out of 10 valuable web apps are missing testing, we’re launching new capabilities to help teams know what else, beyond core applications, is likely to require in-depth testing. The new features automatically classify discovered web assets based on attacker reconnaissance techniques and deliver recommendations on where to run DAST, bridging the gap between broad and deep testing across the entire attack surface.

A series of vulnerabilities, known as IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974), have been identified in ingress-nginx, a widely used Kubernetes ingress controller. When exploited together, these vulnerabilities allow for configuration injection through the Validating Admission Controller.