Services

We do not sell you a
dashboard and wish
you luck

Software finds and blocks most of it. People handle the rest — the pen test, the 3 a.m. alert, the audit evidence, the post-incident timeline. Both are included, and both are ours.

DISCOVERY

API discovery and inventory

We rebuild your true API surface from live traffic rather than from a spec file that went stale eighteen months ago. Undocumented, deprecated and internal endpoints all get pulled into the open.

Stops

Shadow APIs, zombie endpoints, undocumented admin routes

RUNTIME

Runtime threat protection

Inline inspection of every request and response. Schema enforcement, injection filtering, token validation and adaptive rate limits, applied before traffic reaches your origin.

Stops

Injection, mass assignment, parameter tampering, floods

TESTING

Penetration testing and audit

Our team attacks your APIs the way a motivated adversary would, then hands you a report with reproducible steps, severity, and the fix — not a scanner dump.

Stops

Broken object-level authorisation, chained logic flaws

COMPLIANCE

Compliance readiness

Evidence collection, control mapping and audit trails for SOC 2, PCI-DSS, GDPR and HIPAA. You get the artefacts your auditor asks for, generated continuously.

Stops

Failed audits, manual evidence gathering

SOC

Managed detection, 24/7

Analysts watching your API traffic around the clock. When something crosses the line at 03:00 on a Sunday, a human has already looked at it before you wake up.

Stops

Alerts nobody triaged, weekend breaches

RESPONSE

Incident response and forensics

Full request replay, blast-radius analysis and a written timeline of what the attacker touched. Contain first, then know exactly what happened.

Stops

Unanswerable breach questions, silent data loss

Coverage

The OWASP API Top 10,
one by one

Every vendor claims the list. Here is the specific mechanism behind each claim. Open any row.

API1 Broken object-level authorisation

The attack

A valid user swaps an ID in the path and reads a record that is not theirs.

Our answer

Talon learns which objects each subject normally touches and strikes the request when a caller reaches outside its own set.

API2 Broken authentication

The attack

Weak tokens, missing expiry, endpoints that forgot to check at all.

Our answer

Sentinel validates signature, issuer, audience and expiry on every call, and refuses any route with no auth rule attached.

API3 Excessive data exposure

The attack

The endpoint returns the whole user object; the client renders three fields.

Our answer

Radar flags responses carrying PII the caller never needed. Sentinel strips or blocks them at the edge.

API4 Unrestricted resource consumption

The attack

One caller requests a million records and takes the database down with it.

Our answer

Adaptive budgets per identity, not per IP. Cost-weighted limits on expensive queries.

API5 Broken function-level authorisation

The attack

A standard user calls an admin route that never checked their role.

Our answer

Route-level role policy, enforced inline. Any undeclared privileged route is quarantined the moment Radar sees it.

API6 Business-logic abuse

The attack

Negative amounts, replayed coupons, quantities of minus one. Valid JSON, invalid intent.

Our answer

Behavioural rules on your own semantics — value ranges, state transitions, sequence — not just schema shape.

API7 Server-side request forgery

The attack

Your API fetches a URL the attacker supplied, from inside your network.

Our answer

Outbound destination allowlists and blocking of internal address ranges in user-supplied URLs.

API8 Security misconfiguration

The attack

Debug routes in production, permissive CORS, verbose stack traces.

Our answer

Continuous configuration drift checks with alerts the moment a non-production setting reaches a production gateway.

API9 Improper inventory management

The attack

Version 1 is still live, unpatched, and nobody remembers who owns it.

Our answer

Radar tracks every live version, its traffic, and its last deploy. Zombie versions get flagged for retirement.

API10 Unsafe third-party consumption

The attack

You trust the API you call as much as your own. It gets compromised.

Our answer

Outbound response validation and anomaly scoring on the third-party APIs your services depend on.

Evidence

Audit-ready by default

Controls mapped, evidence collected continuously, logs tamper-evident. Your auditor asks; the console answers.

SOC 2 Type II

PCI-DSS 4.0

GDPR

HIPAA

Ready when you are

Find out what is already flying through your APIs

A 30-minute session. We put Radar on a week of your traffic in dry-run and show you the endpoints you did not know you had.