Vortex — application & API security

Vortex is BestDefense’s application and API security scanner. Point it at a web app or an API you own, and it probes for vulnerabilities — missing security controls, injectable parameters, exposed data, and more — then ranks what it finds by severity so you know what to fix first.

Vortex offers three scan types, from broad automated reconnaissance to an AI-driven pen-tester that reasons its way through your application like an attacker would. Every finding comes with evidence and per-finding actions: fix it with AI, accept the risk, or hand it to Jira.

Scan types at a glance

Scan type	What it does	Availability
Analog	Broad dynamic (DAST) reconnaissance and scanning across your app or API	Every plan
AI pen-test	An agentic, ML-driven pen-tester that reasons, explores, and attempts exploitation in distinct phases	Growth and higher
API	Programmatic scanning focused on your API endpoints and contracts	Varies by plan

Each scan also has an intensity — Quick, Standard, Thorough, or Maximum. Quick is available on every plan; higher intensities generally require Growth or higher.

How a scan works

Go to Vortex → Run scan.
Choose your target site (or add one).
Choose a scan type — Analog, AI, or API.
Choose an intensity.
Optionally attach pre-configured test users so Vortex can scan behind authentication.
Launch. The report page shows live progress while the scan runs.

When the scan finishes you get a report you can explore, act on, and export.

Where to go next

Analog scans — broad DAST scanning, available on every plan.
AI pen-test scans — the agentic pen-tester and its four phases.
API security scans — scanning APIs specifically.
Reading a Vortex report — the overview, severity breakdown, and grouped findings.
Findings & accepting risk — working with individual findings.
AI remediation — turn a finding into a pull request.
Scheduling scans — run scans automatically on a cadence.

If you’re brand new, start with the Quickstart.