API security scans
An API scan focuses Vortex on your API specifically — its endpoints, parameters, and contracts — rather than the browser-facing surfaces of a web app. Use it when the thing you’re securing is a service or backend API rather than a rendered front end.
When to use it
- Your target is a REST or HTTP API rather than a browser-rendered web app.
- You want scanning concentrated on endpoint behavior, parameters, and data handling.
- You’re testing a service that backs a mobile app, single-page app, or another system.
How it differs from an Analog scan
An Analog scan crawls and probes an application broadly, including the surfaces a browser would reach. An API scan is tuned for programmatic interfaces: it concentrates on the endpoints and the data they accept and return, rather than on page crawling and front-end behavior.
In practice:
- Choose API when the target is an API.
- Choose Analog when the target is a web application.
- For an attacker-style, reasoning-driven assessment of either, use an AI pen-test.
Run an API scan
- Go to Vortex → Run scan.
- Choose your target site — register it as an API target if it isn’t already.
- Set the scan type to API.
- Choose an intensity — Quick is available on every plan; higher intensities generally require Growth or higher.
- Optionally choose which endpoints to test. If you’ve configured routes for the API, you can scan all of them or narrow to specific endpoints; a targeted scan tests only the routes you select.
- Optionally attach test users so the scanner can authenticate against protected endpoints.
- Launch. The report page shows live progress.
Reading the results
An API report follows the same shape as an Analog report: an overview tile, a severity breakdown, and a grouped findings list you can drill into. See Reading a Vortex report for the full tour, and Findings & accepting risk for the per-finding actions.