Our Method

Every test mapped.
Every finding proven.

A defined framework. See exactly what Heist tests, how it validates, and why you can trust the results.

Heist

/api/v2/users          PASSED     ASVS 4.2.1 · Access control
/api/v2/users/{id}     CRITICAL   IDOR: horizontal privilege
/auth/login            PASSED     ASVS 2.1.1 · Authentication
/api/v2/billing        PASSED     ASVS 13.1.1 · API security
/settings/team         Testing... ASVS 4.3.1
/webhooks              PASSED     ASVS 5.1.1 · Input validation
/api/v2/exports        HIGH       ASVS 7.1.1 · Stack trace leak
/admin/users           PASSED     ASVS 4.2.2 · Admin controls

01. Map

Discover every surface

Heist crawls every route, API endpoint, and interactive element. It models users, roles, and workflows. Public and authenticated surfaces are mapped separately.

app.example.com

/dashboard          auth
/api/v2/users       api
/api/v2/billing     api
/auth/login         public
/settings/team      auth
/webhooks           api
/admin/users        admin
/api/v2/exports     api

38 endpoints discovered · 4 roles mapped · 3 auth flows

02. Test

350 requirements, applied systematically

Every test follows OWASP ASVS 5.0. All 17 categories are tested methodically.

Authentication
Session Mgmt
Access Control
Input Validation
Cryptography
Error Handling
Data Protection
Communication
Business Logic
API Security
Files & Resources
Configuration
Architecture
Malicious Code
WebSockets
Mobile
Business Objects

~350 requirements tested per run

03. Validate

No finding without proof

Each result includes steps-to-reproduce, evidence, and a severity classification. Exploits are validated without destructive actions.

IDOR on User Endpoint

Severity: Critical
ASVS 4.2.1: Access Control
Target: /api/v2/users/{id}/profile
Method: GET with modified user ID

GET /api/v2/users/4812/profile
Authorization: Bearer tok_user_3291

→ 200 OK: returned profile of user 4812 (authenticated as user 3291)

04. Fix

Act on findings directly

Findings arrive in Linear and Slack with severity, steps-to-reproduce, and the specific ASVS requirement violated.

Linear issue created: HEI-247 · IDOR on /api/v2/users/{id}/profile
Slack alert sent: #security-alerts · Critical finding with repro steps
Webhook fired: POST https://api.example.com/heist/events

05. Retest

Confirm the fix

Trigger a retest on any finding. Heist confirms the fix and updates the record. Every fix is timestamped and traceable.

Finding reported: IDOR on user endpoint (Day 0 · 09:12 UTC)
Fix deployed: added ownership check (Day 1 · 14:38 UTC)
Retest passed: confirmed resolved (Day 1 · 14:41 UTC)
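The finding from step 03 and the retest from step 05, as an added example in minimal Python (not Heist's code): a stand-in for the /api/v2/users/{id}/profile handler before and after the ownership check, plus a retest that replays the finding's request and reports whether the cross-user read is now refused. The token-to-user mapping, the second token, and the profile store are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the page): bearer token -> user id, and a profile store.
TOKENS = {"tok_user_3291": 3291, "tok_user_4812": 4812}
PROFILES = {
    3291: {"id": 3291, "email": "user3291@example.com"},
    4812: {"id": 4812, "email": "user4812@example.com"},
}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def authenticate(headers: dict) -> Optional[int]:
    """Resolve the caller's user id from the Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

def get_profile_before_fix(user_id: int, headers: dict) -> Response:
    """Pre-fix handler as the finding describes it: authentication is checked,
    but the path id is trusted, so any logged-in user can read any profile."""
    if authenticate(headers) is None:
        return Response(401)
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)

def get_profile_after_fix(user_id: int, headers: dict) -> Response:
    """Handler with the ownership check from the retest timeline: the caller
    must own the requested profile."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401)
    if caller != user_id:  # ownership check: blocks horizontal privilege escalation
        return Response(403)
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)

def retest_idor(handler) -> bool:
    """Replay the finding's request (user 3291 asks for profile 4812) against a
    handler; the finding counts as resolved only if the cross-user read is refused."""
    resp = handler(4812, {"Authorization": "Bearer tok_user_3291"})
    return resp.status in (403, 404) and resp.body is None
```

Running retest_idor against both handlers reproduces the Day 0 finding and the Day 1 confirmation.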

Gets smarter over time

Heist carries forward your app's structure, roles, and workflows between runs. When something changes, it focuses on what's new.

Audit-ready from day one

Every finding timestamped, reproducible, and mapped to ASVS requirements. Satisfies SOC 2 and ISO 27001.

Safe by design

Scope limits, guardrails, and a kill switch. Exploit validation without destructive actions.

Ship but verify.