Our Method

Every test mapped.
Every finding proven.

A defined framework, not a black box. See exactly what Heist tests, how it validates, and why you can trust the results.

Heist · results panel
/api/v2/users        PASSED    ASVS 4.2.1 · Access control
/api/v2/users/{id}   CRITICAL  IDOR — horizontal privilege
/auth/login          PASSED    ASVS 2.1.1 · Authentication
/api/v2/billing      PASSED    ASVS 13.1.1 · API security
/settings/team       TESTING   ASVS 4.3.1
/webhooks            PASSED    ASVS 5.1.1 · Input validation
/api/v2/exports      HIGH      ASVS 7.1.1 · Stack trace leak
/admin/users         PASSED    ASVS 4.2.2 · Admin controls
01 — Map

Discover every surface

Heist crawls every route, API endpoint, and interactive element. It models users, roles, and workflows — public and authenticated surfaces mapped separately. Nothing assumed.

app.example.com
/dashboard         auth
/api/v2/users      api
/api/v2/billing    api
/auth/login        public
/settings/team     auth
/webhooks          api
/admin/users       admin
/api/v2/exports    api
38 endpoints discovered · 4 roles mapped · 3 auth flows
02 — Test

350 requirements, applied systematically

Every test follows OWASP ASVS 5.0 — the industry's most comprehensive framework. 17 categories, tested methodically. Not random. Not partial.

Authentication
Session Mgmt
Access Control
Input Validation
Cryptography
Error Handling
Data Protection
Communication
Business Logic
API Security
Files & Resources
Configuration
Architecture
Malicious Code
WebSockets
Mobile
Business Objects
~350 requirements tested per scan
03 — Validate

No finding without proof

Each result includes reproduction steps, evidence, and a severity classification. Exploits are validated without destructive actions. What you see is what's real.

IDOR on User Endpoint

Severity: Critical
ASVS 4.2.1 — Access Control
Target: /api/v2/users/{id}/profile
Method: GET with modified user ID

GET /api/v2/users/4812/profile
Authorization: Bearer tok_user_3291

→ 200 OK — returned profile of user 4812
  // Authenticated as user 3291
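The finding card above and the "added ownership check" fix in the retest timeline, as an added example that is not Heist's code: a minimal handler for /api/v2/users/{id}/profile in its vulnerable form, the same handler with the ownership check, and a retest that replays the reproduction request (user 3291 asking for user 4812's profile). The session store, profiles and admin token are constructed to match the page's example.

```python
import re

# Constructed session store: bearer token -> (user id, role); the admin token is assumed.
SESSIONS = {
    "tok_user_3291": (3291, "user"),
    "tok_user_4812": (4812, "user"),
    "tok_admin_7": (7, "admin"),
}
PROFILES = {3291: {"name": "user 3291"}, 4812: {"name": "user 4812"}, 7: {"name": "admin"}}
ROUTE = re.compile(r"^/api/v2/users/(\d+)/profile$")


def authenticate(headers):
    """Resolve the Authorization header to (user_id, role), or None if unauthenticated."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_profile_vulnerable(path, headers):
    """Before the fix: authenticates the caller, then trusts the id in the URL (ASVS 4.2.1 failure)."""
    principal = authenticate(headers)
    if principal is None:
        return 401, None
    m = ROUTE.match(path)
    if m is None:
        return 404, None
    target = int(m.group(1))
    return (200, PROFILES[target]) if target in PROFILES else (404, None)


def get_profile_fixed(path, headers):
    """After the fix: the caller must own the requested profile or hold the admin role."""
    principal = authenticate(headers)
    if principal is None:
        return 401, None
    m = ROUTE.match(path)
    if m is None:
        return 404, None
    user_id, role = principal
    target = int(m.group(1))
    if target != user_id and role != "admin":
        return 403, None  # ownership check: horizontal access denied before any lookup
    return (200, PROFILES[target]) if target in PROFILES else (404, None)


def retest(handler):
    """Replay the reproduction request from the finding; PASSED only if it is now refused."""
    status, _ = handler("/api/v2/users/4812/profile", {"Authorization": "Bearer tok_user_3291"})
    return "PASSED" if status == 403 else "CRITICAL"
```

Running retest(get_profile_vulnerable) yields CRITICAL and retest(get_profile_fixed) yields PASSED, which is the before/after pair the retest step records.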
04 — Fix

Act on findings directly

Findings arrive in Linear and Slack with severity, reproduction steps, and the specific ASVS requirement violated. No PDF handoffs. No triage meetings.

Linear issue created: HEI-247 · IDOR on /api/v2/users/{id}/profile
Slack alert sent: #security-alerts · Critical finding with repro steps
Webhook fired: POST https://api.example.com/heist/events
05 — Retest

Confirm the fix

Trigger a retest on any finding. Heist confirms the fix and updates the record. Every fix is timestamped and traceable.

Mar 14, 2026 · 09:12 UTC   Finding reported — IDOR on user endpoint
Mar 15, 2026 · 14:38 UTC   Fix deployed — added ownership check
Mar 15, 2026 · 14:41 UTC   Retest passed — confirmed resolved

Gets smarter over time

Heist carries forward your app's structure, roles, and workflows between scans. When something changes, it focuses on what's new.

Audit-ready from day one

Every finding timestamped, reproducible, and mapped to ASVS requirements. Satisfies SOC 2 and ISO 27001.

Safe by design

Scope limits, guardrails, and a kill switch. Exploit validation without destructive actions.

Ship but verify.