Single Sign-On Support
GitHub, local signup, and integration with your enterprise SAML, OpenID, or OAuth provider.
LDAP and Active Directory Authentication Support
Enterprise customers can integrate Mayhem with their existing LDAP and AD deployments.
Users and Organizations
Mayhem allows anyone to create organizations and invite users to those organizations.
Team and Group Access Control and Authorization
Reflect your organization's access control model.
Managed SaaS
Fully managed SaaS so you are always up to date.
Private cloud installation
Deploy on your private AWS, GCP, or Azure cloud.
Closed network installation
Deploy on a completely isolated network.
Web UI
Share results with your organization and view results on any device with a web browser.
SARIF support
Mayhem creates a single SARIF report over all results. SARIF is a vendor-neutral reporting format for security tools, supported by GitHub CodeQL, Visual Studio, and others. The SARIF report can be created locally, so you can archive the report with your own artifact tools and infrastructure.
Noise cancellation and finding de-duplication
Detect when multiple inputs trigger the same defect to avoid noise.
Configuration as Code
Mayhem supports YAML configuration that can be checked in for full DevSecOps streamlining.
Documented API
Build new integrations against a fully documented API.
Webhooks
Tie in real-time notifications, such as with Slack, to your pipeline.
Native CLI
Mayhem's CLIs run on macOS, Linux, and Windows.
Docker CLI
Mayhem is available as a native binary and as a Docker image, so you can run it anywhere and with stronger isolation.
Full reproduction command and context
Mayhem gives you the exact command to reproduce findings on your own.
Regression Testing
Check code changes against previous findings automatically.
Link to code commit
Mayhem analysis can be linked to code commits, allowing you to easily navigate between defects over time.
CWE labeling
Mayhem labels each defect with a standard CWE number and label.
Predictive CVSS score
Mayhem uses a full regression analysis over CVSS scores from previously published CVEs to give you a predictive CVSS score and a stoplight (high/medium/low) summary.
OWASP Top 10
Best-in-class API security for finding, prioritizing, and filtering false positives for the OWASP API Top 10.
Accuracy
You can have confidence that reported bugs are real, that checking is as extensive as possible, and that you do not waste time on false positives, because every result comes with a POV (Proof of Vulnerability) that shows the issue and how to trigger it.
Intelligent API Stress Testing
Take the work out of exploring sequences of API operations. Let Mayhem test them for you.
Plugin support to check custom business logic
Check in your own way by writing custom plugins in Rust and Python.
API Authentication
Support for Basic Auth, Bearer Tokens, Cookie Authentication, and custom authentication methods.
REST API Security
Handle all REST verbs, and automatically find novel sequences of verbs to trigger previously unknown bugs.
gRPC Security
Mayhem supports your gRPC servers via a gRPC gateway.
Test Coverage Level (TCL)
Verify and validate that your API implementation meets your specification so that downstream consumers can program against it with confidence. Mayhem for API is the only tool of its kind to reach Test Coverage Level (TCL) 7.
Agentless Positive and Negative Verification
Check automatically that the API does what it's supposed to (positive testing) and that it doesn't do anything else (negative testing).
Endpoint P50/90/99 latency metrics
Measure your API performance to find bottlenecks that can cause customer churn. Mayhem measures P50, P90, and P99 response latency in your pipeline.
Incomplete response measurements
Find incomplete responses that trigger additional requests and slow down your servers.
Timeout measurements
Find out where your API can time out -- before customers navigate away.
OpenAPI Support
Check any valid OpenAPI specification, including the latest v3.1.
Built-in Postman Collections support
You can use your existing Postman collections within Mayhem out of the box.
Native HAR to OpenAPI conversion
Record your sessions in a HAR file and then test against them using Mayhem.
ZAP Built-in integration
The Mayhem API Docker image includes ZAP and can optionally run it and merge its findings into our report. In other words, Mayhem API is a superset of ZAP.
Stacktrace Parsing
See defects and the code stack trace responsible -- all in the UI.
Reproduce with curl
Reproduce results with a curl command you can run on your own.
Performance
5x faster than ZAP, StackHawk, and other alternatives, so your tests and pipelines run as fast as possible.
Robust OpenAPI Specification Parsing
Mayhem supports loose parsing of OpenAPI specifications so that small errors in your spec do not prevent Mayhem from running.
POVs
Zero false positives with a Proof of Vulnerability exploit that triggers the underlying issue.
Linux binaries
Support your containerized Linux apps.
Windows binaries
Check Windows (PE) files for both 32- and 64-bit architectures.
Performance
Find 2x more bugs than fuzzing alone with symbolic execution.
ARM/MIPS/PPC Support
Check your code running on native hardware -- all in the cloud.
Network input support
Check TCP and UDP applications without recompiling or harnessing.
Automotive vECU
Fuzz Vector vVirtualTargets directly, without extra steps.
Containerized Apps
Support your containerized apps today.
Exploit mitigation detection
Reports on exploit mitigations that make weaponization more difficult, such as ASLR, DEP, and stack canaries.
Increase test coverage automatically
Identify untested, risky code as part of automatic coverage measurements.
Coverage measurements w/o recompiling
Coverage reports in the vendor-neutral "lcov" format without recompilation. View results in your IDE or in Codecov.
Detect memory leaks & silent errors
Advanced triage detects memory leaks and unsafe memory operations that other fuzzers miss.
Test suite minimization
Identifies and removes redundant test cases from your test suite so your CI/CD pipeline completes faster (2.7x better than AFL).
Fuzz dictionary support
Provide hints via fuzz dictionaries.
Test suite perf measurements
Find slow code before it impacts your users.
AFL++ support
Like using AFL++, but having difficulty integrating it into your pipeline? Mayhem has you covered.
libFuzzer support
Like using libFuzzer, but having difficulty integrating it into your pipeline? Mayhem has you covered.
Honggfuzz support
Like using Honggfuzz, but having difficulty integrating it into your pipeline? Mayhem has you covered.
SARIF support
Integrate results with other code and posture management solutions using the vendor-neutral SARIF format.
Bug report deduplication
Automatic bug deduplication means you aren't staring at crashes, you're getting unique issues.
Reproduce command
Get the precise command to reproduce the defect on your own.
Heisenbug elimination
Eliminate heisenbugs and other non-reproducible issues from your reports.
Worker management
Scale up and down as your workload changes -- automatically and without hidden extra costs.
Test suite artifacts
Tests are stored as vendor-neutral flat files, avoiding any lock-in.
Reduce SBOM noise by 80% on average
Customers report an average of 80% reduction in SBOM noise using Mayhem's Dynamic SBOM service.
Smart filtering
Pinpoints which packages are actually in use at runtime.
Seamless integration
Works with your existing container stack and runtime.
Standards support
Compatible with CycloneDX and SPDX formats.
Broad coverage
Supports analysis of Docker containers and Kubernetes clusters.