API security from your terminal
Run one command. Ship secure APIs. OWASP Top 10. CI/CD-native. $19/month.
┌─ Scanning API...
│ ✓ API discovered (47 endpoints)
│ 🔍 Running OWASP Top 10 checks
│ ────────────────────────────────
│ ✗ BOLA — GET /users/:id
│ → Missing authorization
│ ! Rate limit — POST /checkout
│ → No rate limiting configured
│ ────────────────────────────────
│ ✓ 3 vulnerabilities found. 0 false positives.
└────────────────────────────────
$
Trusted by engineers building
[PROBLEM]
Security shouldn't need a dedicated tool
API security tools are enterprise software wearing developer costumes. They need config, training, and a budget line item.
Burp Suite costs $449/year and needs hours of setup. Enterprise scanners quote $20K+/year. Most small teams ship blind.
[SOLUTION]
One command. Ship secure.
xa-v is a CLI command. Install it. Point it at your API. It finds real vulnerabilities and shuts up about everything else.
Zero false positives. CI/CD-native. No config files needed. Just npm install -g xa-v.
[HOW IT WORKS]
Three commands. Ship secure.
Install
One command. No dependencies. Works on macOS, Linux, and CI runners.
Scan
Point it at your OpenAPI spec or running API. Auto-discovers 47+ endpoint types.
Ship
CI scan passes or it doesn't merge. Real vulnerabilities only. Zero noise.
[FEATURES]
Everything you need. Nothing you don't.
CLI-native
It's a command. That's the whole point. No GUI, no config files.
Auto-discovery
Maps your API surface from traffic or OpenAPI spec automatically.
OWASP Top 10
Tests all 10 API risk categories. BOLA, auth, injection, and more.
AI-powered
Real findings only. Zero noise. We exploit-validate every detection.
CI/CD-native
Fails builds on real vulnerabilities. GitHub Actions, GitLab CI, CircleCI.
Dashboard
Real-time security posture across all your APIs in one place.
Webhook alerts
Slack, Discord, email — get notified when something matters.
Audit trail
Compliance evidence for SOC 2, ISO 27001, and customer audits.
GraphQL ready
Parse GraphQL schemas and test for depth attacks, auth bypasses, and more.
[COMPARISON]
The math is simple.
| xa-v | Burp Suite | Enterprise | Nothing | |
|---|---|---|---|---|
| Setup time | 5 minutes | Hours | Days | — |
| Price | $19/mo | $449/yr | $20K+/yr | $0 |
| False positives | Zero | Many | Managed | Infinite |
| CI/CD integration | Built-in | Manual | Custom | N/A |
| OWASP Top 10 | Full | Partial | Full | None |
| CLI-native | Yes | No | No | — |
[PRICING]
Simple pricing. No surprises.
Dev
For solo devs and side projects
Team
For small engineering teams that ship fast
Growth
For growing teams with multiple APIs
Free tier: 10 endpoints, 100 scans/month, forever.
[TESTIMONIALS]
Used by teams that ship.
“We caught a BOLA vulnerability in production within 5 minutes of running xa-v. That alone paid for a year of subscription.”
@alexchen
Founder, PayConnect (Fintech SaaS)
“Finally, an API security tool that doesn't scream at us. Zero false positives in 3 months of daily use — our CI has never been this quiet.”
@maya.r
Lead Engineer, StockSphere
“Set it up in CI in 10 minutes. Now every PR gets scanned automatically. Security reviews went from 2 days to 5 minutes. Game changer.”
@rajdev
DevOps Lead, ShopGrid
[EARLY ACCESS]
Get early access
xa-v is in private beta. Join the waitlist — early adopters get extended free tier and priority support.
No spam. Unsubscribe anytime. Early adopters get lifetime 50% discount.
[FAQ]
Questions? We've got answers.
It's a CLI command for API security. Install it, run it, ship secure. Think 'curl for security testing' — but it writes reports, not requests.
[GET STARTED]
xa-v /eks-ā-ˈvē/
One command. Ship secure.
Private beta · macOS · Linux · CI runners · No dependencies