v0.1.0 — Pre-release

API security from your terminal

Run one command. Ship secure APIs. OWASP Top 10. CI/CD-native. $19/month.

bash
$ xa-v scan ./openapi.yaml

┌─ Scanning API...
✓ API discovered (47 endpoints)
🔍 Running OWASP Top 10 checks
────────────────────────────────
✗ BOLA — GET /users/:id
Missing authorization
! Rate limit — POST /checkout
No rate limiting configured
────────────────────────────────
✓ 3 vulnerabilities found. 0 false positives.
└────────────────────────────────

$

Trusted by engineers building

SaaS APIsFintech APIsE-commerce APIsHealth APIsDev Tools

[PROBLEM]

Security shouldn't need a dedicated tool

API security tools are enterprise software wearing developer costumes. They need config, training, and a budget line item.

Burp Suite costs $449/year and needs hours of setup. Enterprise scanners quote $20K+/year. Most small teams ship blind.

[SOLUTION]

One command. Ship secure.

xa-v is a CLI command. Install it. Point it at your API. It finds real vulnerabilities and shuts up about everything else.

Zero false positives. CI/CD-native. No config files needed. Just npm install -g xa-v.

[HOW IT WORKS]

Three commands. Ship secure.

01
$ npm install -g xa-v

Install

One command. No dependencies. Works on macOS, Linux, and CI runners.

02
$ xa-v scan ./openapi.yaml

Scan

Point it at your OpenAPI spec or running API. Auto-discovers 47+ endpoint types.

03
$ git push

Ship

CI scan passes or it doesn't merge. Real vulnerabilities only. Zero noise.

[FEATURES]

Everything you need. Nothing you don't.

CLI-native

It's a command. That's the whole point. No GUI, no config files.

🔍

Auto-discovery

Maps your API surface from traffic or OpenAPI spec automatically.

🛡️

OWASP Top 10

Tests all 10 API risk categories. BOLA, auth, injection, and more.

🧠

AI-powered

Real findings only. Zero noise. We exploit-validate every detection.

⚙️

CI/CD-native

Fails builds on real vulnerabilities. GitHub Actions, GitLab CI, CircleCI.

📊

Dashboard

Real-time security posture across all your APIs in one place.

🔗

Webhook alerts

Slack, Discord, email — get notified when something matters.

📝

Audit trail

Compliance evidence for SOC 2, ISO 27001, and customer audits.

🚀

GraphQL ready

Parse GraphQL schemas and test for depth attacks, auth bypasses, and more.

[COMPARISON]

The math is simple.

xa-vBurp SuiteEnterpriseNothing
Setup time5 minutesHoursDays
Price$19/mo$449/yr$20K+/yr$0
False positivesZeroManyManagedInfinite
CI/CD integrationBuilt-inManualCustomN/A
OWASP Top 10FullPartialFullNone
CLI-nativeYesNoNo

[PRICING]

Simple pricing. No surprises.

Dev

$19/month

For solo devs and side projects

1 user
50 endpoints
1,000 scans/month
Basic reports
Email support
CLI + Dashboard
Join waitlist →
★ Most popular

Team

$99/month

For small engineering teams that ship fast

5 users
200 endpoints
5,000 scans/month
Advanced reports
Slack support
Team dashboard
CI/CD integrations
Join waitlist →

Growth

$299/month

For growing teams with multiple APIs

Unlimited users
Unlimited endpoints
25,000 scans/month
Custom reports
Priority + Slack support
SSO + RBAC
Custom integrations
Audit trail
Contact Sales

Free tier: 10 endpoints, 100 scans/month, forever.

[TESTIMONIALS]

Used by teams that ship.

We caught a BOLA vulnerability in production within 5 minutes of running xa-v. That alone paid for a year of subscription.

@alexchen

Founder, PayConnect (Fintech SaaS)

Finally, an API security tool that doesn't scream at us. Zero false positives in 3 months of daily use — our CI has never been this quiet.

@maya.r

Lead Engineer, StockSphere

Set it up in CI in 10 minutes. Now every PR gets scanned automatically. Security reviews went from 2 days to 5 minutes. Game changer.

@rajdev

DevOps Lead, ShopGrid

[EARLY ACCESS]

Get early access

xa-v is in private beta. Join the waitlist — early adopters get extended free tier and priority support.

No spam. Unsubscribe anytime. Early adopters get lifetime 50% discount.

[FAQ]

Questions? We've got answers.

It's a CLI command for API security. Install it, run it, ship secure. Think 'curl for security testing' — but it writes reports, not requests.

[GET STARTED]

xa-v /eks-ā-ˈvē/

One command. Ship secure.

Private beta · macOS · Linux · CI runners · No dependencies