Escape is a modern DAST platform built specifically for APIs and single-page applications.
Its proprietary Business Logic Security Testing (BLST) engine detects vulnerabilities that traditional scanners miss, including broken object level authorization (BOLA), insecure direct object references (IDOR), and complex access control flaws.
What is Escape?
Escape reimagines dynamic application security testing for the API-first era.
While traditional DAST tools evolved from web crawlers designed for server-rendered HTML, Escape was built from the ground up to test GraphQL, REST, and gRPC APIs.
It understands API schemas and generates intelligent test cases that probe business logic, not just injection flaws.
The platform uses generative AI to construct requests that explore authorization boundaries.
Rather than blindly fuzzing endpoints, Escape reasons about what an API should prevent and crafts requests to verify those assumptions.
This approach catches the access control vulnerabilities that top OWASP’s API Security Top 10.
Founded in 2020 and backed by Y Combinator, Escape has grown rapidly by addressing a gap that legacy DAST vendors struggle to fill.
Key Features
Business Logic Security Testing (BLST)
Escape’s BLST engine goes beyond standard vulnerability signatures to test application business logic.
It identifies:
- Resources that should be isolated between users but are not
- Operations that should require elevated privileges but do not
- Data that should be filtered by ownership but is not
These tests require understanding the application context, which Escape builds from API schemas and observed behavior.
BOLA and IDOR Detection
Broken Object Level Authorization (BOLA) is the most critical API vulnerability according to OWASP.
Escape systematically tests for BOLA by:
- Creating resources as one user
- Attempting to access, modify, or delete them as another user
- Reporting authorization failures where access succeeds
This testing pattern catches IDOR vulnerabilities that manual testing often overlooks.
Native GraphQL Support
Unlike scanners that bolt GraphQL support onto HTTP-focused engines, Escape understands GraphQL natively:
- Introspects schemas to discover all queries and mutations
- Generates type-aware test payloads
- Tests nested resolver authorization
- Identifies batching attacks and query complexity issues
- Detects information disclosure through introspection
AI-Powered Request Generation
Escape uses generative AI to create realistic test payloads that are more likely to trigger edge cases.
The AI considers:
- Field types and constraints from the API schema
- Observed response patterns
- Common implementation mistakes
- Context from previous successful probes
Complex Authentication Handling
Modern APIs use OAuth, JWT, multi-factor flows, and custom authentication schemes.
Escape handles:
- OAuth 2.0 authorization code and client credentials flows
- JWT token refresh and rotation
- Multi-step authentication sequences
- Session management and cookie handling
- API key and bearer token authentication
How to Use Escape
Getting Started
Sign up for Escape and create your first project:
# Install the Escape CLI
npm install -g @escape.tech/cli
# Authenticate
escape auth login
# Create a project
escape project create --name "My API" --type graphql
Configuring API Discovery
Provide your API schema or let Escape discover it:
# escape.yaml configuration
project: my-api
target: https://api.example.com/graphql
discovery:
mode: schema # or 'crawl' for REST APIs
schema_url: https://api.example.com/graphql/schema.json
authentication:
type: oauth2
client_id: ${ESCAPE_CLIENT_ID}
client_secret: ${ESCAPE_CLIENT_SECRET}
token_url: https://auth.example.com/oauth/token
scopes:
- read
- write
users:
- name: admin
role: administrator
- name: user
role: standard
Running Scans
Execute a security scan against your API:
# Run a scan with the default configuration
escape scan run --config escape.yaml
# Run specific test categories
escape scan run --config escape.yaml --tests bola,injection,auth
# Watch scan progress
escape scan status --watch
CI/CD Integration
Add Escape to your deployment pipeline:
# GitHub Actions
name: API Security
on:
push:
branches: [main]
pull_request:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Deploy to staging
run: ./deploy-staging.sh
- name: Run Escape scan
uses: escape-technologies/action@v1
with:
api_key: ${{ secrets.ESCAPE_API_KEY }}
application_id: ${{ secrets.ESCAPE_APP_ID }}
fail_on: HIGH
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: escape-report
path: escape-report.json
GitLab CI integration:
escape-scan:
stage: test
image: node:18
script:
- npm install -g @escape.tech/cli
- escape auth login --api-key $ESCAPE_API_KEY
- escape scan run --application-id $ESCAPE_APP_ID --wait
- escape report download --format sarif --output gl-sast-report.json
artifacts:
reports:
sast: gl-sast-report.json
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
Integrations
Escape integrates with security and development tools:
# Export to Jira
escape integrations configure jira \
--url https://company.atlassian.net \
--project SECURITY
# Send to Slack
escape integrations configure slack \
--webhook-url $SLACK_WEBHOOK \
--channel #security-alerts
# Push to Datadog
escape integrations configure datadog \
--api-key $DATADOG_API_KEY
When to Use Escape
Escape is purpose-built for organizations developing APIs and single-page applications.
Its strength lies in detecting business logic vulnerabilities that traditional DAST tools cannot find.
Consider Escape when you need:
- BOLA/IDOR detection that goes beyond injection testing
- Native GraphQL security testing with schema awareness
- Business logic testing that probes authorization boundaries
- AI-powered request generation for better coverage
- Modern API authentication handling (OAuth, JWT)
- Fast CI/CD integration for API-first development
Escape is particularly valuable for teams building microservices architectures where each service exposes APIs that require individual security testing.
The platform’s focus on API-specific vulnerabilities fills gaps left by traditional web application scanners.
Organizations with primarily traditional web applications (server-rendered HTML) may find broader DAST tools more appropriate, though Escape can complement those tools for API endpoints.