Probely is a dynamic application security testing (DAST) platform built for modern development workflows.

The Portugal-based company focuses on API security testing, CI/CD integration, and reducing false positives, making it accessible for both security teams and developers who need actionable results without expert interpretation.

What is Probely?

Probely performs automated security testing of web applications and APIs by simulating real attacks against running applications.

Unlike static analysis tools that examine source code, Probely tests applications the same way an attacker would: by sending carefully crafted requests and analyzing responses to identify vulnerabilities.

The platform emphasizes developer experience, providing findings with clear remediation guidance that developers can act on without deep security expertise.

Integration with development tools means security testing happens automatically as part of existing workflows rather than as a separate, disconnected process.

Probely supports both external targets accessible over the internet and internal applications behind firewalls through its agent-based scanning capability.

This flexibility allows organizations to test applications throughout the development lifecycle regardless of where they are hosted.

Key Features

API Security Testing

Probely offers dedicated scanning capabilities for APIs, supporting both REST and GraphQL endpoints.

The scanner can import API definitions from OpenAPI (Swagger) specifications, Postman collections, or HAR files to understand the API structure and test all documented endpoints.

For GraphQL APIs, Probely performs introspection to discover the schema and generates tests based on the available queries, mutations, and types.

This automated discovery ensures comprehensive coverage even as APIs evolve.

API testing includes:

Authentication testing (OAuth, API keys, JWT)
Authorization bypass detection
Input validation testing across all parameters
Rate limiting and denial of service checks
Sensitive data exposure detection

Agent-Based Internal Scanning

For applications that are not exposed to the internet, Probely provides a lightweight agent that runs within your infrastructure.

The agent establishes an outbound connection to Probely’s cloud platform, allowing scans to target internal applications without opening inbound firewall ports.

This approach is particularly valuable for:

Staging environments that mirror production
Development environments for early testing
Internal applications and services
Applications running in private cloud environments

Low False Positive Technology

False positives waste developer time and erode trust in security tools.

Probely employs multiple techniques to minimize false positives:

Evidence-based verification: Findings include proof of exploitation where possible
Contextual analysis: Understanding application behavior to distinguish real issues from false alarms
Machine learning models: Trained on millions of scan results to improve accuracy
Active verification: Re-testing findings to confirm exploitability

Compliance Reporting

Probely generates reports aligned with compliance frameworks including PCI DSS, OWASP Top 10, and ISO 27001.

These reports help demonstrate security posture to auditors, customers, and stakeholders without manual mapping of findings to compliance requirements.

How to Use Probely

Getting Started

Probely is a cloud-based platform requiring no installation.

After creating an account, you add targets by specifying URLs for web applications or uploading API specifications.

# Example target configuration via API
POST /targets
{
  "name": "Production API",
  "site": {
    "url": "https://api.example.com",
    "api_schema_url": "https://api.example.com/openapi.json"
  },
  "scan_profile": "normal"
}

Scan Profiles

Probely offers configurable scan profiles to balance thoroughness and speed:

Lightning: Quick checks for critical vulnerabilities (5-10 minutes)
Normal: Comprehensive scan suitable for most applications
Safe: Avoids tests that might modify data or cause service disruption
Full: Maximum coverage including slower, more intrusive tests

API Usage

# Trigger a scan via API
curl -X POST "https://api.probely.com/targets/{target_id}/scan/" \
  -H "Authorization: JWT ${PROBELY_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"scan_profile": "normal"}'

# Check scan status
curl "https://api.probely.com/targets/{target_id}/scans/{scan_id}/" \
  -H "Authorization: JWT ${PROBELY_TOKEN}"

# List findings
curl "https://api.probely.com/targets/{target_id}/findings/" \
  -H "Authorization: JWT ${PROBELY_TOKEN}"

Integration

GitHub Actions

name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  probely-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Deploy to staging
        run: |
          # Your deployment steps here
          echo "Deploying to staging..."

      - name: Run Probely Scan
        uses: probely/probely-github-action@v1
        with:
          target-id: ${{ secrets.PROBELY_TARGET_ID }}
          api-key: ${{ secrets.PROBELY_API_KEY }}
          scan-profile: normal
          fail-on-finding-severity: high

      - name: Wait for scan completion
        run: |
          # The action waits for completion by default
          echo "Scan completed"

GitLab CI

stages:
  - deploy
  - security

variables:
  PROBELY_TARGET_ID: $PROBELY_TARGET_ID
  PROBELY_API_KEY: $PROBELY_API_KEY

deploy-staging:
  stage: deploy
  script:
    - echo "Deploying to staging environment"
    # Deployment commands here

probely-scan:
  stage: security
  image: curlimages/curl:latest
  needs: [deploy-staging]
  script:
    - |
      # Start scan
      SCAN_RESPONSE=$(curl -s -X POST \
        "https://api.probely.com/targets/${PROBELY_TARGET_ID}/scan/" \
        -H "Authorization: JWT ${PROBELY_API_KEY}" \
        -H "Content-Type: application/json" \
        -d '{"scan_profile": "normal"}')

      SCAN_ID=$(echo $SCAN_RESPONSE | jq -r '.id')
      echo "Started scan: $SCAN_ID"

      # Wait for completion
      while true; do
        STATUS=$(curl -s \
          "https://api.probely.com/targets/${PROBELY_TARGET_ID}/scans/${SCAN_ID}/" \
          -H "Authorization: JWT ${PROBELY_API_KEY}" \
          | jq -r '.status')

        if [ "$STATUS" = "completed" ]; then
          echo "Scan completed"
          break
        elif [ "$STATUS" = "failed" ]; then
          echo "Scan failed"
          exit 1
        fi

        sleep 30
      done

      # Check for high severity findings
      FINDINGS=$(curl -s \
        "https://api.probely.com/targets/${PROBELY_TARGET_ID}/findings/?severity=30" \
        -H "Authorization: JWT ${PROBELY_API_KEY}")

      HIGH_COUNT=$(echo $FINDINGS | jq '.count')
      if [ "$HIGH_COUNT" -gt 0 ]; then
        echo "Found $HIGH_COUNT high severity issues"
        exit 1
      fi
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

Jenkins Pipeline

pipeline {
    agent any

    environment {
        PROBELY_API_KEY = credentials('probely-api-key')
        PROBELY_TARGET_ID = credentials('probely-target-id')
    }

    stages {
        stage('Deploy') {
            steps {
                echo 'Deploying to staging...'
                // Deployment steps
            }
        }

        stage('Security Scan') {
            steps {
                script {
                    // Start scan
                    def scanResponse = httpRequest(
                        url: "https://api.probely.com/targets/${PROBELY_TARGET_ID}/scan/",
                        httpMode: 'POST',
                        customHeaders: [[name: 'Authorization', value: "JWT ${PROBELY_API_KEY}"]],
                        contentType: 'APPLICATION_JSON',
                        requestBody: '{"scan_profile": "normal"}'
                    )

                    def scan = readJSON(text: scanResponse.content)
                    def scanId = scan.id

                    // Wait for completion
                    def status = 'started'
                    while (status != 'completed' && status != 'failed') {
                        sleep(time: 30, unit: 'SECONDS')

                        def statusResponse = httpRequest(
                            url: "https://api.probely.com/targets/${PROBELY_TARGET_ID}/scans/${scanId}/",
                            customHeaders: [[name: 'Authorization', value: "JWT ${PROBELY_API_KEY}"]]
                        )

                        def statusJson = readJSON(text: statusResponse.content)
                        status = statusJson.status
                    }

                    if (status == 'failed') {
                        error('Probely scan failed')
                    }
                }
            }
        }
    }
}

Jira Integration

Probely can automatically create Jira tickets for new findings:

{
  "integration_type": "jira",
  "config": {
    "server_url": "https://yourcompany.atlassian.net",
    "project_key": "SEC",
    "issue_type": "Bug",
    "priority_mapping": {
      "high": "High",
      "medium": "Medium",
      "low": "Low"
    }
  }
}

When to Use Probely

Probely is well-suited for:

Development teams integrating security into CI/CD who want automated scanning without workflow disruption
Organizations with significant API footprints that need dedicated REST and GraphQL security testing
Companies with internal applications that benefit from agent-based scanning behind firewalls
Teams seeking low false positives who want actionable results without manual triage

Probely may not be ideal for organizations requiring deep authenticated crawling of complex multi-step workflows (where tools like Burp Suite excel), teams needing on-premises deployment, or large enterprises requiring extensive customization of scan behavior.

For comprehensive application security, consider pairing Probely with SAST tools to cover both runtime vulnerabilities and source code issues.

Note: Acquired by Snyk in November 2024. Now integrated as Snyk DAST.