NG Production Release Update - APIsec_cloud_7.3.1.0 (March 03, 2026)

AI-Powered Business Flow Analysis from API Documentation

Understanding how endpoints within an API work together to support real business actions is challenging, especially across large specifications. Security teams have the docs, but translating them into user workflows takes time and deep domain knowledge.

AI-powered Business Flow Analysis automatically analyzes your API documentation to identify and visualize the logical flows behind real application behavior. This enables teams to see how endpoints connect to support real-world actions, not just review them in isolation.

Automatically Discover How Your Endpoints Work Together

  1. Instead of reviewing endpoints one by one, the platform now analyzes your API specification to automatically derive business-level workflows.

  2. Each flow clearly shows the sequence of API calls required to complete a real user action.

This helps answer common questions teams face during onboarding or testing:

  • Which endpoints are part of the login flow?
  • What sequence of calls creates a new resource?
  • Which endpoint returns identifiers used by the next call in the sequence?

The platform automatically connects these steps so teams can quickly understand the business logic behind the API design.

On-Demand AI Analysis

Business flow analysis is initiated on demand to ensure efficient use of resources. Users can start the analysis by clicking "Start AI Analysis" in the Business Flows tab. Once initiated, the platform analyzes the API specification and derives the underlying business workflows. Depending on the API's size and complexity, the analysis may take a few minutes to complete. This approach allows teams to run the analysis only when needed, while still benefiting from automated insights into their application's business logic.

Why This Matters

Security risks often occur not within a single API endpoint, but within the sequence of actions across multiple endpoints. By automatically identifying these flows, teams gain a clearer understanding of how their APIs support real business operations, making it easier to analyze, test, and secure them.

Coming Next: The Foundation for Business Logic Security Testing

This capability is the baseline for an expanding set of business domain-aware test categories. Future releases will build on these discovered flows to test for security flaws at the business logic level — going beyond infrastructure vulnerabilities and individual endpoint checks to identify weaknesses in how your API behaves as a complete, working application.


Automatically Generated BOLA Attack Scenarios

Identifying the right endpoints, users, and attack scenarios for BOLA (Broken Object Level Authorization) testing usually requires deep knowledge of an application's business logic. The platform now generates BOLA attack scenarios automatically from your discovered API structure and business flows.

Test Real-World Authorization Risks Without Manual Setup

BOLA remains one of the most critical and common API vulnerabilities, yet testing it has historically required deep familiarity with how an API manages user-owned resources. The platform removes that barrier by analyzing API behavior and automatically recommending ready-to-use scenarios. For example:

  • User A (Owner) creates a resource.
  • User B (Attacker) attempts to access, modify, or delete that resource.

These simulated attacker attempts help determine whether the API correctly enforces authorization boundaries between users.
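The two-user scenario above, written out as an added example that is not part of the release or APIsec's own code. It runs the owner-creates, attacker-attempts sequence against a toy in-memory "documents" API in two configurations, one with the owner check missing (the BOLA condition) and one with it enforced, and reports which attacker actions succeeded. The token-to-user map, the resource shape and the handler names are all constructed for this example.

```python
"""Minimal BOLA test harness (added example, not the platform's code).

User A creates a resource; user B, holding a valid token of their own,
tries to read, modify and delete it using the identifier returned by
user A's call. Any 2xx for user B is a missing object-level check.
"""
from dataclasses import dataclass, field
import uuid

# Constructed bearer-token to user mapping standing in for real auth.
TOKENS = {"token-a": "user_a", "token-b": "user_b"}


@dataclass
class ToyApi:
    """In-memory 'documents' API. enforce_owner=False reproduces BOLA."""
    enforce_owner: bool
    store: dict = field(default_factory=dict)

    def _user(self, token):
        return TOKENS.get(token)

    def _authorize(self, token, doc_id):
        user = self._user(token)
        if user is None:
            return 401, None
        doc = self.store.get(doc_id)
        if doc is None:
            return 404, None
        # Hardened variant: compare the caller with the record owner.
        # Returning 404 rather than 403 avoids confirming the ID exists.
        if self.enforce_owner and doc["owner"] != user:
            return 404, None
        return 200, doc

    def create(self, token, body):
        user = self._user(token)
        if user is None:
            return 401, None
        doc_id = str(uuid.uuid4())
        self.store[doc_id] = {"id": doc_id, "owner": user, **body}
        return 201, self.store[doc_id]

    def get(self, token, doc_id):
        return self._authorize(token, doc_id)

    def update(self, token, doc_id, body):
        status, doc = self._authorize(token, doc_id)
        if status == 200:
            doc.update(body)
        return status, doc

    def delete(self, token, doc_id):
        status, _ = self._authorize(token, doc_id)
        if status == 200:
            del self.store[doc_id]
            return 204, None
        return status, None


def run_bola_scenario(api, owner_token="token-a", attacker_token="token-b"):
    """Run the scenario and return the attacker actions that succeeded.

    An empty list means authorization held for this resource type.
    """
    status, doc = api.create(owner_token, {"title": "quarterly-report"})
    assert status == 201
    doc_id = doc["id"]  # identifier handed from the owner's call to the attacker's
    findings = []
    attempts = [
        ("read", lambda: api.get(attacker_token, doc_id)),
        ("modify", lambda: api.update(attacker_token, doc_id, {"title": "tampered"})),
        ("delete", lambda: api.delete(attacker_token, doc_id)),
    ]
    for action, call in attempts:
        status, _ = call()
        # Any 2xx for the non-owner means the object-level check is missing.
        if 200 <= status < 300:
            findings.append(action)
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_bola_scenario(ToyApi(enforce_owner=False)))
    print("hardened:  ", run_bola_scenario(ToyApi(enforce_owner=True)))
```

Against a real API the same loop replays the owner's create request with one credential and the follow-up requests with another; the check is the same, a non-owner must never get a 2xx, and a 404 is preferable to a 403 because it does not confirm that the identifier exists.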

Guided Scenario Selection

The interface presents recommended scenarios grouped by resource type. Users can easily:

  • Review the recommended attack scenarios.
  • Select which scenarios to import into the BOLA configuration.

This makes it easy to quickly enable meaningful authorization testing without manually constructing attack sequences.

Why This Matters

Detecting BOLA requires simulating how different users interact with the same resource across multiple endpoints and confirming that every non-owner request is refused.

With automatic scenario creation, teams can start testing these risks immediately, even if they are unfamiliar with the API's internal design.

Coming Next:

Future enhancements will further streamline the experience by automatically enabling scenarios that pass Dry Run validation, surfacing missing configuration details when validation fails, and providing clearer guidance to complete setup — moving teams from manual configuration toward intelligent, guided authorization testing.


Improved MuleSoft API Integration for Complete API Discovery

Organizations using MuleSoft often organize their APIs across multiple files and asset types. This could previously result in applications being onboarded with missing or incomplete endpoints, limiting security teams' ability to test with confidence. This release improves the MuleSoft integration to ensure APIs registered through the MuleSoft Exchange are imported completely and accurately.

More Reliable Endpoint Discovery

  • APIs onboarded through MuleSoft now include all endpoints defined in the specification.
  • Fragmented specifications are automatically resolved.
  • Applications are less likely to appear with missing or incomplete endpoints.

This ensures security scans cover the entire API surface, giving teams a more reliable inventory of their APIs.

Flexible Specification Selection for Reload

When reloading API specifications from MuleSoft, users can now choose their preferred asset type, OAS or RAML, both for on-demand reloads and scheduled auto-reloads.

This flexibility helps teams capture additional resources when APIs are distributed across multiple specification files.

Why This Matters

Incomplete API imports can lead to missing endpoints and reduced security coverage. By improving how MuleSoft specifications are detected and processed, this update ensures teams can onboard APIs with greater accuracy and confidence, enabling more complete security testing.


UI/UX Improvements

This release introduces a standardized UI theme that will serve as the design baseline across the platform. The update focuses on improving visual clarity and consistency while reducing overly bright or distracting colors. Key improvements include:

  • Standardized theme to establish a consistent design foundation across the product
  • Improved table styling for better readability and structure
  • Refined badge designs to provide clearer status indicators
  • Updated tab styling for more intuitive navigation
  • Enhanced sidebar layout for improved usability and visual clarity

Issue Fixes and Improvements

This release also includes several fixes to improve API onboarding reliability, parameter handling, and scan execution stability.

Improved Handling of Array Objects in Request Bodies

When APIs contained arrays of objects in request examples, the platform previously generated parameters only for the first object in the array. This could lead to incomplete parameter coverage during testing. The platform now preserves all objects within JSON arrays and applies variable placeholders to each object individually, ensuring more accurate parameter generation for complex request bodies.

Resolved Instance Creation Failures Caused by Spec Parsing

In some cases, creating an application instance or re-importing a specification would fail due to parsing issues in the API specification. These parsing issues have been addressed, ensuring that applications and instances can now be created reliably from valid OpenAPI specifications.

Improved API Registration for Invalid or Large Parameters

Certain APIs failed to register due to issues in the OpenAPI specification, such as missing parameter names or excessively large parameter identifiers. The platform now sanitizes these specifications during import by skipping variable creation for parameters without names and limiting the number of variables created in a single batch to prevent exceeding item size limits and excessive attribute growth.
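The two import fixes above (per-object placeholders for arrays in request examples, and skipping nameless parameters while capping the variables created per batch) share one task: turning a specification into a bounded set of named variables. The following is an added example of that logic, not the platform's own code. The "{{name}}" placeholder syntax, the dotted path naming, the sample request example and the batch limit are assumptions made for this example.

```python
"""Variable generation from a request example and a parameter list
(added example, not the platform's code)."""
import json

MAX_VARIABLES_PER_BATCH = 50  # assumed cap on variables created per batch

# Constructed request example: an array of two objects, the case where
# only the first element used to be templated.
SAMPLE_EXAMPLE = json.loads(
    '{"order": {"items": [{"sku": "A1", "qty": 2}, {"sku": "B2", "qty": 1}]}}'
)


def placeholder(name):
    return "{{" + name + "}}"


def templatize(value, path="body"):
    """Replace every leaf of a JSON example with a placeholder.

    Returns (templated_value, variables) where variables maps each
    placeholder name to the example value it replaced. Every array element
    is walked, so body.order.items[0].sku and body.order.items[1].sku are
    separate variables rather than only the first object being covered.
    """
    variables = {}
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            templated, found = templatize(child, f"{path}.{key}")
            out[key] = templated
            variables.update(found)
        return out, variables
    if isinstance(value, list):
        out = []
        for index, child in enumerate(value):
            templated, found = templatize(child, f"{path}[{index}]")
            out.append(templated)
            variables.update(found)
        return out, variables
    variables[path] = value  # leaf: remember the example value
    return placeholder(path), variables


def named_parameters(params):
    """Keep only spec parameters that have a name.

    A nameless parameter cannot become a variable, so it is skipped
    instead of failing the whole import.
    """
    return [(p["name"], p.get("example")) for p in params if p.get("name")]


def batch_variables(pairs, limit=MAX_VARIABLES_PER_BATCH):
    """Split (name, value) pairs into batches of at most `limit`.

    Capping the batch keeps one oversized specification from exceeding a
    per-item size limit in a single write.
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    return [pairs[i:i + limit] for i in range(0, len(pairs), limit)]


if __name__ == "__main__":
    templated, variables = templatize(SAMPLE_EXAMPLE)
    print(json.dumps(templated, indent=2))
    for batch in batch_variables(list(variables.items()), limit=3):
        print(batch)
```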

Improved Endpoint Readiness Evaluation During Dry Run

When multiple Dry Run iterations were executed for an endpoint, the platform could incorrectly mark the endpoint as not ready for testing if an earlier iteration returned an error—even when a later request succeeded. The readiness evaluation logic has been improved to review all Dry Run responses and prioritize successful responses (HTTP 2xx) when determining the final readiness status.

Improved Stability for GraphQL Scan Execution

Some GraphQL scans failed due to a missing Dry Run context during test execution. The scanning service now consistently injects the required Dry Run context during scan execution, preventing errors and allowing scans to complete successfully.

Resolved False Positive Access Errors After User Deletion

Previously, if a user who marked a vulnerability as a false positive was deleted from the tenant, the platform could not retrieve the associated user information, causing errors when viewing or revoking the false positive. The platform now displays "Deleted User" in the Marked By field when the original user account no longer exists.

Improved Azure APIM Connection Error Handling

Testing Azure API Management connections previously returned a generic error when incorrect credentials were provided. The platform now surfaces clearer error responses when the Client ID does not exist in the specified Azure tenant or when permissions are misconfigured, helping users quickly identify and correct configuration issues.


NG Hotfix Release Update - APIsec_cloud_7.3.1.1 (March 06, 2026)

A hotfix was released today to address two areas impacting scan accuracy and API compatibility. Improvements to the Injection category reduce false positives by refining how response latency is analyzed during injection detection. In addition, the platform now supports request bodies for GET and DELETE endpoints, enabling accurate testing for APIs that require this pattern. These updates improve scan reliability and ensure broader compatibility with API implementations.

Improved Injection Detection Accuracy

  • Improved Baseline Latency Analysis: Baseline latency is now evaluated separately for successful and unsuccessful responses rather than averaging all responses together. This improves injection-detection accuracy, particularly for APIs where successful responses naturally take longer than error responses.

  • Better Handling of High-Latency Applications: Applications with naturally high response times often generate false positives. For APIs with baseline latency above 3 seconds, detections are now triggered only when test responses exceed the baseline latency by approximately 6.9–8 seconds, helping reduce noise in slower environments.

  • Refined Handling of Abnormally High Latency: Previously, any test response that took longer than 7 seconds could trigger injection detection. Extremely long responses caused by parsing complexity could incorrectly trigger detections. The platform now requires latency increases to remain within a defined range to qualify for injection detection, reducing false positives. Extremely high latency scenarios will be evaluated under a dedicated detection category.

  • Removal of Error-Based Injection Detections: Server errors returned during injection tests previously triggered low-severity detections. Based on further analysis, these signals are now removed from injection testing and will be evaluated under a separate category focused on malformed input handling.
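The four rules above can be read as one classifier over response latencies. The block below is an added example that illustrates them; it is not the platform's detection code. It computes baselines separately for successful and unsuccessful responses, replaces the old absolute "longer than 7 seconds" trigger with a window on the increase over baseline, routes increases beyond that window to a separate abnormal-latency category and routes server errors to a malformed-input category. The 6.9 to 8 second window is taken from the notes; applying it to every baseline rather than only to baselines above 3 seconds, the use of the median, the sample timings and the category names are assumptions made here.

```python
"""Latency-based injection classification (added example, not the
platform's code)."""
from statistics import median

DELTA_WINDOW = (6.9, 8.0)    # accepted increase over baseline, per the hotfix notes
ABSOLUTE_TRIGGER = 7.0       # the old rule: any response slower than this fired


def baselines(samples):
    """Baseline latency per outcome class.

    samples: list of (status_code, seconds) from un-injected requests.
    Successful (2xx) and unsuccessful responses are kept apart, so an API
    whose successful responses are naturally slow does not inflate the
    error baseline or vice versa. A class with no samples yields None.
    """
    ok = [secs for status, secs in samples if 200 <= status < 300]
    bad = [secs for status, secs in samples if not 200 <= status < 300]
    return {
        "success": median(ok) if ok else None,
        "error": median(bad) if bad else None,
    }


def old_rule(test_seconds):
    """Pre-hotfix behaviour: fire on any response slower than 7 seconds."""
    return test_seconds > ABSOLUTE_TRIGGER


def classify(test_status, test_seconds, base):
    """Classify one injection-test response.

    Returns one of 'injection', 'abnormal-latency', 'malformed-input',
    'none'. The baseline used is the one matching the response's own
    outcome class, falling back to whichever class has data.
    """
    key = "success" if 200 <= test_status < 300 else "error"
    baseline = base.get(key)
    if baseline is None:
        baseline = base.get("success")
        if baseline is None:
            baseline = base.get("error") or 0.0
    delta = test_seconds - baseline
    low, high = DELTA_WINDOW
    if low <= delta <= high:
        return "injection"          # delay matches what the payload asked for
    if delta > high:
        return "abnormal-latency"   # evaluated under a dedicated category
    if test_status >= 500:
        return "malformed-input"    # server errors no longer count as injection
    return "none"


if __name__ == "__main__":
    # Constructed timings for a slow-but-healthy API (baseline ~4.5 s).
    base = baselines([(200, 4.25), (200, 4.75), (404, 0.25), (404, 0.75)])
    for status, secs in [(200, 7.5), (200, 11.6), (200, 40.0), (500, 0.6)]:
        print(status, secs, "old:", old_rule(secs), "new:", classify(status, secs, base))
```

The 7.5 second case is the false positive the hotfix targets: it exceeds the old absolute trigger but is only 3 seconds over this API's own successful-response baseline, so the new rule ignores it, while an 11.6 second response (7.1 seconds over baseline) still lands inside the window and is reported.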

Support for Request Body in GET and DELETE Endpoints

Some APIs require a request body for GET or DELETE endpoints. This is uncommon, and HTTP semantics (RFC 9110) give a body on GET or DELETE no defined meaning and allow servers to reject it, but certain implementations depend on it. Previously, these requests could fail during testing because the request body was not transmitted.

The platform now supports request bodies for GET and DELETE endpoints, ensuring APIs using this pattern can be tested accurately and behave consistently with tools like Postman. This improvement allows these endpoints to be validated successfully during security scans.
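To see what "transmitted correctly" means on the wire, the following added example (not the platform's code) sends a JSON body on GET and DELETE using only the Python standard library and checks it against a local echo server. The server reads the body only when a Content-Length header is present, which is the part clients that silently drop GET bodies get wrong. The echo server, the paths and the payloads are constructed for this example.

```python
"""Request bodies on GET and DELETE (added example, not the platform's code)."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Echoes the method and the parsed JSON body of any request.

    The body is read only up to Content-Length; without that header the
    server sees no body at all, whatever the client thought it sent.
    """

    def _echo(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length) if length else b""
        body = json.loads(raw) if raw else None
        payload = json.dumps({"method": self.command, "body": body}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = _echo
    do_DELETE = _echo
    do_POST = _echo

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind the echo server to a free loopback port and serve in a thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_with_body(port, method, path, body):
    """Send `method` to the local server with a JSON body and return the echo.

    http.client computes Content-Length from the body for any method, so a
    GET or DELETE carries its body exactly as a POST would.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(
            method,
            path,
            body=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
        )
        response = conn.getresponse()
        return json.loads(response.read())
    finally:
        conn.close()


if __name__ == "__main__":
    server = start_server()
    try:
        port = server.server_address[1]
        print(send_with_body(port, "GET", "/search", {"q": "invoices"}))
        print(send_with_body(port, "DELETE", "/items", {"ids": [1, 2]}))
    finally:
        server.shutdown()
```

When a scanner or client library is suspected of dropping the body, this echo server is a quick check: if the echoed body is null, the request arrived without a Content-Length and the body was never sent.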