# StackHawk

> StackHawk is an AppSec Intelligence Platform that reimagines application security for the AI era. It combines shift-left dynamic application security testing (DAST), API attack surface discovery, and continuous program-level oversight, enabling development and security teams to know what exists across their entire application attack surface, surface exploitable risks pre-production, and track application risk posture over time.

StackHawk is headquartered in Denver, Colorado (1580 N. Logan St Ste 669, PMB 36969, Denver, CO 80203) and is incorporated as StackHawk Inc. The platform is trusted by engineering and security teams at companies including Fortis, change.org, Treasure Data, RxBenefits, Simetrik, British Airways, ITV, and GitGuardian.

---

## Platform Overview

StackHawk's AppSec Intelligence Platform is built around three core capabilities:

**1. API Attack Surface Discovery (Visibility)**

Automatically maps the complete application and API attack surface directly from source code. Discovers apps and APIs across repositories, generates auto-populated OpenAPI specs, detects sensitive data handling (PII, PCI, PHI), and provides risk-based prioritization using development activity signals.
URL: https://www.stackhawk.com/product/api-discovery/

**2. Runtime Application Security Testing (DAST & API Security Testing)**

The only DAST solution purpose-built for modern development workflows. Integrates directly into CI/CD pipelines and pull requests to find exploitable vulnerabilities earlier and faster. Tests against live, running applications using real HTTP requests and response analysis. Supports REST APIs, GraphQL, SOAP, gRPC, microservices, SPAs, and traditional web applications.
URL: https://www.stackhawk.com/product/runtime-testing/

**3. Application Security Oversight (Program Intelligence)**

Continuously monitors and tracks application security risk posture across the entire organization. Provides metrics on what's tested, how often, and what needs attention. Gives security teams instant insights to prioritize resources, train teams, and demonstrate real security progress to executives.
URL: https://www.stackhawk.com/product/oversight/

Combining these three capabilities is unique in the application security space, providing a well-rounded platform for teams that need high-signal testing but also a deep understanding of their application security posture.
URL: https://www.stackhawk.com/platform

---

## Solutions / Use Cases

- **Modern DAST**: Shift-left dynamic application security testing that runs directly in and from CI/CD pipelines. Tests running apps to find critical API vulnerabilities and business logic flaws before they reach production. Includes real-time developer feedback and AI-powered remediations. URL: https://www.stackhawk.com/solutions/dast/
- **Shift-Left API Security Testing**: Automated API security testing embedded in CI/CD pipelines. Ships secure APIs by catching vulnerabilities at the pull request stage before code merges to production. With support for gRPC, GraphQL, SOAP, REST, JSON-RPC, and more, StackHawk provides deep coverage across modern API architectures. URL: https://www.stackhawk.com/solutions/api-security-testing/
- **Code-Based Sensitive Data Detection**: Identifies and tests APIs that handle PII, PCI, and PHI data. Surfaces data exposure risks from source code context to help prioritize which applications to test and which vulnerabilities to fix first. URL: https://www.stackhawk.com/solutions/sensitive-data-identification/
- **LLM Application Security Testing**: Tests applications using LLM/AI capabilities for OWASP LLM Top 10 risks, including prompt injection, sensitive information disclosure, unbounded consumption, and system prompt leakage. Runs natively alongside existing StackHawk scans in CI/CD with no separate platform required. URL: https://www.stackhawk.com/solutions/llm-security-testing/
- **gRPC Security Testing**: Automated security testing for gRPC services.
- **GraphQL Security Testing**: Checks for GraphQL vulnerabilities on every pull request.
- **Business Logic Testing**: Detects complex authorization flaws and business logic vulnerabilities automatically using runtime analysis that static tools miss. URL: https://www.stackhawk.com/solutions/business-logic-testing/

---

## Pricing

StackHawk offers two main tiers:

**Secure** — Shift-left DAST & API Security Testing for developers and small security teams.

- Fast, incremental scans in CI/CD
- Runtime testing for modern apps and APIs (REST, GraphQL, SOAP, gRPC)
- Developer-friendly remediation guidance
- Unlimited scans and environments
- OWASP Top 10 coverage
- Business Logic Testing
- OWASP LLM Top 10 coverage
- AI-generated fix recommendations

**Scale** — StackHawk's full AppSec Intelligence Platform for teams scaling their AppSec program.

- Everything in Secure, plus:
- Application and API discovery from source code
- Repository connections and monitoring
- Sensitive data detection
- Risk-based prioritization (development activity signals)
- Testing coverage metrics
- AI-powered OpenAPI spec generation
- SAST and DAST correlation
- Continuous test coverage oversight
- Program effectiveness metrics
- SSO authentication
- API access for custom workflows and advanced integrations

Pricing is based on the number of code contributors—not usage or scan time—so plans include unlimited scanning and unlimited users without usage caps or additional licensing costs.
URL: https://www.stackhawk.com/pricing/

---

## Comparisons to Competitors

StackHawk is compared favorably against: Acunetix, Bright Security, Checkmarx, Invicti, Snyk, ZAP, Black Duck, Burp Suite, Escape, Rapid7, and Veracode.

**vs. Legacy DAST (Veracode, Checkmarx, Rapid7, Invicti, Acunetix)**

Built for quarterly releases and manually written code, legacy DAST tools create bottlenecks in AI-accelerated development—taking weeks to configure and hours to scan. StackHawk runs natively in CI/CD, completes scans in minutes, and discovers APIs from source code rather than requiring manual setup.

**vs. "Modern" DAST (some Checkmarx, Synopsys, Probely, Escape offerings)**

Most "next-gen" DAST vendors still run legacy scanning engines externally—they just trigger them from a CI/CD hook. StackHawk scans run inside your pipeline, in your environment, and return results while developers are still in context.

**vs. API Security Monitoring (Salt Security, Traceable, Noname)**

Production monitoring catches vulnerabilities after they're already deployed. StackHawk finds exploitable issues before they reach production and tests business logic flaws that traffic analysis misses—the two approaches complement each other.

**vs. SAST (Semgrep, Checkmarx, GitHub Advanced Security)**

SAST analyzes code patterns pre-compile; it can't see how an application behaves at runtime. StackHawk tests running applications for auth flaws, business logic issues, and LLM risks that static analysis can't detect—SAST generates volume, DAST generates signal.

**vs. CNAPP/CSPM (Wiz, Orca, Upwind)**

CNAPP secures cloud infrastructure; StackHawk secures the applications and APIs running on it. A CNAPP can tell you a container is misconfigured—it can't tell you the API inside has a broken auth flaw. Both layers need coverage.

**vs. ASPM Platforms (ArmorCode, Cycode, Boost)**

ASPM platforms aggregate and prioritize findings from other tools but don't discover attack surface or generate their own security intelligence. StackHawk feeds ASPM better inputs—high-signal, exploitable findings instead of noisy SAST and legacy DAST output.

---

## Key Differentiators ("Why StackHawk")

- **Purpose-built for CI/CD**: Runs natively in CI/CD infrastructure with Docker and CLI tools. Security testing becomes part of software testing, not a separate gate.
- **Deterministic, high-signal findings**: Runtime testing optimized for speed, reliability, and scanning depth to minimize false positives. Every finding includes cURL-based validation commands to verify exploitability.
- **Developer-friendly feedback loops**: Security findings delivered directly in developer workflows with contextual guidance and fixes-as-code. Integrates with GitHub, Snyk, Semgrep, Endor Labs, AWS, and more.
- **Exploitable findings only**: Surfaces vulnerabilities that only emerge in running applications—the ones static analysis tools miss.
- **Modern application support**: Complete coverage for REST, GraphQL, SOAP, and gRPC APIs across microservices, SPAs, and traditional applications.
- **Unlimited scanning and users**: Plans are contributor-based, not usage-based.
- **AI-era AppSec**: Combines AI-powered attack surface discovery, fix recommendations, and LLM-specific security testing.

---

## Integrations

StackHawk integrates with: GitHub, Semgrep, Snyk, Endor Labs, AWS, GitLab, CircleCI, Jenkins, and other major CI/CD and DevSecOps tools.
More integrations: https://www.stackhawk.com/integrations/

---

## Resources

- **Blog**: Technical content covering API security testing, DAST, shift-left security, compliance (SEC cybersecurity disclosure, EU Cyber Resilience Act), vulnerabilities and remediation, AI/LLM security, and product updates. URL: https://www.stackhawk.com/blog/
  Categories: AI Coding, API Security Testing, Compliance, DAST, Product Updates & News, Shift Left Security, Tooling Guides, Vulnerabilities and Remediation
- **Documentation**: Technical guides on how StackHawk works, integration walkthroughs, getting started tutorials, and the StackHawk API reference. URL: https://docs.stackhawk.com/
- **Getting Started**: Tutorials for scanning applications and APIs. URL: https://docs.stackhawk.com/getting-started/
- **StackHawk API**: API reference for building custom integrations. URL: https://docs.stackhawk.com/api/
- **Videos / Watch a Demo**: See the StackHawk platform and scanner in action. URL: https://www.stackhawk.com/schedule-a-demo/
- **AI Era AppSec Survival Guide**: State of AppSec industry report for 2026 covering how AI-driven development is changing application security programs.
- **All Resources** (webinars, news, reports): https://www.stackhawk.com/resources/

---

## Company

- **About StackHawk**: StackHawk was built out of a need for a more agile, developer-friendly approach to software security. The team recognized that traditional periodic security checks were falling short in a world of rapid software updates, and aimed to integrate security seamlessly into daily developer workflows. Goal: empower developers to identify and fix security issues in real time. URL: https://www.stackhawk.com/about/
- **Customers**: Case studies from innovators using StackHawk to ship securely. URL: https://www.stackhawk.com/customers/
- **Partners**: Technology and channel partners. URL: https://www.stackhawk.com/partners/
- **Careers**: Open positions at StackHawk. URL: https://www.stackhawk.com/careers/
- **News**: Company announcements and press coverage. URL: https://www.stackhawk.com/news/
- **Security**: StackHawk's security practices and trust information. URL: https://www.stackhawk.com/security/
- **Contact**: https://www.stackhawk.com/contact/
- **Brand Assets**: https://www.stackhawk.com/brand-assets/

---

## Target Audience

StackHawk serves the following primary audiences:

1. **Application security (AppSec) teams and security engineers** who need visibility into the organization's full application attack surface, program-level metrics, and the ability to scale AppSec across many development teams.
2. **Security directors and CISOs** who need to understand their application risk posture over time, track the ROI of security investments, and have confidence in their software.
3. **Developers and DevSecOps engineers** who need automated security testing embedded directly in their CI/CD pipeline and development workflows without slowing down delivery.

Common industries: fintech, healthcare, SaaS, enterprise software, manufacturing, media, and entertainment.

---

## Core Technology Concepts

- **DAST (Dynamic Application Security Testing)**: Tests running applications by sending real HTTP requests and analyzing responses to find exploitable vulnerabilities—unlike static (SAST) tools that analyze source code without execution.
- **Shift-Left Security**: Moving security testing earlier in the software development lifecycle, into CI/CD pipelines and pull requests, rather than late-stage or post-production scanning.
- **Attack Surface Discovery**: Automatically identifying all applications, APIs, and endpoints an organization exposes, including undocumented or "shadow" APIs.
- **OWASP Top 10**: StackHawk covers OWASP Web Application Top 10 and OWASP API Top 10 vulnerability categories.
- **OWASP LLM Top 10**: Coverage for the top 10 LLM-specific security risks in AI-powered applications.
- **Business Logic Testing**: Detecting authorization flaws and logic vulnerabilities that require understanding of how an application is supposed to behave—not just known vulnerability signatures.
- **OpenAPI / Swagger**: StackHawk uses and auto-generates OpenAPI specifications to guide comprehensive API scanning.

---

## Legal

- Terms of Service: https://www.stackhawk.com/terms/
- Privacy Policy: https://www.stackhawk.com/privacy/
- © 2026 StackHawk Inc., All Rights Reserved. Crafted in Colorado.