Skip to content

Supported Targets

What Escape scans. Every target type below is tested by at least one of ASM, DAST, or AI Pentesting.

APIs

  • REST: OpenAPI 3.x, Swagger 2, Postman collections, or inferred from live traffic. See REST API DAST.
  • GraphQL: SDL or introspection-based discovery, queries, mutations, and subscriptions. See GraphQL API DAST.
  • gRPC: proto files, request/response inspection, metadata-based auth.
  • SOAP: WSDL import, SOAP envelope fuzzing.

Web Applications

  • Single-page apps (SPA): React, Vue, Angular, Svelte, and similar; agentic crawling + browser-driven DAST.
  • Server-rendered apps: Rails, Django, Spring, Next.js (SSR), and similar.
  • Progressive web apps (PWA): full service-worker and manifest support.

See WebApp DAST.

AI and LLM Surfaces

  • LLM-backed APIs: chat completions, RAG endpoints, function-calling surfaces. OWASP LLM Top 10 coverage. See LLM Security.
  • AI applications: agentic apps that wrap an LLM with tools and state.
  • MCP servers: Model Context Protocol servers exposed over HTTP or stdio.

Infrastructure and Discovery

  • Domains and subdomains: owned DNS, inferred from certificates and routing, and monitored for drift.
  • CIDR ranges: private IPv4 blocks scanned through Private Locations.
  • Ports and services: TCP port scanning with service fingerprinting. See Network Scanning.
  • Cloud accounts: AWS, GCP, Azure inventory through the ASM Integrations.

Not Supported Today

  • Mobile binaries (iOS, Android): we scan the APIs they talk to, not the binary. SAST for mobile is out of scope.
  • Native desktop apps: same. We test the backend surface, not the client.
  • Kernel or firmware: out of scope.

If your stack isn't listed and you think it should be, write to support@escape.tech.