# Marcus Delano, Senior DevSecOps Engineer at Fieldstone Labs — read of api-vulnerability-scanner-ai, June 9, 2026

> 9 years in platform and security engineering, currently the solo security-leaning person at a 160-person B2B SaaS company running ~80 microservices on EKS. Two kids under 6. I listen to security podcasts during my commute to the office on Tuesdays when I have to go in; otherwise I work from a converted garage in Raleigh.

---

## How I got here

Someone in a DevSecOps Slack I'm in dropped a link in #tools-and-resources with no commentary, just the URL. I had 10 minutes before standup so I clicked it. I wasn't searching for a new tool specifically, but we're mid-SOC 2 Type II prep and our current API security posture is honestly "we turned on AWS GuardDuty and hope for the best." So I was at least willing to read.

## What I clicked first

The headline was fine. "Catch API Vulnerabilities Before Attackers Do" is what every one of these says. But "Zero False Positives" in the feature list made me stop immediately. That phrase right there. Not "reduced false positives" or "dramatically fewer alerts." Zero. I've been doing this long enough to know that anyone who says zero false positives has either never shipped this tool to a real production environment or is tuning the detector so conservatively that you're also missing a ton of real stuff. That claim is either naive or dishonest, and I genuinely cannot tell which from this page.

## Where I paused

The FAQ answer about how it's different from traditional tools actually said something coherent: "We find logic flaws, not just missing headers." That's the first sentence on this whole page that sounds like it came from someone who has actually looked at an API vulnerability. Logic flaws in API design are the hard problem. Missing auth headers, exposed debug endpoints, those are table stakes. If this thing actually finds business-logic abuse vectors, like an endpoint that lets you iterate over other users' data because the author assumed you'd always query your own ID, that would be legitimately interesting. But there's zero detail on HOW it detects that. One sentence and we move on.
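The logic flaw described above (an endpoint that trusts the id in the request because the author assumed callers only ask for their own records) is the pattern usually filed as broken object-level authorization. The following is an added illustration, not code from the memo or from the product it reviews; the in-memory invoice store, the user ids and the handler names are constructed for the example. It shows the unguarded lookup next to the hardened one, plus the kind of check a scanner or CI test would run: count how many records a single authenticated caller can read.

```python
"""Object-level authorization on a lookup endpoint: unguarded vs. hardened.

Added illustration; the data store, ids and function names are constructed
for the example and do not come from any real product.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two tenants' invoices with sequential ids.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=4200),
    1002: Invoice(1002, owner_id=8, amount_cents=9900),
    1003: Invoice(1003, owner_id=7, amount_cents=150),
}


class NotFound(Exception):
    """Raised for ids the caller may not see (missing or not theirs)."""


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: the handler trusts the path id.

    The author assumed a logged-in user only requests their own invoices,
    so the caller id is never compared against the record's owner.
    """
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_hardened(caller_id: int, invoice_id: int) -> Invoice:
    """Same lookup with an ownership check on the resource itself.

    Missing and foreign invoices both map to NotFound, so the response does
    not confirm which ids exist to a caller who does not own them.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        raise NotFound(invoice_id)
    return inv


Handler = Callable[[int, int], Invoice]


def readable_invoice_ids(caller_id: int, handler: Handler,
                         ids: Iterable[int]) -> List[int]:
    """Authorization regression check: which of `ids` can `caller_id` read?

    For a correctly guarded endpoint the result must contain only records
    owned by the caller; anything else is a finding worth a ticket.
    """
    readable = []
    for invoice_id in ids:
        try:
            handler(caller_id, invoice_id)
        except NotFound:
            continue
        readable.append(invoice_id)
    return readable


def owned_by(caller_id: int) -> List[int]:
    """Ground truth for the check above: ids the caller legitimately owns."""
    return sorted(i for i, inv in INVOICES.items() if inv.owner_id == caller_id)


if __name__ == "__main__":
    probe = range(1000, 1005)
    print("vulnerable:", readable_invoice_ids(7, get_invoice_vulnerable, probe))
    print("hardened:  ", readable_invoice_ids(7, get_invoice_hardened, probe))
    print("owned:     ", owned_by(7))
```

The hardened handler does the ownership comparison against the stored record, not against the caller-supplied id, which is the general form of the fix: it works the same whether the route is `/invoices/{id}` or `/users/{id}/export`, and it is the property a test suite should assert for every object-returning route.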

## What I distrusted

The honest disclosure section at the bottom is the most important text on the page, and it's buried after the pricing table. It says: "we don't have live customers on this idea yet." So this is not a product. This is a strategy package. The page is selling me a business plan for a thing that doesn't exist, dressed up to look like a product I could sign up for. The "Start Free Scan" button presumably goes to... what? A waitlist? A Calendly link? A checkout for a $99 "build kit"?

Also, the compliance automation copy reads like it was written by someone who has read about SOC 2 but hasn't actually sat in a SOC 2 audit. "Audit-ready reports generated in seconds, not weeks" assumes that the auditor cares about your automated report format, which they generally don't. They want your policies, your evidence collection, your vendor risk reviews. A scanner report is one small piece.

## What would convince me

If there were a single real customer case study, not a logo or a quote, but a named engineer at a real company saying "we had X endpoints, we ran this for 30 days, it found Y critical issues, here's what they were," I'd take this seriously. Not a sanitized "fintech company reduced alerts by 70%" blurb. An actual account.

More specifically on the zero-false-positives claim: show me a confusion matrix or a precision/recall figure from a real environment. Even a blog post about how the ML model was trained and what the false-negative tradeoff looks like. That's the kind of thing a security engineer actually reads.
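To make the precision/recall point concrete, here is an added example (not from the memo or from the product it discusses) that computes a confusion matrix for scanner findings against a manually reviewed ground truth at different alert thresholds. The findings, confidence scores and labels are constructed sample data. It shows why "zero false positives" is a threshold choice rather than a property of a detector: the lowest threshold that produces no false positives also drops recall, and an issue the scanner never reported stays a false negative at every threshold.

```python
"""Precision/recall for scanner findings as the alert threshold moves.

Added illustration with constructed data; no real scanner output is used.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

Key = Tuple[str, str]  # (endpoint, issue class)


@dataclass(frozen=True)
class Finding:
    endpoint: str
    issue: str
    score: float  # detector confidence in [0, 1]


# Constructed: what a scanner reported for a handful of endpoints.
FINDINGS = [
    Finding("GET /invoices/{id}", "bola", 0.95),
    Finding("GET /users/{id}/export", "bola", 0.70),
    Finding("POST /login", "rate-limit", 0.60),
    Finding("GET /health", "info-leak", 0.55),    # benign build banner
    Finding("GET /metrics", "info-leak", 0.40),   # benign, intentionally public
    Finding("PUT /orders/{id}", "mass-assign", 0.30),
]

# Constructed: what a manual review confirmed is real.
TRUE_ISSUES: Set[Key] = {
    ("GET /invoices/{id}", "bola"),
    ("GET /users/{id}/export", "bola"),
    ("POST /login", "rate-limit"),
    ("PUT /orders/{id}", "mass-assign"),
    ("DELETE /orders/{id}", "bola"),  # never reported: a false negative at any threshold
}


def confusion(findings: Iterable[Finding], truth: Set[Key],
              threshold: float) -> Tuple[int, int, int]:
    """Return (true positives, false positives, false negatives).

    A finding is 'reported' when its score meets the threshold; true
    negatives are omitted because the set of all non-issues is unbounded.
    """
    reported = {(f.endpoint, f.issue) for f in findings if f.score >= threshold}
    tp = len(reported & truth)
    fp = len(reported - truth)
    fn = len(truth - reported)
    return tp, fp, fn


def precision_recall(findings: Iterable[Finding], truth: Set[Key],
                     threshold: float) -> Tuple[float, float]:
    """Precision = TP/(TP+FP); recall = TP/(TP+FN). Zero when undefined."""
    tp, fp, fn = confusion(findings, truth, threshold)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def zero_fp_threshold(findings: Iterable[Finding],
                      truth: Set[Key]) -> Optional[float]:
    """Lowest observed score at which the scanner reports no false positive."""
    findings = list(findings)
    for t in sorted({f.score for f in findings}):
        if confusion(findings, truth, t)[1] == 0:
            return t
    return None


if __name__ == "__main__":
    for t in sorted({f.score for f in FINDINGS}):
        tp, fp, fn = confusion(FINDINGS, TRUE_ISSUES, t)
        p, r = precision_recall(FINDINGS, TRUE_ISSUES, t)
        print(f"threshold={t:.2f} tp={tp} fp={fp} fn={fn} "
              f"precision={p:.2f} recall={r:.2f}")
    print("zero-FP threshold:", zero_fp_threshold(FINDINGS, TRUE_ISSUES))
```

This is the table a vendor could publish from a real engagement: threshold on one axis, precision and recall on the other, with the never-reported issues counted as false negatives. A single "zero false positives" number with no recall beside it says nothing about what the tool misses.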

## What I'd ask in an email reply

1. The page says "ML-powered detection engine trained on 100k+ real-world APIs" -- whose APIs? How were they collected, and did those API owners consent to their traffic being used for training?

2. For logic-flaw detection specifically: can you show me an example of a vulnerability type that a traditional scanner like Burp or a WAF would miss, and walk me through how your tool would have caught it?

3. This page says there are no live customers yet. So what exactly am I getting if I click "Start Free Scan" right now?

## Verdict: dismissive

Not because the problem isn't real or the idea is bad. API security is legitimately underbaked at most companies my size. But this page is selling the idea of a product, not the product itself, and it takes until the fine print at the bottom to tell me that. The "Zero False Positives" claim signals either marketing overreach or a fundamental misunderstanding of how detection systems work. Both make me less confident, not more.

---
*Memo by skeptic persona, generated 2026-06-09. Studio breaks own self-grading loop.*
