April 3rd, 2026

New Capability

Introducing Hadrian: API Security Testing for REST, GraphQL, and gRPC

API Security Testing That Proves Authorization Is Broken — Not Just Suspects It

Your APIs are your largest attack surface, and authorization flaws are the hardest bugs to find with traditional scanners. Hadrian is now open source and available in the Praetorian Guard Platform. It tests your REST, GraphQL, and gRPC APIs for OWASP API Top 10 vulnerabilities using role-based authorization testing and a mutation testing pattern that proves exploitability — not just flags suspicion.

In its first run against OWASP crAPI, Hadrian found 3 critical BOLA vulnerabilities in under 60 seconds.

What Makes Hadrian Different

Most API security tools send malformed requests and check for error codes. Hadrian does something fundamentally harder: it tests whether one user can access another user's resources. It logs in as each role you define, executes every endpoint, and detects when authorization boundaries fail.

The mutation testing pattern is what sets Hadrian apart from other tools. It uses a three-phase approach: create a resource as a privileged user, attempt to modify or delete it as an unprivileged user, then verify whether the attack actually succeeded. This eliminates false positives from APIs that return 200 OK but silently ignore unauthorized requests. When Hadrian reports a finding, it has proof.
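As an added illustration of the three-phase pattern (example code written for this note, not Hadrian's own), the check below runs against a constructed in-memory API with two variants: a status-code-only verdict flags both, while the verify phase confirms the finding only on the API that really let the unprivileged role delete the item. The function names, the `X-User` header and the item ids are assumptions of the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// newAPI is a constructed in-memory API. enforceOwner=false lets any user DELETE any
// item (BOLA); enforceOwner=true ignores a non-owner's DELETE but still answers 200 OK.
func newAPI(enforceOwner bool) *httptest.Server {
	owners := map[string]string{} // item id -> owning user; requests below are sequential
	mux := http.NewServeMux()
	mux.HandleFunc("/items/", func(w http.ResponseWriter, r *http.Request) {
		id, user := r.URL.Path[len("/items/"):], r.Header.Get("X-User")
		owner, exists := owners[id]
		status := http.StatusOK
		switch {
		case r.Method == http.MethodPut:
			owners[id], status = user, http.StatusCreated
		case !exists:
			status = http.StatusNotFound
		case r.Method == http.MethodDelete && (!enforceOwner || owner == user):
			delete(owners, id)
		}
		w.WriteHeader(status)
	})
	return httptest.NewServer(mux)
}

// call sends one request as user and returns the HTTP status (0 on transport error).
func call(base, method, id, user string) int {
	req, _ := http.NewRequest(method, base+"/items/"+id, nil)
	req.Header.Set("X-User", user)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// BOLACheck returns the naive verdict (DELETE answered 200) and the proven one (item gone).
func BOLACheck(base string) (naive, proven bool) {
	call(base, http.MethodPut, "42", "admin")                                 // phase 1: create as privileged role
	naive = call(base, http.MethodDelete, "42", "guest") == http.StatusOK      // phase 2: mutate as unprivileged role
	proven = call(base, http.MethodGet, "42", "admin") == http.StatusNotFound // phase 3: verify the effect
	return naive, proven
}
```

Against the vulnerable variant both verdicts are true; against the enforcing variant the naive verdict is still true (a false positive) while the proven one is false.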

30 Built-In Templates Across Three Protocols

Hadrian ships with 30 security test templates — 8 for REST, 13 for GraphQL, and 9 for gRPC — covering the most critical API security risks:

  • BOLA (API1) — Broken Object Level Authorization across all three protocols

  • Broken Authentication (API2) — Token handling, session management, and auth bypass

  • BOPLA (API3) — Broken Object Property Level Authorization — mass assignment and field-level access

  • Unrestricted Resource Consumption (API4) — GraphQL query depth and complexity attacks

  • BFLA (API5) — Broken Function Level Authorization with mutation testing proof

  • Security Misconfiguration (API8) — CORS, verbose errors, introspection exposure

  • Improper Inventory Management (API9) — Undocumented and deprecated endpoints

Every template is a YAML file you can customize, extend, or replace for your organization's specific API patterns.

Works With Vespasian

Don't have API documentation? Vespasian discovers the API surface from live traffic, generates OpenAPI specs, and hands them directly to Hadrian for security testing. Together they form a complete API security pipeline: discover endpoints → generate specs → test for authorization vulnerabilities. No documentation required from the client.

Claude Code Integration

Hadrian includes a Claude Code skill that auto-generates auth.yaml and roles.yaml from your API specification — no manual config writing needed. Point it at an OpenAPI spec, GraphQL SDL schema, or gRPC proto file, and it produces the configuration Hadrian needs to start testing immediately.

CI/CD Ready

Hadrian outputs JSON and Markdown reports and returns a non-zero exit code when vulnerabilities are found, making it suitable for CI/CD security gates. Adaptive rate limiting with reactive backoff on 429/503 responses keeps your pipelines reliable.

Open Source

Hadrian is fully open source at github.com/praetorian-inc/hadrian. Install with a single command:

go install github.com/praetorian-inc/hadrian/cmd/hadrian@latest

How It Fits Into Guard

Hadrian runs as a Guard Platform capability. Findings flow into your Guard dashboard as Risks alongside your other security data — complete with proof of exploitability from the mutation testing pattern. API authorization testing joins your attack surface management, vulnerability scanning, and penetration testing in a single unified view.

Documentation

https://docs.praetorian.com/en/articles/2293307-hadrian-api-security-testing