
API Security Testing via Postman

Run safe, passive security tests on your Postman collections to detect authentication gaps, data leaks, and design-level flaws. No attack payloads, no traffic replay, no production risk—tests typically complete in about 2–3 minutes.

When to use

  • You store and test your APIs in Postman and want to check them for security issues.

  • You want to ask in natural language (e.g., "test my collection") and get immediate results with recommendations directly in Postman's AI mode—no separate tools or workflows.

What it finds

API Security Testing looks for issues such as:

  • API key and secret leaks

  • Missing or weak authentication

  • Over-permissive endpoints

  • Schema violations and drift

  • Sensitive data exposure

  • Basic BOLA / BOPLA indicators

Findings are summarized with explanations and remediation guidance, designed for developers rather than security specialists. For the full list of issue types that can be detected (including those found by ASTP), see Vulnerability types.
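The passive checks listed above, as an added example that is not Wallarm's implementation: a small Python script that reads a Postman Collection v2.1 export and applies simple heuristics for literal credentials in variables and headers, authentication gaps (following Postman's auth inheritance from collection to folder to request), object identifiers in request paths as a basic BOLA indicator, and sensitive field names in saved example responses. The collection embedded in the script is constructed for the example; the category names, regexes and the `load_collection`/`analyze`/`summary` helpers are the example's own, not names from the Wallarm product.

```python
"""Passive, design-level checks over a Postman Collection v2.1 export.

Added illustration, not Wallarm's code: the heuristics only read the
collection JSON and never send a request to the API it describes.
"""
import json
import re
from collections import Counter

# A value that references a Postman variable ({{token}}) is not a leaked literal.
VARIABLE_REF_RE = re.compile(r"\{\{[^}]+\}\}")
CREDENTIAL_KEY_RE = re.compile(r"api[-_]?key|token|secret|password|authorization", re.I)
# Object identifiers in a path: /users/123, /orders/:orderId, /items/{{itemId}}.
OBJECT_ID_RE = re.compile(r"/\d+(?:/|$)|/:[a-z_]*id\b|\{\{[a-z_]*id\}\}", re.I)
# Field names that should not sit in saved example responses of a shared collection.
SENSITIVE_FIELD_RE = re.compile(r'"(password|ssn|card_number|cvv|date_of_birth)"\s*:', re.I)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def load_collection(path):
    """Read a collection exported from Postman (File > Export) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def is_literal_credential(key, value):
    """Credential-looking key whose value is a literal rather than a {{variable}}."""
    return bool(CREDENTIAL_KEY_RE.search(key)) and bool(value) and not VARIABLE_REF_RE.search(value)


def walk(items, inherited_auth):
    """Yield (name, request, effective_auth, saved_responses) for every request.

    Mirrors Postman's auth inheritance: a folder or request with no 'auth'
    block of its own uses its parent's (folder, then collection) auth.
    """
    for item in items:
        if "item" in item:  # folder
            yield from walk(item["item"], item.get("auth", inherited_auth))
        elif "request" in item:
            req = item["request"]
            yield item.get("name", "?"), req, req.get("auth", inherited_auth), item.get("response", [])


def raw_url(req):
    url = req.get("url", "")
    return url if isinstance(url, str) else url.get("raw", "")


def is_authenticated(req, effective_auth):
    """True if the request has a usable auth config or an explicit credential header."""
    if effective_auth and effective_auth.get("type") not in (None, "noauth"):
        return True
    return any(h.get("key", "").lower() in ("authorization", "x-api-key") for h in req.get("header", []))


def analyze(collection):
    """Return (category, message) findings for one collection, in document order."""
    findings = []
    for var in collection.get("variable", []):
        if is_literal_credential(var.get("key", ""), str(var.get("value", ""))):
            findings.append(("secret-leak", f"collection variable '{var['key']}' stores a literal credential"))

    for name, req, auth, responses in walk(collection.get("item", []), collection.get("auth")):
        url, method = raw_url(req), req.get("method", "GET").upper()
        for h in req.get("header", []):
            if is_literal_credential(h.get("key", ""), str(h.get("value", ""))):
                findings.append(("secret-leak", f"{name}: header '{h['key']}' contains a literal credential"))
        if not is_authenticated(req, auth):
            category = "over-permissive" if method in STATE_CHANGING else "missing-auth"
            findings.append((category, f"{name}: {method} {url} is callable without authentication"))
        if OBJECT_ID_RE.search(url):
            findings.append(("bola-indicator", f"{name}: object id in path; confirm server-side ownership checks"))
        for resp in responses:
            for field in SENSITIVE_FIELD_RE.findall(resp.get("body") or ""):
                findings.append(("sensitive-data", f"{name}: saved example response exposes '{field}'"))
    return findings


def summary(findings):
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings))


# Constructed sample collection for this example; not a real API.
SAMPLE_COLLECTION = {
    "info": {"name": "Orders API (sample)",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{access_token}}", "type": "string"}]},
    "variable": [
        {"key": "base_url", "value": "https://api.example.test"},
        {"key": "admin_api_key", "value": "ak_live_9f3c1b7e2d"},  # literal secret saved in the collection
    ],
    "item": [
        {"name": "Orders", "item": [
            {"name": "List orders", "request": {"method": "GET", "url": "{{base_url}}/orders"}},
            {"name": "Get order", "request": {"method": "GET", "url": "{{base_url}}/orders/:orderId"},
             "response": [{"name": "ok", "body": '{"id": 42, "card_number": "4111111111111111"}'}]},
        ]},
        {"name": "Delete user", "request": {"method": "DELETE", "url": "{{base_url}}/users/123",
                                            "auth": {"type": "noauth"}}},
        {"name": "Legacy export", "request": {"method": "GET", "url": "{{base_url}}/export",
                                              "auth": {"type": "noauth"},
                                              "header": [{"key": "X-API-Key", "value": "ak_live_9f3c1b7e2d"}]}},
    ],
}

if __name__ == "__main__":
    for category, message in analyze(SAMPLE_COLLECTION):
        print(f"[{category}] {message}")
    print(summary(analyze(SAMPLE_COLLECTION)))
```

On the sample, `Delete user` is reported twice on purpose: once because a state-changing method is reachable with `noauth`, and once because the path carries an object id, which is exactly the combination a BOLA review starts from. `Legacy export` is not reported as unauthenticated, since an `X-API-Key` header is present, but the literal key value in that header is reported as a leak.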

API Security Testing via Postman vs Schema-Based Testing

Wallarm also offers Schema-Based Testing, which runs as a Docker container, typically in CI/CD, and sends dynamic security tests against your application. Both products take a Postman collection as input; choose based on how you work and how deep you need to go:

Use when

  • API Security Testing via Postman: you want a quick, conversational check inside Postman. Ask in natural language and get results in the Agent chat in a few minutes.

  • Schema-Based Testing: you want automated, comprehensive DAST embedded in CI/CD; you already have functional tests in Postman and want them to drive security tests.

How it runs

  • API Security Testing via Postman: passive, design-level analysis; no attack payloads, no traffic replay.

  • Schema-Based Testing: dynamic testing as a Docker container; replays the collection, then generates and validates targeted security tests against the application.

Depth

  • API Security Testing via Postman: auth gaps, data leaks, over-permissive endpoints, schema issues, basic BOLA/BOPLA; summarized for developers.

  • Schema-Based Testing: OWASP API Top 10, business logic, access control, input validation (injections, RCE, etc.), and traffic-observable misconfigurations.

Where

  • API Security Testing via Postman: inside Postman (Agent Mode); results in chat and in Wallarm Cloud.

  • Schema-Based Testing: the Docker container runs in your pipeline or locally; results in Wallarm Console (Test runs, Security Issues).

In short: use API Security Testing via Postman for fast, in-Postman checks with minimal setup; use Schema-Based Testing when you need full DAST and pipeline integration.

Access via Postman

API Security Testing is delivered through Wallarm's MCP server, Rogue MCP Server Detection, which you connect to Postman. Security checks then run conversationally inside Postman Agent Mode, with no separate tools, proxies, or extra configuration. Scenario:

  1. In Postman, you add the Rogue MCP Server Detection server to your Workspace.

  2. With Postman's AI Agent, you ask in natural language to test your collection (e.g., "Please, test the collection for security issues with Wallarm.").

  3. The Agent runs the tests (about 2–3 minutes) and responds with a report covering:

    • What security issues were found in your APIs

    • How to fix them

  4. Test results are also sent to Wallarm Cloud.

To get started, proceed to Setup.

Bonus: Rogue MCP Inspection (free)

The same Rogue MCP Server Detection MCP server also runs Rogue MCP Inspection — an audit of every MCP server installed locally on your machine, surfacing supply-chain risks, excessive privileges, and unrestricted system access. This feature is free and does not require a WALLARM_API_TOKEN or a paid subscription; only API Security Testing on Postman collections (described above) does.

To run Rogue MCP Inspection, see Setup → Run Rogue MCP Inspection.
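To make the three risk classes above concrete, here is an added example that is not Wallarm's Rogue MCP Inspection: a Python script that walks a local MCP client configuration and flags servers whose package is resolved at launch without a version pin (supply chain), that are started with `--privileged` or `sudo` (excessive privileges), that are handed a filesystem root as an argument or bind mount (unrestricted system access), and whose environment carries credentials. It assumes the `mcpServers` JSON layout (launch `command`, `args`, optional `env`) used by several MCP clients; the sample config, the regexes and the `audit`/`audit_server`/`summary` helpers are the example's own.

```python
"""Heuristic audit of MCP servers configured on a developer machine.

Added illustration of the risk classes named above, not Wallarm's Rogue MCP
Inspection. Assumes the 'mcpServers' JSON layout used by several MCP
clients: each server is a launch command, its args and optional env.
"""
import json
import re
from collections import Counter

# npx spec with an explicit version (name@1.2.3 or @scope/name@1.2.3); uvx: name==1.2.3
PINNED_NPM_RE = re.compile(r"^(?:@[^/@]+/)?[^@]+@[^@]+$")
PINNED_PIP_RE = re.compile(r"^[^=@]+(?:==|@).+$")
CREDENTIAL_ENV_RE = re.compile(r"token|secret|api[-_]?key|password", re.I)
URL_WITH_PASSWORD_RE = re.compile(r"://[^/:@]+:[^@]+@")
# Roots that hand the server the whole filesystem.
ROOT_PATHS = {"/", "/home", "/Users", "C:\\", "C:/"}


def load_config(path):
    """Read an MCP client config file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def package_spec(command, args):
    """Package argument of an npx/uvx launch, skipping flags such as -y."""
    if command not in ("npx", "uvx"):
        return None
    return next((a for a in args if not a.startswith("-")), None)


def audit_server(name, cfg):
    """Return (server, category, message) findings for one configured server."""
    findings = []
    command, args, env = cfg.get("command", ""), cfg.get("args", []), cfg.get("env", {})

    spec = package_spec(command, args)
    if spec:
        pinned_re = PINNED_NPM_RE if command == "npx" else PINNED_PIP_RE
        if not pinned_re.match(spec):
            findings.append((name, "supply-chain", f"{command} resolves '{spec}' at launch with no version pin"))

    if "--privileged" in args or command == "sudo":
        findings.append((name, "excessive-privileges", "server is launched with elevated privileges"))

    for i, arg in enumerate(args):
        # Docker bind mounts: the host path is the part before the first ':'.
        source = arg.split(":", 1)[0] if i > 0 and args[i - 1] in ("-v", "--volume") else arg
        if source in ROOT_PATHS:
            findings.append((name, "unrestricted-system-access", f"argument exposes '{source}' to the server"))

    for key, value in env.items():
        if CREDENTIAL_ENV_RE.search(key) or URL_WITH_PASSWORD_RE.search(str(value)):
            findings.append((name, "secret-exposure", f"environment variable '{key}' carries a credential"))
    return findings


def audit(config):
    """Audit every server in a config and return all findings."""
    findings = []
    for name, cfg in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, cfg))
    return findings


def summary(findings):
    """Count findings per category."""
    return dict(Counter(category for _, category, _ in findings))


# Constructed sample config for this example; package names are placeholders.
SAMPLE_CONFIG = {
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@example/filesystem-mcp", "/"]},
        "orders-db": {"command": "uvx", "args": ["orders-mcp"],
                      "env": {"DATABASE_URL": "postgres://admin:hunter2@db.internal/prod"}},
        "shell": {"command": "docker", "args": ["run", "--privileged", "-v", "/:/host", "shell-mcp"]},
        "memory": {"command": "npx", "args": ["-y", "@example/memory-mcp@1.4.0"]},
    }
}

if __name__ == "__main__":
    for server, category, message in audit(SAMPLE_CONFIG):
        print(f"{server:<12} [{category}] {message}")
    print(summary(audit(SAMPLE_CONFIG)))
```

The `memory` server produces no finding because its package carries an explicit version, which is the fix for the `filesystem` and `orders-db` supply-chain findings. The `DATABASE_URL` finding is raised from the credential embedded in the URL, not from the variable name, so renaming the variable would not silence it.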