Schema-Based Testing
Wallarm's Schema-Based Testing is a dynamic application security testing (DAST) solution that enables "shift-left" security. It takes a Postman collection (your existing functional tests) as a blueprint for security tests and runs them as a Docker container that fits into CI/CD pipelines next to functional tests, smoke tests, and other security testing.
Use Schema-Based Testing Setup to get from a fresh subscription to your first test run.
AI-driven engine
Schema-Based Testing is built on an AI-driven scanning engine that goes beyond signature-based scanners:
- The engine analyzes the application context derived from the Postman collection, generates vulnerability hypotheses, builds attack chains, and validates each finding with an executable proof-of-exploit test before reporting it.
- This approach detects multi-step issues such as broken object level authorization (BOLA), broken function level authorization (BFLA), business logic abuse, and mass assignment: vulnerabilities that traditional payload-based DAST tools struggle to catch.
- Confirmed findings include a generated description, the test script that reproduces the issue, and the exploitation log captured during the run, so each result is reproducible by the development team.
Scan modes
Schema-Based Testing organizes its work into two scan modes that you enable independently in a test policy:
| Scan mode | Purpose |
|---|---|
| Passive Scan | Inspects the HTTP traffic captured by replaying the Postman collection, without sending additional payloads. Detects exposure of sensitive data, missing security headers, insecure cookies, debug output, and similar issues observable in normal responses. |
| Active Scan | Generates and sends targeted attack requests built from collection context, then validates each finding with an exploit test. Detects business logic, access control, injection, and other multi-step vulnerabilities. |
Each scan mode is powered by one or more strategies: reusable scanning recipes, each targeting one vulnerability class. Wallarm ships a default catalog of Active and Passive strategies, and you can add custom ones.
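As an added illustration, not Wallarm's own code, of the two halves of a run described above: walking a Postman collection to enumerate the endpoints under test, then applying Passive Scan style checks (missing security headers, cookie flags, debug output in the body) to responses captured during replay. The collection, the captured responses and the list of required headers are constructed for this example; Wallarm's actual strategies and result format are not shown.

```python
import json
# Constructed Postman collection in the v2.1 item layout; stands in for a real one.
COLLECTION = json.loads("""{"item": [
  {"name": "Users", "item": [
    {"name": "Get user", "request": {"method": "GET",
      "url": {"raw": "https://api.example.test/users/42", "path": ["users", "42"]}}}]},
  {"name": "Login", "request": {"method": "POST",
    "url": {"raw": "https://api.example.test/login", "path": ["login"]}}}
]}""")
# Constructed (header list, body) pairs, as if captured while replaying the
# collection. Passive checks inspect only these; no extra request is sent.
CAPTURED = {
    ("GET", "/users/42"): ([("Content-Type", "application/json"),
                            ("Set-Cookie", "session=abc123; Path=/")],
                           '{"error": "Traceback (most recent call last): ..."}'),
    ("POST", "/login"): ([("Strict-Transport-Security", "max-age=63072000"),
                          ("Content-Security-Policy", "default-src 'none'"),
                          ("X-Content-Type-Options", "nosniff"),
                          ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")],
                         '{"token": "redacted"}'),
}
# Headers a passive strategy expects on every response (example policy, not Wallarm's).
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-content-type-options")

def endpoints(items):
    """Walk the nested item tree and yield (method, path) for every request."""
    for item in items:
        if "item" in item:                      # a folder: descend into it
            yield from endpoints(item["item"])
        elif "request" in item:
            req = item["request"]
            yield req["method"], "/" + "/".join(req["url"]["path"])

def passive_findings(headers, body):
    """Return issue labels observable in one response without sending extra payloads."""
    present = {name.lower() for name, _ in headers}
    issues = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]
    for name, value in headers:
        if name.lower() == "set-cookie":
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            missing = sorted({"secure", "httponly"} - flags)
            if missing:
                issues.append(f"cookie {value.split('=')[0]} lacks {', '.join(missing)}")
    if "traceback (most recent call last)" in body.lower():
        issues.append("debug output: stack trace in response body")
    return issues

def passive_scan(collection, captured):
    # Map each endpoint found in the collection to the findings for its captured response.
    return {ep: passive_findings(*captured[ep])
            for ep in endpoints(collection["item"]) if ep in captured}
```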
Capabilities
- Deep, dynamic analysis of API endpoints based on the supplied Postman collection.
- Detection of vulnerabilities listed in the OWASP API Security Top 10 and the OWASP Top 10, plus security misconfigurations exposed through the application's HTTP traffic.
- Visualization of found issues in the Wallarm Console's Security Issues section, with the originating test run as the source.
- Lightweight execution via a Docker container, with run progress and aggregated results streamed back to Wallarm Cloud.
Schema-Based Testing vs API Security Testing via Postman
Wallarm also offers API Security Testing via Postman, a lighter solution that runs inside Postman Agent Mode with no Docker or CI/CD. Both products take a Postman collection as input; choose based on how you work and how deep you need to go:
| | Schema-Based Testing | API Security Testing via Postman |
|---|---|---|
| Use when | You want automated, comprehensive DAST embedded in CI/CD; you already have functional tests in Postman and want them to drive security tests. | You want a quick, conversational check inside Postman: ask in natural language and get results in the Agent chat in a few minutes. |
| How it runs | Dynamic testing as a Docker container: replays the collection, then generates and validates targeted security tests against the application. | Passive, design-level analysis; no attack payloads, no traffic replay. |
| Depth | OWASP API Top 10, business logic, access control, input validation (injections, RCE, etc.), and traffic-observable misconfigurations. | Auth gaps, data leaks, over-permissive endpoints, schema issues, basic BOLA/BOPLA, summarized for developers. |
| Where | Docker container runs in your pipeline or locally; results in Wallarm Console (Test runs, Security Issues). | Inside Postman (Agent Mode); results in chat and in Wallarm Cloud. |
In short: use Schema-Based Testing when you need full DAST and pipeline integration; use API Security Testing via Postman for fast, in-Postman checks with minimal setup.
Where to go next
- Setup: activate the subscription, create your first policy, and run a scan.
- Strategies: catalog of default strategies and how to manage custom ones.
- Docker reference: full Docker command, environment variables, CI/CD options, reports, mTLS.
- Exploring test run results: how to read the Test runs page, run details, and the resulting security issues.
