April 2026 product update
Edoardo Zatti, Zoran Gorgiev
This month, we introduce four powerful new features that take your API security testing workflows to the next level. Our April release is our most substantial yet, expanding the boundaries of what’s possible inside the Equixly platform.
We’ve been listening closely to customer feedback, and this update reflects our commitment to solving real security challenges — from discovering unknown attack surfaces to integrating smoothly with the tools you already use daily.
Here’s what’s new in Equixly’s April 2026 product update:
- Discovery: Find and test endpoints without needing an API specification.
- DAST: Use dynamic application security testing for web apps, directly inside Equixly.
- Integrations: Take advantage of native connections to Jira, GitHub, and ServiceNow ITSM, with automated Workflows.
- MCP testing: Launch specialized security testing for MCP environments.
Discovery: Test without an API spec
One of the most common challenges organizations face is testing APIs that lack formal specifications. Internal services, legacy systems, and rapidly evolving APIs often don’t come with an OpenAPI document, creating a coverage gap.
Equixly’s Discovery feature closes this gap. Starting from just a base URL, Equixly will automatically crawl and identify reachable endpoints across your application.
But Discovery doesn’t stop there. Once the platform identifies endpoints, it will automatically generate API documentation for your organization, providing a structured, reusable artifact that you can immediately integrate into your security testing workflows.
Two key settings give you precise control over how Discovery operates:
- Space Link: Space Link allows you to connect private services to Equixly’s discovery engine seamlessly. Whether it’s a staging environment behind a VPN or an internal service mesh, Space Link ensures that no part of your architecture is out of reach. This setting is especially convenient for organizations running microservices or internal APIs that aren’t exposed to the public internet.
- Allowed Domains: Not every scan needs to be exhaustive. The Allowed Domains setting lets you restrict discovery to specific domains, keeping the process tightly scoped to whatever your team needs to focus on at any given moment. This is especially useful for large organizations with complex, multi-domain API landscapes that want to test a single segment of their infrastructure without the noise from the rest.
Together, these settings make Discovery a flexible capability that adapts to your network topology rather than forcing you to adapt to it.
DAST: Web application security testing, now inside Equixly
A major new addition to the platform is our Dynamic Application Security Testing (DAST) capability. Security teams have long had to juggle separate tools for API testing and web application testing. Equixly now brings both under one roof.
Using nothing more than a target URL, you can launch full vulnerability assessments against modern single-page applications (SPAs) and traditional server-rendered web applications, all within the same platform you already use for API security.
Equixly’s DAST engine is purpose-built for the realities of modern web architectures. It can:
- Automatically recognize dynamic URL paths, so parameterized routes are tested thoroughly rather than treated as duplicates.
- Analyze client-side JavaScript, uncovering logic and endpoints that only become visible once scripts have been parsed and executed.
- Engage with forms and interactive elements to simulate real user behavior and expose vulnerabilities that static analysis would miss.
- Assess the DOM to detect genuine API interactions triggered by user events, reducing false positives in your results.
- Capture asynchronous network requests, ensuring that background API calls made via fetch or XHR are not overlooked.
- Support SPA session context, maintaining authentication state across the scan so protected routes are fully exercised.
Used alongside Equixly’s existing API security testing capabilities, DAST gives your team a full picture of your application’s attack surface, from the API layer all the way up through the user interface.
Integrations: Connect Equixly to your existing ecosystem
Security findings only create value when they reach the right people at the right time. This month, we’ve introduced native integrations with three of the most widely used issue-tracking and IT service management platforms: Jira, GitHub, and ServiceNow ITSM.
These integrations allow Equixly to push vulnerability details — including severity, affected endpoints, and remediation guidance — directly into the tools your engineering and operations teams live in. No more manual exports, copy-pasting findings into tickets, or chasing developers across platforms. Issues flow automatically from Equixly into your existing incident and backlog management processes.
Alongside the integrations themselves, we’ve introduced Workflows, a flexible automation layer that lets you define triggers based on predefined conditions.
For example, you can configure a Workflow to automatically open a GitHub issue whenever a critical vulnerability is detected, or route a ServiceNow ticket to the right team based on the affected service.
Workflows are fully customizable and can be linked to any active integration, enabling end-to-end automation from scan to remediation without requiring custom scripting.
MCP Testing: Security for MCP environments
As MCP (Model Context Protocol) adoption grows, so does the need to rigorously assess the security of MCP-based services. This month, we’ve added dedicated MCP testing support to the Equixly platform.
MCP Testing operates similarly to other service-level tests within Equixly — you provide an MCP URL and configure the scan — but the underlying test logic is purpose-built for the unique characteristics and threat model of MCP environments. This is an essential addition for security teams operating in or supporting AI-adjacent infrastructure, where the stakes of a misconfigured or vulnerable service are especially high.
We’ll have more to share on the depth of MCP Testing’s capabilities in the weeks ahead as the feature continues to evolve.
Closing thoughts
Equixly’s April release marks a significant leap forward across four dimensions: coverage, depth, automation, and emerging technology. Whether you’re discovering undocumented APIs, scanning modern web applications, accelerating remediation through integrations, or securing MCP infrastructure, this update gives your team the capabilities to stay ahead of the always-changing threat landscape.
We’re just getting started. As always, we’ll keep building, keep listening, and keep pushing the boundaries of what an API and application security platform can do.