Introducing Escape rules

Zero-maintenance, scalable API security rules

Write custom security tests that do not require any maintenance,
adapt to each newly discovered API, and each new version of your existing APIs.

Powerful, yet simple to use


What makes Escape rules different?

Zero maintenance

Escape rules adapt to the evolution of your existing APIs and to your new APIs without the need to maintain them, including adapting to database fixtures in development environments.

Easy to write

Escape rules are based on the YAML syntax. They are designed to be easy to write by security engineers, developers and site reliability engineers.

Capitalize on your pentests

Escape rules are powerful. Most of what an API pentest or a bug bounty program can find can be quickly implemented as an Escape rule for easy detection at scale, including the detection of business logic flaws.


Scanning an API with Escape rules takes minutes using the Escape platform.


At Escape, we value open-source collaboration. If you're like us, consider sharing your templates with others to help them run custom API security tests.

Usable in all environments

Escape rules can be run in production, preproduction, and development environments, as well as directly in CI/CD to shift security left.

New to custom security tests?

Join our upcoming workshop. We'll show some concrete examples of Escape rules and guide you on how to get started.

Everything you need to know about Escape rules.

Frequently asked questions

How can I run a custom test with Escape?
All you have to do is log into your Escape account, go to the "Custom test" tab, and create a new check in YAML or JSON format. Don't hesitate to check our documentation on how to set it up.
Can I contribute to the test database?
Yes, you can contribute to the database available on the dedicated GitHub repository and view others' templates. The Escape rules database will be entirely open-source. We also have a dedicated Slack community where you can ask any questions related to Escape rules!
How is it different from Nuclei?
One of the core pain points in implementing custom tests with Nuclei is the maintenance of each test to keep up with attack surface changes, whether they are pure API specification changes or new APIs that extend your organization's attack surface. With Escape rules, you build generic API security tests, and Escape adapts them to each newly discovered API and each new version of your existing APIs.
How is it different from bChecks?
While bChecks and Escape custom tests are pretty similar on the surface, bChecks uses a more verbose language that is less structured than the YAML operators (detectors/transformations) that Escape uses. The biggest difference is in the feedback-driven exploration engine and the scalar inference system built into Escape, which help you cover all the routes with confidence and with abstractions of the data manipulated, and which are easily available through Custom Tests.
Can I test it for free?
Yes, you can sign up on the platform for free to try all our features, including Escape rules.
What kind of APIs can I test with it?
You can implement Escape rules with GraphQL and REST APIs.
Does it support GraphQL?
Yes, you can write custom security tests for GraphQL APIs.

Can't find the answer you're looking for?

Reach out to our team!