Levo API Security Platform Updates July 2025

Last quarter, we introduced Levo’s Model Context Protocol (MCP) Server: a programmable API layer that exposes real-time security context to developers, LLM agents, and internal tools. 

But exposing data isn’t enough. For an MCP Server to drive real outcomes, it must be built on top of a technically robust foundation. 

That’s why Levo’s MCP Server is powered by our strongest primitives: deep runtime API visibility, sensitive data trace-linking, and context-aware security testing. 

What it exposes is not just metadata but a live, evolving map of your API behaviors, access risks, and remediation pathways.

This quarter’s updates continue to strengthen that foundation. We’ve expanded test coverage for low-traffic and imported APIs, improved Windows instrumentation, and refined our authorization testing logic, all designed to ensure that your security posture remains strong.

Security Testing for API Endpoints with Low Traffic

Levo now discovers and security tests even low-traffic, rarely used API endpoints, before they become silent entry points for data breaches and compliance failures.

Traffic volume isn't a reliable proxy for risk. 

Attackers actively exploit zombie and shadow APIs, often from staging, QA, or internal services, that evade detection due to minimal usage.

These endpoints bypass access control, monitoring, and governance efforts and thus expose sensitive data more easily. 

Levo’s latest release extends automated discovery and pre-production security testing to cover up to 85% of your full API footprint. 

Even if an API endpoint has only 1–2 traces in its entire lifetime, Levo can now discover and security test it.

With agent-based, agentless, log-based, and code-level instrumentation, Levo discovers 100–250x more endpoints than customers were initially aware of, even in low-traffic environments, without requiring code changes.

The result? 

Broader coverage, stronger security posture, and fewer fire drills in production.

Customizable PCAP Sensor 

Levo’s PCAP Sensor Now Offers Custom Resource Allocation For Greater Performance Efficiency at Enterprise Scale

You can now specify memory usage as a percentage of available system RAM and CPU rather than a hard-coded fixed value.

Levo has always been engineered for efficiency. 

Unlike vendors who spike your cloud bills by an additional $500k annually, we use less than 1/10th of the computing resources of our competitors. 

We keep less than 1% of your data in our SaaS, and even offer you the flexibility of no sensitive data ever leaving your environment.

But today’s enterprise environments aren’t uniform. 

One team may run 2GB staging clusters; another, 100GB production machines. 

That’s why we’ve added customizable memory allocation to our PCAP Sensor, letting you define usage as a percentage of system resources, not a fixed value.

This isn’t just a tuning option. 

It’s an extension of Levo’s core promise: API Security that’s performant, cost-aware, and adaptable without compromising coverage or capabilities.

This same customization will soon be extended to our eBPF Sensor so every deployment gets the same efficiency, no matter the agent.

Improved BFLA Testing

Levo Now Tests for BFLA Without Requiring Privileged Users Upfront!

Privilege escalation flaws are among the most dangerous—and notoriously difficult to test manually, given the sheer complexity of roles, scopes, and configurations across applications and endpoints.

Levo makes API Authorization Testing effortless by automating role-matching and privilege evaluation across your entire API surface.

With this release, we’ve made it even smarter: Levo now dynamically matches available user profiles to the role requirements of each privileged endpoint.

So even if your default user lacks elevated privileges, we still test for vertical access bypasses.

Security teams now get broader test coverage across more endpoints, roles, and services without added configuration complexity.

Improved BOLA Testing

Levo Now Tests for BOLA Even Without Multiple User Credentials, Making Authorization Testing More Accessible Than Ever!

BOLA (Broken Object Level Authorization) remains the most exploited API vulnerability today. 

Yet most platforms could not simulate conditions that uncover it due to their inability to manage multiple user credentials.

Traditionally, Levo validated BOLA with the most accurate method possible: comparing two full user sessions, each with their own credentials and the victim’s object IDs, to confirm unauthorized data access.

But we know not every team can or wants to expose multiple user accounts for testing.

With this release, Levo can now emulate BOLA scenarios even with a single user’s credentials by leveraging multiple parameter profiles to attempt unauthorized access.

While this won’t produce the same confidence as our original test flow, it still flags high-risk authorization gaps across your APIs.

It’s another step in our mission to make deep, automated API Security Testing accessible.

Debugging Test Failure 

Debug API Test Failures Faster with Real-Time Logs in Levo’s UI!

No more waiting on backend checks or guesswork. 

Levo now surfaces real-time logs for each API security test so your teams can instantly identify what went wrong and why.

Whether it’s a config mismatch, an infrastructure change, or a missed edge case in our runner, logs are now visible directly in the product.

Another step toward making Levo’s security automation not just powerful, but transparent and developer-friendly.

API Discovery through HAR Files

Levo Now Discovers APIs from HAR Files!

Live traffic is great. 

But what if you need visibility into isolated, low-traffic, or sensor-restricted environments?

With this release, you can now upload HAR (HTTP Archive) files, which are recorded traffic logs from browser sessions, and Levo will extract every API endpoint they touch.

This makes it easy to build API inventories even in disconnected or early-stage environments where deploying sensors isn’t feasible.

It’s another step toward total API visibility, now possible through live agents, existing infra, and even static traffic logs.
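As an added illustration of how an API inventory can be built from a HAR file (this is not Levo's code; the sample HAR, the MIME filter, and the {id} path templating are assumptions made for the example):

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in HAR 1.2 layout (log.entries[].request / .response).
def _entry(method, url, mime):
    return {"request": {"method": method, "url": url},
            "response": {"status": 200, "content": {"mimeType": mime}}}

SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("GET", "https://shop.example/api/v1/orders/1042?expand=items",
           "application/json; charset=utf-8"),
    _entry("GET", "https://shop.example/api/v1/orders/1043", "application/json"),
    _entry("GET", "https://shop.example/static/app.js", "application/javascript"),
    _entry("POST", "https://shop.example/api/v1/orders", "application/json"),
    _entry("GET", "https://shop.example/api/v1/users/"
           "3f2b8c1e-9d4a-4c6b-8e2f-1a2b3c4d5e6f/profile?fields=email",
           "application/json"),
]}})

# Assumption: responses with these content types are treated as API traffic.
API_MIME = {"application/json", "application/xml", "text/xml"}
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

def template_path(path):
    """Replace numeric and UUID segments with {id} so calls to one route collapse."""
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def extract_endpoints(har_text):
    """Return sorted (method, host, path_template, query_param_names) tuples."""
    inventory = {}
    for entry in json.loads(har_text).get("log", {}).get("entries", []):
        request = entry.get("request", {})
        content = entry.get("response", {}).get("content", {})
        mime = (content.get("mimeType") or "").split(";")[0].strip().lower()
        if mime not in API_MIME or "url" not in request:
            continue  # skip scripts, images, HTML and malformed entries
        url = urlsplit(request["url"])
        key = (request.get("method", "GET").upper(), url.netloc,
               template_path(url.path))
        names = inventory.setdefault(key, set())
        names.update(k for k, _ in parse_qsl(url.query, keep_blank_values=True))
    return [key + (sorted(inventory[key]),) for key in sorted(inventory)]

if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_HAR):
        print(endpoint)
```

HAR captures often include cookies, bearer tokens, and request bodies, so treat the file itself as sensitive data before sharing or uploading it.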

API Endpoint Reachability 

Levo Now Flags Externally Reachable API Endpoints So You Can Prioritize What’s Most at Risk

Just because an API is internal doesn’t make it secure. But external endpoints? They’re under attack constantly.

In fact, 98% of all API attacks target externally exposed endpoints, making them a top priority for security teams.

With this release, Levo now checks every discovered API for truly external reachability and flags it automatically.

So you can instantly identify which APIs are exposed to the public internet and need stricter access controls, rate limits, and monitoring.

It’s built into our Discovery Module and helps teams not just find APIs, but triage real-world risk before attackers do.

Save Target URLs

Save Test Targets Once, Reuse Them Instantly.

Running API security tests across multiple environments often means re-entering the same application URL over and over.

Not anymore.

With this release, Levo lets you save target URLs, whether for staging, QA, or production, and select them from a dropdown in future test runs.

No more copy-pasting, no more retyping. 

Just faster setup, fewer errors, and better testing velocity across your SDLC environments.

Featured Applications 

Prioritize What Matters: Manually Feature Your Most Critical Applications

Enterprise networks often contain hundreds of applications, but not all are equally important.

With Levo’s new Featured Applications capability, you can now manually mark your highest-priority applications, ensuring they’re always surfaced at the top of your view.

Whether it’s a payment gateway, customer portal, or compliance-critical system, this feature lets your team focus where it matters most, without sifting through low-risk or deprecated apps.

Updated CORS Testing 

Smarter CORS Risk Evaluation, Now Tuned to Browser Enforcement Realities

Not all misconfigurations are actual threats. 

When Access-Control-Allow-Origin doesn't reflect a malicious domain, modern browsers block the request and strip secrets, making the scenario unexploitable in practice.

Levo now incorporates this browser-aware logic into our vulnerability classification. 

Our testing ensures CORS issues are only flagged as high when truly exploitable.

The result: sharper prioritization, reduced noise, and stronger signal-to-action for your security team. 
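A browser-aware CORS classification of the kind described above could look like the following added example (not Levo's code; the severity labels, function names, and sample probes are assumptions, while the header rules follow standard browser CORS enforcement):

```python
def classify_cors(probe_origin, response_headers):
    """Rate one CORS probe by what a browser would let the probing origin read.

    probe_origin: the Origin value the scanner sent (one the API should not trust).
    response_headers: headers the API returned for that request.
    Returns (severity, reason).
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    # Browsers honour credentials only for the exact, case-sensitive value "true".
    with_credentials = headers.get("access-control-allow-credentials") == "true"

    if acao is None:
        return "none", "no Access-Control-Allow-Origin: cross-origin read is blocked"
    if acao == "*":
        # Browsers reject the wildcard for credentialed requests, so cookies
        # and HTTP auth never accompany a readable response.
        return "low", "wildcard origin: only unauthenticated responses are readable"
    if acao == probe_origin:
        if with_credentials:
            return "high", "untrusted origin reflected with credentials allowed"
        return "medium", "untrusted origin reflected, but without credentials"
    return "none", "allowed origin differs from the requester: read is blocked"

# Constructed probe results: label -> (Origin sent, response headers).
PROBE = "https://probe.example"
SAMPLES = {
    "reflect+creds": (PROBE, {"Access-Control-Allow-Origin": PROBE,
                              "Access-Control-Allow-Credentials": "true"}),
    "wildcard+creds": (PROBE, {"Access-Control-Allow-Origin": "*",
                               "Access-Control-Allow-Credentials": "true"}),
    "fixed-origin": (PROBE, {"access-control-allow-origin": "https://app.example",
                             "access-control-allow-credentials": "true"}),
    "reflect-only": (PROBE, {"Access-Control-Allow-Origin": PROBE}),
    "creds-wrong-case": (PROBE, {"Access-Control-Allow-Origin": PROBE,
                                 "Access-Control-Allow-Credentials": "True"}),
    "null-origin": ("null", {"Access-Control-Allow-Origin": "null",
                             "Access-Control-Allow-Credentials": "true"}),
    "no-cors": (PROBE, {"Content-Type": "application/json"}),
}

def triage(samples):
    """Return {label: severity} for a dict of constructed probe results."""
    return {label: classify_cors(o, h)[0] for label, (o, h) in samples.items()}

if __name__ == "__main__":
    for label, severity in triage(SAMPLES).items():
        print(f"{label:18} {severity}")
```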

UI Refresh

Track Progress, Surface Urgency: Vulnerability Insights at a Glance

Levo now surfaces total vulnerabilities, resolved issues, and new findings from the last 7 days, right at the top of our Homepage Dashboard.

By highlighting recent alerts and closed cases in real time, we ensure security teams don’t miss what matters, or waste time hunting for context.

Levo-powered AppSec programs guarantee clarity, momentum, and outcome-driven remediation.

API Instrumentation on Windows Machines 

Levo Now Supports API Instrumentation for Windows Servers via IIS Filter

Windows workloads, especially .NET applications hosted on IIS, are no longer blind spots in your API security posture.

With this release, Levo introduces a custom-built IIS Filter that passively instruments API traffic, including encrypted HTTPS, directly from Windows-based environments.

Previously, Levo’s instrumentation relied on eBPF (Linux-only) or PCAP (limited HTTPS support), making deep API visibility on Windows difficult or incomplete.

Now, enterprise teams can observe, test, and secure Windows-hosted APIs without code changes or manual traffic replay, extending full API coverage across hybrid stacks.

It’s another step towards universal coverage, minimal overhead, and deep runtime intelligence.

PII added in traces

Levo Now Surfaces Exactly What PII Was Exposed, Right Inside Each Trace.

Knowing a vulnerability exists isn’t enough. 

Security teams need to know what was exposed, where it appeared, and why it matters, especially when sensitive data like email addresses, phone numbers, or account IDs are involved.

With this update, Levo now enriches every Vulnerability ticket with detailed test case metadata. 

That includes the exact trace and the specific field highlighted inline where sensitive data was detected.

Gain complete and accurate visibility into your crown jewels, made possible with our existing trace-linking capabilities.

Burp Suite Plugin for API Instrumentation

BurpSuite Plugin Now Supports Environment-Specific API Discovery

Levo’s BurpSuite integration, used for agentless API Instrumentation, can now route captured APIs to the correct environment and application within your Levo workspace.

Earlier, all APIs discovered via BurpSuite were mapped to a default staging environment, leading to misclassification and cluttered dashboards.

With this release, users can specify whether the traffic belongs to staging, QA, or production—ensuring each discovered API is tagged, routed, and governed in its rightful context.

The result: cleaner inventories, more accurate visibility, and better alignment with your actual deployment topology.

Another step toward precise, multi-environment API governance.

Security Testing for Imported Endpoints

Manual Parameterization Now Supported for Imported APIs!

Testing imported APIs just got drastically easier.

Whether you import OpenAPI specs, Swagger files, Postman collections, or HAR files, Levo now allows you to manually define parameter values, unlocking real test payload generation for every API, regardless of how it was discovered.

Previously, traffic instrumentation was the only way to feed live parameter values. But now, even APIs we’ve never seen in runtime can be tested with precision.

This means full testing coverage without being blocked by missing traffic.
From documentation-first to legacy APIs, every endpoint is now in scope.

Another step toward Levo’s core promise: API Security Testing that is comprehensive, automated, scalable, and unblocked by discovery limitations.

BoringSSL Support for eBPF Sensor

Levo’s eBPF Sensor Now Supports BoringSSL—Expanding Coverage Across all Encrypted API Traffic

BoringSSL is a widely used, Google-maintained SSL/TLS library implemented across many modern applications—especially in performance-optimized and cloud-native environments.

With this release, Levo’s eBPF Sensor can now decrypt and inspect traffic secured using BoringSSL, just like it already does with OpenSSL and other standard libraries.

That means more encrypted traffic is now visible, more APIs are testable, and more vulnerabilities are detectable without requiring any changes to your code or environment.

Separate GraphQL Operations

Levo Now Detects GraphQL Operations Separately, Because One Endpoint Doesn’t Mean One Risk

GraphQL may expose just a single endpoint—but behind it lie dozens of unique operations: queries, mutations, and subscriptions, each with different access patterns, parameters, and risks.

Until now, most tools have treated all GraphQL traffic as a single API, masking visibility and limiting granular security analysis.

With this release, Levo detects and distinguishes each GraphQL operation individually, ensuring security teams have visibility into how every mutation, query, or subscription behaves, what data it touches, and where risks may lie.

Because true API coverage means more than checking a box. It means understanding the unique behaviors of each protocol, and securing them with precision.
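To show what separating operations behind a single GraphQL endpoint involves, here is an added example (not Levo's code; the tokenizer, function names, and request bodies are assumptions constructed for illustration) that turns request bodies into one inventory entry per operation:

```python
import json
import re
# Strings and comments are matched first so braces inside them are ignored.
TOKEN = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[{}()@]|[A-Za-z_]\w*')
OP_TYPES = {"query", "mutation", "subscription"}

def operations_in(document):
    """Return [(type, name_or_None)] for each top-level operation in a document."""
    ops, header, braces, parens = [], [], 0, 0
    for tok in TOKEN.findall(document):
        if tok[0] in '"#':
            continue
        if tok in "()":
            parens += 1 if tok == "(" else -1
        elif tok in "{}" and parens == 0:
            if tok == "{" and braces == 0:  # selection set of a top-level definition
                if not header:
                    ops.append(("query", None))  # shorthand form: bare "{ ... }"
                elif header[0] in OP_TYPES:
                    named = len(header) > 1 and header[1] not in ("(", "@")
                    ops.append((header[0], header[1] if named else None))
                header = []  # fragments and other definitions are dropped here
            braces += 1 if tok == "{" else -1
            continue
        if braces == 0:
            header.append(tok)
    return ops

def inventory(bodies):
    """Collect distinct (type, name) keys from JSON bodies, single or batched."""
    seen = set()
    for body in bodies:
        payload = json.loads(body)
        for item in payload if isinstance(payload, list) else [payload]:
            ops = operations_in(item.get("query") or "")
            wanted = item.get("operationName")
            if wanted:  # document holds several operations; only this one executes
                ops = [op for op in ops if op[1] == wanted]
            seen.update((kind, name or "<anonymous>") for kind, name in ops)
    return sorted(seen)

SAMPLE_BODIES = [  # constructed bodies, all sent to the same POST /graphql endpoint
    json.dumps({"query": "query GetUser($id: ID!) { user(id: $id) { email } }"}),
    json.dumps({"query": 'mutation DeleteUser { deleteUser(id: "}{") { ok } }'}),
    json.dumps({"query": "{ viewer { id } }"}),
    json.dumps({"operationName": "B", "query": "query A { a } query B { b }"}),
    json.dumps([{"query": "subscription OnOrder { orderCreated { id } }"}]),
]
```

Five requests to one URL yield five distinct inventory entries, which is the unit at which access patterns and authorization need to be reviewed.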

Views Filter in Applications Tab

Create Saved Views in the Applications Tab. 

So You See What Matters, First. 

Managing hundreds of applications across departments, environments, or business units? 

Levo now lets you group them into custom views based on any saved filter.

Whether it’s separating internal vs. external apps, staging vs. production, or prioritizing Finance over HR, your workspace now reflects your org structure.

It’s complete control over how you organize, monitor, and prioritize your API landscape.

Curious about how these features could transform your API Security initiatives?

Book a demo through this link!

Levo API Security Platform Updates | July 2025 Release

July 15, 2025