Feb 13, 2026

Berkeley Cybersecurity Master’s Students Develop API Security Test for Different Users

APIs, or application programming interfaces, are the defined protocols that let two computers or programs communicate with one another. That communication channel, however, is also where vulnerabilities appear. Rest Assured “VentiAPI”, by Fall 2025 Master of Information and Cybersecurity graduates Karl-Johan Westhoff, Bleu Strong, Jenny Garcia, and Tyler Heslop, helps organizations find and fix vulnerabilities in their web APIs by explaining what each vulnerability is, why it matters, and how to resolve it, in language suited to the reader. The team built three views of the same scan results: one for security analysts who want full technical depth, one for developers who need to know which code to change, and one for business owners who need to understand the risk without the jargon.
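The "one finding, three audiences" idea described above, as an added example that is not VentiAPI's own code. It normalizes a constructed scanner record into a single `Finding`, renders it once per audience (the analyst keeps the raw evidence, the developer gets only the code location and fix, the business owner gets plain-language risk and urgency), and adds a small CI gate that turns the same findings into a pass/fail exit code. The field names, the severity-to-risk wording and the sample finding are all assumptions made for this demonstration.

```python
"""Added example, not VentiAPI's code: one normalized API finding rendered
for a security analyst, a developer and a business owner, plus a CI gate.
Field names, risk wording and the sample record are assumptions."""
from dataclasses import dataclass, field

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Severity -> plain-language risk level and remediation window (assumed values).
RISK_LANGUAGE = {
    "critical": ("Severe", "fix before the next release"),
    "high": ("High", "fix within days"),
    "medium": ("Moderate", "fix within the current sprint"),
    "low": ("Low", "schedule when convenient"),
}


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: str           # one of SEVERITY_ORDER
    endpoint: str           # "METHOD /path"
    what: str               # what the weakness is, in plain language
    why: str                # why it matters to the business
    fix: str                # how to resolve it
    code_location: str      # file:line the developer should open
    evidence: dict = field(default_factory=dict)  # request/response detail


def normalize(raw: dict) -> Finding:
    """Convert a raw scanner record (assumed shape) into a Finding.
    An unknown severity is coerced to 'medium' rather than dropped, so a
    mislabelled issue still reaches every audience and still trips the gate."""
    sev = str(raw.get("severity", "medium")).lower()
    if sev not in RISK_LANGUAGE:
        sev = "medium"
    return Finding(
        finding_id=raw["id"], title=raw["title"], severity=sev,
        endpoint=f"{raw['method']} {raw['path']}",
        what=raw["what"], why=raw["why"], fix=raw["fix"],
        code_location=raw.get("location", "unknown"),
        evidence=raw.get("evidence", {}),
    )


def analyst_view(f: Finding) -> str:
    """Full technical depth: identifier, endpoint, what, raw evidence, fix."""
    ev = "\n".join(f"    {k}: {v}" for k, v in sorted(f.evidence.items()))
    return (f"[{f.finding_id}] {f.title} ({f.severity.upper()})\n"
            f"  endpoint: {f.endpoint}\n  what: {f.what}\n"
            f"  evidence:\n{ev}\n  fix: {f.fix}")


def developer_view(f: Finding) -> str:
    """Only what is needed to change the code: where, and what to do."""
    return (f"{f.code_location}: {f.title}\n"
            f"  endpoint: {f.endpoint}\n  fix: {f.fix}")


def business_view(f: Finding) -> str:
    """No jargon: risk level, impact in plain words, and urgency."""
    level, window = RISK_LANGUAGE[f.severity]
    return f"{level} risk: {f.why}\n  Recommended action: {window}."


def render_all(raw_findings: list) -> dict:
    """Render every finding once per audience from the same normalized data."""
    findings = [normalize(r) for r in raw_findings]
    return {
        "analyst": [analyst_view(f) for f in findings],
        "developer": [developer_view(f) for f in findings],
        "business": [business_view(f) for f in findings],
    }


def ci_gate(raw_findings: list, fail_on: str = "high") -> int:
    """Pipeline exit code: 1 if any finding is at or above `fail_on`, else 0."""
    threshold = SEVERITY_ORDER.index(fail_on)
    worst = max((SEVERITY_ORDER.index(normalize(r).severity)
                 for r in raw_findings), default=-1)
    return 1 if worst >= threshold else 0


# Constructed sample record, shaped like a generic scanner's JSON output.
SAMPLE_FINDINGS = [{
    "id": "F-001",
    "title": "Object identifier accepted without ownership check",
    "severity": "HIGH",
    "method": "GET", "path": "/api/v1/orders/{id}",
    "what": "The endpoint returns any order whose numeric id is supplied, "
            "regardless of which user is authenticated.",
    "why": "One customer can read other customers' order details.",
    "fix": "Look up the order by id AND the authenticated user's id; "
           "return 404 when they do not match.",
    "location": "orders/handlers.py:42",
    "evidence": {"request": "GET /api/v1/orders/1002 (token of user 7)",
                 "response": "200 OK, order belongs to user 9"},
}]

if __name__ == "__main__":
    for audience, lines in render_all(SAMPLE_FINDINGS).items():
        print(f"=== {audience} ===")
        print("\n".join(lines))
    print("gate exit code:", ci_gate(SAMPLE_FINDINGS, "high"))
```

The point of keeping a single `Finding` behind the three renderers is that each audience sees a projection of the same record rather than a separately maintained summary, so the business view can never describe a risk that the analyst view does not back with evidence.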

The project was awarded the Fall 2025 Lily L. Chang Capstone Award, which recognizes the semester's top project.

We interviewed the team to learn more —

What inspired your project?

Karl: It was Jenny who came up with the idea to look at APIs, which tend to live a somewhat hidden life inside many modern applications. As we began researching API usage and breach statistics, we were inspired by the disparity between the growing API threat landscape and the tools available to combat it. APIs account for 71% of web traffic and 62% of bug bounty payouts. It’s clear they’re a critical space in security. Many organizations rely heavily on APIs without fully understanding the risks they introduce, especially when security responsibility is fragmented across teams. That realization became the foundation for VentiAPI.

Jenny: The idea was inspired by my work in the Cybersecurity Clinic working with the non-profit environment. It helped me understand that there is a need for cost-efficient tools that small and mid-size businesses (SMBs) can use to protect themselves. But that wasn’t enough. My teammates noted that even though there are free tools available, they are often too technical for an SMB to use effectively. A tool isn’t helpful if you can’t understand the alert. This inspired the explainability focus of our project. It brings the ‘brains of an expert’ to the hands of the SMB, ensuring they have expert support without the complexity. And thus, VentiAPI came to life.

What was the timeline or process like from concept to final project?

Bleu: The project evolved iteratively. We began with research and problem definition, focusing on real-world API breach data and common pain points in existing security tooling. From there, we moved into architectural design, mapping out how API discovery, scanning, validation, and reporting could be integrated into a single workflow.

As the project progressed, we refined the scope based on feasibility and impact, implementing a core scanning engine first, then layering in machine learning–assisted analysis, reporting logic, and enterprise-oriented features such as CI/CD integration and compliance-focused outputs. Each phase built on the last, resulting in a cohesive end-to-end solution rather than a collection of disconnected features.

How did you work as a team? How did you work together as members of an online degree program?

Tyler: We approached this like a modern distributed team. We divided responsibilities based on individual strengths. We split up the research, technical design, and implementation, using shared docs and video calls to stay aligned on the big picture.

Honestly, the online format forced a discipline that was actually an advantage. Because you can’t rely on hallway conversations to fix misunderstandings and catch up, everything important had to be written down. In many ways, this helped keep things timeboxed and focused, though I would have loved to walk down Telegraph Ave. with the team.

How did your I School curriculum help prepare you for this project?

Karl: Knowing where to find credible statistics and research sources was essential. Courses like Cyber 200: Beyond the Code and Cyber 252: Security Operations provided a strong foundation in understanding how technical vulnerabilities intersect with organizational risk and decision-making. Additionally, Cyber 284: Web Application Security Assessment made common API security risks and best practices feel familiar and actionable rather than abstract.

Across the curriculum, the emphasis on critical thinking, threat modeling, and real-world application directly shaped how we approached both the technical and human sides of VentiAPI.

Do you have any future plans for the project?

Bleu: Yes. Plans include machine learning components to improve vulnerability finding accuracy, enhancing predictive risk scoring, and further integrating VentiAPI into CI/CD pipelines. We also see potential for expanding reporting to better support regulatory compliance and executive level risk communication. While the tool is fully functional today, we designed it to be flexible. As APIs evolve, this tool is ready to scale with them.

How could this project make an impact, or, who will it serve?

Jenny: VentiAPI is designed to serve organizations of all sizes, from small businesses that lack dedicated security teams to large enterprises managing complex API ecosystems. By translating security findings into language appropriate for developers, business owners, and security analysts alike, the project reduces friction between teams and accelerates remediation. Ultimately, this can lead to fewer breaches, better protection of customer data, and more informed security decision-making.

Anything else you’d like to share?

Tyler: We built VentiAPI around the idea that security is rarely just a technical problem; it’s a coordination problem. The person who discovers a vulnerability, the person who owns the business risk, and the person who fixes the code are frequently different people with different priorities and levels of technical understanding. We didn’t want to build something that just flags vulnerabilities. Modern, effective security tools should support all three perspectives, not just detect problems. A good tool has to bridge that gap.
