What does Bachao.AI do?

Bachao.AI is an AI-native cybersecurity platform built for Indian SMBs and SaaS startups. It automates Vulnerability Assessment and Penetration Testing (VAPT) and delivers DPDP Act 2023 compliance tooling, reducing audit timelines from weeks to days while keeping pricing accessible for founder-led teams across India.

How is Bachao.AI different from manual VAPT firms in India?

Traditional Indian VAPT firms quote two to eight lakh rupees and take three to six weeks per audit. Bachao.AI uses AI agents to discover assets, run authenticated scans, validate exploits, and produce CERT-In format reports within 72 hours at SMB-friendly pricing with continuous monitoring instead of one-shot tests.

Does Bachao.AI cover DPDP Act 2023 compliance?

Yes. Bachao.AI ships a DPDP readiness module covering data principal rights workflows, consent artifact storage, breach notification timers, data fiduciary obligations, and Significant Data Fiduciary controls. It maps your data inventory to Section 8 obligations and generates audit-ready evidence packs for the Data Protection Board of India.

What does VAPT cost in India with Bachao.AI?

Bachao.AI plans start at twenty-five thousand rupees per month for continuous VAPT across one web application, scaling to two lakh rupees per quarter for multi-asset SaaS stacks covering API, mobile, and cloud. Pricing is transparent with no per-vulnerability surcharges and unlimited rescans after remediation.

Are Bachao.AI reports accepted by Indian regulators?

Yes. Bachao.AI generates reports in the CERT-In-prescribed format covering OWASP Top 10, network, API, and mobile vulnerabilities with CVSS scores and remediation steps. Reports are accepted by Indian regulators, banks, and enterprise procurement teams. CERT-In empanelment-grade audits are available through our partner network when explicitly required.

What APIs does Bachao.AI expose for automated security scanning?

Bachao.AI exposes REST endpoints for booking VAPT scans, listing scans, fetching reports, RASP agent registration and event ingestion, and rule management. The Node.js RASP SDK ships as @bachao/rasp-node; all other operations are available via the REST API documented on this page.

How do I authenticate with the Bachao.AI API?

Dashboard-side calls use a session cookie from OTP login. RASP agents register with a setup token issued by the dashboard, then receive a permanent API key passed via the x-rasp-key header. Generate a setup token via POST /api/rasp/setup/generate-key.

Does Bachao.AI integrate with CI/CD pipelines?

Yes. Use the documented GitHub Actions workflow (also adaptable to GitLab CI and Bitbucket Pipelines) to call POST /api/scans/book on push or pull-request events. Reports are accessible via GET /api/reports/{id} once the scan completes, with severity scoring suitable for DevSecOps merge gates.

What webhook events does Bachao.AI emit?

Bachao.AI emits scan.completed events with scan ID, target URL, risk score, finding counts, and severity breakdown. Payloads are documented on this page. Delivery is retried with exponential backoff for transient 5xx responses.

What rate limits apply to the Bachao.AI API?

Scan booking is limited to 6 requests per hour per account. RASP event ingestion is limited to 60 batched requests per minute per agent, with heartbeats at 12 per minute. Dashboard reads are limited to 600 per minute per session. Throttled responses include a Retry-After header.

Bachao.AI API & SDK — Trigger VAPT Scans, Stream Findings, Automate DPDP Evidence

REST endpoints, runtime-protection SDKs, and CI/CD integrations for shipping faster without trading away security. Built for Indian SaaS startups, SMBs, and platform teams.

RASP SDK Quickstart

Install the Node.js SDK in 2 minutes

API Authentication

API keys, setup tokens, and auth flows

Webhook Reference

Event payloads and delivery

CI/CD Integration

GitHub Actions, GitLab CI, Bitbucket Pipelines

Quickstart: Trigger Your First VAPT Scan (cURL)

One curl call kicks off a full automated VAPT against a target you control.

Book a scan

curl -X POST https://www.bachao.ai/api/scans/book \
  -H "Cookie: bachao-session=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{"scanUrl":"https://staging.example.com","scanType":"pentest"}'

# Response:
# { "success": true, "scanId": "clx...", "status": "queued" }

Your session cookie comes from the dashboard login. For unattended pipelines, generate a setup token (see API Authentication) and use it instead. The scan ID returned here is what you poll onGET /api/scansor receive via webhook when complete.

RASP SDK Quickstart

Add runtime protection to your Node.js app in under 2 minutes.

Install

npm install @bachao/rasp-node

Express

import express from "express";
import { bachaoRasp } from "@bachao/rasp-node";

const app = express();

app.use(bachaoRasp({
  apiKey: process.env.BACHAO_RASP_KEY!,
  appName: "my-api",
  mode: "monitor", // start in monitor mode, switch to "block" from dashboard
}));

app.listen(3000);

Fastify

import Fastify from "fastify";
import { bachaoRaspFastify } from "@bachao/rasp-node/fastify";

const app = Fastify();
app.register(bachaoRaspFastify, {
  apiKey: process.env.BACHAO_RASP_KEY!,
  appName: "my-api",
});

NestJS

import { Module } from "@nestjs/common";
import { BachaoRaspModule } from "@bachao/rasp-node/nestjs";

@Module({
  imports: [BachaoRaspModule.forRoot({
    apiKey: process.env.BACHAO_RASP_KEY!,
    appName: "my-api",
  })],
})
export class AppModule {}

API Authentication

How authentication works between the dashboard, SDK, and API.

Auth Flow

Dashboard generates a setup token via POST /api/rasp/setup/generate-key
SDK uses the setup token during agent registration
Agent receives a permanent API key (sent via x-rasp-key header)
All subsequent SDK → API calls use the x-rasp-key header
Dashboard calls use a session cookie (from OTP login)

Generate setup token from dashboard

# Generate setup token from dashboard
curl -X POST https://www.bachao.ai/api/rasp/setup/generate-key \
  -H "Cookie: bachao-session=YOUR_SESSION" \
  -H "Content-Type: application/json"

# Response:
# { "success": true, "setupToken": "eyJ..." }

API Endpoints Reference

All public API endpoints available for integration.

Method	Endpoint	Auth	Description
POST	/api/rasp/register	Setup token	Register new RASP agent
POST	/api/rasp/heartbeat	API key	Agent health check + rule sync
POST	/api/rasp/events	API key	Report security events (batch)
GET	/api/rasp/rules	API key	Fetch protection rules
POST	/api/rasp/rules	Session	Create protection rule
GET	/api/rasp/agents	Session	List registered agents
GET	/api/rasp/stats	Session	Dashboard statistics
POST	/api/scans/book	Session	Book a VAPT scan
GET	/api/scans	Session	List your scans
GET	/api/reports/{id}	Session	Fetch scan report

Webhook Reference

Receive real-time notifications when events occur in your account.

scan.completed event payload

{
  "event": "scan.completed",
  "scanId": "clx...",
  "scanUrl": "https://example.com",
  "scanType": "pentest",
  "riskScore": 72,
  "findingsCount": 23,
  "criticalCount": 2,
  "timestamp": "2026-03-23T10:00:00Z"
}

CI/CD Integration

Trigger security scans automatically from your deployment pipeline.

.github/workflows/security-scan.yml

# .github/workflows/security-scan.yml
name: Bachao.AI Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trigger VAPT Scan
        run: |
          curl -X POST https://www.bachao.ai/api/scans/book \
            -H "Cookie: bachao-session=${{secrets.BACHAO_SESSION}}" \
            -H "Content-Type: application/json" \
            -d '{"scanUrl":"https://staging.example.com","scanType":"pentest"}'

SDKs & Libraries

Official client libraries and platform support.

@bachao/rasp-node

Node.js RASP SDK

npm

Java, Python, PHP

Server-side RASP agents

Coming Soon

REST API

Available for all products

Available

Rate Limits, Errors & Status Codes

What our APIs return, how we throttle, and what to do when something breaks.

Rate limits

/api/scans/book — 6 / hour / account
/api/rasp/events — 60 / minute / agent (batched)
/api/rasp/heartbeat — 12 / minute / agent
Dashboard reads — 600 / minute / session

When throttled you'll get a 429 with aRetry-After header in seconds.

Error shape

{
  "success": false,
  "error": "validation_failed",
  "message": "scanUrl must be a valid URL",
  "field": "scanUrl"
}

Status	Meaning	Action
200	OK	Success — response body is your data.
201	Created	Resource created (scan, agent, rule).
400	Bad request	Inspect error.field — fix payload, retry.
401	Unauthorized	Missing or expired session / API key.
403	Forbidden	Auth OK but role lacks permission.
404	Not found	Resource doesn't exist or isn't yours.
409	Conflict	Duplicate (e.g., agent already registered).
429	Rate limited	Honour Retry-After, back off, then retry.
5xx	Server error	Retry with exponential backoff. Page us if persistent.

Need help integrating?

Talk to our engineering team. We'll help you get set up in under 30 minutes.

Talk to Engineering

curl -X POST https://www.bachao.ai/api/scans/book \ -H "Cookie: bachao-session=YOUR_SESSION" \ -H "Content-Type: application/json" \ -d '{"scanUrl":"https://staging.example.com","scanType":"pentest"}' # Response: # { "success": true, "scanId": "clx...", "status": "queued" }

import express from "express"; import { bachaoRasp } from "@bachao/rasp-node"; const app = express(); app.use(bachaoRasp({ apiKey: process.env.BACHAO_RASP_KEY!, appName: "my-api", mode: "monitor", // start in monitor mode, switch to "block" from dashboard })); app.listen(3000);

import Fastify from "fastify"; import { bachaoRaspFastify } from "@bachao/rasp-node/fastify"; const app = Fastify(); app.register(bachaoRaspFastify, { apiKey: process.env.BACHAO_RASP_KEY!, appName: "my-api", });

import { Module } from "@nestjs/common"; import { BachaoRaspModule } from "@bachao/rasp-node/nestjs"; @Module({ imports: [BachaoRaspModule.forRoot({ apiKey: process.env.BACHAO_RASP_KEY!, appName: "my-api", })], }) export class AppModule {}

# Generate setup token from dashboard curl -X POST https://www.bachao.ai/api/rasp/setup/generate-key \ -H "Cookie: bachao-session=YOUR_SESSION" \ -H "Content-Type: application/json" # Response: # { "success": true, "setupToken": "eyJ..." }

Method

Endpoint

Auth

Description

POST

/api/rasp/register

Setup token

POST

/api/rasp/heartbeat

API key

Agent health check + rule sync

POST

/api/rasp/events

API key

Report security events (batch)

GET

/api/rasp/rules

API key

Fetch protection rules

POST

/api/rasp/rules

Session

Create protection rule

GET

/api/rasp/agents

Session

List registered agents

GET

/api/rasp/stats

Session

Dashboard statistics

POST

/api/scans/book

Session

Book a VAPT scan

GET

/api/scans

Session

List your scans

GET

/api/reports/{id}

Session

Fetch scan report

{ "event": "scan.completed", "scanId": "clx...", "scanUrl": "https://example.com", "scanType": "pentest", "riskScore": 72, "findingsCount": 23, "criticalCount": 2, "timestamp": "2026-03-23T10:00:00Z" }

# .github/workflows/security-scan.yml name: Bachao.AI Security Scan on: [push] jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Trigger VAPT Scan run: | curl -X POST https://www.bachao.ai/api/scans/book \ -H "Cookie: bachao-session=${{secrets.BACHAO_SESSION}}" \ -H "Content-Type: application/json" \ -d '{"scanUrl":"https://staging.example.com","scanType":"pentest"}'

Status

Meaning

Action

200

Success — response body is your data.

201

Created

Resource created (scan, agent, rule).

400

Bad request

Inspect error.field — fix payload, retry.

401

Unauthorized

Missing or expired session / API key.

403

Forbidden

Auth OK but role lacks permission.

404

Not found

Resource doesn't exist or isn't yours.

409

Conflict

Duplicate (e.g., agent already registered).

429

Rate limited

Honour Retry-After, back off, then retry.

5xx

Server error

Retry with exponential backoff. Page us if persistent.