Why GraphQL Endpoints Break Assumptions That REST Security Testing Depends On

DEV Community·Jigar Shah·17 days ago
#graphql #restapi #rest #testing #security #query

TL;DR: REST security testing is built around a set of structural assumptions: fixed endpoints, predictable HTTP methods, consistent response shapes. GraphQL violates most of them. This post explains which specific assumptions break, and why that gap matters for teams running security tests against APIs that include GraphQL endpoints.

The problem this post is addressing

Most security testing tools and practices were designed for REST APIs. The mental model is well-established: each endpoint exposes a specific resource, the HTTP verb signals the operation, and the server enforces access control per route. You test each endpoint, check what authentication is required, verify that the method restrictions hold, and confirm the response does not leak unintended data.

GraphQL does not work that way. When teams apply REST-oriented testing logic to a GraphQL endpoint, the test passes under conditions that would never survive a real attacker.…
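As an added illustration (not code from the original post), the following Python simulation shows the mismatch: a REST-style route policy, a route-only check that waves through any authenticated POST /graphql regardless of the operation in the body, and a field-level authorization check that inspects the operation itself. The role names, field policy and minimal query parser are hypothetical, not a real GraphQL library.

```python
# Added illustration of the REST-vs-GraphQL mismatch described above. All names,
# roles and the minimal query parser are hypothetical, not a real GraphQL library.

RANK = {"anon": 0, "user": 1, "admin": 2}

def has_role(role, needed):
    return RANK.get(role, 0) >= RANK[needed]

# REST: the route names the resource and the verb names the operation, so a
# per-route policy fully describes what is being authorized.
REST_POLICY = {("GET", "/users/"): "user", ("DELETE", "/users/"): "admin"}

def rest_allowed(method, path, role):
    for (m, prefix), needed in REST_POLICY.items():
        if m == method and path.startswith(prefix):
            return has_role(role, needed)
    return False

def route_only_check(method, path, role):
    """REST-oriented check that only looks at the route. Every GraphQL
    operation arrives as POST /graphql, so this cannot tell a read of one
    user apart from a mutation that deletes one."""
    if method == "POST" and path == "/graphql":
        return has_role(role, "user")  # any authenticated caller passes
    return rest_allowed(method, path, role)

# GraphQL: the operation lives in the body, so policy must attach to fields.
FIELD_POLICY = {"user": "user", "deleteUser": "admin"}

def top_level_fields(query):
    """Top-level selection names of one query/mutation document. Minimal
    hypothetical parser: tracks nested {} and () but ignores aliases,
    fragments and variables."""
    depth, names, token = 0, [], ""
    for ch in query[query.index("{") + 1:]:
        if depth == 0 and (ch.isalnum() or ch == "_"):
            token += ch
            continue
        if token:
            names.append(token)
            token = ""
        if ch in "{(":
            depth += 1
        elif ch == "}" and depth == 0:
            break
        elif ch in "})":
            depth -= 1
    return names

def graphql_field_check(query, role):
    """Field-level authorization: every top-level field must be known and
    permitted for the caller; unknown or empty selections are denied."""
    fields = top_level_fields(query)
    return bool(fields) and all(
        f in FIELD_POLICY and has_role(role, FIELD_POLICY[f]) for f in fields)
```

The route-only check accepts a deleteUser mutation from an ordinary user, while the field-level check rejects it.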
