API Security · In-Network Agent

Pentest-grade findings.
Not a byte leaves your network.

middleBrick scores your APIs for security risk and hands you a reproducible proof-of-concept your team can replay — while the raw traffic never leaves your perimeter.

No credentials Result in <60s Open-source agent
The trade-off nobody mentions

Every other scanner asks you to open the truck.

To find a flaw, they route your live requests and responses — customer names, tokens, card numbers — through their cloud to inspect them. Now a third party has seen your data. If they get breached, so do you. And for a bank, a fintech, a hospital, that single fact ends the conversation.

  • Your raw traffic leaves your perimeter
  • Data-residency & compliance blockers
  • Latency from round-tripping every request
How it works

We measure the shape, not the content.

The trick that makes military-grade privacy fast enough to run inline: we never open the truck. We measure the silhouette.

  1. 01

    A request passes through

    The agent sits inline in your network. Every request and response flows through it — and stays inside your perimeter.

  2. 02

    We measure its shape — not its contents

    Instead of reading the payload, the agent takes an exact geometric signature of the request. Card numbers, tokens, names — none of it is stored or transmitted. Only the shape remains.

  3. 03

    We match it against known-attack shapes

    That signature is compared against the shapes of thousands of known attacks — BOLA, injection, auth bypass. Attacks have telltale geometry. Safe traffic doesn't.

  4. 04

    Verdict in under a millisecond

    Dangerous shapes are flagged instantly; safe ones pass untouched. What reaches our cloud is an abstract signature — never the request. Impossible to reconstruct your data from it.

The proof

A report your team can replay.

Not a wall of CVE IDs. Every finding comes with the exact request that triggered it, why it matters, and how to close it — the way a pentester would write it up.

CRITICAL CWE-639

Broken Object Level Authorization

GET /api/orders/{id} returns any user's order when the object ID is changed. No ownership check on the resource.

Reproduce
$ curl -H "Authorization: Bearer $TOKEN" \
     https://api.acme.io/orders/1042
→ 200 OK  // order belongs to another tenant
Fix

Scope the query to the authenticated principal — verify the order's owner before returning it.

The console

Every scan, endpoint, and finding — in one place.

Score trend, findings over time, category coverage, and a live table of every endpoint you monitor.

middlebrick.com/dashboard
middleBrick dashboard showing score trend, findings breakdown, security coverage radar, and scan results table
The agent · Blackglass

The black mirror for your API.

Blackglass installs inside your network and holds up the attacker's view of your own surface — without a single raw byte ever leaving. For APIs behind a firewall, in a VPC, or under data-residency rules, it's the only way to get a real assessment without exposing anything.

  • Inside your perimeter. The scan runs where your API lives.
  • Only signatures leave. Abstract, signed metadata — never payloads.
  • Open source. Read every line of what runs on your side.
  • Cryptographically signed. Tamper-evident releases & reports.
Install
$ curl -fsSL middlebrick.com/install | sh
$ blackglass scan https://api.internal
Coverage

One scan. The whole attack surface.

OWASP API Top 10 core

BOLA/IDOR, BFLA, mass assignment, SSRF

LLM & AI Security 18 probes

Prompt injection, jailbreaks, data leakage

Web3 / JSON-RPC infra

Ethereum, Solana, Cosmos node exposure

DeFi app

Price-oracle integrity, application logic

Business Logic chains

Auth chains, race conditions, workflow abuse

Compliance 20+

PCI, SOC 2, CTPAT & 20+ frameworks

Every detection rule is validated against public vulnerable-API benchmarks and survives a multi-stage adversarial pipeline before it ever touches a real scan.

Fits your workflow

Scan from wherever you already work.

Same engine, five ways in — no new dashboard to babysit.

Web Dashboard Score, findings & trends in one console
CLI Scan from your terminal or scripts
GitHub Action Pass/fail security gate in CI/CD
MCP Server Native in Claude & Cursor
REST API Wire scans into anything
Pricing

Priced like software. Worth a pentest.

A one-off manual pentest runs $15k–$30k. This runs continuously, for a fraction — and the data never leaves your network.

Free

For a first look.

$0
Start scanning
  • Public API scanning
  • Security score + grade
  • All channels: CLI, GitHub Action, MCP
  • Monthly scheduled scan
Pro

For teams shipping APIs.

$99/mo
Go Pro
  • Everything in Free
  • Authenticated scanning
  • Weekly scheduled scans
  • Compliance PDF reports
  • Email alerts
Enterprise

Pentest-grade, nothing leaves your perimeter.

$2,000/mo
Talk to us
  • Everything in Scale
  • Isolated tenancy
  • SSO / SAML · MFA
  • Custom roles & audit
  • Priority support
Enterprise add-on

Red-Team SKU

Turn on offensive testing: reproducible proof-of-concept exploits for authorization flaws, race conditions, and multi-step business-logic attacks — with a three-key safety gate. Output that reads like a pentest engagement.

Find the exploitable bug in your API —
before they do.

A real answer about your security posture in under a minute. A signed report in under a day. Not a single byte out of your network.

No credentials · Read-only by default · Open-source agent