42Crunch as an API security scanner
What middleBrick covers
- Black-box scanning with read-only methods, typically completing in under one minute
- Covers 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- CI/CD integration via GitHub Action and MCP Server support
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Black-box scanning approach and coverage
middleBrick operates as a black-box API security scanner: you submit a target endpoint and receive a risk score from A to F along with prioritized findings. The scanner uses read-only methods such as GET and HEAD, plus text-only POST requests for LLM probes, and requires no agents, SDKs, or code access. It therefore works against any language, framework, or cloud environment and typically completes a scan in under one minute.
Because it does not execute destructive payloads, the scanner is non-intrusive. Findings map to OWASP API Top 10 (2023), and scan output can be collected as audit evidence for security reviews. The black-box model does not replace a human pentester for high-stakes audits, and it cannot detect business-logic vulnerabilities that require domain context.
Detection scope and limitations
The scanner covers 12 security categories aligned to OWASP API Top 10 (2023). Detection capabilities include authentication bypass attempts, JWT misconfigurations such as alg=none or expired tokens, BOLA/IDOR via sequential ID probing, BFLA via admin endpoint discovery, and data exposure patterns such as email addresses and card numbers. It also identifies unsafe third-party URLs, SSRF indicators in URL and body fields, and LLM-specific adversarial probes across Quick, Standard, and Deep tiers.
The tool does not perform active SQL injection or command injection testing, which require intrusive payloads outside its scope. It does not detect blind SSRF, since it has no out-of-band callback infrastructure, and it cannot validate controls for regulations and frameworks such as HIPAA, GDPR, ISO 27001, NIST, or CCPA: mappings to these are for alignment only, and the tool makes no certification or compliance guarantee.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps identify discrepancies between declared and actual API behavior.
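As an added example (not middleBrick's parser), the block below resolves local `$ref` pointers in an OpenAPI 3.x document with cycle protection and then runs the spec-level checks the paragraph names: security requirements that reference undefined schemes, deprecated operations, sensitive field names in responses, and list endpoints without a pagination parameter. It also flags operations with no security requirement at all, which goes slightly beyond the text. The sample spec, the sensitive-name regex and the pagination parameter names are constructed for this example.

```javascript
// Resolves an RFC 6901 JSON pointer such as "#/components/schemas/User".
function resolvePointer(doc, ref) {
  if (!ref.startsWith("#/")) throw new Error(`only local refs supported: ${ref}`);
  return ref.slice(2).split("/").reduce((node, raw) => {
    const key = raw.replace(/~1/g, "/").replace(/~0/g, "~"); // unescape ~1 and ~0
    if (node == null || !(key in node)) throw new Error(`unresolvable $ref: ${ref}`);
    return node[key];
  }, doc);
}

// Recursively replaces {$ref} nodes with their targets. `seen` holds the refs on
// the current path, so a self-referential schema is cut with a {$circular} marker
// instead of recursing forever.
function deref(doc, node, seen = new Set()) {
  if (Array.isArray(node)) return node.map(n => deref(doc, n, seen));
  if (node === null || typeof node !== "object") return node;
  if (typeof node.$ref === "string") {
    if (seen.has(node.$ref)) return { $circular: node.$ref };
    const next = new Set(seen); next.add(node.$ref);
    return deref(doc, resolvePointer(doc, node.$ref), next);
  }
  const out = {};
  for (const [k, v] of Object.entries(node)) out[k] = deref(doc, v, seen);
  return out;
}

const METHODS = ["get", "post", "put", "patch", "delete", "head", "options"];
const SENSITIVE = /password|secret|token|ssn|card|email/i;   // example heuristic
const PAGING = /^(limit|offset|page|cursor|page_size|per_page)$/i; // example heuristic

// Collects property names matching SENSITIVE from an already-dereferenced schema.
function collectSensitive(schema, acc, path = "") {
  if (!schema || typeof schema !== "object") return acc;
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    if (SENSITIVE.test(name)) acc.add(path + name);
    collectSensitive(sub, acc, path + name + ".");
  }
  if (schema.items) collectSensitive(schema.items, acc, path + "[].");
  return acc;
}

function auditSpec(doc) {
  const findings = [];
  const schemes = Object.keys((doc.components && doc.components.securitySchemes) || {});
  for (const [route, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      const tag = `${method.toUpperCase()} ${route}`;
      const security = op.security ?? doc.security ?? [];
      if (security.length === 0) findings.push(`${tag}: no security requirement declared`);
      for (const req of security) for (const name of Object.keys(req))
        if (!schemes.includes(name)) findings.push(`${tag}: undefined security scheme '${name}'`);
      if (op.deprecated === true) findings.push(`${tag}: operation marked deprecated`);
      const ok = deref(doc, (op.responses || {})["200"] || {});
      const schema = ((ok.content || {})["application/json"] || {}).schema;
      if (!schema) continue;
      for (const field of collectSensitive(schema, new Set()))
        findings.push(`${tag}: sensitive field '${field}' in 200 response`);
      const params = [...(item.parameters || []), ...(op.parameters || [])].map(p => deref(doc, p));
      if (method === "get" && schema.type === "array" &&
          !params.some(p => p.in === "query" && PAGING.test(p.name)))
        findings.push(`${tag}: list endpoint without pagination parameter`);
    }
  }
  return findings;
}

// Constructed sample spec: a self-referential schema, an undefined scheme,
// a deprecated admin route, and an unauthenticated route.
const SAMPLE_SPEC = {
  openapi: "3.0.3",
  components: {
    securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } },
    schemas: { User: { type: "object", properties: {
      id: { type: "integer" }, email: { type: "string" }, password_hash: { type: "string" },
      manager: { $ref: "#/components/schemas/User" } } } },
  },
  paths: {
    "/users": { get: { security: [{ bearerAuth: [] }], responses: { "200": { content: {
      "application/json": { schema: { type: "array", items: { $ref: "#/components/schemas/User" } } } } } } } },
    "/admin/export": { get: { deprecated: true, security: [{ legacyKey: [] }],
      responses: { "200": { description: "ok" } } } },
    "/health": { get: { responses: { "200": { description: "ok" } } } },
  },
};
console.log(auditSpec(SAMPLE_SPEC));
```

The `$circular` marker is deliberate: a naive resolver that inlines `manager` would loop on `User`, and a scanner that blows its stack on a hostile spec is itself a denial-of-service target. Only local pointers are handled here; remote `$ref` URLs would need the same SSRF caution the scanner applies to URL fields.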
Authenticated scanning is available from the Starter tier upward and supports Bearer, API key, Basic auth, and Cookie methods. Domain verification through DNS TXT records or HTTP well-known files ensures that only the domain owner can scan with credentials. A strict header allowlist is enforced: only Authorization, X-API-Key, Cookie, and X-Custom-* headers are permitted.
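An allowlist like the one described is easy to get subtly wrong (case handling, a wildcard that matches more than intended, injected line breaks). The block below is an added example of how such a filter can be enforced, written for this page rather than taken from middleBrick; the treatment of prefix matching and CR/LF values is this example's own design.

```javascript
// Header names are case-insensitive (RFC 9110), so compare in lower case.
const ALLOWED_EXACT = new Set(["authorization", "x-api-key", "cookie"]);
const ALLOWED_PREFIX = "x-custom-";

// Splits user-supplied headers into the ones a scanner may send with a request
// and the ones it must drop. "X-Custom-*" is a true prefix match on "x-custom-",
// so "X-Customer-Id" is rejected, and any value containing CR or LF is rejected
// to rule out header injection whatever the name.
function filterScanHeaders(headers) {
  const accepted = {};
  const rejected = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.trim().toLowerCase();
    const nameOk = ALLOWED_EXACT.has(name) ||
      (name.startsWith(ALLOWED_PREFIX) && name.length > ALLOWED_PREFIX.length);
    const valueOk = typeof value === "string" && !/[\r\n]/.test(value);
    if (nameOk && valueOk) accepted[name] = value;
    else rejected.push(rawName);
  }
  return { accepted, rejected };
}

// Constructed input mixing legitimate credentials with headers that must be dropped.
const DEMO_HEADERS = {
  "Authorization": "Bearer eyJ.example.token",
  "X-Custom-Tenant": "acme",
  "X-Customer-Id": "7",              // looks like the wildcard but is not
  "Host": "internal.example.invalid", // would enable host-header tricks
  "X-Custom-Bad": "a\r\nX-Injected: 1", // CRLF injection attempt
};
console.log(filterScanHeaders(DEMO_HEADERS));
```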
Product features and integrations
The Web Dashboard provides centralized scan management, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package, runs local scans with JSON or text output. A GitHub Action is available for CI/CD gating and fails the build when the score drops below a configured threshold.
An MCP Server allows scanning from AI coding assistants such as Claude and Cursor, and a programmable API supports custom integrations. Continuous monitoring in the Pro tier includes scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures.
Pricing and data safety
The Free tier offers three scans per month with CLI access. Starter, at 99 dollars per month, supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. Pro, at 499 dollars per month, covers 100 APIs (additional APIs priced separately) and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise, at 2000 dollars per month, provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Scan data is stored read-only and can be deleted on demand; customer data is purged within 30 days of cancellation. The platform does not sell data and does not use scan data for model training. These controls are intended to fit organizational risk policies, and the scanner is explicit about what it does not do: it neither remediates findings nor actively exploits them.