42Crunch for Enterprise organizations
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- Coverage aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- Continuous monitoring and diff detection across scans
Overview for enterprise evaluation
FortyTwoCrunch positions itself as a self-service API security scanner intended for enterprise evaluation. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scanner operates as a black-box solution, requiring no agents, SDKs, or access to source code, and it supports any language, framework, or cloud environment. A scan completes in under one minute and exercises only read-only methods such as GET and HEAD, with text-only POST requests reserved for the LLM probes. This approach is designed to minimize operational impact on the target while producing repeatable security signals.
Detection scope aligned to recognized standards
The scanner evaluates API surfaces across 12 categories aligned to the OWASP API Top 10 (2023). Detection capabilities include authentication bypass and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It checks security headers and WWW-Authenticate compliance, probes for BOLA and IDOR via sequential and adjacent ID enumeration, and tests for BFLA and privilege escalation through admin endpoint discovery and role leakage. Additional coverage spans property authorization over-exposure, input validation issues like CORS wildcards and dangerous HTTP methods, rate limiting and resource consumption signals, and data exposure patterns including emails, Luhn-validated card numbers, context-aware SSN patterns, API key formats, and error or stack-trace leakage. Encryption checks verify HTTPS redirects, HSTS presence, and cookie flags. The tool also probes SSRF via URL-accepting parameters and internal IP detection, identifies missing versioning and legacy paths, surfaces unsafe consumption vectors such as third-party webhooks, and executes 18 LLM security probes across Quick, Standard, and Deep scan tiers.
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 files with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
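The JWT checks listed above (alg=none, weak algorithms, expired tokens, missing claims, sensitive data in claims) are the kind of inspection a scanner performs on tokens the target itself issues, without ever trusting them. The following is an added example, not code from middleBrick or 42Crunch; it decodes a compact JWS without verification and reports findings against an assumed policy (the approved-algorithm set, the required claims, and the sensitive-key list are all assumptions, and the sample tokens are constructed for the demo).

```python
import base64
import json
import re
import time

# Assumed audit policy (not taken from the page): asymmetric algorithms only,
# four mandatory claims, and claim names that should never carry secrets.
STRONG_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
               "PS256", "PS384", "PS512", "EdDSA"}
REQUIRED_CLAIMS = ("exp", "iss", "aud", "sub")
SENSITIVE_KEYS = {"password", "passwd", "secret", "ssn", "card", "cvv"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _b64url_decode(segment):
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token):
    """Split a compact JWS into (header, claims, signature) WITHOUT verifying it.
    This is inspection only: the auditor reports on the values, never trusts them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])),
            parts[2])


def audit_jwt(token, now=None):
    """Return a list of finding strings for one token; empty list means clean."""
    now = time.time() if now is None else now
    header, claims, signature = decode_unverified(token)
    findings = []

    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or signature == "":
        findings.append("alg-none: token is unsigned")
    elif alg not in STRONG_ALGS:
        findings.append(f"weak-alg: {alg} is not in the approved set")

    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            findings.append(f"missing-claim: {claim}")

    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired: exp is in the past")

    for key, value in claims.items():
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"sensitive-claim: {key}")
        elif isinstance(value, str) and EMAIL_RE.search(value):
            findings.append(f"pii-in-claim: {key} contains an email address")
    return findings


def make_sample_token(header, claims, signature=""):
    """Build a constructed sample token for the demo; the signature segment is
    an opaque placeholder, never a real signature."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.{signature}"


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed clock so the demo is repeatable
    weak = make_sample_token({"alg": "none", "typ": "JWT"},
                             {"sub": "u1", "email": "a@example.com",
                              "exp": fixed_now - 60})
    for finding in audit_jwt(weak, now=fixed_now):
        print(finding)
```

The decoder deliberately performs no signature check: a scanner that inspects issued tokens must not depend on holding the issuer's key, and the point of the audit is to report what the token says about the issuer's configuration.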
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers to reduce exposure. The scanner enforces a read-only posture, never sending destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. The design explicitly avoids claims of certification or compliance, positioning the output as evidence to support audits rather than as an audit outcome.
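Two of the controls above, the header forwarding allowlist and the blocking of private IPs, localhost, and cloud metadata endpoints "at multiple layers", can be shown concretely. The code below is an added example, not middleBrick's own implementation; it assumes a hostname check, a literal-IP check, and a resolved-address check as the three layers, and it takes a resolver callable so it runs offline against a constructed DNS table (in production the resolver would wrap socket.getaddrinfo and the check would be repeated on every redirect hop).

```python
import ipaddress
from urllib.parse import urlsplit

# Forwarding allowlist from the page: Authorization, X-API-Key, Cookie, X-Custom-*.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIX = "x-custom-"

# Layer 1: hostnames refused before any resolution (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}

# Layers 2 and 3: address ranges refused whether given literally or via DNS.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT
    "169.254.0.0/16",                                   # link-local, incl. cloud metadata
    "fc00::/7",                                         # IPv6 unique local
)]


def filter_headers(headers):
    """Keep only headers on the forwarding allowlist (case-insensitive names)."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_HEADER_PREFIX):
            kept[name] = value
    return kept


def is_blocked_ip(text):
    """True if the address is loopback, link-local, private, reserved, or unspecified.
    Raises ValueError if `text` is not an IP literal."""
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped literal cannot slip past the v4 rules.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_target(url, resolver):
    """Return (allowed, reason). `resolver(host)` must return a list of IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, "blocked hostname"
    try:                                   # layer 2: literal IP in the URL
        if is_blocked_ip(host):
            return False, "literal address is private, loopback, link-local or metadata"
        return True, "literal public address"
    except ValueError:
        pass                               # not a literal; fall through to DNS
    addrs = resolver(host)                 # layer 3: every resolved address
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


# Constructed DNS table so the example runs offline; "rebinding" points one
# answer at an internal address, which is the case layer 3 exists to catch.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "rebinding.example.com": ["203.0.113.5", "10.0.0.7"],
}


def stub_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:169.254.169.254]/", "https://rebinding.example.com/"):
        print(url, validate_target(url, stub_resolver))
    print(filter_headers({"Authorization": "Bearer t", "X-Forwarded-For": "203.0.113.1",
                          "X-Custom-Tenant": "acme"}))
```

Rejecting the target when any resolved address is blocked, rather than only the first, is what closes the multi-answer case; the same check has to run again after each redirect, since a public host can redirect into a private range.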
Product integrations and continuous monitoring
Integration options include a Web Dashboard for scanning, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when scores drop below a defined threshold. An MCP Server allows scanning from AI coding assistants like Claude and Cursor. Programmatic access to the API supports custom integrations. For ongoing risk management, the Pro tier provides scheduled rescans at intervals of six hours, daily, weekly, or monthly. It also performs diff detection between scans to surface new findings, resolved findings, and score drift, with email alerts rate-limited to one per hour per API and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
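The signed-webhook and auto-disable behaviour described above can be made concrete with an added example. This is illustrative code, not middleBrick's webhook implementation: the header names, the timestamp-prefixed signing input, the "sha256=" prefix, and the five-minute replay window are assumptions; only HMAC-SHA256 and the five-consecutive-failure cutoff come from the page. The shared secret and the event are constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature"       # assumed header name
TIMESTAMP_HEADER = "X-Timestamp"       # assumed header name
REPLAY_WINDOW_SECONDS = 300            # assumed tolerance for clock skew / replay
MAX_CONSECUTIVE_FAILURES = 5           # from the page: auto-disable after five


def sign_payload(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<body>' so a captured body cannot be replayed
    later with a fresh timestamp."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def build_delivery(secret, event, timestamp):
    """Sender side: canonical JSON body plus signature headers."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {TIMESTAMP_HEADER: str(timestamp),
               SIGNATURE_HEADER: "sha256=" + sign_payload(secret, timestamp, body)}
    return headers, body


def verify_delivery(secret, headers, body, now):
    """Receiver side: reject stale timestamps, then compare in constant time."""
    sig = headers.get(SIGNATURE_HEADER, "")
    ts = headers.get(TIMESTAMP_HEADER)
    if ts is None or not sig.startswith("sha256="):
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    if abs(now - ts_int) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_payload(secret, ts_int, body)
    return hmac.compare_digest(expected, sig[len("sha256="):])


class WebhookEndpoint:
    """Tracks consecutive failures and disables itself at the cutoff; a single
    successful delivery resets the counter."""

    def __init__(self, url, secret):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event, transport, now):
        # `transport(url, headers, body)` returns True on a 2xx-equivalent result.
        if not self.enabled:
            return False
        headers, body = build_delivery(self.secret, event, now)
        ok = bool(transport(self.url, headers, body))
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok


def make_verifying_receiver(secret, now):
    """Constructed stand-in for the customer's endpoint: accepts only valid deliveries."""
    def receiver(url, headers, body):
        return verify_delivery(secret, headers, body, now)
    return receiver


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    endpoint = WebhookEndpoint("https://hooks.example.invalid/middlebrick", secret)
    event = {"api": "orders", "score": "B", "new_findings": 2, "resolved": 1}
    print("delivered:", endpoint.deliver(event, make_verifying_receiver(secret, now), now))
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        endpoint.deliver(event, lambda url, h, b: False, now)
    print("enabled after failures:", endpoint.enabled)
```

Binding the timestamp into the signed input and enforcing a window on the receiver is what turns a plain body HMAC into a replay-resistant scheme; the consecutive-failure counter protects the sender from hammering a dead endpoint, and resetting it on success avoids disabling an endpoint that merely flapped.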
Pricing and value proposition for large deployments
The Free tier offers three scans per month and CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs, with additional APIs billed at 7 dollars each, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise tiers are typically priced at 2000 dollars or more per month, providing unlimited APIs, custom rules, SSO, audit logs, SLA-backed support, and dedicated resources. These tiers are designed to reduce operational overhead as API portfolios scale, while providing evidence for security reviews mapped to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).