42Crunch for Platform engineers

What middleBrick covers

  • Black-box scanning with a risk score and prioritized findings
  • Detection aligned to OWASP API Top 10, PCI-DSS, and SOC 2
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with header allowlist and domain verification
  • Continuous monitoring with diff detection and webhook alerts
  • Integrations including CLI, GitHub Action, MCP server, and API

Black-box scanning for platform teams

middleBrick is a self-service API security scanner that operates as a black-box tool: you submit a URL and receive a risk score from A to F with prioritized findings. The scanner uses only read-only methods such as GET and HEAD, plus text-only POST requests where necessary for LLM probes. Scans typically complete in under a minute, and no agents, SDKs, or code access are required. Because it does not rely on language-specific instrumentation, it works with any framework or cloud environment.

Detection aligned to industry standards

The scanner covers 12 security categories aligned to the OWASP API Top 10 (2023). Findings include issues in authentication, broken object level authorization, broken function level authorization, property authorization, input validation, rate limiting and resource consumption, data exposure, encryption, server-side request forgery, inventory management, unsafe consumption, and LLM/AI security. For compliance reporting, middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, such as HIPAA, GDPR, ISO 27001, NIST, CCPA, and others, it helps you prepare for audits by supporting evidence for the security controls those regulations describe.

OpenAPI analysis and authenticated scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can run authenticated scans. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
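The spec checks described above, as an added example that is not middleBrick's code: a small resolver that inlines local JSON-pointer `$ref`s recursively (cutting cycles such as a schema that references itself) and then walks every operation to flag references to security schemes that `components.securitySchemes` never defines, operations with no security requirement at all, and operations still published while marked `deprecated`. `SAMPLE_SPEC` is a constructed document; remote (non-`#/`) refs are out of scope.

```python
"""Resolve local $ref pointers in an OpenAPI 3.x document and cross-check
operations against the declared security schemes.

Added example (not middleBrick's code). SAMPLE_SPEC is constructed; only
local JSON-pointer refs ('#/...') are handled.
"""
from typing import Any, Dict, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def _lookup_pointer(doc: Dict[str, Any], pointer: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/User' (RFC 6901)."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local refs are supported: {pointer}")
    node: Any = doc
    for part in pointer[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def _resolve(doc: Dict[str, Any], node: Any, seen: Tuple[str, ...]) -> Any:
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                # Cycle (e.g. a schema referencing itself): leave a marker
                # instead of recursing forever.
                return {"$ref": ref, "x-circular": True}
            return _resolve(doc, _lookup_pointer(doc, ref), seen + (ref,))
        return {k: _resolve(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [_resolve(doc, v, seen) for v in node]
    return node


def resolve_refs(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of doc with every reachable local $ref inlined."""
    return _resolve(doc, doc, ())


def find_spec_issues(doc: Dict[str, Any]) -> List[str]:
    """Cross-check each operation's security requirements against the schemes
    actually defined under components.securitySchemes."""
    resolved = resolve_refs(doc)
    defined = set((doc.get("components", {}).get("securitySchemes") or {}).keys())
    global_security = doc.get("security", [])
    issues: List[str] = []
    for path, item in resolved.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            label = f"{method.upper()} {path}"
            if op.get("deprecated"):
                issues.append(f"{label}: deprecated operation still published")
            # An absent 'security' key inherits the document-level list;
            # an explicit empty list means "no auth required".
            requirements = op.get("security", global_security)
            if requirements == []:
                issues.append(f"{label}: no security requirement")
            for requirement in requirements:
                for scheme in requirement:
                    if scheme not in defined:
                        issues.append(f"{label}: undefined security scheme '{scheme}'")
    return issues


# Constructed sample: one defined scheme, a self-referencing schema, a
# deprecated DELETE that names an undefined scheme, and an unauthenticated GET.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {
            "UserId": {"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}
        },
        "schemas": {
            "User": {
                "type": "object",
                "properties": {"manager": {"$ref": "#/components/schemas/User"}},
            }
        },
    },
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [{"$ref": "#/components/parameters/UserId"}],
                "security": [{"bearerAuth": []}],
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/User"}}}}},
            },
            "delete": {"deprecated": True, "security": [{"legacyKey": []}]},
        },
        "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for issue in find_spec_issues(SAMPLE_SPEC):
        print(issue)
```

Note that `security: []` on an operation is a deliberate opt-out in OpenAPI, so the check reports it as a finding rather than treating it as a parse error; whether that is acceptable (a health endpoint) or a gap is for the reviewer to decide.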

Continuous monitoring and integrations

On the Pro tier, you can schedule rescans every 6 hours, daily, weekly, or monthly. The system detects diffs between scans, highlighting new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API and can be sent via email, Slack, or Teams. HMAC-SHA256 signed webhooks are supported, with auto-disable after 5 consecutive failures. The tool integrates into existing workflows through a web dashboard, a CLI (middlebrick scan <url>), a GitHub Action that fails the build when the score drops below a threshold, an MCP server for AI coding assistants, and a programmable API for custom integrations.
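The webhook mechanics above, as an added example that is not middleBrick's code: a sender-side signer and the matching receiver-side verifier for HMAC-SHA256 signed deliveries, plus the bookkeeping that disables an endpoint after 5 consecutive failed deliveries. The page states only that webhooks are HMAC-SHA256 signed and auto-disabled after 5 failures; the header name, the `t=...,v1=...` encoding, the timestamp freshness window, and the payload are assumptions made here.

```python
"""HMAC-SHA256 webhook signing/verification and consecutive-failure cutoff.

Added example, not middleBrick's code. Header name, signature encoding and
freshness window are assumptions; the payload and secret are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNATURE_HEADER = "X-Signature-256"  # assumed header name
TOLERANCE_SECONDS = 300               # assumed replay window
MAX_CONSECUTIVE_FAILURES = 5          # from the page: auto-disable after 5


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over '<timestamp>.<body>' so a captured delivery
    cannot be replayed later with a fresh-looking timestamp."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: parse the header, reject stale timestamps, then compare
    the recomputed MAC in constant time against the raw request body."""
    try:
        parts = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(parts["t"])
        given = parts["v1"]
    except (ValueError, KeyError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


class WebhookEndpoint:
    """Sender-side state for one subscriber URL: a success resets the counter,
    and reaching max_failures in a row disables further deliveries."""

    def __init__(self, url: str, max_failures: int = MAX_CONSECUTIVE_FAILURES):
        self.url = url
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, status_code: int) -> bool:
        """Record one delivery attempt; return whether the endpoint stays enabled."""
        if 200 <= status_code < 300:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.enabled = False
        return self.enabled


# Constructed sample delivery.
SECRET = b"constructed-webhook-secret"
PAYLOAD = json.dumps({"api": "https://api.example.com", "score": "C",
                      "new_findings": 2, "resolved": 1}).encode()

if __name__ == "__main__":
    ts = int(time.time())
    header = sign(SECRET, ts, PAYLOAD)
    print(SIGNATURE_HEADER, header)
    print("valid:", verify(SECRET, header, PAYLOAD))
```

Verify against the raw bytes as received, not a re-serialized JSON object: any whitespace or key-order change alters the digest, and the example deliberately covers the timestamp so that an old body with a valid signature is rejected once the window has passed.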

Safety posture and limitations

middleBrick follows a read-only safety posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation. The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not perform blind SSRF testing. It is not a replacement for a human pentester in high-stakes audits.
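The target blocking described above (private IPs, localhost, and cloud metadata endpoints), as an added example that is not middleBrick's code: a pre-request guard that rejects a scan URL unless every address the host resolves to is public. The resolver is injected so the code runs offline against a constructed `FAKE_DNS` table; the metadata host names and sample addresses are constructed too. In production the same check must be repeated on every redirect, because a redirect can point at an internal address after the initial URL passed.

```python
"""Reject scan targets that resolve to private, loopback, link-local or
cloud-metadata addresses before any request is sent.

Added example, not middleBrick's code. The resolver is injected so this runs
offline; FAKE_DNS and the deny-listed host names are constructed.
"""
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed deny list of metadata-service host names; the link-local
# address 169.254.169.254 is caught by the address check below.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal", "instance-data"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_address(ip: str) -> bool:
    """True for any address a black-box scanner must never contact."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_target(url: str, resolve: Callable[[str], List[str]]) -> str:
    """Return url if it is safe to scan, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked host name: {host}")
    try:
        ips = [host] if _is_ip_literal(host) else resolve(host)
    except OSError as exc:
        raise ValueError(f"resolution failed for {host}: {exc}") from exc
    if not ips:
        raise ValueError(f"no addresses for {host}")
    # Every answer must be public: a mix of public and private records is a
    # round-robin / rebinding trick, so one bad address fails the whole host.
    for ip in ips:
        if is_blocked_address(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return url


def is_safe_target(url: str, resolve: Callable[[str], List[str]]) -> bool:
    """Boolean wrapper around check_target for callers that only need a verdict."""
    try:
        check_target(url, resolve)
        return True
    except ValueError:
        return False


# Constructed stand-in for DNS so the example is deterministic offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.20.30.40"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError("NXDOMAIN")


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1", "http://169.254.169.254/",
                      "http://rebind.example.com/", "http://[::ffff:10.0.0.1]/"):
        print(candidate, "->", "allowed" if is_safe_target(candidate, fake_resolve) else "blocked")
```

Resolving once and then handing the host name to an HTTP client re-resolves it at connect time, which is the window a rebinding attack uses; connecting to the already-vetted IP (with the Host header and TLS SNI set to the original name) or re-running the check inside the client's connection hook closes it.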

Frequently Asked Questions

What does the risk score from A to F represent?
The score summarizes the security posture of the API based on detected issues and their severity. Grades closer to A indicate a stronger posture, while grades closer to F indicate findings that require attention.

Can I scan APIs behind authentication using middleBrick?
Yes, authenticated scanning is supported from the Starter tier onward with Bearer, API key, Basic auth, and cookies. Domain ownership must be verified before credentials are accepted.

How are compliance mappings specified in reports?
Findings are mapped directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, reports highlight alignment and support audit evidence.

What happens to my scan data after I cancel?
Customer data is deletable on demand and is purged within 30 days of cancellation. It is never sold and is not used for model training.