42Crunch for Seed-stage startups
What middleBrick covers
- Black-box API scanning with a risk score in under a minute
- Detection across 12 security categories, mapped to the OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II
- OpenAPI 3.x and Swagger 2.0 parsing with recursive reference resolution
- Authenticated scans with strict header allowlist and domain verification
- Continuous monitoring with scheduled rescans and diff detection
- CI/CD integration via GitHub Action and MCP Server for AI tools
Overview for seed-stage teams
Seed-stage startups move fast and operate with limited security headcount. middleBrick is a self-service API security scanner that runs without installed agents or access to your code. Submit the URL of a public or internal API (it must be reachable by the scanner; private IP ranges and localhost are blocked) and receive a risk score from A to F with prioritized findings within about a minute. Because it is a black-box scanner, it works with any language, framework, or cloud stack and requires no SDKs or build changes.
Detection coverage aligned to major standards
The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects 12 security categories that align with these standards and covers common misconfigurations relevant to audits.
- Authentication issues such as JWT misconfigurations including alg=none, weak shared secrets, expired tokens, and missing claims.
- Authorization flaws like BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA through admin endpoint probing and role leakage.
- Excessive data exposure, including sensitive data patterns in responses: email addresses, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack.
- Input validation and configuration gaps such as a wildcard Access-Control-Allow-Origin combined with Access-Control-Allow-Credentials, dangerous HTTP methods, and exposed debug endpoints.
- Unrestricted resource consumption: absent rate limiting, oversized responses, and unpaginated arrays.
- Encryption weaknesses including missing HTTP-to-HTTPS redirects, absent HSTS, and mixed content.
- SSRF indicators such as parameters that accept URLs and resolve to internal IPs, plus active probes for filter bypasses.
- Inventory risks such as missing versioning and legacy path patterns that enable server fingerprinting.
- Unsafe consumption surfaces including excessive third-party URLs and webhook callbacks.
- LLM and AI security probes covering system prompt extraction, instruction override, jailbreaks, data exfiltration attempts, and token smuggling across multiple scan tiers.
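The JWT bullet above lists four checks (alg=none, weak shared secrets, expired tokens, missing claims). The following is an added example of how such a check is written; it is not middleBrick's code. The weak-secret wordlist, the set of required claims and the finding tags are assumptions for illustration, and make_token exists only to build sample input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed wordlist for the weak-secret check; a real scanner ships a much larger one.
WEAK_SECRETS = ["secret", "password", "changeme", "jwt_secret", "123456"]
# Assumed set of claims whose absence is reported; adjust to the API's token contract.
REQUIRED_CLAIMS = ("sub", "exp", "iat")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, secret: Optional[str]) -> str:
    """Build a sample JWT: HS256 when a secret is given, alg=none otherwise.
    Only used here to construct input for check_jwt."""
    alg = "HS256" if secret is not None else "none"
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if secret is None:
        return f"{header}.{payload}."
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_jwt(token: str, now: Optional[float] = None) -> list:
    """Report weaknesses in a JWT observed in a response or header.
    Returns finding tags for alg=none, a weak HS256 shared secret, an expired
    token and missing claims. It does not validate the token for use."""
    now = time.time() if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["jwt-malformed"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        observed_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["jwt-malformed"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["jwt-malformed"]

    alg = str(header.get("alg", "")).lower()
    if alg == "none" or not sig_b64:
        findings.append("jwt-alg-none")

    if alg == "hs256" and sig_b64:
        signing_input = f"{header_b64}.{payload_b64}".encode()
        for candidate in WEAK_SECRETS:
            expected = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(observed_sig, expected):
                findings.append(f"jwt-weak-secret:{candidate}")
                break

    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and not isinstance(exp, bool) and exp < now:
        findings.append("jwt-expired")

    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"jwt-missing-claim:{claim}")
    return findings


if __name__ == "__main__":
    weak = make_token({"sub": "user-1", "exp": 1_700_000_000, "iat": 1_699_990_000}, "secret")
    print(check_jwt(weak, now=1_700_100_000))
    print(check_jwt(make_token({"sub": "user-1"}, None), now=1_700_100_000))
```

The weak-secret loop only runs for HS256 because that is the only listed algorithm where a guessable secret lets an attacker forge tokens; the check stops at the first hit rather than reporting the whole wordlist.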
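For the data-exposure, CORS and transport bullets above, here is an added example (not middleBrick's code) of response-level detection: key-format regexes, a Luhn filter on card-number candidates so ordinary 16-digit identifiers are not reported, and two header checks. The AWS access key ID format is documented by AWS; the other token lengths, the finding names and the sample response are assumptions for this example.

```python
import re

# Illustrative patterns. AKIA + 16 uppercase alphanumerics is the documented AWS
# access key ID shape; the other lengths are assumptions for this example.
KEY_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-secret-key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github-token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack-token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_body(body: str) -> list:
    """Return (kind, value) pairs for sensitive data found in a response body.
    Card candidates are reported only when they pass Luhn, which filters out
    order numbers, timestamps and other digit runs of the same length."""
    hits = []
    for kind, pattern in KEY_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(body))
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(("card-number", digits))
    return hits


def check_headers(headers: dict, scheme: str = "https") -> list:
    """Header-level findings: wildcard CORS with credentials, and missing HSTS on HTTPS."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("cors-wildcard-with-credentials")
    if scheme == "https" and "strict-transport-security" not in h:
        findings.append("hsts-missing")
    return findings


# Constructed sample response; the values are placeholders, not real credentials.
SAMPLE_BODY = (
    '{"support": "support@example.com", "card": "4111 1111 1111 1111", '
    '"order_id": "1234567890123456", "aws_key": "AKIAIOSFODNN7EXAMPLE"}'
)
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print(scan_body(SAMPLE_BODY))
    print(check_headers(SAMPLE_HEADERS))
```

In the sample, "1234567890123456" matches the card regex but fails Luhn and is not reported, while "4111 1111 1111 1111" is reported with separators stripped.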
OpenAPI and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings. This highlights undefined security schemes, sensitive fields, deprecated operations, and missing pagination that may affect your API contract.
For authenticated scans on the Starter plan and above, you can add Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required so only your domain owner can scan with credentials. The scanner forwards a strict allowlist of headers including Authorization, X-API-Key, Cookie, and X-Custom-* to minimize credential exposure.
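To make the two safeguards in the paragraph above concrete, here is an added example (not middleBrick's implementation) of a header allowlist with the X-Custom-* prefix rule and of a domain check that only attaches credentials when the target host belongs to a verified domain. The function names and the rejection of CR/LF in header values are assumptions for this example.

```python
from urllib.parse import urlparse

# Allowlist as listed on the page; case-insensitive matching, prefix rule for X-Custom-*.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def filter_scan_headers(user_headers: dict) -> tuple:
    """Split user-supplied headers into (forwarded, dropped).
    Values containing CR or LF are dropped too, so a header value cannot
    smuggle extra headers into the outgoing request."""
    forwarded, dropped = {}, []
    for name, value in user_headers.items():
        key = name.strip().lower()
        allowed = key in ALLOWED_HEADERS or key.startswith(ALLOWED_PREFIXES)
        if allowed and "\r" not in value and "\n" not in value:
            forwarded[name.strip()] = value
        else:
            dropped.append(name)
    return forwarded, dropped


def credentials_allowed(target_url: str, verified_domains: set) -> bool:
    """Attach credentials only when the target host is a verified domain or one
    of its subdomains. The leading dot in the suffix test stops
    acme.example.attacker.test from passing as acme.example."""
    host = (urlparse(target_url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in verified_domains)


if __name__ == "__main__":
    fwd, drop = filter_scan_headers({
        "Authorization": "Bearer eyJ...",
        "X-Custom-Tenant": "acme",
        "Proxy-Authorization": "Basic ...",
        "Host": "attacker.test",
    })
    print(fwd, drop)
    print(credentials_allowed("https://api.acme.example/v1", {"acme.example"}))
    print(credentials_allowed("https://acme.example.attacker.test/", {"acme.example"}))
```

The point of pairing the two checks is that a leaked Authorization header is only as safe as the host it is sent to: the allowlist bounds what is forwarded, the domain check bounds where.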
Product options and continuous monitoring
The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable compliance PDFs. The CLI, installed from the middlebrick npm package, runs middlebrick scan <url> and prints JSON or text output. A GitHub Action can gate CI/CD by failing the build when the score drops below a threshold you choose.
On the Pro tier, continuous monitoring runs on a schedule of every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to surface new findings, resolved issues, and score drift. You receive rate-limited email alerts and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. The MCP Server lets you scan from AI coding assistants such as Claude and Cursor.
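The paragraph above describes three mechanisms: scan-to-scan diffing, HMAC-SHA256 webhook signatures, and auto-disable after five failed deliveries. The following is an added example of all three written from scratch; it is not middleBrick's code. The signature header name, the finding fingerprint (category plus method and path), the numeric score and the sample scan results are assumptions for this example.

```python
import hashlib
import hmac
import json
from typing import Callable

MAX_CONSECUTIVE_FAILURES = 5             # from the page: auto-disable after 5 failures
SIGNATURE_HEADER = "X-Signature-SHA256"  # assumed header name, not documented above


def sign(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, received: str) -> bool:
    """Receiver side: recompute over the raw bytes and compare in constant time."""
    return hmac.compare_digest(sign(secret, body), received)


def diff_scans(previous: dict, current: dict) -> dict:
    """Diff two scan results. Findings are keyed by an assumed stable fingerprint
    so the same issue matches across scans even if its ordering changes."""
    def key(f):
        return f"{f['category']}|{f['method']} {f['path']}"
    prev = {key(f) for f in previous["findings"]}
    cur = {key(f) for f in current["findings"]}
    return {
        "new": sorted(cur - prev),
        "resolved": sorted(prev - cur),
        "score_drift": current["score"] - previous["score"],
    }


class WebhookSubscription:
    def __init__(self, url: str, secret: bytes):
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, transport: Callable[[str, bytes, dict], bool]) -> bool:
        """transport(url, body, headers) returns True on a 2xx response.
        The signature covers the exact bytes sent, so the receiver must verify
        the raw body before parsing it."""
        if not self.enabled:
            return False
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        headers = {"Content-Type": "application/json",
                   SIGNATURE_HEADER: sign(self.secret, body)}
        if transport(self.url, body, headers):
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return False


# Constructed sample scan results; scores are assumed to be numeric 0-100.
PREVIOUS = {"score": 82, "findings": [
    {"category": "bola", "method": "GET", "path": "/orders/{id}"},
    {"category": "hsts-missing", "method": "GET", "path": "/"},
]}
CURRENT = {"score": 74, "findings": [
    {"category": "bola", "method": "GET", "path": "/orders/{id}"},
    {"category": "cors-wildcard-with-credentials", "method": "GET", "path": "/"},
]}

if __name__ == "__main__":
    diff = diff_scans(PREVIOUS, CURRENT)
    print(diff)
    sub = WebhookSubscription("https://hooks.example.test/middlebrick", b"whsec_example")
    sub.deliver({"event": "scan.completed", "diff": diff},
                lambda url, body, headers: print(url, headers[SIGNATURE_HEADER]) or True)
```

The receiver should call verify on the raw request bytes and only then json-decode them; re-serialising a parsed body before verifying would break the comparison whenever whitespace or key order differs.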
Limitations and safety posture
The scanner does not fix, patch, block, or remediate issues; it detects and provides remediation guidance. It does not execute active SQL injection or command injection tests, which require intrusive payloads outside its scope. Business logic vulnerabilities are not detected because they demand domain context only a human can provide.
Blind SSRF is out of scope due to the lack of out-of-band infrastructure. Destructive payloads are never sent, private IPs and localhost are blocked at multiple layers, and customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold or used for model training.
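The page states that private IPs and localhost are blocked at multiple layers, and earlier that URL-accepting parameters referencing internal IPs are an SSRF indicator. As an added example of one such layer (not middleBrick's implementation), the following classifies a target URL before any connection is made: literal and IPv4-mapped addresses are checked directly, hostnames are resolved and every answer is checked, and unresolvable hosts fail closed. The resolver is injectable; the constructed DNS table lets the example run offline, and the function and reason names are assumptions.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlparse

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space; not covered by is_private


def is_internal(addr) -> bool:
    """True for any address a scanner must never connect to on a customer's behalf."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return bool(addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or (addr.version == 4 and addr in CGNAT))


def system_resolver(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def classify_target(url: str, resolver: Callable[[str], list] = system_resolver) -> tuple:
    """Return (allowed, reason). Every resolved address is checked, so a host that
    answers with one public and one internal address (a DNS rebinding setup) is
    rejected; a host that does not resolve is rejected rather than tried."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme-not-allowed"
    host = parsed.hostname
    if not host:
        return False, "no-host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False, "unresolvable"
        if not addrs:
            return False, "unresolvable"
    for addr in addrs:
        if is_internal(addr):
            return False, f"internal-address:{addr}"
    return True, "ok"


# Constructed DNS table used instead of live DNS so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for target in ("https://api.example.com/v1", "http://127.0.0.1:8080/admin",
                   "http://[::ffff:10.0.0.1]/", "http://internal.corp/", "http://rebind.test/"):
        print(target, classify_target(target, fake_resolver))
```

A check like this is one layer only: the resolved addresses can change between the check and the connection, so the HTTP client that follows should also pin the checked address and refuse redirects to unchecked hosts.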