42Crunch for Series A startups

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with strict header allowlist
  • CI/CD integration via GitHub Action and MCP Server

Overview for Series A API security

At Series A, engineering teams need security that does not require a large specialist staff or intrusive instrumentation. middleBrick is a self-service API security scanner: you submit a URL, and it returns a risk score from A to F with prioritized findings. It operates as a black-box scanner, meaning it needs no agents, SDKs, or access to your source code. A scan completes in under a minute using read-only methods plus a text-only POST for LLM probes, which keeps testing non-disruptive in production-like environments.

Detection aligned to industry standards

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023):

  • Authentication: multi-method bypass and JWT misconfigurations, including alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims
  • BOLA and IDOR: sequential ID enumeration and active adjacent-ID probing
  • BFLA and privilege escalation: admin endpoint probing and role/permission field leakage
  • Property Authorization: over-exposure
  • Input Validation: CORS wildcard usage and dangerous HTTP methods
  • Rate Limiting and Resource Consumption signals
  • Data Exposure: emails, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack
  • Encryption misconfigurations
  • SSRF indicators
  • Inventory Management gaps
  • Unsafe Consumption surfaces
  • LLM / AI Security: 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, jailbreak techniques, data exfiltration attempts, and token smuggling
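The JWT checks listed under Authentication can be reproduced with a read-only inspection of a token's header and claims. The following is an added illustration, not middleBrick's code; the sensitive-claim list, the required-claim set and the finding identifiers are assumptions chosen for the example.

```python
import base64
import json
import time

# Claim names treated as sensitive if they appear in a payload (assumed list, not the scanner's own).
SENSITIVE_CLAIMS = {"password", "ssn", "credit_card", "secret", "api_key"}
# Claims an access token is expected to carry (assumption based on common practice).
REQUIRED_CLAIMS = {"sub", "iat", "exp"}


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token, now=None):
    """Return finding identifiers for a token you hold; nothing is signed or verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-jwt"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return ["malformed-jwt"]
    findings = []
    alg = str(header.get("alg", "")).lower()  # lower-case so "None" spellings are caught too
    if alg == "none":
        findings.append("alg-none")  # unsigned token: nothing binds the claims to the issuer
    elif alg == "hs256":
        findings.append("hs256")  # shared secret: every verifier also holds signing capability
    exp = claims.get("exp")
    if exp is None:
        findings.append("missing-claim:exp")
    elif not isinstance(exp, (int, float)) or exp <= now:
        findings.append("expired-token")
    for name in sorted(REQUIRED_CLAIMS - {"exp"} - set(claims)):
        findings.append("missing-claim:" + name)
    for name in sorted(claims):
        if name.lower() in SENSITIVE_CLAIMS:
            findings.append("sensitive-claim:" + name)  # secrets or PII ride along in every request
    return findings


def build_sample_token(header, claims):
    # Constructed test input only; the third segment is a placeholder, not a real signature.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc(header) + "." + enc(claims) + ".sig"
```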

OpenAPI analysis and authenticated scanning

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, then cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scanning, supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file, so only domain owners can scan with credentials. The scanner is conservative in its network behavior: apart from the text-only POST used for LLM probes, it sends only read-only methods, and it forwards only a strict allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
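The header allowlist above is a credential-containment control: nothing a user pastes into a scan reaches the target unless it is on the list. The following is an added example of such a filter, not middleBrick's implementation; the header names come from the text, while the case-insensitive matching, the non-empty suffix rule for X-Custom-* and the CR/LF rejection are assumptions.

```python
# Header names the text says a credentialed scan forwards; the matching rules below are assumptions.
HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Constructed sample of what a user might submit with an authenticated scan.
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-token",
    "X-Api-Key": "constructed-key",
    "Cookie": "session=constructed",
    "X-Custom-Tenant": "acme",
    "Host": "internal.example",
    "X-Forwarded-For": "203.0.113.7",
    "X-Custom-": "empty-suffix",
    "X-Custom-Trace": "abc\r\nX-Injected: 1",
}


def _allowed(lname):
    # Exact, case-insensitive match, or a non-empty suffix after a prefix pattern such as "x-custom-".
    for pattern in HEADER_ALLOWLIST:
        pattern = pattern.lower()
        if pattern.endswith("*"):
            prefix = pattern[:-1]
            if lname.startswith(prefix) and len(lname) > len(prefix):
                return True
        elif lname == pattern:
            return True
    return False


def filter_headers(headers):
    """Split user-supplied headers into those forwarded to the target and the names dropped.

    Anything off the allowlist is dropped, so routing headers such as Host or
    X-Forwarded-For never reach the scanned API. Values containing CR or LF are
    dropped too, because they could split the request into extra header lines.
    """
    kept, dropped = {}, []
    for name, value in headers.items():
        if _allowed(name.lower()) and "\r" not in value and "\n" not in value:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped
```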

Product usage and integrations

Use the Web Dashboard to manage scans, review reports, track score trends, and download branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, runs commands such as middlebrick scan <url> with JSON or text output. A GitHub Action acts as a CI/CD gate, failing the build when the score drops below a defined threshold. An MCP Server enables scanning from AI coding assistants such as Claude and Cursor, and a programmatic API client supports custom integrations. Continuous monitoring in higher tiers provides scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection across scans with email alerts limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.
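Two of the monitoring behaviours above, HMAC-SHA256 signed webhooks and auto-disable after 5 consecutive failures, are shown together in this added example, which is not middleBrick's code. The signature format (hex HMAC over the raw body), the transport interface and the sample event are assumptions; the failure limit is the one stated in the text.

```python
import hashlib
import hmac
import json

MAX_CONSECUTIVE_FAILURES = 5  # from the text: webhooks auto-disable after 5 consecutive failures


def sign_body(secret: bytes, body: bytes) -> str:
    # Assumed wire format: hex(HMAC-SHA256(secret, raw body)); the signature travels in a header.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header) -> bool:
    """Receiver side: MAC the raw bytes as received and compare in constant time.

    Never re-serialise the JSON before verifying; any change in key order or
    whitespace would produce a different MAC and reject a genuine delivery.
    """
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, signature_header or "")


class WebhookEndpoint:
    """Sender side: tracks consecutive failures and disables the endpoint at the limit."""

    def __init__(self, url: str, secret: bytes):
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, transport) -> bool:
        # transport(url, body, signature) returns True on a 2xx response (assumed interface).
        if not self.enabled:
            return False  # disabled endpoints are skipped until an operator re-enables them
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        ok = bool(transport(self.url, body, sign_body(self.secret, body)))
        if ok:
            self.consecutive_failures = 0  # any success resets the streak
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok


# Constructed sample event, as a scan-complete notification might look.
SAMPLE_EVENT = {"api": "https://api.example.test", "score": "B", "findings": 4}
```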

Limitations and compliance framing

It is important to understand what the scanner does not do. It does not fix, patch, block, or remediate findings; it only detects and reports, with remediation guidance. It does not perform active SQL injection or command injection testing, because those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. For compliance, findings map directly to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the scanner helps you prepare for audits and supports audit evidence, aligning with the security controls described in the relevant standards without claiming certification or guaranteed compliance.

Frequently Asked Questions

How often can I run scans on my APIs with the free tier?
The free tier allows 3 scans per month across your APIs, with CLI access included.

Does the scanner require an agent or SDK installed in my codebase?
No, it is a black-box scanner that requires no agents, SDKs, or code access.

Can authenticated scans use CI/CD credentials safely?
Yes, authenticated scanning is supported with Bearer, API key, Basic auth, and Cookie, provided domain verification is completed.

What happens to my scan data after I cancel the service?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.