42Crunch for Series B/C companies

What middleBrick covers

  • Black-box API scanning with risk scores A–F in under a minute
  • 12 detection categories aligned to the OWASP API Top 10, plus OpenAPI specification analysis
  • Authenticated scanning with strict header allowlist and domain verification
  • Web dashboard for tracking score trends and branded compliance reports
  • CI/CD integration via GitHub Action with build gating
  • Pro tier continuous monitoring with HMAC-SHA256 signed webhooks

Overview for Series B and C engineering teams

At this growth stage your API surface is expanding quickly and the cost of a breach is material. middleBrick is a self-service API security scanner that fits into existing workflows without code changes or agents: you submit a URL and receive a risk score from A to F with prioritized findings. The scanner is read-only, sending only GET and HEAD requests (plus text-only POST requests for the LLM probes), and completes most scans in under a minute.

Detection aligned to major frameworks

middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection spans 12 categories aligned to the OWASP API Top 10; the main groups are:

  • Authentication: authentication bypass, and JWT misconfigurations such as tokens with alg=none or expired tokens being accepted
  • Authorization: BOLA/IDOR via sequential ID enumeration, and BFLA/privilege escalation via probing of admin endpoints
  • Data exposure: PII patterns, Luhn-validated card numbers (the checksum filters out random digit runs such as order IDs), and API key formats for AWS, Stripe, GitHub, and Slack
  • Input validation: CORS wildcard origins with and without credentials, dangerous HTTP methods, and debug endpoints
  • Server-side request forgery: URL-accepting parameters, internal IP probes, and IP-bypass attempts

The scanner also parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references the spec against runtime findings to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
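As an added illustration of the data-exposure checks (example code written for this page, not middleBrick's scanner), the following Python runs a Luhn check over card-number candidates and a small set of key-format and PII patterns over a constructed response body, masking every hit so the report does not re-leak the secret. The vendor key patterns and the sample body are assumptions made for the example; the placeholder keys are documentation-style examples, not live credentials.

```python
import json
import re
from typing import Dict, List

# Added example, not middleBrick's code: a minimal response-body check in the spirit of the
# data-exposure category above. The key-format patterns are an illustrative subset and an
# assumption (vendors change their formats); SAMPLE_BODY is constructed for this example and
# uses placeholder keys, not live credentials.

KEY_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abposr]-[0-9A-Za-z-]{10,}\b"),
}
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}
# 13-19 digits, optionally separated by single spaces or dashes. A candidate only:
# order numbers and timestamps look the same, so the Luhn checksum decides.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if it exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the finding does not re-leak the secret."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def find_card_numbers(text: str) -> List[str]:
    """Luhn-valid card numbers in text, separators stripped; random digit runs are dropped."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_patterns(text: str, patterns: Dict[str, re.Pattern]) -> Dict[str, List[str]]:
    """{pattern_name: [full matches]} for every pattern that hit at least once."""
    hits: Dict[str, List[str]] = {}
    for name, pat in patterns.items():
        matches = [m.group(0) for m in pat.finditer(text)]  # whole match, even if a pattern gains groups
        if matches:
            hits[name] = matches
    return hits


def scan_response_body(body: str) -> Dict[str, object]:
    """Data-exposure findings for one response body, every matched value masked."""
    return {
        "card_numbers": [mask(c) for c in find_card_numbers(body)],
        "api_keys": {k: [mask(v) for v in vs] for k, vs in find_patterns(body, KEY_PATTERNS).items()},
        "pii": {k: [mask(v) for v in vs] for k, vs in find_patterns(body, PII_PATTERNS).items()},
    }


# Constructed sample: one Luhn-valid test card, one 16-digit order id that is not a card,
# and placeholder keys in each vendor's format.
SAMPLE_BODY = """{
  "order_id": "1234567890123456",
  "customer": {"email": "jane.doe@example.com"},
  "card_on_file": "4111 1111 1111 1111",
  "integrations": {
    "aws": "AKIAIOSFODNN7EXAMPLE",
    "stripe": "sk_test_4eC39HqLyjWDarjtT1zdp7dc",
    "github": "ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "slack": "xoxb-123456789012-abcdefghij"
  }
}"""

if __name__ == "__main__":
    print(json.dumps(scan_response_body(SAMPLE_BODY), indent=2))
```

The order id is the instructive case: it is 16 digits like the card, but fails Luhn and is correctly left out, which is why a checksum belongs in front of any "card number" regex.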

Authenticated scanning and safety controls

Authenticated scanning is available from the Starter tier upward and supports Bearer, API key, Basic auth, and Cookie credentials. Domain ownership is verified through a DNS TXT record or an HTTP well-known file, so only the domain owner can scan with credentials. Only an allowlisted set of request headers is forwarded to the target: Authorization, X-API-Key, Cookie, and X-Custom-* headers. Scans use read-only methods only, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at three layers, so the scanner cannot be pointed at internal infrastructure. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; it is never sold and never used for model training.
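To make the target blocking concrete, here is one guard layer written for this page (not middleBrick's own code; the page says it blocks at three layers without describing them). The blocked hostnames, extra networks, and handled bypass encodings are the example's assumptions. It goes a little beyond the sentence above by also decoding the decimal, hex, and IPv4-mapped forms that SSRF probes use, since a guard that does not decode them is itself bypassable:

```python
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Added example, not middleBrick's code: a single scan-target guard of the kind the page
# says sits in front of the scanner. The blocked names, networks and handled bypass
# forms are this example's assumptions. It refuses loopback, private, link-local,
# metadata and other non-global destinations whether written as dotted-decimal, plain
# decimal, hex or IPv4-mapped IPv6 literals or reached through a DNS name.

BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}
EXTRA_BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),  # AWS/Azure/GCP metadata (also link-local)
    ipaddress.ip_network("100.64.0.0/10"),       # shared address space; Alibaba metadata lives here
    ipaddress.ip_network("fd00:ec2::254/128"),   # AWS IPv6 metadata endpoint
]
# Hosts made only of decimal/hex numbers and dots are IP literals in some form, never DNS names.
NUMERIC_HOST = re.compile(r"^(?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+))*$", re.I)


def _system_resolve(host: str) -> List[str]:
    """Every A/AAAA address for host (default resolver; tests inject a fake one)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def blocked_reason(ip) -> Optional[str]:
    """Reason string if ip must not be contacted, else None."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still 127.0.0.1 to the socket layer
    for net in EXTRA_BLOCKED_NETWORKS:
        if ip.version == net.version and ip in net:
            return f"{ip} is in blocked range {net}"
    for flag in ("is_loopback", "is_private", "is_link_local",
                 "is_multicast", "is_reserved", "is_unspecified"):
        if getattr(ip, flag):
            return f"{ip} {flag}"
    return None


def parse_ip_literal(host: str):
    """Decode an IP literal, or return None for a DNS name.

    Canonical dotted-decimal and IPv6 parse as-is; plain decimal (2130706433) and 0x-hex
    (0x7f000001) are decoded the way inet_aton would. Leading-zero and short dotted forms
    (0177.0.0.1, 127.1) raise ValueError: parsers disagree on them, and a guard that guesses
    differently from the HTTP client is a bypass.
    """
    if ":" in host:
        return ipaddress.IPv6Address(host)  # ValueError if malformed
    if not NUMERIC_HOST.match(host):
        return None
    octets = host.split(".")
    canonical = all(o.isdigit() and (o == "0" or not o.startswith("0")) for o in octets)
    if len(octets) == 4 and canonical:
        return ipaddress.IPv4Address(host)
    if len(octets) == 1:
        base = 16 if host.lower().startswith("0x") else 10
        return ipaddress.IPv4Address(int(host, base))  # ValueError if out of range
    raise ValueError(f"non-canonical IPv4 literal {host!r}")


def check_scan_target(url: str, resolver: Callable[[str], List[str]] = _system_resolve) -> Tuple[bool, str]:
    """(allowed, reason) for a URL submitted for scanning."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, with brackets and userinfo stripped
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http(s) URLs with a host are scanned"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"hostname {host!r} is blocked"
    try:
        literal = parse_ip_literal(host)
        addresses = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    except (ValueError, socket.gaierror) as exc:
        return False, f"rejected {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolves to nothing"
    for ip in addresses:
        reason = blocked_reason(ip)
        if reason:
            return False, reason
    return True, f"{host!r} -> {', '.join(map(str, addresses))}"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2130706433/",
              "http://[::ffff:7f00:1]/", "http://0177.0.0.1/", "http://8.8.8.8/"):
        print(u, check_scan_target(u))
```

The DNS branch checks addresses at guard time only; a name that re-resolves to a private address between this check and the HTTP request (DNS rebinding) slips past it, so a production guard pins the checked address into the connection or re-checks at connect time. That gap is the reason to block at more than one layer rather than trusting a single URL check.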

Products, integrations, and monitoring

The Web Dashboard is the central place to view scans, track score trends, download branded compliance PDFs, and manage findings. The CLI, published on npm as middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action acts as a CI/CD gate and fails the build when the score drops below a threshold you define. The MCP Server lets AI coding assistants such as Claude and Cursor trigger scans. For ongoing risk management, the Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection between scans to surface new and resolved findings, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after 5 consecutive delivery failures.
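The receiving side of the signed webhooks, as an added Python example (not middleBrick's code). Because the page does not publish the header names or the exact signed string, the example assumes a timestamp header plus a hex signature over "<timestamp>.<raw body>"; adjust the two header constants to the real documentation. The payload shape and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Added example, not middleBrick's code: receiver-side verification of an HMAC-SHA256
# signed webhook. The header names and the signed string "<timestamp>.<raw body>" are
# assumptions chosen to defeat replay; substitute the documented names before use.

SIGNATURE_HEADER = "x-webhook-signature"   # assumed header name
TIMESTAMP_HEADER = "x-webhook-timestamp"   # assumed header name
TOLERANCE_SECONDS = 300                    # reject deliveries more than 5 minutes off
PENDING: List[dict] = []                   # stand-in for a background work queue


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>", as the sender would compute it."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """(ok, reason). Always MAC the raw bytes received, never re-serialised JSON."""
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    try:
        ts = int(h[TIMESTAMP_HEADER])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp header"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    expected = sign(secret, ts, body)
    if not hmac.compare_digest(expected, h.get(SIGNATURE_HEADER, "")):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"


def handle_delivery(secret: bytes, headers: Dict[str, str], body: bytes,
                    now: Optional[int] = None) -> int:
    """HTTP status to return: 401 for a bad signature, 200 once accepted.

    The 200 goes back before any slow work because, per the page, the sender disables the
    webhook after five consecutive delivery failures; slow handlers time out and count.
    """
    ok, _ = verify(secret, headers, body, now)
    if not ok:
        return 401
    event = json.loads(body)  # parse only after the MAC checks out
    PENDING.append(event)     # hand off to a worker instead of processing inline
    return 200


# Constructed sample delivery; the payload shape is assumed, not middleBrick's schema.
SECRET = b"whsec_example_shared_secret"
SAMPLE_BODY = json.dumps({"event": "scan.completed", "api": "https://api.example.com",
                          "score": "B", "new_findings": 2}).encode()
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADERS = {"X-Webhook-Timestamp": str(SAMPLE_TS),
                  "X-Webhook-Signature": sign(SECRET, SAMPLE_TS, SAMPLE_BODY)}

if __name__ == "__main__":
    print(verify(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 10))          # (True, 'ok')
    print(verify(SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" ", now=SAMPLE_TS + 10))   # tampered body
    print(verify(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 3600))        # stale replay
```

Two points carry over whatever the real header names turn out to be: compute the MAC over the raw request bytes before parsing anything, and compare with a constant-time function rather than ==, so a forged signature cannot be refined byte by byte from response timing.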

LLM security and what the scanner does not do

The scanner includes LLM / AI security coverage with 18 adversarial probes across Quick, Standard, and Deep tiers. The probes test system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, base64 and ROT13 encoding bypass, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. The scanner does not fix, patch, or block issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, which fall outside its scope. Business logic vulnerabilities require human domain expertise, and blind SSRF that can only be confirmed through out-of-band infrastructure is not detected.

Frequently Asked Questions

How does authenticated scanning work and what is required?
Authenticated scanning requires Bearer, API key, Basic auth, or Cookie credentials. You must verify domain ownership via a DNS TXT record or an HTTP well-known file. Only specific headers are forwarded, and scans remain read-only.
Which frameworks does middleBrick align with?
middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations there is no direct mapping, but the scan reports can help you prepare and serve as supporting audit evidence where relevant.
What happens to my scan data after I cancel?
Customer scan data is deletable on demand and is purged within 30 days of cancellation. The data is never sold and is never used for model training.
Can the scanner detect business logic vulnerabilities?
The scanner does not detect business logic vulnerabilities. Those require a human who understands your domain and application behavior.
How are LLM security probes organized?
LLM security probes are organized into 3 scan tiers—Quick, Standard, and Deep—covering 18 adversarial techniques such as prompt extraction, jailbreaks, data exfiltration, and token smuggling.