42Crunch for SREs

What middleBrick covers

  • Black-box scanning with read-only methods under one minute
  • Risk grading from A to F with prioritized findings
  • OWASP API Top 10 (2023) coverage and framework mappings
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Authenticated scans with strict header allowlisting
  • LLM/AI security probe suite across three scan tiers

Black-box security scanning for API reliability

As an SRE, you need security insight that does not require access to application code or deployment artifacts. This scanner performs a black-box assessment by submitting requests to a reachable endpoint. It uses only read-only methods plus text-only POST for LLM probes, so it does not change state or introduce load that alters service behavior. Scan completion typically occurs in under a minute, providing rapid feedback without disrupting availability metrics.

Detection scope aligned to API risk frameworks

The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II control references. Detection coverage includes authentication bypasses, broken object level authorization, excessive data exposure, injection surfaces, rate limiting behavior, and SSRF indicators. The OpenAPI parser reads OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, cross-referencing the spec against runtime observations to highlight undefined security schemes or deprecated operations.
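The spec-side half of that cross-reference can be sketched as follows. This is an added example, not middleBrick's code: it resolves local `$ref` pointers recursively, then reports operations that are deprecated or that require a security scheme the spec never defines. The sample spec and the names `resolve` and `audit` are constructed for illustration, and runtime observations are out of scope.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec; "/users/{id}" reaches its operation via a $ref chain.
SPEC = json.loads("""{
  "openapi": "3.1.0",
  "security": [{"apiKey": []}],
  "paths": {
    "/users/{id}": {"$ref": "#/components/pathItems/User"},
    "/legacy": {"get": {"deprecated": true}},
    "/health": {"get": {"security": []}}
  },
  "components": {
    "pathItems": {"User": {"$ref": "#/components/pathItems/UserBase"},
                  "UserBase": {"get": {"security": [{"oauth": ["read"]}]}}},
    "securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}
  }
}""")

def resolve(spec, node):
    """Follow local '#/...' $ref pointers until a concrete object is reached."""
    seen = set()
    while isinstance(node, dict) and "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/") or ref in seen:
            raise ValueError(f"external or circular $ref: {ref}")
        seen.add(ref)
        node = spec
        for token in ref[2:].split("/"):  # JSON Pointer unescaping
            node = node[token.replace("~1", "/").replace("~0", "~")]
    return node

def audit(spec):
    """Return sorted (path, method, issue) findings from the spec alone."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    defined |= set(spec.get("securityDefinitions", {}))  # Swagger 2.0 location
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in resolve(spec, item).items():
            if method not in HTTP_METHODS:
                continue
            if op.get("deprecated"):
                findings.append((path, method, "deprecated operation"))
            # Operation-level security overrides the global requirement.
            for req in op.get("security", spec.get("security", [])):
                findings += [(path, method, f"undefined security scheme: {n}")
                             for n in req if n not in defined]
    return sorted(findings)
```

An empty operation-level `security` array, as on `/health` in the sample, explicitly removes the global requirement, so a spec-side check like this one reports nothing for it.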

Authenticated scanning and safe credential handling

For endpoints that require authentication, the scanner supports bearer tokens, API keys, basic auth, and cookies at the Starter tier and above. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring that only the domain owner can submit credentials. The scanner forwards a strict allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, preventing unintended data exposure during scans.

LLM and AI security probe coverage

The scanner includes specific assessments for LLM/AI security, executing 18 adversarial probes across three scan tiers labeled Quick, Standard, and Deep. These probes target system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration paths, cost exploitation techniques, encoding bypass strategies, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Results highlight risky model behavior patterns without requiring access to training data or model internals.

Operational workflows and integration for SRE teams

Scan results are delivered through multiple channels to fit into existing SRE toolchains. The Web Dashboard provides a centralized view with risk grades from A to F, prioritized remediation guidance, and trend tracking over time. The CLI supports on-demand scans with JSON or text output for scripting, while the GitHub Action enforces CI/CD gates by failing builds when scores drop below a defined threshold. The MCP server enables scanning from AI coding assistants, and the Pro tier adds scheduled rescans, diff detection, email alerts, signed webhooks, and compliance report downloads.

Frequently Asked Questions

Does this scanner perform intrusive tests like SQL injection?
No. The scanner only uses non-intrusive methods and does not execute active SQL injection or command injection payloads.

Can it replace a human penetration test for compliance?
No. It is a scanning tool that detects and reports issues and provides remediation guidance; it does not replace human expertise for high-stakes audits.

What happens to scan data after account cancellation?
Customer scan data can be deleted on demand and is purged within 30 days of cancellation. It is never sold or used for model training.

How are new findings compared across scans?
The Pro tier performs diff detection across scans to surface new findings, resolved findings, and score drift, with alerts delivered via email at a rate-limited frequency.