Akto as an API security dashboard
What middleBrick covers
- Aggregate risk scores A–F with prioritized findings across APIs
- Black-box scanning without agents or code access
- Coverage across twelve detection categories, mapped to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff detection and configurable alerts
API security dashboard capabilities
A dashboard for API security organizes findings across multiple services and environments into a unified view. middleBrick provides a web dashboard that aggregates risk scores ranging from A to F, prioritized findings, and trend data across scans. You can download branded compliance PDFs for audit artifacts and configure email alerts that are rate limited to one per hour per API.
Scan methodology and scope
The scanner performs black-box testing against public endpoints and requires no agents, SDKs, or code access, so it works against targets built in any language or framework and hosted on any cloud. Requests use read-only methods (GET and HEAD); the one exception is text-only POST requests for LLM probes. A scan typically completes in under a minute. Findings are mapped to OWASP API Top 10 (2023), and issues relevant to SOC 2 Type II and PCI-DSS 4.0 controls are surfaced.
Detection coverage and limitations
The scanner detects issues across twelve categories, including authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, data exposure including PII patterns and API key formats, and SSRF probes against URL-accepting parameters. It also covers LLM security through adversarial probes for system prompt extraction, jailbreak techniques, and token smuggling. The tool does not perform active SQL injection or command injection testing, does not fix or remediate findings, and does not detect business logic vulnerabilities, which require domain-specific human review.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime observations to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported after domain verification via DNS TXT records or HTTP well-known files. Only specific headers are forwarded: Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integrations
The Pro tier adds scheduled rescans every six hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift between scans. Alerts are delivered via email, Slack, or Teams; webhooks are signed with HMAC-SHA256 and are disabled automatically after five consecutive delivery failures. The CLI supports commands such as middlebrick scan <url> with JSON or text output. The GitHub Action can gate CI/CD by failing the build when the score drops below a set threshold. An MCP server enables scanning from AI coding assistants, and a dedicated API client supports custom integrations.
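To show what a receiver of the signed diff webhooks and the score-threshold gate described above has to do, here is an added example (not middleBrick's own code). It assumes a signing scheme the page does not specify: hex-encoded HMAC-SHA256 over the raw body in a header called X-Signature, and a JSON body with score, previous_score, new_findings and resolved_findings fields; the secret and payload are constructed for the run.

```python
"""Webhook receiver for a middleBrick-style scan alert (added example).

Assumed, not from the page: signature = hex HMAC-SHA256 over the raw body,
sent in an X-Signature header; body fields score, previous_score,
new_findings, resolved_findings.
"""
import hashlib
import hmac
import json

GRADE_ORDER = "ABCDEF"  # A is best, F is worst (the page's A-F scale)


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Constant-time comparison so a forged header leaks no timing information."""
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def grade_meets_threshold(score: str, threshold: str) -> bool:
    """True when the score is at least as good as the threshold (A beats B ...)."""
    return GRADE_ORDER.index(score) <= GRADE_ORDER.index(threshold)


def handle_webhook(secret: bytes, body: bytes, header_value: str,
                   threshold: str = "C") -> dict:
    """Reject unsigned deliveries first, then evaluate the diff and the gate."""
    if not verify_signature(secret, body, header_value):
        return {"accepted": False, "reason": "bad signature"}
    payload = json.loads(body)
    score, previous = payload["score"], payload.get("previous_score")
    return {
        "accepted": True,
        "gate_failed": not grade_meets_threshold(score, threshold),
        "score_drift": previous is not None and previous != score,
        "new_findings": len(payload.get("new_findings", [])),
        "resolved_findings": len(payload.get("resolved_findings", [])),
    }


# Constructed sample delivery so the module runs offline.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = json.dumps({
    "api": "https://api.example.test",
    "score": "D",
    "previous_score": "B",
    "new_findings": ["BOLA via sequential ID probing", "JWT alg=none accepted"],
    "resolved_findings": ["Missing pagination"],
}).encode()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, sign_body(SAMPLE_SECRET, SAMPLE_BODY)))
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, "00" * 32))  # forged: rejected
```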