Akto for CTOs

What middleBrick covers

  • Black-box scanning without agents or code access
  • Risk scoring with prioritized findings
  • OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
  • Authenticated scanning with header allowlist
  • Continuous monitoring with diff detection
  • Programmatic access via API and CLI

Scope and methodology

The scanner is a black-box tool: it sends read-only requests to an API endpoint and analyzes the responses. It uses the GET and HEAD methods, with text-only POST requests reserved for the LLM probe checks. A scan typically completes in under one minute, and no agents, SDKs, or code access are required.

Detection coverage aligned to standards

Findings map to the OWASP API Top 10 (2023), and the tool also aligns with security controls described in PCI-DSS 4.0 and SOC 2 Type II. Detection categories include authentication bypass, broken object level authorization, broken function level authorization, object property level authorization, input validation issues, rate limiting and resource consumption, data exposure, encryption misconfigurations, SSRF indicators, inventory management problems, unsafe consumption surfaces, and LLM/AI security probes, run across tiered scan depths.

OpenAPI analysis and authenticated scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is required before credentials can be used, so only the domain owner can run authenticated scans, and a strict header allowlist limits which headers are forwarded.

Continuous monitoring and integrations

The Pro tier provides scheduled rescans every six hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift. Alerts are delivered as email notifications, rate-limited to one per hour per API, and as HMAC-SHA256 signed webhooks that are disabled automatically after five consecutive delivery failures. Integration options include a web dashboard for reporting and trend tracking, a CLI distributed as an npm package, a GitHub Action for CI/CD gating, an MCP server for AI coding assistants, and a programmable API for custom workflows.

Limitations and posture

The scanner does not fix, patch, block, or remediate findings; it provides detection and guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not detect blind SSRF, and does not replace a human pentester for high-stakes audits. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.

Frequently Asked Questions

How does authenticated scanning work?
Authenticated scanning uses Bearer, API key, Basic auth, or Cookie credentials after domain verification. Only specific headers are forwarded, and the domain owner must prove control through DNS TXT records or a well-known file.
What compliance mappings are provided?
Findings map directly to OWASP API Top 10 (2023), and the tool aligns with security controls described in PCI-DSS 4.0 and SOC 2 Type II. Other frameworks are supported through alignment wording only.
Can scan results be integrated into existing workflows?
Yes. The tool provides a web dashboard, CLI, GitHub Action, MCP server, and an API client to integrate results into CI/CD pipelines and custom tooling.
Is sensitive scan data retained long-term?
No. Scan data is deletable on demand and is purged within 30 days of account cancellation. It is not sold and is not used for model training.