Akto for Enterprise organizations

What middleBrick covers

  • Black-box API scanning that completes in under one minute
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • Authenticated scanning with header allowlist controls
  • CI/CD integration via GitHub Action and MCP Server
  • Continuous monitoring and diff detection in Pro tier

Overview and scope

middleBrick is a self-service API security scanner designed for enterprise evaluation of external attack surface. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scanner operates as a black-box solution with no agents, no SDKs, and no access to your code or infrastructure. It supports any language, framework, or cloud environment. Scans complete in under one minute using read-only methods (GET and HEAD) and text-only POST for LLM probes.

Detection coverage and compliance mapping

The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023):

  • Authentication bypass and JWT misconfigurations
  • Broken Object Level Authorization (BOLA) and IDOR
  • Broken Function Level Authorization (BFLA) and privilege escalation attempts
  • Exposure of internal properties and mass-assignment surfaces
  • Input validation issues such as CORS wildcard usage and dangerous HTTP methods
  • Rate limiting and resource consumption indicators
  • Data exposure, including PII patterns and API key formats
  • Encryption and header misconfigurations
  • SSRF indicators involving internal IP probing
  • Inventory management issues such as missing versioning
  • Unsafe consumption surfaces, including webhook exposure
  • LLM / AI security probes across multiple tiers

middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, it helps you prepare by aligning findings with the security controls those frameworks describe, supporting audit evidence without asserting certification or guaranteeing compliance.

Authenticated scanning and safety controls

Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through DNS TXT records or HTTP well-known files to ensure only domain owners can scan with credentials. The scanner forwards a restricted allowlist of headers including Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Safety is maintained through read-only methods only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.

Product integrations and deployment options

Deployment options include a Web Dashboard for scanning, report review, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is provided for CI/CD gating, failing the build when the score drops below a defined threshold. An MCP Server enables scanning from AI coding assistants like Claude and Cursor. A programmatic API client supports custom integrations.

Continuous monitoring in the Pro tier offers scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift. Alerts are rate-limited to one email per hour per API. HMAC-SHA256 signed webhooks are included with automatic disabling after five consecutive failures.

Limitations and responsible usage

middleBrick does not fix, patch, block, or remediate issues; it detects and reports findings with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities cannot be detected automatically and require human expertise aligned with your domain. Blind SSRF is out of scope due to the absence of out-of-band infrastructure, and the tool does not replace a human pentester for high-stakes audits.

Frequently Asked Questions

How often can I run scans with the free tier?
The free tier allows 3 scans per month with CLI access. Additional scans are not available until you upgrade.
Can authenticated scans verify my domain ownership?
Yes, authenticated scans require domain verification via DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials.
Does the scanner perform active exploitation like SQL injection?
No. The scanner uses read-only methods and does not execute active exploitation techniques such as SQL injection or command injection.
What happens to my scan data after I cancel?
Customer scan data is deletable on demand and fully purged within 30 days of cancellation. It is never sold or used for model training.