Akto for Government

What middleBrick covers

  • Black-box scanning with read-only methods under one minute
  • 12 OWASP API Top 10 (2023) coverage categories
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with domain verification gate
  • Continuous monitoring with diff detection and webhook alerts
  • Multiple output formats and CI/CD integration options

Black-box API Security Scanning

This scanner performs black-box testing against public-facing endpoints. It requires no agents, SDKs, or code access and supports any language, framework, or cloud environment. The scan completes in under a minute using read-only methods, including GET and HEAD requests, with text-only POST probes for LLM exposure. The approach limits risk by avoiding destructive payloads while still surfacing misconfigurations and common attack vectors.

Detection Scope and OWASP Mapping

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), including Authentication bypass, BOLA and BFLA, Property Authorization, Input Validation, Data Exposure, and LLM / AI Security. Detection of sensitive data patterns covers email, context-aware SSN, Luhn-validated card numbers, and multiple API key formats such as AWS, Stripe, GitHub, and Slack. Findings are mapped directly to OWASP API Top 10 controls, providing clear reference for security reviews.
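As an added illustration of the Luhn and context checks described above (my own example, not middleBrick's code), the following detector flags card numbers only when they pass the mod-10 check and SSN-shaped values only when a label such as "ssn" sits nearby, so a 16-digit order reference or an unlabelled phone extension is not reported. The AWS and GitHub key patterns and the constructed sample body are assumptions; the page names the vendors only.

```python
import re

# Constructed sample response body (not real data): a test card that passes
# Luhn, a 16-digit reference that fails it, an SSN-shaped value with and
# without a label, and AWS's documented example access key id.
SAMPLE_BODY = """{
  "card": "4111 1111 1111 1111",
  "order_ref": "1234567890123456",
  "ssn": "123-45-6789",
  "phone_ext": "555-12-3456",
  "aws_key": "AKIAIOSFODNN7EXAMPLE"
}"""
# Key-format patterns are my assumptions; the page only names the vendors.
API_KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SSN_LABEL = re.compile(r"(?i)\b(?:ssn|social[ _-]?security|tax[ _-]?id)\b")

def luhn_ok(digits: str) -> bool:
    # Mod-10 check: double every second digit from the right, subtract 9 if > 9.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_in_context(body: str, m: re.Match) -> bool:
    # Context-aware: require a label on the same line within 40 chars before
    # the value, and reject reserved area/group/serial values.
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        return False
    line_start = body.rfind("\n", 0, m.start()) + 1
    return SSN_LABEL.search(body[max(line_start, m.start() - 40):m.start()]) is not None

def find_sensitive(body: str) -> list:
    # Returns (category, value) pairs; non-Luhn digit runs and unlabelled
    # SSN shapes are deliberately left out to cut false positives.
    findings = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", digits))
    for m in SSN_SHAPE.finditer(body):
        if ssn_in_context(body, m):
            findings.append(("ssn", m.group()))
    for name, pattern in API_KEY_PATTERNS.items():
        findings.extend((name, m.group()) for m in pattern.finditer(body))
    return findings
```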

OpenAPI Analysis and Authenticated Scanning

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods, gated by domain verification through DNS TXT records or HTTP well-known files. Only a limited set of headers is forwarded to reduce noise and preserve safe probe behavior.

Continuous Monitoring and Integration Options

The Pro tier provides scheduled rescans at intervals of six hours, daily, weekly, or monthly, with diff detection across scans to highlight new findings, resolved issues, and score drift. Alerts include rate-limited email notifications and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. Integration options provide a web dashboard for trend tracking, a CLI via an npm package, a GitHub Action for CI/CD gating, and an MCP server for AI coding assistants.

Limitations and Scope Boundaries

The scanner does not fix, patch, block, or remediate findings; it reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside the scope. Business logic vulnerabilities, blind SSRF, and high-stakes audit requirements fall outside automated detection and necessitate human review. The tool is designed for discovery, not certification.

Frequently Asked Questions

Does the scanner perform intrusive testing such as SQL injection?
No. The scanner only uses read-only methods and avoids intrusive payloads like SQL injection or command injection, which are outside its scope.

How are scan results mapped to compliance frameworks?
Findings map directly to OWASP API Top 10 controls and support audit evidence for SOC 2 Type II and PCI-DSS 4.0. Other regulations are addressed through alignment language only.

Can authenticated scans be configured with custom headers?
Authenticated scans allow Bearer, API key, Basic auth, and Cookie methods. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.