Akto for Platform engineers

Akto is a self-service API security scanner that accepts a target URL and returns a risk score with prioritized findings. The scan is black-box, requiring no agents, SDKs, or code access, and completes in under a minute using read-only methods such as GET and HEAD, with text-only POST for LLM probes. This workflow suits platform engineers who need to validate API surfaces across multiple services without changing deployment pipelines.

The scanner covers 12 categories aligned to OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II. Detection includes authentication bypasses and JWT misconfigurations, BOLA and IDOR via sequential and adjacent ID probing, BFLA and privilege escalation attempts, property over-exposure, input validation issues such as CORS wildcard usage, rate-limiting characteristics, data exposure including PII and API key formats, encryption misconfigurations, SSRF indicators, inventory issues like missing versioning, unsafe consumption surfaces, and LLM/AI security probes across multiple tiers.

OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes or deprecated operations. These capabilities help you prepare for audits and align with security controls described in major compliance frameworks.

Authenticated scanning is available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only domain owners can scan with credentials. A strict header allowlist passes only Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Safety is inherent in the design: only read-only methods are used, destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.

The platform integrates into existing tooling with multiple delivery options. The web dashboard centralizes scans, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI via the middlebrick npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. An MCP server enables scanning from AI coding assistants, and a programmatic API supports custom integrations.

For ongoing risk management, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans to surface new or resolved findings, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.

midleBrick is a scanner and does not fix, patch, block, or remediate findings; it provides detection and contextual remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities require human domain expertise, and blind SSRF is out of scope due to the lack of out-of-band infrastructure.

The tool does not replace a human pentester for high-stakes audits. These limitations support realistic risk expectations and help you integrate the scanner effectively within a broader security program.