Alternatives to 42Crunch in IoT / OT
What middleBrick covers
- Black-box scans with read-only methods under one minute
- Twelve check categories aligned to the OWASP API Top 10, including LLM security
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning for Bearer, API key, Basic, and Cookie
- Continuous monitoring with diff detection and email alerts
- CLI, dashboard, GitHub Action, and MCP Server integrations
Purpose and scope for IoT and OT API security
When assessing APIs in industrial environments, judge a scanner by what it actually validates rather than by what it promises. middleBrick performs black-box scanning against publicly reachable endpoints using read-only methods. It maps findings to three named frameworks: PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). For other regulations it offers alignment only: the output can help you prepare or support audit evidence, but it does not constitute certification.
Detection coverage for IoT and OT concerns
The scanner covers 12 check categories aligned to the OWASP API Top 10 (2023). The ones that map most directly onto common IoT and OT API risks are:
- Authentication: bypass attempts across several authentication methods, and JWT misconfigurations such as alg=none and acceptance of expired tokens.
- BOLA / IDOR: sequential ID enumeration and adjacent endpoints where devices or sensors expose predictable identifiers.
- Property Authorization: over-exposed internal fields and mass-assignment surfaces common in device management APIs.
- Input Validation: CORS wildcard usage and dangerous HTTP methods that may appear on legacy equipment.
- SSRF: URL-accepting parameters and body fields, probed with payloads that point at internal IP ranges typical of plant networks to see whether the target fetches them.
- LLM / AI Security: 18 adversarial probes across Quick, Standard, and Deep tiers, relevant when devices expose AI-assisted interfaces.
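As an added illustration, not middleBrick's scanner code, three of these checks are written below as offline functions over constructed inputs: a JWT header and claims inspection that flags alg=none and expired tokens without needing the server's key, a CORS wildcard check on response headers, and a dangerous-method check on the Allow header of an OPTIONS response. The finding labels, the sample token, and the sample headers are assumptions made for the example.

```python
# Added example, not middleBrick's scanner code: three read-only checks from the
# categories above, applied to constructed inputs so they run offline.
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def check_jwt(token: str, now: Optional[float] = None) -> list:
    """Flag alg=none and expired tokens by inspecting header and claims only.

    No signature is verified: the scanner does not hold the server's key, and
    both findings are visible from the token's plaintext parts.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["jwt-malformed"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return ["jwt-malformed"]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("jwt-alg-none")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("jwt-expired")
    return findings


def check_cors(headers: dict) -> list:
    """Flag a wildcard origin. Browsers refuse '*' together with credentials, so
    that pairing is reported as a misconfiguration, not as credential leakage."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("access-control-allow-origin") == "*":
        findings.append("cors-wildcard-origin")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("cors-wildcard-with-credentials")
    return findings


# State-changing or diagnostic methods a read-only scanner only observes
# (via the Allow header) and never sends.
DANGEROUS_METHODS = {"PUT", "DELETE", "PATCH", "TRACE", "CONNECT"}


def check_allowed_methods(allow_header: str) -> list:
    """Report dangerous methods advertised in an OPTIONS response Allow header."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted("dangerous-method-" + m.lower() for m in advertised & DANGEROUS_METHODS)


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token with an empty signature segment (sample input)."""
    return _b64url_encode({"alg": "none", "typ": "JWT"}) + "." + _b64url_encode(claims) + "."


if __name__ == "__main__":
    token = make_unsigned_jwt({"sub": "sensor-42", "exp": 1_600_000_000})
    print(check_jwt(token, now=1_700_000_000))
    print(check_cors({"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}))
    print(check_allowed_methods("GET, HEAD, OPTIONS, DELETE, TRACE"))
```

The JWT check deliberately stops short of signature validation: a black-box scanner reports what the token itself reveals and leaves key-based verification to the server under test.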
OpenAPI analysis and integration with existing definitions
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to highlight undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination strategies often seen in constrained device APIs. This approach supports evidence collection for audits without requiring code access or SDK integration. The analysis is limited to what the spec describes and what the live endpoint returns.
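The following is an added example, not middleBrick's parser: it resolves local $ref pointers in a constructed OpenAPI 3.0 document and then applies three of the spec-level checks named above (undefined security schemes, deprecated operations, and missing pagination on array-returning GETs). The pagination parameter names and the finding labels are assumptions, and cross-referencing against the live endpoint is omitted because it needs network access.

```python
# Added example, not middleBrick's code: local $ref resolution and three
# spec-level checks, run over a constructed OpenAPI 3.0 document for a
# device API. Runtime comparison against the live endpoint is left out.
import copy
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
# Query parameter names taken as evidence of a pagination strategy (assumed set).
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor"}


def resolve_refs(node: Any, root: dict, seen: tuple = ()) -> Any:
    """Inline every local '#/...' $ref recursively; refuse cycles and remote refs."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if not ref.startswith("#/"):
                raise ValueError(f"only local refs are handled here: {ref}")
            if ref in seen:
                raise ValueError(f"cyclic $ref: {ref}")
            target: Any = root
            for part in ref[2:].split("/"):
                part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer escapes
                target = target[int(part)] if isinstance(target, list) else target[part]
            return resolve_refs(copy.deepcopy(target), root, seen + (ref,))
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def _returns_array(op: dict) -> bool:
    content = op.get("responses", {}).get("200", {}).get("content", {})
    return any(media.get("schema", {}).get("type") == "array" for media in content.values())


def audit_spec(spec: dict) -> dict:
    """Return {'METHOD /path': [findings]} for operations that need attention."""
    spec = resolve_refs(spec, spec)
    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")
    findings = {}
    for path, item in spec.get("paths", {}).items():
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            issues = []
            security = op.get("security", global_security)  # operation overrides global
            if not security:
                issues.append("no-security-requirement")
            else:
                for requirement in security:
                    for name in requirement:
                        if name not in schemes:
                            issues.append(f"undefined-security-scheme:{name}")
            if op.get("deprecated"):
                issues.append("deprecated-operation")
            if method == "get" and _returns_array(op):
                query = {p["name"].lower() for p in path_params + op.get("parameters", [])
                         if p.get("in") == "query"}
                if not query & PAGINATION_PARAMS:
                    issues.append("missing-pagination")
            if issues:
                findings[f"{method.upper()} {path}"] = issues
    return findings


# Constructed spec: an unauthenticated, unpaginated list endpoint and a
# deprecated delete naming a scheme that the components section never defines.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Sensor": {"type": "object", "properties": {"id": {"type": "integer"}}},
            "SensorList": {"type": "array", "items": {"$ref": "#/components/schemas/Sensor"}},
        },
    },
    "paths": {
        "/sensors": {
            "get": {"responses": {"200": {"description": "all sensors", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/SensorList"}}}}}},
        },
        "/sensors/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "get": {"security": [{"bearer": []}], "responses": {"200": {"description": "one sensor", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/Sensor"}}}}}},
            "delete": {"deprecated": True, "security": [{"apiKeyLegacy": []}],
                       "responses": {"204": {"description": "removed"}}},
        },
    },
}

if __name__ == "__main__":
    for operation, issues in audit_spec(SAMPLE_SPEC).items():
        print(operation, issues)
```

Cycle refusal is a safety choice for the example: real specs do carry legitimately recursive schemas, and a production parser would instead track visited pointers and stop inlining at the repeat.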
Authenticated scanning and operational safety
Authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. A domain verification gate ensures only the domain owner can scan with credentials, using DNS TXT records or an HTTP well-known file. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce exposure. The scanner follows a strict read-only posture; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers to prevent unsafe probing.
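As an added example, not middleBrick's implementation, the two safety gates can be written as two functions: a target check that refuses loopback, private and link-local/metadata addresses both by hostname and by every resolved address, and a header allowlist matching the forwarding rule above. The blocked ranges and the hostname list are assumptions, DNS resolution is passed in as data so the code runs offline, and the domain verification step (DNS TXT record or well-known file) is left out because it needs network access.

```python
# Added example, not middleBrick's code: the two pre-request safety gates
# described above. Resolved addresses are passed in as data so the check runs
# offline; a real scanner resolves the host itself and re-checks every redirect.
import ipaddress
from urllib.parse import urlsplit

# Blocked ranges (assumed list): RFC 1918, loopback, "this network", CGNAT, and
# link-local, which contains the 169.254.169.254 cloud metadata address; plus
# the IPv6 loopback, unique-local and link-local equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Names rejected by string match before any resolution (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Only these headers are forwarded with credentials, per the page; all others dropped.
FORWARDED_HEADERS = {"authorization", "x-api-key", "cookie"}
FORWARDED_PREFIX = "x-custom-"


def target_allowed(url: str, resolved_ips) -> tuple:
    """Layer 1 rejects blocked hostnames; layer 2 rejects any resolved address
    (or IP literal in the URL) inside a blocked range. Every A/AAAA answer is
    checked, so a rebinding-style answer set mixing public and private fails."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname: {host}"
    candidates = list(resolved_ips)
    try:
        candidates.insert(0, str(ipaddress.ip_address(host)))  # URL holds an IP literal
    except ValueError:
        pass  # a DNS name; rely on the resolved addresses
    if not candidates:
        return False, "host did not resolve"
    for ip_str in candidates:
        ip = ipaddress.ip_address(ip_str)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return False, f"{ip_str} is inside blocked range {net}"
    return True, "ok"


def filter_forwarded_headers(headers: dict) -> dict:
    """Keep only the credential headers the scanner is permitted to forward."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in FORWARDED_HEADERS or lname.startswith(FORWARDED_PREFIX):
            kept[name] = value
    return kept


if __name__ == "__main__":
    print(target_allowed("https://api.example.com/v1", ["203.0.113.10"]))
    print(target_allowed("http://169.254.169.254/latest/meta-data/", []))
    print(filter_forwarded_headers({"Authorization": "Bearer t", "X-Forwarded-For": "1.2.3.4"}))
```

Checking every resolved address rather than the first one matters: a hostname that answers with one public and one private address would otherwise pass the gate on the first lookup and reach the private side on a later connection.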
Products, integrations, and continuous monitoring
The Web Dashboard centralizes scan results, score trends, and branded compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a chosen threshold. The MCP Server enables scanning from AI coding assistants. For ongoing risk management, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection and rate-limited email alerts. HMAC-SHA256 signed webhooks provide automated feedback, with auto-disable after 5 consecutive failures.
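Below is an added example, not middleBrick's code, of how a receiver verifies an HMAC-SHA256 signed webhook and how a sender applies the five-consecutive-failures auto-disable rule. The page states only the algorithm and the failure cutoff; the header layout, the timestamp binding and the replay tolerance window are assumptions for the example.

```python
# Added example, not middleBrick's code: receiver-side verification of an
# HMAC-SHA256 signed webhook and the sender-side auto-disable rule. The page
# states only HMAC-SHA256 and the 5-failure cutoff; the timestamp binding and
# tolerance window below are assumptions.
import hashlib
import hmac
import json
import time

MAX_CONSECUTIVE_FAILURES = 5   # from the page
MAX_SKEW_SECONDS = 300         # assumed replay window


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<raw body bytes>', hex encoded.
    Binding the timestamp into the MAC stops a captured delivery being replayed later."""
    return hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, timestamp: int, body: bytes, signature: str, now=None) -> bool:
    """Reject stale deliveries first, then compare in constant time. Verify over the
    raw bytes as received: re-serialising parsed JSON would change the MAC input."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign_payload(secret, timestamp, body), signature)


class WebhookEndpoint:
    """Sender-side bookkeeping: a success resets the counter, the fifth
    consecutive failure disables the endpoint until an operator re-enables it."""

    def __init__(self, url: str):
        self.url = url
        self.consecutive_failures = 0
        self.enabled = True

    def record_attempt(self, delivered: bool) -> bool:
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = json.dumps({"scan_id": "demo", "score": 71, "delta": -4}).encode()
    ts = int(time.time())
    sig = sign_payload(secret, ts, body)
    print(verify_delivery(secret, ts, body, sig))         # True
    print(verify_delivery(secret, ts, body + b" ", sig))  # False: body tampered
```

Two details carry the security weight: hmac.compare_digest prevents a timing side channel on the signature comparison, and verifying over the raw request bytes (not a re-encoded JSON object) keeps the receiver's MAC input identical to the sender's.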