Alternatives to Apigee in IoT / OT
What middleBrick covers
- Black-box scanning without agents or code access
- Supports OpenAPI 3.0, 3.1, and Swagger 2.0 analysis
- Covers 12 OWASP API Top 10 categories
- Authenticated scanning with header allowlist
- LLM adversarial probing across multiple depth tiers
- Continuous monitoring and diff detection
Purpose and scope for IoT and OT API security
In IoT and OT environments, APIs are often the bridge between constrained devices and enterprise systems. These interfaces can expose operational data, configuration controls, and sensitive telemetry. This tool is a black-box API security scanner that analyzes endpoints without requiring code access or agents. It submits read-only requests and text-only POST probes to surface risks across the API surface.
Detection aligned to recognized frameworks
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II controls. Detection coverage includes:
- Authentication bypasses and JWT misconfigurations such as alg=none or expired tokens
- BOLA and IDOR via sequential ID probing
- BFLA and privilege escalation attempts
- Over-exposed properties
- Input validation issues such as CORS wildcard misconfigurations
- Rate-limit header inconsistencies
- Data exposure, including Luhn-validated card patterns and API key formats
- Encryption issues such as missing HSTS
- SSRF indicators involving internal IP probes
- Inventory management gaps such as missing versioning
For LLM-facing endpoints, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, jailbreak patterns, data exfiltration attempts, and token smuggling.
OpenAPI analysis and integration context
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref references. It cross-references the specification against runtime behavior to identify undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination. This helps highlight discrepancies between documented contracts and actual behavior in IoT management APIs and OT service interfaces.
Authenticated scanning and safety controls
Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate, such as a DNS TXT record or an HTTP well-known file, ensures only the domain owner can submit credentials. The scanner forwards a restricted allowlist of headers including Authorization, X-API-Key, Cookie, and X-Custom-* headers. Read-only methods are enforced, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation.
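The target-blocking control described above (private IPs, localhost and cloud metadata endpoints rejected before any request is sent) is the kind of guard a scanner needs so that it cannot itself be used as an SSRF relay. The following is an added illustration, not middleBrick's code: the metadata hostnames and addresses, the `check_target` and `is_blocked_ip` names, and the injectable `resolve` callback are assumptions chosen so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative sets: well-known cloud metadata names/addresses and
# loopback hostnames. Not a list taken from middleBrick.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}
LOCAL_HOSTS = {"localhost", "localhost.localdomain"}


def is_blocked_ip(addr: str) -> bool:
    """True if addr is private, loopback, link-local, unspecified or a metadata address."""
    ip = ipaddress.ip_address(addr)
    # Layer 1: unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in METADATA_ADDRS:
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_target(url: str, resolve) -> tuple[bool, str]:
    """Return (allowed, reason). resolve(host) is an injectable DNS lookup
    returning a list of address strings, so the check can run without network."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    # Layer 2: reject by name before any DNS lookup happens.
    if host in LOCAL_HOSTS or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, f"blocked hostname: {host}"
    # Layer 3: reject by address, for a literal IP or for every resolved record.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"unresolvable host: {host}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"blocked address {addr} for {host}"
    return True, "ok"


if __name__ == "__main__":
    fake_dns = {"api.example.com": ["93.184.216.34"], "intranet.example": ["10.20.30.40"]}
    for u in ["https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://intranet.example/", "http://[::ffff:127.0.0.1]:8080/"]:
        print(u, check_target(u, lambda h: fake_dns.get(h, [])))
```

A production guard would additionally pin the resolved address for the actual connection, so a name that resolves to a public address at check time cannot be re-pointed at an internal one before the request is made.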
Products, integrations, and continuous monitoring
The Web Dashboard provides scan management, report viewing, score trend tracking, and downloadable compliance PDFs. The CLI, available as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing builds when scores drop below a defined threshold. The MCP Server enables scanning from AI coding assistants. The Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection for new or resolved findings, email alerts at a rate-limited frequency, HMAC-SHA256 signed webhooks, and Slack or Teams notifications. Enterprise tiers support unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.