Apigee for Mid-market companies
What middleBrick covers
- Black-box scanning with no agents or SDKs
- Risk scoring A–F with prioritized findings
- 12 OWASP API Top 10 (2023) aligned detections
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist
- Continuous monitoring and diff detection in Pro
Overview and scope
Apigee positions itself as an API management layer that can include security monitoring, but from a mid-market perspective the focus is on cost, complexity, and time-to-value. middleBrick is a self-service API security scanner that requires no agents, SDKs, or code access. You submit an API URL and receive a risk score from A to F with prioritized findings in under a minute, using only read-only methods.
Detection coverage and compliance mapping
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023):
- Authentication bypass
- JWT misconfigurations such as alg=none or expired tokens
- BOLA and IDOR via sequential ID probing
- BFLA and privilege escalation attempts
- Property Authorization over-exposure
- Input Validation issues like CORS wildcard usage
- Rate Limiting and oversized responses
- Data Exposure including PII and API key formats
- Encryption misconfigurations
- SSRF probes against URL-accepting parameters
- Inventory Management issues like missing versioning
- LLM/AI Security through 18 adversarial probes across Quick, Standard, and Deep tiers
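To make the JWT category concrete, here is an added example (the editor's own code, not middleBrick's) covering the two misconfigurations named above, alg=none and expired tokens. make_token builds constructed sample tokens, inspect_jwt reports the misconfiguration the way a read-only scanner can (no key needed), and verify_hs256 shows the server-side verification that avoids both problems by pinning the algorithm and enforcing exp. All function names and the sample secret are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a constructed sample JWT. With secret=None the signature segment
    is left empty, which is the shape of an alg=none token."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if secret is None:
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_jwt(token: str, now: Optional[int] = None) -> list:
    """Scanner-style check: report misconfigurations without needing the key."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return ["malformed"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed"]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg_none")
    exp = payload.get("exp")
    if not isinstance(exp, int):
        findings.append("no_exp")
    elif exp < (int(time.time()) if now is None else now):
        findings.append("expired")
    return findings


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Server-side verification done right: the verifier pins the algorithm,
    compares the signature in constant time, and enforces exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        provided = _b64url_decode(parts[2])
    except ValueError:
        return False
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(provided, expected):
        return False
    exp = payload.get("exp")
    return isinstance(exp, int) and exp >= (int(time.time()) if now is None else now)
```

The `now` parameter exists so the checks are deterministic in tests; in production leave it unset. The important design point is in verify_hs256: the accepted algorithm is a property of the verifier, never read from the token header, so an alg=none token fails before any signature comparison happens.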
middleBrick maps findings to three specific frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, the tool helps you prepare audit evidence and aligns findings with the security controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, and similar frameworks, without asserting certification or compliance guarantees.
Authenticated scanning and data handling
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and Cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.
Scan data is deletable on demand and purged within 30 days of cancellation. Customer data is never sold and is not used for model training. Destructive payloads are never sent, private IPs and cloud metadata endpoints are blocked at multiple layers, and the tool explicitly does not perform active SQL injection, command injection, or blind SSRF testing.
OpenAPI analysis and integration options
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
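The following is an added example of the two steps this paragraph describes, written by the editor rather than taken from middleBrick: resolving local $ref pointers recursively (with a guard for self-referencing schemas, which would otherwise recurse forever) and then walking the dereferenced paths to flag operations that name an undefined security scheme, carry no security requirement at all, are marked deprecated, or return an array without any pagination parameter. The spec, the finding names and the pagination heuristic are all constructed for the example; the same pointer syntax covers Swagger 2.0's #/definitions/... refs.

```python
# Constructed sample spec (not a real API): one defined scheme, a recursive
# schema, one operation using an undefined scheme, one deprecated and unprotected.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "email": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"}}},  # self-reference
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {
            "operationId": "listUsers",
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {
            "get": {"operationId": "getUser", "security": [{"apiKeyAuth": []}],
                    "responses": {"200": {"description": "ok"}}},
            "delete": {"operationId": "deleteUser", "deprecated": True,
                       "responses": {"204": {"description": "deleted"}}},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
PAGINATION_PARAMS = {"limit", "page", "offset", "cursor", "page_size", "per_page"}


def resolve_ref(spec, ref):
    """Follow a local JSON pointer such as #/components/schemas/User."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def deref(spec, node, active=()):
    """Recursively inline $ref targets. A ref already on the resolution stack
    is a cycle; it is left in place with a marker instead of recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in active:
                return {"$ref": ref, "x-circular": True}
            return deref(spec, resolve_ref(spec, ref), active + (ref,))
        return {k: deref(spec, v, active) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(spec, v, active) for v in node]
    return node


def _returns_array(op):
    for code, resp in op.get("responses", {}).items():
        if str(code).startswith("2"):
            for media in resp.get("content", {}).values():
                if media.get("schema", {}).get("type") == "array":
                    return True
    return False


def _has_pagination(op, path_item):
    params = op.get("parameters", []) + path_item.get("parameters", [])
    return any(str(p.get("name", "")).lower() in PAGINATION_PARAMS for p in params)


def analyze(spec):
    """Static checks over the dereferenced paths; each finding is a tuple
    starting with a category name and the operationId."""
    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])  # operation-level security overrides this
    findings = []
    for path, item in deref(spec, spec.get("paths", {})).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            op_id = op.get("operationId", f"{method.upper()} {path}")
            security = op.get("security", global_security)
            if not security:
                findings.append(("no_security", op_id))
            for requirement in security:
                for name in requirement:
                    if name not in schemes:
                        findings.append(("undefined_security_scheme", op_id, name))
            if op.get("deprecated"):
                findings.append(("deprecated", op_id))
            if method == "get" and _returns_array(op) and not _has_pagination(op, item):
                findings.append(("missing_pagination", op_id))
    return findings
```

On the sample spec, analyze reports listUsers for missing pagination, getUser for the undefined apiKeyAuth scheme, and deleteUser both for having no security requirement and for being deprecated. Static findings like these are only half the picture; the paragraph's point is that they are cross-referenced with what the running API actually does.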
Integration options include a Web Dashboard for scanning and tracking score trends with downloadable branded compliance PDFs, a CLI via the middlebrick npm package using middlebrick scan <url> with JSON or text output, a GitHub Action for CI/CD gating that fails the build when the score drops below a threshold, an MCP Server for AI coding assistants such as Claude and Cursor, and a programmatic API for custom integrations.
Pricing, monitoring, and limitations
The Free tier offers 3 scans per month with CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs with continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise at 2000 dollars per month adds unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.
Continuous Monitoring in the Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly; diff detection across scans; email alerts rate-limited to 1 per hour per API; and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.
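The two webhook properties just listed, HMAC-SHA256 signing and auto-disable after 5 consecutive failures, are shown together in this added example (the editor's own code, not middleBrick's). The sender side (WebhookEndpoint) signs each delivery and stops after the fifth failure in a row; the receiver side (verify) recomputes the MAC in constant time and rejects stale timestamps. The header name X-Signature, the t=...,v1=... header layout, the 300-second tolerance and the sample secret are assumptions made for the example, not middleBrick's documented format.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNATURE_HEADER = "X-Signature"  # assumed header name for this example
TOLERANCE_SECONDS = 300           # assumed replay window for this example


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" so the timestamp is covered too."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(secret: bytes, body: bytes, header_value: str, now: Optional[int] = None) -> bool:
    """Receiver-side check: parse the header, reject stale timestamps, then
    compare the recomputed MAC against the provided one in constant time."""
    try:
        fields = dict(kv.split("=", 1) for kv in header_value.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (ValueError, KeyError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


class WebhookEndpoint:
    """Sender-side delivery record with the auto-disable rule."""

    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, payload: dict, send, now: Optional[int] = None) -> bool:
        """send(url, body, headers) -> HTTP status code (injected so the example
        runs offline). Returns True only for a 2xx response; any exception or
        non-2xx counts as a failure, and a success resets the failure streak."""
        if not self.enabled:
            return False
        now = int(time.time()) if now is None else now
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            SIGNATURE_HEADER: sign(self.secret, now, body),
        }
        try:
            status = send(self.url, body, headers)
        except Exception:
            status = 0
        if 200 <= status < 300:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return False
```

Two details matter for the receiver: verify the signature over the raw request bytes before parsing the JSON (re-serialising can change whitespace or key order and break the MAC), and treat the timestamp as part of the signed data so an old, validly signed delivery cannot be replayed outside the tolerance window.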
The tool does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not detect business logic vulnerabilities, which require domain understanding, nor does it replace a human pentester for high-stakes audits.