Apigee for Series B/C companies
What middleBrick covers
- Black-box API scanning with risk score A–F
- 12 OWASP-aligned detection categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing
- Authenticated scanning with header allowlist
- CI/CD integration and GitHub Action gating
- Continuous monitoring with diff and alerting
Overview and scope
middleBrick is a self-service API security assessment platform. Submit a URL and receive a risk score graded A through F with prioritized findings. It operates as a black-box scanner: no agents, SDKs, or code access are required, so any language, framework, or cloud is supported. By default it sends only read-only methods (GET and HEAD); the one exception is a text-only POST body used for the LLM probes. A scan typically completes in under a minute.
Detection coverage and compliance mapping
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023):
- Authentication: bypasses and JWT misconfigurations such as alg=none or expired tokens being accepted
- BOLA/IDOR: sequential and adjacent object ID probing
- BFLA and privilege escalation: admin endpoint discovery
- Property over-exposure: including mass-assignment surfaces
- Input validation: CORS wildcard origins and dangerous HTTP methods
- Rate limiting: rate-limit header detection and oversized-response analysis
- Data exposure: PII patterns, valid credit card numbers, API key formats, and error-message leakage
- Encryption: HTTPS redirects, HSTS, and cookie flags
- SSRF: URL-accepting inputs and internal IP resolution
- Inventory management: missing versioning and legacy paths
- LLM security: 18 adversarial probes across Quick, Standard, and Deep tiers
- Unsafe consumption: third-party URLs and webhooks
For compliance, findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, findings align with the security controls those standards describe and can be used as supporting audit evidence; the scanner does not assert certification or guarantee compliance.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier and above and supports Bearer tokens, API keys, Basic auth, and cookies. Before credentials can be used, the domain must be verified with a DNS TXT record or an HTTP well-known file, so only the domain owner can run authenticated scans against it. Only a restricted header allowlist is forwarded to the target: Authorization, X-API-Key, Cookie, and X-Custom-* headers. Private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers. Scan data can be deleted on demand and is purged within 30 days of cancellation. The scanner does not send intrusive payloads such as active SQL or command injection, and it does not attempt to fix, patch, or remediate findings.
Product integrations and monitoring
The Web Dashboard centralizes scans, reports, and score trend tracking, with branded compliance PDF downloads. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing builds when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants like Claude and Cursor. Programmatic access is available via an API client for custom integrations.
Pro tier adds continuous monitoring with configurable intervals of every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks disable automatically after 5 consecutive failures. Enterprise tier provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Limitations and considerations
The scanner does not detect business logic vulnerabilities, which require domain-specific human expertise. Blind SSRF, which can only be confirmed through out-of-band callback infrastructure, is out of scope. It does not replace a human pentester for high-stakes audits. OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, and spec definitions are cross-referenced against runtime results to surface issues such as undefined security schemes or deprecated operations; even so, the tool identifies findings and provides remediation guidance rather than delivering fixes.
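The recursive $ref resolution and the spec-side cross-checks mentioned above, as an added JavaScript example rather than middleBrick's parser. It assumes local JSON-pointer refs only (`#/components/...` in OpenAPI 3.x, `#/definitions/...` in Swagger 2.0); remote and file refs are rejected. The finding shape and check names are invented for the example, and the sample spec is constructed.

```javascript
// Added example (not middleBrick's parser): resolve local $refs in an OpenAPI
// document while guarding against reference cycles, then cross-check each
// operation's security requirements against the declared security schemes and
// flag deprecated operations. Finding shape and check names are assumptions.

// JSON Pointer escaping: "~1" is "/", "~0" is "~" (RFC 6901).
function decodePointerToken(token) { return token.replace(/~1/g, '/').replace(/~0/g, '~'); }

// Follow a local ref such as "#/components/schemas/User" inside `doc`.
function lookupRef(doc, ref) {
  if (!ref.startsWith('#/')) throw new Error(`only local refs are supported: ${ref}`);
  let node = doc;
  for (const token of ref.slice(2).split('/')) {
    const key = decodePointerToken(token);
    if (node === null || typeof node !== 'object' || !(key in node)) throw new Error(`unresolvable $ref ${ref}`);
    node = node[key];
  }
  return node;
}

// Recursively replace {$ref} objects with their targets. A ref already on the
// current expansion path (User -> friends -> User) is left as a marker instead
// of recursing forever, which is what a recursive schema would otherwise cause.
function resolveRefs(doc, node = doc, stack = new Set()) {
  if (Array.isArray(node)) return node.map(n => resolveRefs(doc, n, stack));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (stack.has(node.$ref)) return { $circular: node.$ref };
    stack.add(node.$ref);
    const resolved = resolveRefs(doc, lookupRef(doc, node.$ref), stack);
    stack.delete(node.$ref);
    return resolved;
  }
  const out = {};
  for (const [key, value] of Object.entries(node)) out[key] = resolveRefs(doc, value, stack);
  return out;
}

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Static checks on the resolved spec. An operation-level `security` overrides
// the global one, and `security: []` explicitly declares the operation public.
function auditSpec(doc) {
  const spec = resolveRefs(doc);
  const schemes = new Set(Object.keys((spec.components && spec.components.securitySchemes) || {}));
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op) continue;
      const where = `${method.toUpperCase()} ${path}`;
      if (op.deprecated === true) findings.push({ check: 'deprecated-operation', where });
      const requirements = op.security !== undefined ? op.security : (spec.security || []);
      if (requirements.length === 0 || requirements.some(r => Object.keys(r).length === 0)) {
        findings.push({ check: 'unauthenticated-operation', where });
      }
      for (const req of requirements) {
        for (const name of Object.keys(req)) {
          if (!schemes.has(name)) findings.push({ check: 'undefined-security-scheme', where, scheme: name });
        }
      }
    }
  }
  return findings;
}
```

`auditSpec` works on the document alone; the runtime cross-reference the page describes would take these static results and compare them with what the endpoints actually return (for example, an operation declared as bearer-protected that answers 200 without a token). The cycle marker matters in practice: self-referential schemas such as tree nodes or user-friend lists are common in real specs, and a naive resolver loops on them.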