APIsec as an API security scanner

What middleBrick covers

  • Black-box scanning with read-only methods, completing in under one minute
  • Risk score A–F with prioritized findings
  • Detection aligned to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with strict header allowlist
  • Continuous monitoring and diff detection in Pro tier

Scope and approach of APIsec as a scanner

APIsec is a self-service API security scanner designed for external assessment without requiring code access or agents. Submit a URL to receive a risk score from A to F and a prioritized list of findings. The scanner operates in black-box mode, using only read-only methods such as GET and HEAD; text-only POST requests are reserved for LLM probes. A scan typically completes in under a minute, which makes it suitable for frequent checks across many endpoints.

Detection coverage aligned to established standards

APIsec maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection covers 12 categories aligned to OWASP API Top 10, including Authentication bypass and JWT misconfigurations such as alg=none, expired tokens, and sensitive data in claims. Additional coverage includes BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, BFLA and privilege escalation through admin endpoint probing, and Property Authorization issues like over-exposure of internal fields.
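To make the JWT checks concrete, here is an added example (not APIsec or middleBrick code) that decodes a token without verifying it and flags the three conditions named above; the list of claim names treated as sensitive and the sample token are constructed assumptions.

```javascript
// Added example (not APIsec/middleBrick code): decode a JWT without
// verifying it and report the misconfigurations the page lists:
// alg=none, an expired or missing exp, and sensitive data in claims.
// The SENSITIVE_CLAIMS list and the sample token are constructed assumptions.
const SENSITIVE_CLAIMS = ['password', 'ssn', 'card_number', 'secret'];

function b64urlJson(segment) {
  // base64url -> base64; Buffer tolerates missing '=' padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (typeof value !== 'object' || value === null) throw new Error('not a JSON object');
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { findings: ['malformed: expected header.payload.signature'] };
  let header, payload;
  try {
    header = b64urlJson(parts[0]);
    payload = b64urlJson(parts[1]);
  } catch (e) {
    return { findings: ['malformed: header or payload is not base64url-encoded JSON'] };
  }
  const findings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') {
    findings.push('alg=none: token is unsigned; a verifier must reject it');
  }
  if (typeof payload.exp !== 'number') {
    findings.push('missing exp: token never expires');
  } else if (payload.exp <= nowSeconds) {
    findings.push(`expired: exp ${payload.exp} is in the past`);
  }
  for (const name of Object.keys(payload)) {
    if (SENSITIVE_CLAIMS.includes(name.toLowerCase())) {
      findings.push(`sensitive claim "${name}": claims are only base64url-encoded, not encrypted`);
    }
  }
  return { header, payload, findings };
}

// Constructed sample: alg=none, exp already in the past (late 2023), and an ssn claim.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const SAMPLE_TOKEN = [
  b64url({ alg: 'none', typ: 'JWT' }),
  b64url({ sub: 'user-1', exp: 1700000000, ssn: '000-00-0000' }),
  '',
].join('.');
```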

The scanner also detects Input Validation issues such as CORS wildcards with credentials, dangerous HTTP methods, and debug endpoints; Rate Limiting and Resource Consumption through header detection and oversized responses; and Data Exposure patterns including email, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack. Encryption checks validate HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters and body fields with internal IP detection. Inventory Management identifies missing versioning and legacy paths, while Unsafe Consumption surfaces excessive third-party URLs and webhook exposure. For AI workflows, 18 adversarial probes across Quick, Standard, and Deep tiers test LLM security, including system prompt extraction, instruction override, jailbreak techniques, data exfiltration, token smuggling, and indirect prompt injection.
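The data-exposure checks are the easiest to reproduce locally. The following is an added example (not APIsec or middleBrick code) that scans a response body for e-mail addresses, Luhn-validated card numbers and one API-key format, AWS access key IDs; the regular expressions, the masking format and the sample body are constructed assumptions, and the AWS key value is the placeholder AWS itself uses in its documentation.

```javascript
// Added example (not APIsec/middleBrick code): scan a response body for the
// exposure patterns the page names: e-mail addresses, Luhn-validated card
// numbers and one API-key format (AWS access key IDs, which start with AKIA).
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13 to 19 digits, optionally separated by single spaces or dashes
const CARD_CANDIDATE_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
const AWS_KEY_RE = /\bAKIA[0-9A-Z]{16}\b/g;

function luhnValid(digits) {
  // Standard Luhn checksum: double every second digit from the right.
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function findExposedData(body) {
  const findings = [];
  for (const m of body.match(EMAIL_RE) || []) findings.push({ type: 'email', value: m });
  for (const m of body.match(CARD_CANDIDATE_RE) || []) {
    const digits = m.replace(/[ -]/g, '');
    // A digit run is only reported as a card number when the Luhn check passes,
    // which filters out order numbers and other ids of similar length.
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      // Report a masked value so the finding itself does not leak the PAN.
      findings.push({ type: 'card', value: `${digits.slice(0, 6)}...${digits.slice(-4)}` });
    }
  }
  for (const m of body.match(AWS_KEY_RE) || []) {
    findings.push({ type: 'aws_access_key', value: m.slice(0, 8) + '...' });
  }
  return findings;
}

// Constructed sample response body (not real data; the AWS key is the
// documented AWS placeholder, the card number is a well-known test PAN).
const SAMPLE_BODY = JSON.stringify({
  user: { email: 'alice@example.com', card: '4111 1111 1111 1111' },
  order: '9999999999999999',
  config: { awsKey: 'AKIAIOSFODNN7EXAMPLE' },
});
```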

OpenAPI analysis and authenticated scanning

APIsec parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. This helps highlight gaps between declared design and actual implementation.

Authenticated scanning, available from Starter tier and above, supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring that only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce noise and limit exposure.

Product features, monitoring, and pricing

The Web Dashboard provides a centralized view for scans, report downloads, score trend tracking, and branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants including Claude and Cursor, and a dedicated API client supports custom integrations.

Continuous Monitoring in Pro tier enables scheduled rescans every six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures.

Pricing includes a Free tier with 3 monthly scans and CLI access, Starter at 99 dollars per month for 15 APIs with dashboard and email alerts, Pro at 499 dollars per month for 100 APIs with continuous monitoring and CI/CD integration, and Enterprise at 2000 dollars per month for unlimited APIs, custom rules, SSO, and audit logs.

Safety posture and limitations

APIsec maintains a read-only posture, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training.

The scanner does not fix, patch, block, or remediate issues; it detects and provides remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain context best understood by human experts. Blind SSRF is out of scope due to the lack of out-of-band infrastructure, and the tool does not replace a human pentester for high-stakes audits.

Frequently Asked Questions

What does APIsec primarily do?
It is a self-service API security scanner: you submit a URL and it returns a risk score with prioritized findings, using only read-only methods.

Which frameworks does it map findings to?
It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).

Can it test authenticated APIs?
Yes, authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods, with domain verification required.

Does it perform active injection testing like SQL injection?
No, it does not perform active SQL injection or command injection testing, as those are outside its scope.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation.