APIsec for AppSec engineers
What middleBrick covers
- Black-box scanning with read-only methods under one minute
- Covers OWASP API Top 10 (2023) with 12 detection categories
- Maps findings to PCI-DSS 4.0 and SOC 2 Type II
- Supports authenticated scans with strict header allowlist
- OpenAPI 3.x and Swagger 2.0 parsing with spec/runtime cross-check
- Integrates with dashboard, CLI, GitHub Action, and MCP server
Purpose and scope of the scanner
middleBrick is a self-service API security scanner designed for AppSec and engineering workflows. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scanner operates in black-box mode without agents, SDKs, or code access, so it works with any language, framework, or cloud environment. A scan completes in under one minute and uses only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes.
Detection coverage and compliance mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II. Detection capabilities include:
- Authentication bypass and JWT misconfigurations
- Broken object level authorization and IDOR
- Broken function level authorization and privilege escalation
- Property authorization and field over-exposure
- Input validation, such as CORS wildcard usage and dangerous HTTP methods
- Rate limiting and resource consumption indicators
- Data exposure, including PII patterns and API key formats
- Encryption and HTTPS misconfigurations
- SSRF indicators in URL-accepting parameters
- Inventory issues, such as missing versioning
- Unsafe consumption surfaces
- LLM/AI security probes across multiple tiers
Beyond PCI-DSS and SOC 2, the tool helps you prepare for audits and aligns with security controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, and FERPA. middleBrick surfaces findings relevant to these frameworks but does not certify or guarantee compliance.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification is required, allowing only the domain owner to scan with credentials. The scanner forwards a strict header allowlist including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Safety is enforced by using read-only methods only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
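As an added example (not middleBrick's own code), this is how a scanner would implement the two guardrails just described: a strict allowlist for forwarded headers and a layered block on private, loopback and cloud metadata targets. The header names and the X-Custom-* prefix are the ones quoted above; the metadata host list, the function names and the injected resolver are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Header names and the X-Custom-* prefix are the allowlist quoted on the page.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)
# Well-known cloud metadata endpoints (assumed list, not exhaustive).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

def filter_headers(headers):
    """Forward only allowlisted headers; anything else is dropped, not passed through."""
    return {n: v for n, v in headers.items()
            if n.lower() in ALLOWED_HEADERS or n.lower().startswith(ALLOWED_PREFIXES)}

def is_safe_target(url, resolve):
    """Layered target check: scheme, literal host name/IP, then every resolved address.
    `resolve(host)` returns the IP strings the name maps to (injected so this runs offline)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, "blocked host name"
    try:  # literal IP in the URL: reject private, loopback, link-local, ULA, etc.
        if not ipaddress.ip_address(host).is_global:
            return False, "non-public literal address"
    except ValueError:
        pass  # not an IP literal, fall through to resolution
    # Every address the name resolves to is checked; one blocked address rejects the target.
    # (Pinning the checked address at connect time is still needed against DNS rebinding.)
    for ip in resolve(host):
        if ip in METADATA_HOSTS or not ipaddress.ip_address(ip).is_global:
            return False, f"resolves to blocked address {ip}"
    return True, "ok"

# Constructed resolver so the example is deterministic and offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}
def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```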
OpenAPI analysis and integration options
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
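An added example (not middleBrick's parser) of the two steps described here: recursive local $ref resolution over an OpenAPI 3.0 document, then a cross-check that flags security requirements naming undeclared schemes, deprecated operations, and collection GETs without a pagination parameter. The sample document, the pagination parameter names and the finding labels are constructed for the example.

```python
# Constructed OpenAPI 3.0 document: a parameter reachable only through $ref, an
# operation naming a security scheme that was never declared, a deprecated op.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Page": {"name": "page", "in": "query"}}},
    "paths": {
        "/users": {"get": {"security": [{"bearerAuth": []}],
                           "parameters": [{"$ref": "#/components/parameters/Page"}]}},
        "/admin/export": {"get": {"security": [{"adminKey": []}], "deprecated": True}}},
}
METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
PAGINATION = {"page", "limit", "offset", "cursor", "per_page", "page_size"}

def deref(doc, node, seen=()):
    """Inline local JSON-pointer $refs recursively; cycles and external refs stay."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if ref is not None:
            if ref in seen or not ref.startswith("#/"):
                return node
            target = doc
            for part in ref[2:].split("/"):  # RFC 6901 unescaping
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return deref(doc, target, seen + (ref,))
        return {k: deref(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(doc, v, seen) for v in node]
    return node

def audit_spec(spec):
    """Cross-check ops against components: undefined schemes, deprecated ops, collection GETs without pagination."""
    spec = deref(spec, spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            label = f"{method.upper()} {path}"
            for req in op.get("security", spec.get("security", [])):
                findings += [("undefined_security_scheme", label, s) for s in req if s not in defined]
            if op.get("deprecated"):
                findings.append(("deprecated_operation", label, None))
            if method == "get" and not path.endswith("}"):
                names = {p.get("name") for p in op.get("parameters", [])}
                if not names & PAGINATION:
                    findings.append(("missing_pagination", label, None))
    return findings
```

Without the $ref step the /users operation would be wrongly reported as missing pagination, which is why resolution has to run before the cross-check.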
Integration options include a Web Dashboard for scanning, viewing reports, and tracking score trends with downloadable branded compliance PDFs. The CLI npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action provides CI/CD gating, failing the build when the score drops below a set threshold. An MCP server enables scanning from AI coding assistants, and a programmatic API supports custom integrations.
Continuous monitoring and product tiers
Pro tier subscriptions enable scheduled rescans at intervals of 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift across scans. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks auto-disable after 5 consecutive failures.
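The page states only that webhooks are HMAC-SHA256 signed, so the receiver-side verification below is an added example with an assumed wire format (header names, the timestamp-plus-body message, and the 300-second replay window are all assumptions, not middleBrick's documented format); the sample payload is constructed.

```python
import hashlib, hmac, json, time

# Assumed wire format (the page names only HMAC-SHA256 signed webhooks): the sender
# puts a unix timestamp in X-Webhook-Timestamp and "sha256=<hex>" in
# X-Webhook-Signature, where the HMAC covers "<timestamp>.<raw body>".
TOLERANCE_SECONDS = 300  # assumed replay window

def sign(secret, timestamp, body):
    """Sender side: HMAC-SHA256 over timestamp and raw body, hex-encoded."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, headers, body, now=None):
    """Receiver side: reject stale timestamps, then compare in constant time.
    Verify the raw bytes before JSON-decoding; re-serialised JSON will not match."""
    now = int(time.time()) if now is None else now
    ts = headers.get("X-Webhook-Timestamp", "")
    sig = headers.get("X-Webhook-Signature", "")
    if not ts.isdigit():
        return False, "missing or malformed timestamp"
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    if not hmac.compare_digest(sign(secret, int(ts), body), sig):
        return False, "signature mismatch"
    return True, "ok"

# Constructed sample: a diff-style payload of the kind the monitoring feature reports.
SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({"api": "https://api.example.com", "score": {"before": "B", "after": "C"},
                          "new_findings": 2, "resolved_findings": 1}).encode()
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADERS = {"X-Webhook-Timestamp": str(SAMPLE_TS),
                  "X-Webhook-Signature": sign(SECRET, SAMPLE_TS, SAMPLE_BODY)}
```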
The Free tier provides 3 scans per month and CLI access. Starter, at 99 dollars per month, supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP server. Pro, at 499 dollars per month, supports 100 APIs with additional APIs billed at 7 dollars each, continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise, at 2000 dollars per month, offers unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Limitations and responsible use
middleBrick does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. The tool does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits.
Results should be interpreted by security professionals familiar with their environment. The scanner supports audit evidence collection and helps prepare for assessments, but it is not an auditor and cannot validate controls independently.