APIsec for CTOs
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Risk scoring and prioritized findings from A to F
- Detection aligned to OWASP API Top 10 (2023)
- Support for OpenAPI 3.0, 3.1, and Swagger 2.0
- Authenticated scanning with strict header allowlist
- CI/CD integration via GitHub Action and MCP Server
Purpose and workflow for engineering teams
This scanner is a self-service API security assessment tool designed for integration into existing engineering workflows. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scan is black-box, requiring no agents, SDKs, or access to source code, and completes in under a minute. It uses read-only methods, including GET and HEAD, with text-only POST for LLM probes, making it suitable for environments where intrusive testing is restricted.
Detection coverage aligned to industry standards
The scanner evaluates APIs against 12 security categories aligned to the OWASP API Top 10 (2023). It maps findings to controls defined in PCI-DSS 4.0 and SOC 2 Type II for audit evidence purposes. Detection areas include authentication bypass and JWT misconfigurations, broken object level authorization, privilege escalation, property over-exposure, input validation issues such as CORS misconfigurations and dangerous HTTP methods, rate limiting characteristics, data exposure including PII and API key patterns, encryption hygiene, SSRF indicators, inventory and versioning issues, unsafe consumption surfaces, and LLM/AI security probes across multiple tiers.
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution. The scanner cross-references spec definitions against runtime behavior, highlighting undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. These capabilities help you prepare for compliance reviews and support audit evidence collection.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The scanner operates with a strict safety posture. It uses read-only methods exclusively and never sends destructive payloads. Private IP addresses, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. middleBrick is a scanning tool: it does not fix, patch, block, or remediate findings, and it does not perform intrusive injection tests or detect business logic vulnerabilities.
Product formats and integration options
Results are accessible through the Web Dashboard, where scans can be managed, trends tracked, and branded compliance PDFs downloaded. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing builds when scores drop below a defined threshold. An MCP Server enables scanning from AI coding assistants, and a programmable API client supports custom integrations.
Continuous monitoring is offered in the Pro tier, including scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved items, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures.
Pricing and compliance framing
The Free tier provides three scans per month and CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs, with additional APIs billed at 7 dollars each, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise tiers start at 2000 dollars per month and include unlimited APIs, custom rules, SSO, audit logs, SLA guarantees, and dedicated support.
Findings and guidance are aligned with PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the scanner aligns with security controls described in relevant standards and supports audit evidence collection. Note that middleBrick is a scanning tool and cannot certify systems or replace human pentesters for high-stakes audits.