APIsec for Mid-market companies

What middleBrick covers

  • Black-box API security scanning with no agents or code access
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10, PCI-DSS 4.0, and SOC 2
  • Authenticated scanning with header allowlist controls
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with diff tracking
  • CI/CD integration via GitHub Action and MCP server support

Overview for Mid-market Teams

For mid-market organizations, APIsec provides a self-service scanner that fits between basic developer tools and formal penetration tests. You submit a URL and receive a risk score from A to F with prioritized findings in under a minute. The scanner operates as a black-box solution, requiring no agents, SDKs, or code access, and works across any language, framework, or cloud environment using read-only methods.

Detection Scope and Mapping to Frameworks

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), covering authentication bypasses, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, and property over-exposure. It also detects input validation issues like CORS wildcards, rate-limiting indicators, data exposure including PII and API key patterns, encryption misconfigurations, SSRF indicators, and LLM-specific adversarial probes across multiple tiers.
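The JWT checks above are the kind of thing a team can also run on its own side, for example as a gateway pre-filter or a detection rule over tokens seen in traffic. The following is an added example, not middleBrick's code: it decodes a token without trusting it, flags alg=none, a missing or past exp claim, and an empty signature. The make_token helper only builds constructed sample tokens for the demonstration; it is not a signer.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header, payload, signature=""):
    # Constructed helper for building sample tokens in this example; it does not sign anything
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        signature,
    ])


def inspect_jwt(token, now=None):
    """Return a list of findings for a JWT. The signature is not verified here;
    this is a detection pass, so the token is parsed but never trusted."""
    now = time.time() if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return ["malformed: header or payload is not base64url-encoded JSON"]
    alg = str(header.get("alg", "")).lower()
    if alg in ("none", ""):
        # a verifier that honours this header performs no signature check at all
        findings.append("alg=none: unsigned token accepted as a JWT")
    if "exp" not in payload:
        findings.append("missing exp: token never expires")
    elif payload["exp"] <= now:
        findings.append("expired: exp is in the past")
    if parts[2] == "" and alg != "none":
        findings.append("empty signature with a signing algorithm declared")
    return findings


if __name__ == "__main__":
    sample = make_token({"alg": "none", "typ": "JWT"}, {"sub": "user1", "exp": 1000})
    for finding in inspect_jwt(sample, now=2000):
        print(finding)
```

The mitigation on the verifier side is to pin the accepted algorithms to the one the issuer actually uses and to reject tokens whose exp claim is missing or past, rather than to block individual tokens after the fact.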

These findings map directly to controls covered in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the results help you prepare for audit evidence collection and align with security controls described in relevant standards.

Authenticated Scanning and Scope Controls

Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only domain owners can scan with credentials. The scanner forwards a restricted allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*, and respects read-only methods to avoid destructive operations.
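The three controls in this section, a header allowlist, domain ownership proof, and read-only methods scoped to the verified host, fit together as one decision about whether a request may carry credentials at all. The code below is an added example that is not middleBrick's implementation; it also covers the "How does authenticated scanning work?" answer further down. The allowlist patterns follow the headers named on this page, but the exact product list, the TXT record syntax middlebrick-verify=<token>, and the well-known file contents are assumptions made for this example.

```python
import fnmatch
from urllib.parse import urlsplit

# Assumed allowlist modelled on the headers the page names; matched case-insensitively.
ALLOWED_HEADER_PATTERNS = ("authorization", "x-api-key", "cookie", "x-custom-*")
READ_ONLY_METHODS = {"GET", "HEAD"}


def filter_headers(headers):
    """Return only the headers a scanner may forward; everything else is dropped."""
    return {
        name: value
        for name, value in headers.items()
        if any(fnmatch.fnmatchcase(name.lower(), pat) for pat in ALLOWED_HEADER_PATTERNS)
    }


def domain_verified(txt_records, well_known_body, token):
    """Accept either a DNS TXT record or a well-known file carrying the issued token.
    The record format 'middlebrick-verify=<token>' is an assumption for this example."""
    expected = "middlebrick-verify=" + token
    if any(record.strip().strip('"') == expected for record in txt_records):
        return True
    return well_known_body is not None and well_known_body.strip() == token


def plan_request(method, url, headers, verified_domain):
    """Decide whether a request may be sent with credentials.
    Returns (forwarded_headers, reason); forwarded_headers is None when refused."""
    method = method.upper()
    host = (urlsplit(url).hostname or "").lower()
    if method not in READ_ONLY_METHODS:
        return None, "refused: %s is not a read-only method" % method
    if host != verified_domain.lower():
        # credentials must never leave the domain whose ownership was proven,
        # which also covers redirects that try to pull the request elsewhere
        return None, "refused: host %s is outside the verified domain" % host
    return filter_headers(headers), "ok"


if __name__ == "__main__":
    # constructed sample input
    hdrs = {"Authorization": "Bearer abc", "X-Custom-Tenant": "t1", "X-Forwarded-For": "10.0.0.1"}
    print(plan_request("GET", "https://api.example.com/v1/users", hdrs, "api.example.com"))
    print(plan_request("DELETE", "https://api.example.com/v1/users/1", hdrs, "api.example.com"))
```

The point of the host check sitting in plan_request rather than in the caller is that every outgoing request, including ones generated from links or redirects found during the scan, goes through the same gate.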

Product Integrations and Continuous Monitoring

The Web Dashboard centralizes scan management, report viewing, score trend tracking, and downloadable compliance PDFs. The CLI allows on-demand scans with JSON or text output using a command such as middlebrick scan <url>. The GitHub Action integrates into CI/CD pipelines and can fail builds when scores drop below a defined threshold. The MCP Server enables scanning from AI coding assistants. Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts at a rate-limited frequency, and HMAC-SHA256 signed webhooks with auto-disable after consecutive failures.
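A receiver of the signed webhooks has to verify the HMAC before acting on a scan event, and the sender has to stop retrying an endpoint that keeps failing. The following is an added example showing both halves, written for this page rather than taken from middleBrick: the header names X-Signature-256 and X-Timestamp, the sha256= prefix, the timestamp-bound message, and the failure threshold are assumptions; the product's actual signing format is not described here.

```python
import hashlib
import hmac
import json

# Header names, signature format and replay window are assumptions for this example.
SIGNATURE_HEADER = "X-Signature-256"
TIMESTAMP_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300


def sign(secret, timestamp, body):
    # Binding the timestamp into the MAC means a captured delivery cannot be replayed later
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, headers, body, now):
    """Receiver-side check: freshness window plus constant-time comparison."""
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    return hmac.compare_digest(expected, headers.get(SIGNATURE_HEADER, ""))


class WebhookEndpoint:
    """Sender-side bookkeeping: disable the endpoint after N consecutive failed deliveries."""

    def __init__(self, url, secret, max_failures=5):
        self.url = url
        self.secret = secret
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event, transport, now):
        """transport(url, headers, body) returns an HTTP status code. Returns True on success."""
        if not self.enabled:
            return False
        # canonical JSON so the bytes that are signed are exactly the bytes that are sent
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        headers = {
            "Content-Type": "application/json",
            TIMESTAMP_HEADER: str(now),
            SIGNATURE_HEADER: sign(self.secret, now, body),
        }
        status = transport(self.url, headers, body)
        if 200 <= status < 300:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_failures:
            self.enabled = False  # auto-disable; an operator re-enables after fixing the receiver
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"

    def receiver(url, headers, body):
        # stands in for the customer's HTTP endpoint
        return 200 if verify(secret, headers, body, now=1700000000) else 401

    ep = WebhookEndpoint("https://hooks.example.com/middlebrick", secret)
    print(ep.deliver({"scan_id": "s1", "score": "B"}, receiver, now=1700000000))
```

On the receiving side, the two details that matter are comparing with hmac.compare_digest rather than == and computing the MAC over the raw request body, not over a re-serialized copy of the parsed JSON.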

OpenAPI Analysis and Data Management

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. Data is never sold and is not used for model training.
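Resolving $ref before auditing matters because a security requirement or a parameter hidden behind a reference is invisible to a check that reads the raw document. The code below is an added example, not middleBrick's parser: it resolves local JSON-pointer references (stopping at cycles), then reports operations that name an undefined security scheme, operations with no security requirement, deprecated operations still present, and GET list endpoints without a pagination parameter. The sample spec and the pagination parameter names are constructed for the example.

```python
def resolve_refs(node, root, _seen=()):
    """Recursively replace local {"$ref": "#/..."} nodes with their targets.
    A reference already being resolved (a cycle) is left in place."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in _seen:
                return node
            target = root
            for part in ref[2:].split("/"):
                part = part.replace("~1", "/").replace("~0", "~")  # JSON pointer unescape
                target = target[part]
            return resolve_refs(target, root, _seen + (ref,))
        return {k: resolve_refs(v, root, _seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, _seen) for v in node]
    return node


HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor"}  # constructed list


def _returns_array(op):
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            if media.get("schema", {}).get("type") == "array":
                return True
    return False


def _has_pagination(op):
    return any(p.get("name", "").lower() in PAGINATION_PARAMS for p in op.get("parameters", []))


def audit_spec(spec):
    """Return findings for an OpenAPI 3.x document after $ref resolution."""
    findings = []
    resolved = resolve_refs(spec, spec)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    global_security = resolved.get("security", [])
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            op_id = "%s %s" % (method.upper(), path)
            requirements = op.get("security", global_security)  # operation level overrides global
            if not requirements:
                findings.append("%s: no security requirement" % op_id)
            for req in requirements:
                for scheme in req:
                    if scheme not in defined:
                        findings.append("%s: references undefined security scheme '%s'" % (op_id, scheme))
            if op.get("deprecated"):
                findings.append("%s: deprecated operation still exposed" % op_id)
            if method.lower() == "get" and _returns_array(op) and not _has_pagination(op):
                findings.append("%s: returns a list without pagination parameters" % op_id)
    return findings


# Constructed sample document for the example
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Limit": {"name": "limit", "in": "query", "schema": {"type": "integer"}}},
        "schemas": {
            "User": {"type": "object", "properties": {"id": {"type": "integer"}}},
            "Node": {"type": "object", "properties": {
                "children": {"type": "array", "items": {"$ref": "#/components/schemas/Node"}}}},
        },
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {"get": {
            "parameters": [{"$ref": "#/components/parameters/Limit"}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/orders": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"type": "object"}}}}}}}},
        "/admin/export": {"get": {"security": [{"apiKeyAuth": []}], "deprecated": True,
                                  "responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(finding)
```

Note that /users only passes the pagination check because the Limit parameter was resolved first; the same audit over the unresolved document would wrongly flag it.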

Frequently Asked Questions

What scan methods are used and what is excluded?
The scanner uses read-only methods such as GET and HEAD, plus text-only POST for LLM probes. It does not perform active SQL injection, command injection, or blind SSRF, and it does not fix, patch, or block issues.

How does authenticated scanning work?
Authenticated scanning requires domain verification through DNS or file-based proof. Only specific headers are forwarded, and credentials are validated without exposing them beyond the target domain.

What frameworks does the scanner map findings to?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the results support audit evidence and alignment with described controls.

Can the scanner integrate into existing workflows?
Yes, integrations include a web dashboard, CLI, GitHub Action, MCP server for AI assistants, and a programmable API for custom workflows.