APIsec for Pre-seed startups
What middleBrick covers
- Black-box scanning with under-one-minute risk scoring
- 12 security categories aligned to the OWASP API Top 10 (2023), with prioritized findings
- OpenAPI 3.0/3.1/Swagger 2.0 aware analysis
- Authenticated scans with domain verification
- Web dashboard, CLI, GitHub Action, and MCP integrations
- Pro monitoring with scheduled rescans and HMAC webhooks
Risk visibility in under a minute
Pre-seed products move fast and often expose public endpoints early in development. middleBrick runs a black-box scan that needs no agents, SDKs, or code access: submit a URL and receive an A-to-F risk score with prioritized findings in under a minute. The scan uses read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes, so it suits teams that want quick feedback without changing deployment pipelines or exposing internal infrastructure.
Detection aligned to industry standards
The scanner covers 12 security categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT weaknesses such as accepting alg=none or expired tokens, BOLA/IDOR via sequential ID enumeration, BFLA and privilege escalation probes, and sensitive data exposure including PII patterns and API key formats for AWS, Stripe, GitHub, and Slack. It also detects issues in input validation, rate limiting, encryption, SSRF indicators, inventory management, and unsafe consumption surfaces, and covers LLM/AI security through 18 adversarial probes across Quick, Standard, and Deep tiers. Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 controls, which helps when assembling audit evidence and preparing for security reviews.
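As an added illustration, not code from middleBrick, the following Python shows the two JWT weaknesses named above from the server side: a naive verifier that honours whatever alg the client sends and never checks exp, beside a hardened one that pins the algorithm, requires a valid signature and enforces expiry. A small probe routine then feeds each verifier a forged alg=none token and an expired (but correctly signed) token, which is the shape of check a scanner runs. The signing secret and the claims are constructed for the example; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed signing secret for the example only; not a real key.
SECRET = b"example-hs256-secret-not-real"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(payload: dict, alg: str = "HS256") -> str:
    """Build a JWT. alg="none" yields the unsigned form an attacker forges."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}"
    if alg == "none":
        return signing_input + "."          # empty signature segment
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_naive(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Vulnerable verifier: honours the alg the client sent and ignores exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header["alg"] == "none":
        return json.loads(b64url_decode(payload_b64))   # forged token accepted
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))   # exp never checked
    return None


def verify_strict(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: algorithm pinned server-side, signature mandatory, exp enforced."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:                                   # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                                      # "none" and every other alg rejected
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None                                      # missing or past exp rejected
    return payload


def audit_verifier(verify: Callable[[str, float], Optional[dict]], now: float) -> list:
    """Probe a verifier the way a scanner does: offer it an alg=none token and an
    expired (but correctly signed) token and report which ones it accepts."""
    findings = []
    if verify(mint_token({"sub": "admin", "exp": now + 3600}, alg="none"), now) is not None:
        findings.append("accepts alg=none (unsigned) tokens")
    if verify(mint_token({"sub": "alice", "exp": now - 1}), now) is not None:
        findings.append("accepts expired tokens")
    return findings
```

Running audit_verifier against verify_naive reports both findings; against verify_strict it reports none. In a real black-box scan the expired-token probe needs a genuine token from an authenticated session, while the alg=none probe needs nothing but the ability to craft a header.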
OpenAPI-aware analysis
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution. It cross-references the spec against runtime behavior to highlight security schemes that are referenced but never defined, sensitive fields in schemas, deprecated operations that are still served, and list endpoints without pagination. This comparison surfaces gaps between the declared design and actual behavior, so teams can validate interface contracts without access to source code.
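An added example of the spec-side checks described here, written for this page rather than taken from middleBrick: it resolves document-local $ref pointers recursively with a cycle guard (a self-referencing schema would otherwise recurse forever), then flags undeclared security schemes, deprecated operations, list responses whose operation declares no pagination parameter, and property names that look like secrets or PII. The OpenAPI fragment, the pagination parameter names and the sensitive field names are constructed for the example; the comparison against live responses is not shown.

```python
from typing import Any, List, Optional, Tuple

# Constructed OpenAPI 3.0 fragment for the example, not a real service. It has a
# self-referencing schema, an operation that names a security scheme never
# declared, a deprecated operation, and a list endpoint with no pagination.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "ssn": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {
            "operationId": "listUsers", "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {"get": {
            "operationId": "getUser", "security": [{"apiKeyAuth": []}],
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/legacy/export": {"get": {
            "operationId": "legacyExport", "deprecated": True,
            "responses": {"200": {"description": "ok"}}}},
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}  # assumed list
SENSITIVE_FIELDS = {"password", "ssn", "secret", "token", "credit_card"}              # assumed list


def resolve_ref(doc: dict, ref: str) -> Any:
    """Follow a document-local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only document-local $ref is supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def deref(doc: dict, node: Any, seen: Tuple[str, ...] = ()) -> Any:
    """Recursively inline $ref. A ref already on the current path is a cycle and
    is replaced by a marker instead of recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(doc, resolve_ref(doc, ref), seen + (ref,))
        return {k: deref(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(doc, v, seen) for v in node]
    return node


def sensitive_fields(schema: Any, found: Optional[List[str]] = None) -> List[str]:
    """Collect property names that look like secrets or PII, through nested objects and arrays."""
    found = [] if found is None else found
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            if name.lower() in SENSITIVE_FIELDS:
                found.append(name)
            sensitive_fields(sub, found)
        if "items" in schema:
            sensitive_fields(schema["items"], found)
    return found


def lint_spec(doc: dict) -> List[Tuple[str, str]]:
    """Return (operationId, issue) findings for the static checks listed above."""
    findings = []
    declared = set(doc.get("components", {}).get("securitySchemes", {}))
    for path, item in doc.get("paths", {}).items():
        for method, raw_op in item.items():
            if method not in HTTP_METHODS:
                continue
            op = deref(doc, raw_op)
            op_id = op.get("operationId", f"{method.upper()} {path}")
            for requirement in op.get("security", doc.get("security", [])):
                for scheme in requirement:
                    if scheme not in declared:
                        findings.append((op_id, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((op_id, "deprecated operation still exposed"))
            params = {p.get("name", "").lower() for p in op.get("parameters", [])}
            for response in op.get("responses", {}).values():
                for media in response.get("content", {}).values():
                    schema = media.get("schema", {})
                    if method == "get" and schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                        findings.append((op_id, "list response without pagination parameters"))
                    for field in sensitive_fields(schema):
                        findings.append((op_id, f"response exposes sensitive field '{field}'"))
    return findings
```

On the constructed spec, lint_spec returns five findings: the list endpoint lacks pagination and exposes ssn, getUser names an undeclared apiKeyAuth scheme and also exposes ssn, and legacyExport is deprecated but still published. Only local pointers are resolved here; a remote or file $ref would raise rather than be silently skipped.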
Authenticated scanning and safe operation
On the Starter tier and above, authenticated scans accept Bearer tokens, API keys, Basic auth, and Cookie credentials. Domain verification via a DNS TXT record or an HTTP well-known file ensures that only the domain owner can run credentialed scans, and a strict header allowlist forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers. The scanner keeps a read-only posture: it never sends destructive payloads, it refuses to reach private IP ranges, localhost, and cloud metadata endpoints, and it reports remediation guidance rather than attempting to fix or block issues itself.
Integrations and monitoring options
Results are available in a web dashboard with trend tracking and downloadable compliance PDFs; from the CLI (middlebrick scan <url>, with JSON or text output); through a GitHub Action that can fail a build when the score drops below a threshold; and through an MCP server for AI coding assistants. The Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures. An API client supports custom integrations for teams with existing security workflows.
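Receiving the HMAC-SHA256 signed webhooks on your side, as an added example rather than code from middleBrick: the header names, the signing-string layout (timestamp, a dot, the raw body) and the hex encoding below are assumptions made for illustration, so check middleBrick's webhook documentation for the actual format before using this. What carries over regardless of format is the shape of the check: verify over the raw request bytes before parsing them, compare in constant time, and reject deliveries whose timestamp falls outside a short window so a captured request cannot be replayed later. The secret and the sample event are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret and header names for illustration only; the real
# names and signing-string layout come from middleBrick's webhook documentation.
WEBHOOK_SECRET = b"whsec_example_not_real"
SIG_HEADER = "X-Middlebrick-Signature"   # assumed header name
TS_HEADER = "X-Middlebrick-Timestamp"    # assumed header name
MAX_SKEW_SECONDS = 300                   # replay window, a local policy choice


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Assumed layout: HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, now: Optional[float] = None,
                   secret: bytes = WEBHOOK_SECRET) -> Optional[dict]:
    """Return the parsed event if signature and timestamp check out, else None.
    The MAC is computed over the raw bytes, never over re-serialised JSON, and
    the comparison is constant-time. Real frameworks hand you case-insensitive
    headers; a plain dict is used here so the example runs stand-alone."""
    now = time.time() if now is None else now
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER, "")
    if ts_raw is None or not ts_raw.isdigit():
        return None
    if not isinstance(sig, str) or not sig.isascii():
        return None                                  # compare_digest needs ASCII str
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None                                  # stale or replayed delivery
    if not hmac.compare_digest(sign(body, ts, secret), sig.lower()):
        return None                                  # body or header tampered, or wrong secret
    try:
        return json.loads(body)
    except ValueError:
        return None


# Constructed sample event resembling a scan-diff notification.
SAMPLE_EVENT = {"event": "scan.completed", "api": "https://api.example.com",
                "grade": "C", "previous_grade": "B"}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode()


def make_delivery(timestamp: int, body: bytes = SAMPLE_BODY,
                  secret: bytes = WEBHOOK_SECRET) -> dict:
    """Headers a sender using the assumed layout would attach to one delivery."""
    return {TS_HEADER: str(timestamp), SIG_HEADER: sign(body, timestamp, secret)}
```

Respond with a 2xx only after verify_webhook succeeds, and queue any heavy processing rather than doing it inline: the sender disables a webhook after five consecutive delivery failures, so an endpoint that keeps erroring silently stops receiving alerts.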