APIsec for Seed-stage startups
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- Coverage of 12 OWASP API Top 10 (2023) categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing
- Authenticated scans with domain verification
- Programmatic access via CLI and API
Overview for seed-stage teams
Seed-stage products often rely on a small number of public and partner APIs while moving quickly between deployments. middleBrick is a self-service API security scanner designed for this context: submit a URL and receive a risk score from A to F with prioritized findings in under a minute. It performs black-box testing using only read-only methods, which means no agents, no code access, and no SDK integration are required. The scanner works across any language, framework, or cloud target, and it maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Detection scope and scan coverage
The scanner covers 12 security categories aligned to OWASP API Top 10 (2023), providing broad coverage without executing destructive payloads. It detects authentication bypasses and JWT misconfigurations such as alg=none, weak secret choices, expired tokens, and missing claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA through admin endpoint probing and privilege escalation indicators. Additional categories include Property Authorization over-exposure, Input Validation issues like CORS wildcards and dangerous HTTP methods, Rate Limiting anomalies, Data Exposure patterns including PII and API key leakage, Encryption misconfigurations, SSRF indicators, Inventory Management gaps, unsafe third-party consumption surfaces, and LLM/AI Security adversarial probes across tiered scan depths.
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Because the scanner does not perform active SQL injection or command injection, these checks remain non-intrusive and focused on detection rather than exploitation.
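As an added illustration of the passive JWT checks described above (example code, not middleBrick's own), the following Python inspects a token without verifying or accepting it and reports alg=none, an expired exp, and missing claims; the REQUIRED_CLAIMS list, the finding strings, and the sample-token builder are assumptions for this example.

```python
import base64
import json
import time

# Claims an access token is expected to carry (assumption for this example).
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str, now=None) -> list:
    """Return findings for a token without verifying its signature.

    Mirrors the passive checks described on the page (alg=none, expired
    tokens, missing claims). It only reports; it never accepts the token.
    """
    now = int(time.time()) if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 and bad JSON
        return ["malformed: header or payload is not base64url JSON"]
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("alg=none: token carries no signature algorithm")
    if parts[2] == "":
        findings.append("empty signature segment")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing claim: {claim}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append(f"expired: exp={int(exp)} is not after now={now}")
    return findings


def encode_sample_token(header: dict, payload: dict, signature: str = "") -> str:
    # Constructed test-input builder (assumption): encodes header and payload
    # as base64url JSON so the checks above can be exercised offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"
```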
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Access is gated by domain verification using DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers to reduce noise. The scanner enforces a read-only posture: destructive payloads are never sent, private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer scan data can be deleted on demand and purged within 30 days of cancellation.
Product options and integration paths
The Web Dashboard centralizes scans, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, published as an npm package, enables commands such as middlebrick scan <url> with JSON or text output for scripting. A GitHub Action can gate CI/CD, failing the build when the score drops below a set threshold. An MCP Server allows scanning from AI coding assistants like Claude and Cursor, and a programmable API supports custom integrations. The Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection across scans, email alerts rate-limited to one per hour per API, HMAC-SHA256 signed webhooks that are auto-disabled after five consecutive delivery failures, and Slack or Teams notifications.
Compliance positioning and limitations
middleBrick helps you prepare for compliance activities by surfacing findings relevant to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it aligns with security controls described in and supports audit evidence for reviews, but it does not certify or guarantee compliance with HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA, or similar regulations. The scanner does not fix, patch, block, or remediate issues, nor does it replace a human pentester for high-stakes audits. Business logic vulnerabilities and blind SSRF requiring out-of-band infrastructure are out of scope, and the tool is not designed for active exploitation.