Astra for IoT / OT
What middleBrick covers
- Black-box scanning without agents or code access
- Under-one-minute scan time per endpoint
- Detection of 12 OWASP API Top 10 categories
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with header allowlists
- Continuous monitoring and diff detection
Scope and approach for IoT and OT
middleBrick is a black-box API security scanner designed to surface risks without requiring code access, agents, or SDKs. For IoT and OT environments, this approach minimizes deployment friction on constrained or legacy devices while still providing a structured assessment of exposed endpoints.
The scanner uses only read-only HTTP methods (GET and HEAD), plus text-only POST requests for the LLM probes, and completes in under a minute per endpoint. This keeps interactions non-intrusive and avoids triggering safety shutdowns on sensitive equipment.
By focusing on observable behavior rather than internal implementation, the tool supports risk-based testing strategies where intrusive exploits are out of scope. The scanner identifies configuration issues and information leaks that commonly affect managed and unmanaged devices alike.
Detection coverage aligned to industry standards
middleBrick maps findings to three core frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). This alignment helps you prepare for audits and validates controls relevant to API and service interfaces in IoT and OT contexts.
The tool detects authentication bypasses, JWT misconfigurations, and security header issues that can affect device identity and access control. BOLA and IDOR checks probe for predictable identifiers and unauthorized data access across endpoints.
Additional categories cover input validation, data exposure, SSRF indicators, and unsafe consumption patterns. For LLM-facing surfaces, the scanner runs 18 adversarial probes across three tiers to identify prompt-injection risks and data exfiltration paths.
OpenAPI and inventory analysis
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the spec against runtime behavior to highlight undefined security schemes, deprecated operations, and missing pagination that may affect monitoring.
This analysis is valuable in environments where device APIs are documented inconsistently or evolve without strict governance. The scanner surfaces deviations between declared contracts and actual responses, reducing the risk of misconfigured integrations.
By comparing defined schemas with observed traffic, the tool helps maintain an accurate inventory of API surfaces that may otherwise be overlooked in complex OT networks.
Authenticated scanning and operational safeguards
Authenticated scanning (Starter tier and above) supports Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate ensures that only the domain owner can scan with credentials, using DNS TXT records or an HTTP well-known file.
The scanner forwards only a restricted allowlist of headers: Authorization, X-API-Key, Cookie, and any X-Custom-* header. Everything else is dropped, which minimizes unintended side effects and respects device-specific routing or processing rules.
Safety mechanisms block scans against private IPs, localhost, and cloud metadata endpoints at multiple layers. Scan data is deletable on demand and purged within 30 days of cancellation, aligning with responsible data handling practices.
Product features, limits, and compliance framing
Products include a Web Dashboard for scan management and trend tracking, a CLI via the middlebrick npm package, and a GitHub Action for CI/CD gating. An MCP Server enables scanning from AI-assisted coding tools, and the Pro tier adds continuous monitoring with diff detection and scheduled rescans.
middleBrick is a scanning tool and does not fix, patch, or remediate findings. It does not perform active SQL injection or command injection tests, detect business logic flaws, or replace a human pentester for high-stakes audits.
The tool helps you prepare for security reviews and aligns with security controls described in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It surfaces findings relevant to audit evidence but does not certify compliance or guarantee adherence to any regulatory framework.