Astra for Mid-market companies

Organizations balancing growth and risk management need a scanner that is simple to adopt yet precise in findings. This tool is a self-service API security scanner that accepts a URL and returns a risk score from A to F with prioritized findings. It operates as a black-box scanner, requiring no agents, no code access, and no SDK integration. Scans complete in under a minute using read-only methods (GET and HEAD) plus text-only POST for LLM probes, making it suitable for environments where intrusive testing is not acceptable.

The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It detects authentication bypass and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims. It identifies Broken Object Level Authorization (BOLA) and Insecure Direct Object Reference (IDOR) via sequential ID enumeration and active adjacent-ID probing. BFLA and privilege escalation risks are surfaced through admin endpoint probing and role/permission field leakage. Property authorization over-exposure and internal field leakage are flagged, along with mass-assignment surfaces. Input validation checks include CORS wildcard usage with and without credentials and dangerous HTTP methods. Detection of rate limiting and resource abuse includes rate-limit header analysis, oversized responses, and unpaginated arrays. Sensitive data exposure covers PII patterns, API key formats, and error/stack-trace leakage. Encryption checks validate HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters and internal IP-bypass attempts. Inventory management issues include missing versioning and legacy path patterns. The tool also performs LLM / AI Security testing with adversarial probes for jailbreaks, data exfiltration, and prompt injection. Each finding maps to OWASP API Top 10 (2023) and helps you prepare for SOC 2 Type II and PCI-DSS 4.0 by surfacing findings relevant to their control frameworks.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*, reducing noise and potential side effects. These capabilities allow teams to validate security schemes defined in their OpenAPI contracts and detect deviations before deployment.

The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a defined threshold. An MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing risk management, Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift across scans. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can be configured with auto-disable after five consecutive failures. These integrations help you align with internal workflows while maintaining a clear security posture.

The scanner follows a strict read-only posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. It is not designed to fix, patch, or block issues; it detects and reports with remediation guidance. Active SQL injection and command injection tests are out of scope, as are blind SSRF tests that rely on out-of-band infrastructure. Business logic vulnerabilities require human expertise and are not detected automatically. Teams should treat this as one component of a broader security strategy and not rely on it as a sole assurance mechanism.