Astra for Series A startups

As a Series A startup, your engineering team needs a security signal without the overhead of managing agents, SDKs, or code instrumentation. This scanner operates as a black-box solution: you submit an API endpoint URL and receive a risk score with prioritized findings within a minute. It supports any language, framework, or cloud stack, and requires no runtime integrations. The approach is read-only, using GET and HEAD methods plus text-only POST for LLM probes, ensuring no destructive payloads are ever sent.

The scanner maps findings to three widely referenced frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Coverage includes authentication bypasses, JWT misconfigurations such as alg=none or expired tokens, sensitive data exposure in claims, and security header misconfigurations. It detects BOLA and BFLA patterns, including sequential ID enumeration and admin endpoint probing, while highlighting over-exposed properties and mass-assignment surfaces. Input validation checks cover CORS wildcard usage, dangerous HTTP methods, and debug endpoints. Additional checks address rate-limiting headers, PII patterns (including Luhn-validated card numbers and context-aware SSN), exposed API key formats, HTTPS and HSTS misconfigurations, SSRF indicators in URL-accepting parameters, and inventory issues such as missing versioning. LLM security testing includes system prompt extraction, instruction override, and jailbreak probes aligned to current threat models.

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior. This highlights undefined security schemes, deprecated operations, missing pagination, and sensitive fields that are not reflected in the specification. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced via DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers to limit exposure.

The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, available as an npm package, enables local execution with middlebrick scan <url> and supports JSON or text output. A GitHub Action provides CI/CD gating, failing the build when the score drops below a defined threshold. An MCP Server allows scans from AI coding assistants such as Claude and Cursor. Programmatic access is available via an API client for custom integrations, and the Pro tier adds scheduled rescans, diff detection across runs, email alerts rate-limited to one per hour per API, HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures, and Slack or Teams notifications.

Scan data is deletable on demand and purged within 30 days of cancellation. Customer data is never sold or used for model training. The scanner employs multiple layers to block private IPs, localhost, and cloud metadata endpoints. It does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. Active SQL injection or command injection testing is outside scope, as these require intrusive payloads. Business logic vulnerabilities require human expertise tied to your domain, and blind SSRF is not detectable without out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits.