Bright Security for Pre-seed startups
What middleBrick covers
- Black-box scanning without agents or code access
- Risk scoring with prioritized findings in under a minute
- Detection aligned to OWASP API Top 10 (2023)
- Support for authenticated scanning with strict header allowlists
- Continuous monitoring and diff detection in Pro tiers
- CI/CD integration via GitHub Action and MCP Server
Overview of API Security Scanning for Pre-seed Teams
For pre-seed startups, speed and clarity matter more than feature breadth. This scanner is a self-service tool that accepts a URL and returns a letter-grade risk score with prioritized findings in under a minute. It operates as a black-box scanner, requiring no agents, SDKs, or code access, and supports any language or framework. The tool limits requests to read-only methods and text-only POST for LLM probes, avoiding destructive testing while still surfacing common configuration and implementation issues.
Detection Coverage and Compliance Alignment
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypasses; JWT misconfigurations such as alg=none or expired tokens; BOLA and IDOR via sequential ID probing; BFLA and privilege escalation attempts; and sensitive data exposure including PII, API key formats, and error leakage. It also checks input validation rules such as CORS wildcard usage, rate-limiting indicators, encryption hygiene such as HSTS and cookie flags, SSRF indicators, and LLM-specific adversarial probes covering prompt extraction and jailbreak techniques.
These findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, the scanner helps you prepare for audit evidence and aligns with security controls described in relevant guidelines, though it does not certify compliance.
Authenticated Scanning and Access Controls
Starting at the Starter tier, authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Before scanning with credentials, a domain verification gate ensures only the domain owner can run authenticated tests, using a DNS TXT record or an HTTP well-known file. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, minimizing unnecessary data exposure while enabling deeper security checks.
Product Integrations and Continuous Monitoring
The scanner integrates into existing workflows through multiple channels. The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable compliance PDFs. The CLI via the middlebrick npm package supports single scans with JSON or text output. A GitHub Action can gate CI/CD pipelines, failing builds when scores drop below a set threshold. An MCP Server allows scanning from AI coding assistants such as Claude or Cursor.
The Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly; diff detection across scans to highlight new or resolved findings; email alerts rate-limited to one per hour per API; and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise tiers support unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.
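To make the two webhook properties above concrete, here is an added example (not middleBrick's own code) of how a receiver verifies an HMAC-SHA256 signed webhook and how a sender tracks the "disable after 5 consecutive failures" rule. The header name X-Signature and the hex-of-HMAC-over-raw-body format are assumptions; the page does not document them.

```python
import hmac
import hashlib

# Assumed convention (not documented on the page): the sender places
# hex(HMAC-SHA256(secret, raw_body)) in an X-Signature header.
SIG_HEADER = "X-Signature"
MAX_CONSECUTIVE_FAILURES = 5  # threshold stated on the page


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: MAC over the exact raw body bytes, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the MAC over the raw body (never over a
    re-serialized parse of it) and compare in constant time. A missing
    header is a plain rejection, not an exception."""
    presented = headers.get(SIG_HEADER, "")
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), presented.encode())


class WebhookEndpoint:
    """Sender-side delivery state for one customer endpoint: any 2xx resets
    the counter; five non-2xx responses in a row disable the endpoint."""

    def __init__(self, url: str):
        self.url = url
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, status_code: int) -> bool:
        """Record one delivery attempt; return whether the endpoint is still enabled."""
        if not self.enabled:
            return False
        if 200 <= status_code < 300:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False  # stays off until re-enabled by the operator
        return self.enabled


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"api":"https://example.invalid","score":"B"}'  # constructed sample
    print(verify_webhook(secret, body, {SIG_HEADER: sign_payload(secret, body)}))
```

A tampered body, a stale signature, or a missing header all fail the same constant-time check, and the endpoint object shows why a receiver that keeps returning 5xx silently stops getting alerts.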
Operational Safety and Transparency
The scanner maintains a conservative safety posture by never sending destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training. The tool does not remediate, patch, or block issues; it reports findings with remediation guidance. It also does not test for blind SSRF via out-of-band channels or business logic flaws that require domain-specific human analysis.