Burp Suite for Pre-seed startups
What middleBrick covers
- Black-box API scanning with risk score A–F in under a minute
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive $ref resolution
- 12 OWASP API Top 10 (2023) detection categories
- Authenticated scanning with Bearer, API key, Basic, and Cookie
- Continuous monitoring with scheduled rescans and diff detection
- Integrations including Web Dashboard, CLI, GitHub Action, and MCP Server
Scan coverage and methodology
middleBrick is a black-box API security scanner that submits a URL and returns a risk score from A to F with prioritized findings. It supports read-only methods (GET and HEAD) and text-only POST for LLM probes, completing a scan in under a minute. The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime behavior to surface undefined security schemes, deprecated operations, and missing pagination.
Detection scope aligned to major frameworks
The scanner detects issues across 12 categories aligned to the OWASP API Top 10 (2023). It identifies authentication bypasses and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims. It probes for BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and checks for BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Additional categories include Property Authorization over-exposure, Input Validation issues like CORS wildcards and dangerous HTTP methods, Rate Limiting and Resource Consumption signals, and Data Exposure patterns including emails, Luhn-validated card numbers, context-aware SSNs, API key formats, and error/stack-trace leakage. The scanner also assesses encryption hygiene, SSRF indicators, Inventory Management deficiencies, unsafe consumption surfaces, and LLM/AI Security through 18 adversarial probes across Quick, Standard, and Deep tiers.
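As an added example (not middleBrick's own code) of the Luhn-validated card-number detection mentioned above, the following Python finds candidate 13–19 digit runs in a response body and keeps only those that pass the Luhn mod-10 check, so that order references and phone numbers do not raise a Data Exposure finding; the JSON body is a constructed sample.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
# The look-arounds stop us from matching a 16-digit slice of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized digit strings of Luhn-valid candidates found in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Length re-check after stripping separators; a run of a single repeated
        # digit (e.g. all zeros) passes Luhn but is never a real PAN.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample response body: two well-known test card numbers, a
# 16-digit reference that fails Luhn, and a 10-digit phone number.
SAMPLE_BODY = (
    '{"order":"ORD-7781234","customer":"j.doe@example.com",'
    '"card":"4111 1111 1111 1111","ref":"1234567890123456",'
    '"phone":"555-123-4567","backup_card":"5555-5555-5555-4444"}'
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_BODY):
        # Report masked so the finding itself does not leak the PAN.
        print(f"Luhn-valid card number exposed: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
```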
Authenticated scanning and safe operation
Authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner uses a strict header allowlist including Authorization, X-API-Key, Cookie, and X-Custom-* headers. All operations are read-only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and purged within 30 days of cancellation.
Product integrations and continuous monitoring
The Web Dashboard centralizes scans, reports, and score trends, enabling branded compliance PDF downloads. The CLI via the middlebrick npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing risk management, the Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.
Pricing and mapping to compliance needs
Free tier offers 3 scans per month with CLI access. Starter at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. Pro at 499 dollars per month covers 100 APIs with options for additional APIs at 7 dollars each, continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise at 2000 dollars per month provides unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support. The scanner maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023); for other frameworks it helps you prepare audit evidence without asserting certification or compliance guarantees.