Is 42Crunch good for Cyber insurance renewal evidence?

What middleBrick covers

  • Black-box API scanning with risk score A–F and prioritized findings
  • Supports read-only GET/HEAD and text-only POST for LLM probes
  • Maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10
  • Covers authentication, IDOR, privilege escalation, and data exposure
  • Includes LLM/AI Security adversarial probes across scan tiers
  • Provides dashboard, CLI, GitHub Action, and API integrations

Purpose and scope of scanning for insurance evidence

Cyber insurance renewal evidence requires repeatable, objective data about an API surface rather than a pass/fail checkbox. middleBrick is a black-box API security scanner: you submit a URL and it returns a risk score from A to F along with prioritized findings. Because it operates without agents, SDKs, or code access, it can be run against any technology stack without build or deployment changes. A scan uses only read-only methods (GET and HEAD) plus text-only POST requests for LLM probes and completes in under one minute, which makes frequent reassessment across a portfolio of APIs practical.

Mapping findings to compliance frameworks

The scanner maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). These mappings provide structured evidence that can be referenced in insurance renewal documentation. For other regulations (HIPAA, GDPR, ISO 27001, NIST, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA) the product supplies alignment language that references the corresponding security controls; it does not claim certification or guarantee compliance with any of them.

Detection coverage relevant to insurance assessments

The tool detects issues across 12 categories derived from the OWASP API Top 10, which are relevant to common insurance loss scenarios. Key areas include:

  • Authentication bypass and JWT misconfigurations, such as acceptance of unsigned (alg=none) tokens or expired tokens, and tokens issued with missing claims.
  • BOLA (broken object-level authorization) and IDOR via sequential ID enumeration and active adjacent-ID probing.
  • BFLA (broken function-level authorization) and privilege escalation through admin-endpoint probing and role/permission leakage.
  • Data exposure, including PII patterns (email addresses, Luhn-validated card numbers, context-aware SSN detection), API key formats (AWS, Stripe, GitHub, Slack), and error or stack-trace leakage.
  • Input-validation and configuration issues such as CORS wildcard origins, dangerous HTTP methods left enabled, and exposed debug endpoints.
  • LLM/AI Security with 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, jailbreaks, data exfiltration, and token smuggling.
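The JWT, data-exposure and configuration checks in the list above can all be done from a single read-only response, which is what keeps a scan of this kind non-intrusive. The following Python block is an added example written for this page, not middleBrick's own detection code: it decodes a token and flags alg=none, an expired exp and a missing claim; runs a Luhn check over candidate card numbers so that a 16-digit order reference is not reported; matches a few well-known secret prefixes (the regexes are simplified public formats and an assumption, not the scanner's rules); and reads CORS and Allow headers. The token, body and headers are constructed sample inputs, with the AWS and Stripe values taken from those vendors' published documentation examples.

```python
import base64
import json
import re
import time

# ---- JWT hygiene: alg=none, expired exp, missing claims (structure only, no key needed) ----

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_jwt(token: str, required=("sub", "exp", "iat"), now=None):
    """Return finding strings for a compact JWS; an empty list means nothing was flagged."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected header.payload.signature)"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none or empty signature)")
    now = time.time() if now is None else now
    if isinstance(payload.get("exp"), (int, float)) and payload["exp"] < now:
        findings.append("expired token (exp in the past)")
    findings += [f"missing claim: {c}" for c in required if c not in payload]
    return findings

# ---- Data exposure: Luhn-validated card numbers, secret formats, stack traces ----

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")   # 13-19 digits, optional separators
SECRET_RES = {  # simplified public prefix formats; an assumption, not the scanner's own rules
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
}
STACK_RE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)")

def scan_body(body: str):
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):            # Luhn keeps order numbers and timestamps out of the report
            findings.append(f"card number (Luhn-valid) ending {digits[-4:]}")
    for name, rx in SECRET_RES.items():
        for m in rx.finditer(body):
            findings.append(f"{name}: {m.group()[:8]}...")   # never write the full secret to a report
    if STACK_RE.search(body):
        findings.append("stack trace in response body")
    return findings

# ---- Configuration: CORS wildcard and dangerous methods, read from response headers ----

def check_headers(headers: dict):
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("access-control-allow-origin") == "*":
        findings.append("CORS wildcard origin")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("CORS wildcard combined with credentials")
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    findings += [f"dangerous method advertised: {m}" for m in sorted(allowed & {"TRACE", "TRACK"})]
    return findings

# ---- Constructed sample inputs (not captured from any real API) ----

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([  # alg=none, already expired, no "sub" claim
    _b64url(b'{"alg":"none","typ":"JWT"}'),
    _b64url(b'{"iat":1700000000,"exp":1700003600,"role":"user"}'),
    "",
])
SAMPLE_BODY = (  # leaky error response: one Luhn-valid PAN, one 16-digit order ref, two doc-example keys
    '{"error":"db failure","card":"4111 1111 1111 1111","ref":"1234 5678 9012 3456",'
    '"aws":"AKIAIOSFODNN7EXAMPLE","stripe":"sk_test_4eC39HqLyjWDarjtT1zdp7dc",'
    '"trace":"Traceback (most recent call last): ..."}'
)
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "*", "Allow": "GET, HEAD, OPTIONS, TRACE"}

def run_sample(now=1_800_000_000):
    return {"jwt": check_jwt(SAMPLE_TOKEN, now=now),
            "body": scan_body(SAMPLE_BODY),
            "headers": check_headers(SAMPLE_HEADERS)}

if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The adjacent-ID BOLA probes from the same list are deliberately not shown here: they need live requests for neighbouring IDs under a second identity, which only makes sense against a domain you have verified you own. Note also that check_jwt only inspects structure; whether the API actually accepts the unsigned or expired token is a separate request the scanner has to make.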

Scanning methods and limitations important for underwriters

Because the scanner uses only read-only methods (GET and HEAD) plus text-only POST for LLM probes, it does not perform active SQL injection or command injection testing; those require intrusive payloads that are outside its scope. It also does not detect business-logic vulnerabilities or blind SSRF (which needs out-of-band callback infrastructure), and it does not replace a human pentester for high-stakes audits. Underwriters should read its output with these boundaries in mind.

The scanner includes safety measures such as blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, so the scanning service cannot be used to reach internal infrastructure. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.

Authentication, authorized scanning, and integration options

Authenticated scanning is available on the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, so only the domain owner can scan with credentials. The tool follows a strict header allowlist, forwarding only the Authorization, X-API-Key, Cookie, and X-Custom-* headers to the target.
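The two guards a hosted scanner like this needs, the target block list described under safety measures above and the header allowlist from this paragraph, as an added Python example that is not middleBrick's own code. The allowlisted header names are the ones the page states; the specific blocked hostnames and networks are an assumption, since the page only names the categories (private IPs, localhost, cloud metadata). The point the example makes is that a literal-address check before the request is only the first layer: names must be resolved and every returned address re-checked, and the connection pinned to that checked address, or a DNS rebind defeats the guard.

```python
import ipaddress
from urllib.parse import urlsplit

# Header allowlist from the page: exact names plus the X-Custom-* family (case-insensitive)
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"

# Target block list; the exact entries are an assumption, the page only names the categories
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local, includes the 169.254.169.254 cloud metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

def filter_headers(requested: dict) -> dict:
    """Keep only allowlisted headers; everything else (Host, X-Forwarded-For, ...) is dropped."""
    return {name: value for name, value in requested.items()
            if name.lower() in ALLOWED_HEADERS or name.lower().startswith(ALLOWED_PREFIX)}

def address_allowed(addr: str) -> bool:
    """True if a literal IP address is a legitimate public scan target."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:   # ::ffff:127.0.0.1 style
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified or ip.is_reserved:
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)

def target_allowed(url: str) -> tuple[bool, str]:
    """Layer 1: reject the URL before any DNS lookup or request is made."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname: {host}"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # A name (or a shorthand like "127.1" that only the resolver understands):
        # layer 2 must resolve it, run address_allowed() on every returned address,
        # and then connect to that checked address so a DNS rebind cannot swap it later.
        return True, "hostname: resolve and re-check each address before connecting"
    if not address_allowed(host):
        return False, f"blocked address: {host}"
    return True, "public literal address"

def resolved_allowed(addresses) -> bool:
    """Layer 2 helper: every address the resolver returned must pass, not just the first."""
    return bool(addresses) and all(address_allowed(a) for a in addresses)

if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://localhost:8080/", "ftp://api.example.com/"):
        print(u, target_allowed(u))
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                          "Host": "internal.corp", "X-Forwarded-For": "10.0.0.1"}))
```

The hostname branch returns True only as permission to resolve; the caller has to pass the resolver's answers through resolved_allowed() and then open the socket to the vetted address rather than letting the HTTP library resolve the name again.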

Integration options include:

  • A Web Dashboard for managing scans and viewing reports, with score trends and downloadable compliance PDFs
  • A CLI via the middlebrick npm package (middlebrick scan <url>), with JSON or text output
  • A GitHub Action for CI/CD gating that fails the build when the score falls below a threshold
  • An MCP Server for AI coding assistants
  • A programmatic API client for custom integrations

Frequently Asked Questions

Can the scanner provide evidence suitable for cyber insurance renewal?
Yes, it supplies a risk score and prioritized findings that can support renewal evidence, but it does not certify compliance or replace an audit.
Does the tool perform intrusive tests like SQL injection?
No. It avoids intrusive payloads, focuses on read-only methods, and relies on the organization to run separate tests for injection vulnerabilities.
How does the tool align with frameworks like PCI-DSS and SOC 2?
It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it aligns with described controls without claiming certification.
Is authenticated scanning available, and what credentials are supported?
Yes, from Starter tier onward it supports Bearer, API key, Basic auth, and Cookie. Domain verification is required to ensure only the domain owner can scan with credentials.
What happens to scan data after cancellation?
Customer data can be deleted on demand and is purged within 30 days of cancellation. It is never sold or used for model training.