Is 42Crunch good for DORA ICT risk evidence?
What middleBrick covers
- Risk scoring with OWASP API Top 10 (2023) mapping
- Authenticated scans with header allowlisting
- Continuous monitoring and diff detection
- Read-only methods with private IP blocking
- Webhook and CLI integrations for automation
Scope and approach to DORA ICT risk evidence
DORA ICT risk evidence requires verifiable artifacts that demonstrate how risks are identified, assessed, and monitored across the technology stack. middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for controls related to service availability and incident response, but it does not cover all DORA domains, such as supplier risk or major incident reporting workflows. The scanner focuses on technical indicators like authentication bypass, data exposure, and input validation issues that can be correlated to specific ICT risk scenarios.
Detection coverage relevant to DORA categories
The scanner surfaces findings relevant to DORA categories that depend on API and web interface security. It detects authentication misconfigurations, broken access control, and data exposure that align with risk indicators used in supplier and security risk assessments. Enumeration patterns and sensitive data leakage support evidence for risk identification and treatment tracking, helping teams demonstrate due diligence.
- Authentication bypass and JWT misconfigurations that indicate weak access control.
- Data exposure through PII and API key patterns that highlight confidentiality risks.
- Input validation issues such as CORS wildcard usage and dangerous HTTP methods.
- Rate limiting and oversized responses that relate to availability risk indicators.
- SSRF and unsafe consumption patterns relevant to service integrity.
Limitations against full DORA compliance
middleBrick is a scanning tool and does not replace the governance, supplier assessment, or major incident procedures required by DORA. It does not detect business logic vulnerabilities, blind SSRF, or supply chain risks that often require human domain context. Organizations must complement automated scans with manual reviews, contractual controls, and operational monitoring to build a complete risk evidence set.
Authenticated scanning and scope definition
Authenticated scans in Starter and higher tiers allow deeper coverage of endpoints that require Bearer, API key, Basic auth, or cookie-based access. Domain verification via DNS TXT record or HTTP well-known file ensures that only the domain owner can scan with credentials. Header allowlisting limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce noise and scope creep.
middlebrick scan https://api.example.com --auth-type bearer --auth-value "token_value"
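The allowlisting described above, as an added example that is not middleBrick's own code: it turns a CLI-style auth type and value into the header to forward, then splits any extra user-supplied headers into the forwarded set (Authorization, X-API-Key, Cookie, X-Custom-*) and the dropped set. The page only shows the "bearer" auth type; the "basic", "apikey" and "cookie" spellings, the sample headers and the glob-style matching are assumptions made for this example.

```python
import base64
import fnmatch
from typing import Dict, Iterable, List, Tuple

# Header allowlist as described on the page: exact names plus the X-Custom-* prefix.
# Matching is case-insensitive because HTTP header names are case-insensitive.
HEADER_ALLOWLIST: Tuple[str, ...] = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")


def build_auth_header(auth_type: str, auth_value: str) -> Tuple[str, str]:
    """Turn a CLI-style --auth-type/--auth-value pair into the header to forward.

    Only "bearer" appears on the page; "apikey", "basic" and "cookie" are assumed
    spellings for this example, not the CLI's actual option values. For "basic",
    auth_value is "user:password" and is base64-encoded here.
    """
    kind = auth_type.lower()
    if kind == "bearer":
        return "Authorization", f"Bearer {auth_value}"
    if kind == "basic":
        encoded = base64.b64encode(auth_value.encode()).decode()
        return "Authorization", f"Basic {encoded}"
    if kind == "apikey":
        return "X-API-Key", auth_value
    if kind == "cookie":
        return "Cookie", auth_value
    raise ValueError(f"unsupported auth type: {auth_type}")


def is_allowed_header(name: str, allowlist: Iterable[str] = HEADER_ALLOWLIST) -> bool:
    """True if the header name matches an allowlist entry (glob-style for X-Custom-*)."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, pattern.lower()) for pattern in allowlist)


def filter_forwarded_headers(
    headers: Dict[str, str], allowlist: Iterable[str] = HEADER_ALLOWLIST
) -> Tuple[Dict[str, str], List[str]]:
    """Split user-supplied headers into (forwarded, dropped).

    Anything not on the allowlist is withheld and reported by name only, so the
    scan log records what was dropped without recording the dropped values.
    """
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_allowed_header(name, allowlist):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, sorted(dropped)


# Constructed sample: extra headers a user might pass alongside the bearer token.
SAMPLE_EXTRA_HEADERS = {
    "X-Custom-Tenant": "acme",          # matches X-Custom-*: forwarded
    "X-Forwarded-For": "10.0.0.5",      # not an auth header: dropped
    "Host": "internal.example.com",     # would redirect the scan: dropped
    "cookie": "session=abc123",         # case-insensitive match: forwarded
}


def prepare_scan_headers(auth_type: str, auth_value: str, extra: Dict[str, str]):
    """Combine the auth header with allowlisted extras, as a scanner front end might."""
    name, value = build_auth_header(auth_type, auth_value)
    merged = dict(extra)
    merged[name] = value
    return filter_forwarded_headers(merged)


if __name__ == "__main__":
    forwarded, dropped = prepare_scan_headers("bearer", "token_value", SAMPLE_EXTRA_HEADERS)
    print("forwarded:", sorted(forwarded))
    print("dropped:", dropped)
```

Dropping Host and X-Forwarded-For by name rather than by value keeps the audit log useful without copying credentials or spoofable values into it; a real front end would also want to reject a `Host` that differs from the verified domain before the request is built.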
Continuous monitoring and reporting for risk tracking
Pro tier continuous monitoring enables scheduled rescans every 6 hours, daily, weekly, or monthly to track risk trends across API changes. Diff detection highlights new findings, resolved findings, and score drift, which can be used as evidence of ongoing risk management. HMAC-SHA256 signed webhooks and email alerts help integrate scan outcomes into incident response and audit trails without exposing raw data to external systems.
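The two mechanisms in this paragraph, signed webhooks and diff detection, as an added example on the receiving side rather than middleBrick's own code: the receiver recomputes the HMAC-SHA256 over the raw body and compares it in constant time before parsing anything, then diffs the delivered scan against the previously stored one to produce the new findings, resolved findings and score drift that serve as risk-tracking evidence. The signature header name, the hex encoding of the digest, the payload schema, the finding identity convention and both scan records are constructed assumptions for this example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed shared secret and scan records for this example; the real signing
# header name, digest encoding and payload schema are assumptions, not the product's.
WEBHOOK_SECRET = b"constructed-shared-secret"
SIGNATURE_HEADER = "X-Signature"  # assumed name; value is hex HMAC-SHA256 of the raw body

PREVIOUS_SCAN: Dict[str, Any] = {
    "scan_id": "prev-001",
    "score": 62,
    "findings": [
        {"check": "cors-wildcard", "method": "GET", "path": "/users"},
        {"check": "jwt-alg-none", "method": "POST", "path": "/login"},
    ],
}
CURRENT_SCAN: Dict[str, Any] = {
    "scan_id": "curr-002",
    "score": 71,
    "findings": [
        {"check": "cors-wildcard", "method": "GET", "path": "/users"},
        {"check": "pii-in-response", "method": "GET", "path": "/users/{id}"},
    ],
}


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, received: str) -> bool:
    """Receiver side: recompute and compare in constant time to avoid timing leaks."""
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def finding_key(finding: Dict[str, str]) -> str:
    # Identity used for diffing; a constructed convention, not the product's own.
    return f"{finding['check']}:{finding['method']}:{finding['path']}"


def diff_scans(previous: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Any]:
    """New findings, resolved findings, unchanged findings and score drift."""
    prev = {finding_key(f) for f in previous["findings"]}
    curr = {finding_key(f) for f in current["findings"]}
    return {
        "new": sorted(curr - prev),
        "resolved": sorted(prev - curr),
        "unchanged": sorted(prev & curr),
        "score_drift": current["score"] - previous["score"],
    }


def handle_webhook(headers: Dict[str, str], body: bytes, previous: Dict[str, Any]) -> Dict[str, Any]:
    """Reject unsigned or tampered deliveries before parsing; then produce the diff."""
    received = headers.get(SIGNATURE_HEADER, "")
    if not verify_signature(WEBHOOK_SECRET, body, received):
        raise ValueError("webhook signature mismatch: payload discarded")
    current = json.loads(body.decode("utf-8"))
    return diff_scans(previous, current)


def demo() -> Dict[str, Any]:
    """Simulate one signed delivery of CURRENT_SCAN and diff it against PREVIOUS_SCAN."""
    body = json.dumps(CURRENT_SCAN, sort_keys=True).encode("utf-8")
    headers = {SIGNATURE_HEADER: sign_body(WEBHOOK_SECRET, body)}
    return handle_webhook(headers, body, PREVIOUS_SCAN)


def demo_tampered() -> bool:
    """Alter the body after signing; returns True if the receiver rejected it."""
    body = json.dumps(CURRENT_SCAN, sort_keys=True).encode("utf-8")
    headers = {SIGNATURE_HEADER: sign_body(WEBHOOK_SECRET, body)}
    tampered = body.replace(b'"score": 71', b'"score": 99')
    try:
        handle_webhook(headers, tampered, PREVIOUS_SCAN)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered delivery rejected:", demo_tampered())
```

Signing the raw bytes rather than a re-serialised object matters: if the receiver parses and re-encodes the JSON before verifying, key order or whitespace differences will break the comparison, and any parsing of an unverified body is work done on attacker-controlled input. Storing the diff output alongside the scan id gives a timestamped record of findings opened and closed between rescans.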
Alternatives and complementary approaches
For comprehensive DORA ICT risk evidence, consider a dedicated API security platform that includes business logic testing and supply chain analysis. An alternative that emphasizes intrusive testing and compliance mapping is a professional penetration test aligned with PCI-DSS 4.0 and SOC 2 Type II objectives, which can validate controls in environments where active exploitation is in scope.