Is 42Crunch good for ISO 27001 API control evidence?

What middleBrick covers

  • Black-box API scanning with read-only methods, completing in under one minute
  • Detection aligned to OWASP API Top 10 (2023) categories
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with recursive $ref resolution
  • Authenticated scanning with domain verification guardrails
  • Continuous monitoring and diff detection in Pro tier
  • Compliance evidence support for PCI-DSS 4.0 and SOC 2 Type II

Purpose and scope of scanning

middleBrick is a self-service API security scanner designed to surface misconfigurations and common attack patterns. Submit a URL and receive a risk score from A to F with prioritized findings. The scanner operates in black-box mode, requiring no agents, SDKs, or code access, and works across any language, framework, or cloud. Scan time is under a minute, using read-only methods (GET and HEAD) plus text-only POST for LLM probes. It does not fix, patch, block, or remediate; it detects and reports with remediation guidance.

Mapping to security frameworks

middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For these three frameworks the tool produces audit evidence for specific controls and validates controls defined in the standard. For other regulations and frameworks, middleBrick helps you prepare for audits by aligning with security controls described in HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA and similar regimes. It surfaces findings relevant to these frameworks but does not certify or guarantee compliance. middleBrick is a scanning tool, not an auditor, so it cannot certify anyone as compliant.

Detection coverage relevant to control evidence

The scanner covers 12 categories aligned to OWASP API Top 10 (2023), which supports audit evidence for authentication, authorization, and data protection controls often referenced in ISO 27001 and SOC 2 Type II. The categories are:

  • Authentication: multi-method bypass, JWT misconfigurations, security headers
  • BOLA / IDOR: sequential ID enumeration, active adjacent-ID probing
  • BFLA / Privilege Escalation: admin endpoint probing, role/permission leakage
  • Property Authorization: over-exposure, internal field leakage
  • Input Validation: CORS wildcard with credentials, dangerous HTTP methods
  • Rate Limiting & Resource Consumption: rate-limit header detection, oversized responses
  • Data Exposure: PII patterns, API key formats, error/stack-trace leakage
  • Encryption: HTTPS redirect, HSTS, cookie flags, mixed content
  • SSRF: URL-accepting parameters, internal IP detection
  • Inventory Management: missing versioning, legacy path patterns
  • Unsafe Consumption: excessive third-party URLs, webhook/callback surface
  • LLM / AI Security: adversarial probes across scan tiers

The OpenAPI analysis parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings, such as undefined security schemes or deprecated operations.
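As an added illustration of the spec cross-check described above (example code, not middleBrick's own), the Python below resolves local $ref pointers recursively, guarding against self-referential schemas, and then flags operations whose security requirement names a scheme absent from components.securitySchemes or that are marked deprecated. The sample spec is constructed for the demo; the components.pathItems form it uses is an OpenAPI 3.1 feature.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def resolve_refs(node, root, seen=()):
    """Replace local '#/...' $ref pointers recursively; 'seen' stops cyclic refs."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$circular": ref}  # self-referential schema: stop expanding
            target = root
            for part in ref[2:].split("/"):  # JSON Pointer walk, ~1 and ~0 unescaped
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(target, root, seen + (ref,))
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node

def find_spec_findings(spec):
    """(severity, message) pairs: undefined security schemes and deprecated operations."""
    resolved = resolve_refs(spec, spec)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level 'security' list overrides the spec-wide default
            for req in op.get("security", resolved.get("security", [])):
                for scheme in req:
                    if scheme not in defined:
                        findings.append(("high", f"{method.upper()} {path}: security scheme '{scheme}' is not defined in components.securitySchemes"))
            if op.get("deprecated"):
                findings.append(("low", f"{method.upper()} {path}: deprecated operation still exposed"))
    return findings

# Constructed sample (not a real API): a self-referential schema, a deprecated path, and a $ref'd path item whose scheme is never defined.
SAMPLE_SPEC = {
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {"type": "object", "properties": {"manager": {"$ref": "#/components/schemas/User"}}}},
        "pathItems": {"adminUsers": {"get": {"security": [{"adminKey": []}], "responses": {"200": {"description": "ok"}}}}},
    },
    "paths": {
        "/v1/users": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/v0/users": {"get": {"deprecated": True, "responses": {"200": {"description": "ok"}}}},
        "/admin/users": {"$ref": "#/components/pathItems/adminUsers"},
    },
}
```

Running `find_spec_findings(SAMPLE_SPEC)` yields one low finding for the deprecated /v0/users operation and one high finding for /admin/users, whose scheme only becomes visible after the path item $ref is resolved.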

Authenticated scanning and data safety

Authenticated scanning is available from Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced via DNS TXT record or HTTP well-known file, ensuring only the domain owner can scan with credentials. The header allowlist is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. Continuous monitoring in Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection for new findings, resolved findings, and score drift. Email alerts are rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks auto-disable after 5 consecutive failures. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and never used for model training.

Limitations and alternative approach

middleBrick does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities, blind SSRF relying on out-of-band infrastructure, or subtle authorization issues that demand deep domain understanding. Because it does not replace a human pentester for high-stakes audits, organizations focused on ISO 27001 API control evidence may prefer a dedicated API security testing platform such as 42Crunch for continuous, policy-driven validation and integration into compliance workflows. 42Crunch provides a more comprehensive, policy-centric approach that aligns with stringent control evidence requirements for these frameworks.

Frequently Asked Questions

Does middleBrick map findings directly to ISO 27001 controls?
middleBrick does not map findings directly to ISO 27001. It aligns with security controls described in the standard and helps you prepare for audits by surfacing findings relevant to ISO 27001.
Can the scanner replace a human pentester for ISO 27001 audits?
No. middleBrick does not replace a human pentester for high-stakes audits. Use it as a supplementary source of evidence alongside expert testing.
What frameworks does middleBrick map findings to directly?
middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Is scan data retained or used for training models?
No. Customer scan data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.