Migrating from 42Crunch to middleBrick for CISO API inventory heatmap

What middleBrick covers

  • Black-box API scanning with sub-minute risk scores A–F
  • 12 OWASP API Top 10 (2023) detection categories
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Authenticated scans with strict header allowlist
  • Continuous monitoring with diff detection and alerts
  • CI/CD integration via GitHub Action and MCP Server

Current state with 42Crunch for CISO inventory heatmaps

Many teams rely on a scanner to build an API inventory and assign a risk rating for executive reporting. If you are migrating from 42Crunch, your workflow likely depends on an automated heatmap that classifies assets by risk level. You expect a continuously updated list of APIs, each with a score and prioritized findings that map to major security frameworks. You also expect integration with CI/CD and dashboards that track changes over time.

Migrating to middleBrick preserves this workflow while changing the underlying implementation. The scanner remains black-box, requiring no agents, SDKs, or code access. Submit a URL and receive a risk score with prioritized findings. Scan time stays under one minute, and the platform supports read-only methods plus text-only LLM probes. This approach fits existing CI/CD pipelines and monitoring processes without exposing internal architecture or requiring new runtime instrumentation.

Mapping findings and compliance evidence for CISO reporting

Executive dashboards require clear mappings to recognized security frameworks. middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). This enables CISOs to link API risk scores to specific compliance objectives and audit evidence without claiming certification or guarantees for any regulation.

For other frameworks, the platform helps you prepare for audits and supports evidence collection for relevant controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, and similar regimes. The scanner surfaces findings that can inform those controls, but it does not certify compliance or assure that requirements are fully met. Use the dashboard exports to build the evidence set required by internal audit and third-party assessors.

Authentication, authorized scanning, and credential handling

middleBrick supports authenticated scans with Bearer tokens, API keys, Basic auth, and cookies for inventory coverage of protected endpoints. Domain verification is required: only the domain owner can scan with credentials, enforced by DNS TXT records or an HTTP well-known file. This prevents unauthorized use of your production authentication surface.

When credentials are provided, the scanner uses a strict header allowlist that forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers. This minimizes exposure while still allowing realistic authenticated testing. The Starter tier and above include these capabilities, with session data retained only as needed for scan accuracy and deletable on demand.
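As an added illustration, and not middleBrick's own code, the following Python shows what an allowlist of this shape does in practice: header names are compared case-insensitively, the three exact names and the X-Custom- prefix pass, and everything else (including proxy and forwarding headers) is dropped before anything reaches the target. The sample header set is constructed for the example.

```python
"""Header allowlist for forwarding credentials to a scan target.

Added example, not middleBrick's code. It models the allowlist described on
the page: Authorization, X-API-Key, Cookie and X-Custom-* are forwarded and
every other header is dropped. SAMPLE_HEADERS below is constructed.
"""
from typing import Dict, Tuple

# Exact header names that may be forwarded (compared case-insensitively).
ALLOWED_EXACT = frozenset({"authorization", "x-api-key", "cookie"})
# Prefix for user-defined headers that may be forwarded (note the trailing dash).
ALLOWED_PREFIX = "x-custom-"


def is_allowed_header(name: str) -> bool:
    """Return True if a header name is on the forwarding allowlist."""
    lowered = name.strip().lower()
    return lowered in ALLOWED_EXACT or lowered.startswith(ALLOWED_PREFIX)


def filter_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split supplied headers into (forwarded, dropped).

    Only the name decides; values pass through unchanged. Names are lowered
    so 'AUTHORIZATION' and 'authorization' cannot become two distinct entries.
    """
    forwarded: Dict[str, str] = {}
    dropped: Dict[str, str] = {}
    for name, value in headers.items():
        target = forwarded if is_allowed_header(name) else dropped
        target[name.strip().lower()] = value
    return forwarded, dropped


# Constructed sample: what a user might paste into an authenticated scan config.
SAMPLE_HEADERS = {
    "Authorization": "Bearer <token-placeholder>",
    "X-API-Key": "<key-placeholder>",
    "X-Custom-Tenant": "acme",
    "X-Customer": "does-not-match-prefix",   # 'x-customer' lacks the dash
    "Proxy-Authorization": "Basic <placeholder>",
    "X-Forwarded-For": "10.0.0.1",
    "Host": "internal.example",
}

if __name__ == "__main__":
    fwd, drop = filter_headers(SAMPLE_HEADERS)
    print("forwarded:", sorted(fwd))
    print("dropped:  ", sorted(drop))
```

The prefix check keeps the trailing dash on purpose: a name such as X-Customer should not ride along on the X-Custom-* rule.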

Continuous monitoring and change management for the heatmap

As your API inventory evolves, the heatmap must reflect new endpoints, removed endpoints, and shifting risk levels. The middleBrick Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection across scans highlights new findings, resolved findings, and score drift so your CISO dashboard stays current.

Alerting is rate-limited to one email per hour per API to avoid noise. HMAC-SHA256 signed webhooks deliver scan results to your systems, with auto-disable after 5 consecutive failures to prevent alert storms. You can integrate these events into SIEM and incident response playbooks while maintaining control over notification volume.
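The delivery and throttling behaviour described above, written out as an added Python example that is not middleBrick's code: the sender signs the raw body with HMAC-SHA256 and disables an endpoint after 5 consecutive failed deliveries, the receiver verifies in constant time before parsing, and a throttle allows one e-mail per API per hour. The signature header name (X-Signature), the event field names and the transport callback are assumptions; the page does not document them.

```python
"""Signed-webhook delivery and alert throttling (added example, not
middleBrick's code). Models HMAC-SHA256 signed webhooks, auto-disable after
5 consecutive delivery failures, and one alert e-mail per hour per API.
The X-Signature header name, event fields and transport callback are assumed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SIGNATURE_HEADER = "X-Signature"   # assumed; the page does not name the header
MAX_CONSECUTIVE_FAILURES = 5       # page: auto-disable after 5 failures
EMAIL_WINDOW_SECONDS = 3600        # page: one e-mail per hour per API


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing header is a failed check."""
    return bool(presented) and hmac.compare_digest(sign(secret, body), presented)


def receive(secret: bytes, headers: Dict[str, str], body: bytes) -> Optional[dict]:
    """Receiver: parse the event only after the raw bytes verify.
    Verifying after re-serialising parsed JSON would break the MAC."""
    if not verify(secret, body, headers.get(SIGNATURE_HEADER)):
        return None
    return json.loads(body)


@dataclass
class Endpoint:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    disabled: bool = False


# transport(url, headers, body) -> HTTP status; may raise on network errors.
Transport = Callable[[str, Dict[str, str], bytes], int]


def deliver(endpoint: Endpoint, event: dict, transport: Transport) -> bool:
    """Sender: sign, send, and track consecutive failures. A 2xx resets the
    counter; any other status or an exception increments it, and the endpoint
    is disabled once MAX_CONSECUTIVE_FAILURES is reached."""
    if endpoint.disabled:
        return False
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {"Content-Type": "application/json",
               SIGNATURE_HEADER: sign(endpoint.secret, body)}
    try:
        ok = 200 <= transport(endpoint.url, headers, body) < 300
    except Exception:
        ok = False
    if ok:
        endpoint.consecutive_failures = 0
    else:
        endpoint.consecutive_failures += 1
        if endpoint.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            endpoint.disabled = True
    return ok


class EmailThrottle:
    """At most one alert e-mail per API per EMAIL_WINDOW_SECONDS."""

    def __init__(self) -> None:
        self._last_sent: Dict[str, float] = {}

    def should_send(self, api_id: str, now: float) -> bool:
        last = self._last_sent.get(api_id)
        if last is not None and now - last < EMAIL_WINDOW_SECONDS:
            return False
        self._last_sent[api_id] = now
        return True


# Constructed sample event; field names are an assumption.
SAMPLE_EVENT = {"api": "https://api.example.test", "score": "C",
                "new_findings": 2, "resolved_findings": 1}
SAMPLE_SECRET = b"example-shared-secret"

if __name__ == "__main__":
    ep = Endpoint("https://siem.example.test/hook", SAMPLE_SECRET)
    captured: Dict[str, object] = {}

    def fake_transport(url, headers, body):  # stands in for an HTTP client
        captured["headers"], captured["body"] = headers, body
        return 200

    print("delivered:", deliver(ep, SAMPLE_EVENT, fake_transport))
    print("accepted: ", receive(SAMPLE_SECRET, captured["headers"], captured["body"]))
    print("tampered rejected:", receive(SAMPLE_SECRET, captured["headers"], captured["body"] + b" ") is None)
```

On the receiving side, verify over the exact bytes the sender signed and only then parse; a SIEM ingest that re-serialises the JSON first will reject valid deliveries whenever key order or whitespace differs.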

Migration actions and limitations to plan for

During migration, use the CLI to perform initial bulk scans and compare outputs with prior data. The command middlebrick scan <url> produces JSON or text output that can be scripted into existing inventory pipelines. For CI/CD gates, adopt the GitHub Action to fail builds when scores drop below your defined threshold.
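An added example, not middleBrick's code or its output format, that serves both the diff-detection paragraph above and this CLI/CI step: it computes new findings, resolved findings and score drift between two scan results, then exits non-zero when the current A–F score is below a chosen threshold. The JSON layout of the two scan results is constructed for the example; a real pipeline would load the JSON that middlebrick scan <url> emits in its place.

```python
"""Scan-to-scan diff and a CI score gate (added example, not middleBrick's
code or output format). Computes new findings, resolved findings and score
drift between two scans, and fails a build when the A-F score is below a
threshold. The scan JSON layout below is constructed and assumed."""
import json
from dataclasses import dataclass
from typing import List

# A is best, F is worst; rank so that comparisons are numeric.
GRADE_RANK = {g: i for i, g in enumerate("ABCDEF")}


@dataclass(frozen=True)
class ScanDiff:
    api: str
    previous_score: str
    current_score: str
    new_findings: List[str]
    resolved_findings: List[str]

    @property
    def score_drift(self) -> int:
        """Positive means the score got worse (e.g. B -> D is +2)."""
        return GRADE_RANK[self.current_score] - GRADE_RANK[self.previous_score]


def finding_key(f: dict) -> str:
    """Identity of a finding across scans: category plus method and path."""
    return f"{f['category']}|{f['method']} {f['path']}"


def diff_scans(previous: dict, current: dict) -> ScanDiff:
    """Set difference on finding keys gives new and resolved findings."""
    prev_keys = {finding_key(f) for f in previous["findings"]}
    cur_keys = {finding_key(f) for f in current["findings"]}
    return ScanDiff(
        api=current["url"],
        previous_score=previous["score"],
        current_score=current["score"],
        new_findings=sorted(cur_keys - prev_keys),
        resolved_findings=sorted(prev_keys - cur_keys),
    )


def gate_passes(score: str, threshold: str) -> bool:
    """CI gate: pass only if the score is at least as good as the threshold."""
    return GRADE_RANK[score] <= GRADE_RANK[threshold]


def exit_code(diff: ScanDiff, threshold: str) -> int:
    """0 = pass, 1 = score below threshold; drift alone is informational."""
    return 0 if gate_passes(diff.current_score, threshold) else 1


# Constructed sample scan results (assumed layout, not middleBrick's format).
PREVIOUS = json.loads("""{
  "url": "https://api.example.test", "score": "B",
  "findings": [
    {"category": "API2:2023 Broken Authentication", "method": "GET", "path": "/users/{id}"},
    {"category": "API8:2023 Security Misconfiguration", "method": "GET", "path": "/"}
  ]}""")
CURRENT = json.loads("""{
  "url": "https://api.example.test", "score": "D",
  "findings": [
    {"category": "API2:2023 Broken Authentication", "method": "GET", "path": "/users/{id}"},
    {"category": "API1:2023 Broken Object Level Authorization", "method": "GET", "path": "/orders/{id}"},
    {"category": "API9:2023 Improper Inventory Management", "method": "GET", "path": "/v1/legacy"}
  ]}""")

if __name__ == "__main__":
    d = diff_scans(PREVIOUS, CURRENT)
    print(f"{d.api}: {d.previous_score} -> {d.current_score} (drift {d.score_drift:+d})")
    print("new:     ", d.new_findings)
    print("resolved:", d.resolved_findings)
    raise SystemExit(exit_code(d, threshold="B"))
```

Keying findings on category plus method and path is the assumption that makes the diff stable across runs; if the scanner's own output carries a finding identifier, key on that instead so a renamed path does not show up as one resolved and one new finding.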

Note that the scanner does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection tests, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits. Plan to supplement automated scans with periodic expert reviews for complex business logic and architecture decisions.

Frequently Asked Questions

Does middleBrick map findings to compliance frameworks?
Yes. The scanner maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for audits and supports evidence collection for relevant controls, but it does not certify compliance.

Can authenticated scans be performed during migration?
Yes. Bearer, API key, Basic auth, and Cookie authentication are supported. Domain verification is required, and only a limited set of headers is forwarded to reduce risk.

How are new findings tracked across scans?
Pro tier scheduled rescans include diff detection that highlights new findings, resolved findings, and score drift. Alerts are rate-limited and delivered via email and signed webhooks.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.

Does the scanner perform active exploitation like SQL injection?
No. The scanner uses read-only methods and does not perform active SQL injection or command injection. Those testing methods are outside its scope.