Migrating from 42Crunch to middleBrick for DORA ICT risk evidence
What middleBrick covers
- Black-box API scanning with OWASP API Top 10 (2023) mapping
- Supports authentication methods including Bearer and API key
- Under-one-minute scan time with prioritized findings
- Continuous monitoring and diff detection in Pro tier
- CI/CD integration via GitHub Action and MCP server support
- Data deletion on demand with 30-day purge policy
Current state with 42Crunch and DORA evidence workflows
If your team uses 42Crunch, you are accustomed to scheduled scans, a ruleset tuned to that platform, and a dashboard that presents findings in its native taxonomy. Migrating to middleBrick changes both the evidence format and the control references you can cite when reporting on DORA ICT risk. middleBrick is a black-box scanner: it needs no agents or SDKs, sends only read-only requests, and completes a scan in under a minute. Findings are mapped to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II, so audit evidence lines up with those frameworks rather than with a vendor's proprietary categories.
Authentication and authorization coverage for DORA risk evidence
DORA ICT risk reporting often requires proof that access controls are tested and that authentication cannot be trivially bypassed. middleBrick supports this kind of evidence by checking for authentication bypass methods and JWT misconfigurations (acceptance of alg=none, HS256 handling, expired tokens, missing claims, and sensitive data carried in claims). It also validates security headers and WWW-Authenticate compliance. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported, and domain verification is enforced so only the domain owner can submit credentials for a target. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-*, which keeps the headers that appear in your evidence set to a known, bounded list. Supply a dedicated, short-lived test credential with the least privilege needed rather than a production token: whatever you forward is sent to the target on your behalf and ends up in the scan record.
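The JWT checks listed above are easy to reason about once you see them as code. The following is an added example written for this page, not middleBrick's scanner logic or any 42Crunch ruleset: it parses a token without trusting it, flags the same hygiene problems the text names (alg=none, HS256 signing, missing claims, expiry, sensitive claim names), and pairs that with a hardened verifier that pins the algorithm so that unsigned and algorithm-confused tokens are rejected. The sample tokens, the shared secret, the required-claim set and the sensitive-claim-name list are all constructed for the example and are assumptions, not values from the product.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names that should not appear in a token payload (assumed list for this example).
SENSITIVE_CLAIM_NAMES = {"password", "pwd", "secret", "ssn", "card_number", "api_key"}
DEFAULT_REQUIRED_CLAIMS = ("exp", "iat", "sub")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(payload, alg="HS256", key=None):
    """Build a compact JWT as test input; alg="none" yields an unsigned token (empty third segment)."""
    header = {"alg": alg, "typ": "JWT"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    if alg == "none":
        return signing_input + "."
    if alg != "HS256" or key is None:
        raise ValueError("example signs HS256 only")
    return signing_input + "." + _b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def split_token(token):
    """Parse header and payload without verifying anything; returns (header, payload, signing_input, sig)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return (json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])),
            parts[0] + "." + parts[1], parts[2])


def inspect_jwt(token, now=None, required_claims=DEFAULT_REQUIRED_CLAIMS):
    """Read-only hygiene checks on a token; returns finding codes, empty list if clean."""
    now = int(time.time()) if now is None else now
    header, payload, _, sig = split_token(token)
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or sig == "":
        findings.append("ALG_NONE")      # unsigned: any holder can rewrite the claims
    elif alg == "HS256":
        findings.append("ALG_HS256")     # shared-secret signing: check the verifier pins the alg and the secret is strong
    for claim in required_claims:
        if claim not in payload:
            findings.append("MISSING_CLAIM:" + claim)
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append("EXPIRED")
    for name in payload:
        if name.lower() in SENSITIVE_CLAIM_NAMES:
            findings.append("SENSITIVE_CLAIM:" + name)
    return findings


def verify_hs256(token, key, now=None):
    """Hardened verifier: pins alg to HS256 (rejects alg=none and alg confusion), constant-time compare, enforces exp."""
    now = int(time.time()) if now is None else now
    header, payload, signing_input, sig = split_token(token)
    if header.get("alg") != "HS256":
        raise ValueError("rejected alg %r" % header.get("alg"))
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload


def accepts(token, key, now=None):
    """True if verify_hs256 accepts the token; handy for tabulating results."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


# Constructed sample tokens for the example (invented secret and claims, not real credentials).
KEY = b"example-shared-secret"
NOW = 1700000000
GOOD_TOKEN = make_token({"sub": "user-1", "iat": NOW - 60, "exp": NOW + 3600}, key=KEY)
NONE_TOKEN = make_token({"sub": "user-1", "iat": NOW - 60, "exp": NOW + 3600, "password": "hunter2"}, alg="none")
STALE_TOKEN = make_token({"sub": "user-1", "exp": NOW - 1}, key=KEY)

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("none", NONE_TOKEN), ("stale", STALE_TOKEN)):
        print(name, inspect_jwt(tok, now=NOW), "accepted" if accepts(tok, KEY, NOW) else "rejected")
```

The inspection side never verifies a signature, which is what makes it safe to run against tokens you do not hold the key for; the verification side is the behaviour you want to confirm your own API has, because a verifier that takes the algorithm from the token header is exactly what an alg=none or HS256 key-confusion probe exploits.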
Mapping API risk findings to compliance and continuous monitoring
To support audit evidence for DORA and related frameworks, middleBrick surfaces findings in categories aligned with OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. Detection categories include Authentication, BOLA and IDOR, BFLA and privilege escalation, property authorization, input validation, rate limiting and resource consumption, data exposure, encryption, SSRF, inventory management, unsafe consumption, and LLM/AI security. With the Pro tier or higher, you can enable continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift, and email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks deliver scan results to your systems, with auto-disable after five consecutive failures to prevent alert storms. Verify the signature on every delivery before acting on its contents, and keep the receiving endpoint reliable, since five consecutive delivery failures switch the webhook off and the evidence stream stops with it.
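A receiver for the signed webhooks, together with the diff logic the text describes (new findings, resolved findings, score drift), as an added example for this page rather than middleBrick's own client or payload format. The signature header name, the hex HMAC-SHA256-over-raw-body encoding, the finding id fields and the score field are assumptions; check the product's webhook documentation for the real header and schema before relying on them. The two scan payloads are constructed for the example.

```python
import hashlib
import hmac
import json

# Header name and signature encoding are assumptions for this example (hex HMAC-SHA256 over the raw body).
SIGNATURE_HEADER = "X-Signature-256"


def sign_body(body, secret):
    """Sender side: hex HMAC-SHA256 of the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body, signature, secret):
    """Receiver side: recompute over the raw bytes (never a re-serialized JSON) and compare in constant time."""
    if not signature:
        return False
    return hmac.compare_digest(sign_body(body, secret), signature.strip().lower())


def diff_scans(previous, current):
    """Diff two scan results keyed by finding id: new findings, resolved findings, and score drift."""
    prev_ids = {f["id"] for f in previous["findings"]}
    curr_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(curr_ids - prev_ids),
        "resolved": sorted(prev_ids - curr_ids),
        "score_delta": current["score"] - previous["score"],
    }


def handle_delivery(body, headers, secret, previous):
    """Verify first, then diff against the last accepted result; unverified payloads are dropped, never diffed."""
    if not verify_signature(body, headers.get(SIGNATURE_HEADER), secret):
        raise PermissionError("webhook signature mismatch; payload discarded")
    current = json.loads(body)
    return diff_scans(previous, current)


# Constructed sample payloads (assumed schema: score plus findings carrying id/category/severity).
SECRET = b"example-webhook-secret"
PREVIOUS = {"api": "https://api.example.com", "score": 82, "findings": [
    {"id": "AUTH-001", "category": "Authentication", "severity": "high"},
    {"id": "BOLA-004", "category": "BOLA", "severity": "medium"},
]}
CURRENT_BODY = json.dumps({"api": "https://api.example.com", "score": 78, "findings": [
    {"id": "BOLA-004", "category": "BOLA", "severity": "medium"},
    {"id": "RATE-002", "category": "Rate limiting", "severity": "low"},
]}).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: sign_body(CURRENT_BODY, SECRET)}
# An in-transit edit of the score invalidates the signature even though the JSON stays well-formed.
TAMPERED_BODY = CURRENT_BODY.replace(b'"score": 78', b'"score": 98')

if __name__ == "__main__":
    print(handle_delivery(CURRENT_BODY, GOOD_HEADERS, SECRET, PREVIOUS))
    try:
        handle_delivery(TAMPERED_BODY, GOOD_HEADERS, SECRET, PREVIOUS)
    except PermissionError as err:
        print(err)
```

Two details matter for evidence integrity: the HMAC is computed over the exact bytes received, because re-serializing the JSON can change whitespace or key order and silently break verification, and the diff is only ever computed from a payload whose signature checked out, so a forged delivery cannot mark a finding as resolved in your records.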
Limitations to manage when replacing 42Crunch
middleBrick is a scanning tool and does not fix, patch, block, or remediate issues. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, because they require domain-specific understanding. Blind SSRF is out of scope due to the absence of out-of-band infrastructure probes. The scanner does not replace a human pentester for high-stakes audits, and it does not certify or guarantee compliance with HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA, or any other regulation. Use its findings as inputs for your risk assessment and remediation planning rather than as compliance attestations.
Migration steps and integration options for DORA reporting
Plan the migration by inventorying the APIs you currently scan with 42Crunch and confirming that each is reachable from the scanner with read-only requests. With middleBrick, you can start on the free tier with three scans per month and CLI access via middlebrick scan <url>, or use the Web Dashboard for scan management, trend tracking, and downloadable compliance PDFs. For CI/CD, the GitHub Action fails the build when the score drops below a threshold you choose; set that threshold from your current baseline so the gate catches regressions rather than blocking every pipeline on the first run. The MCP server enables scanning from AI coding assistants, and the API client supports custom integrations. Each of these produces structured output that you can map to DORA ICT risk indicators, expressed in framework terms rather than 42Crunch's proprietary engine terminology and without depending on details of your internal infrastructure.