Migrating from 42Crunch to middleBrick for FedRAMP Moderate prep

What middleBrick covers

  • Black-box API scanning with read-only methods
  • Mapping findings to PCI-DSS, SOC 2, OWASP API Top 10
  • Authenticated scans with domain verification
  • LLM/AI security adversarial probe library
  • OpenAPI 2.0/3.0/3.1 spec parsing with $ref resolution
  • CI/CD integration via GitHub Action and MCP Server

Mapping findings to compliance frameworks

middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Each detected misconfiguration is linked to specific control assertions you can reference in audit artifacts. For other regulations, the scanner helps you prepare for review by surfacing findings relevant to controls described in frameworks such as HIPAA, GDPR, ISO 27001, NIST, and related standards without asserting compliance.

Scan coverage and methodology

The scanner performs black-box analysis using only read-only methods (GET and HEAD) plus text-only POST for LLM probes. It authenticates with Bearer tokens, API keys, Basic auth, or cookies after domain verification. Analysis covers 12 categories aligned to OWASP API Top 10, including authentication bypass, BOLA, BFLA, property authorization, input validation, rate limiting, data exposure, encryption, SSRF, inventory issues, unsafe consumption, and LLM/AI security. OpenAPI specs in versions 2.0, 3.0, and 3.1 are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes or deprecated operations.
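The $ref resolution and spec cross-check described above, as an added example that is not middleBrick's code: it resolves local JSON-pointer references in an OpenAPI 3.x document (with a cycle guard) and flags operations whose security requirements name a scheme that components.securitySchemes never defines, operations that explicitly switch security off, and deprecated operations. The sample spec is constructed; external $refs and OpenAPI 2.0 are out of scope here.

```python
"""Added example, not middleBrick's code: resolve local JSON-pointer $refs in an
OpenAPI 3.x document, then cross-check every operation's security requirements
against components.securitySchemes, flagging undefined schemes, operations
that disable security, and deprecated operations. The spec below is
constructed for this example."""
import json

# Constructed sample spec: one operation references a scheme that is never
# defined, one is deprecated, one disables security with "security": [] and
# one reaches its parameter schema through two levels of $ref.
SAMPLE_SPEC = json.loads(r"""
{
  "openapi": "3.0.3",
  "info": {"title": "constructed-sample", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
    "schemas": {"Id": {"type": "string"}},
    "parameters": {
      "UserId": {"name": "id", "in": "path", "required": true,
                 "schema": {"$ref": "#/components/schemas/Id"}}
    }
  },
  "paths": {
    "/users/{id}": {
      "get": {"parameters": [{"$ref": "#/components/parameters/UserId"}],
              "responses": {"200": {"description": "ok"}}},
      "delete": {"deprecated": true, "security": [{"apiKeyAuth": []}],
                 "responses": {"204": {"description": "deleted"}}}
    },
    "/health": {
      "get": {"security": [], "responses": {"200": {"description": "ok"}}}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve_refs(node, root, seen=frozenset()):
    """Recursively replace local {"$ref": "#/a/b"} objects with their targets.
    `seen` holds the pointers on the current resolution chain, so a reference
    cycle raises instead of recursing forever."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if not ref.startswith("#/"):
                raise ValueError(f"only local $refs are handled here: {ref}")
            if ref in seen:
                raise ValueError(f"cyclic $ref: {ref}")
            target = root
            for part in ref[2:].split("/"):
                # RFC 6901 unescaping: ~1 -> '/', then ~0 -> '~'
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(target, root, seen | {ref})
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def audit_spec(spec):
    """Return sorted (operation, finding) pairs from the spec cross-check."""
    resolved = resolve_refs(spec, spec)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    global_security = resolved.get("security", [])
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "summary", path-level "parameters", x-extensions
            where = f"{method.upper()} {path}"
            # An operation-level "security": [] deliberately disables auth,
            # so fall back to the global list only when the key is absent.
            security = op.get("security", global_security)
            if not security:
                findings.append((where, "no-security-requirement"))
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append((where, f"undefined-security-scheme:{scheme}"))
            if op.get("deprecated"):
                findings.append((where, "deprecated-operation"))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit_spec(SAMPLE_SPEC):
        print(f"{where}: {finding}")
```

Resolving first and auditing second keeps the check simple, but the cycle guard matters: a spec that references itself is a denial-of-service against a naive resolver, which is why the chain of pointers being followed is tracked rather than just a visited set.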

Authenticated scanning and safe operations

Authenticated scanning (Starter tier and above) requires domain ownership verification through DNS TXT records or an HTTP well-known file. Only a limited allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-*. The scanner uses read-only methods and blocks destructive payloads, private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.
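Two of the safeguards described above, as an added example that is not middleBrick's code: a target check that resolves the hostname and rejects any destination whose addresses fall in loopback, private, link-local, reserved or cloud-metadata space, and a header filter that forwards only the Authorization, X-API-Key, Cookie and X-Custom-* names. The hostnames, fake DNS data and header values are constructed for the example.

```python
"""Added example, not middleBrick's code: the two gatekeeping checks a hosted
scanner needs before it forwards a customer's credentials to a target URL.
target_is_safe() rejects destinations that resolve to loopback, private,
link-local, reserved or cloud-metadata addresses, checking every resolved
address rather than the hostname string; filter_headers() forwards only the
allowlisted header names. Hostnames, the fake resolver and the header values
below are constructed for this example."""
import fnmatch
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Cloud metadata services: IMDS on AWS/Azure/GCP shares 169.254.169.254,
# AWS also serves fd00:ec2::254, Alibaba Cloud uses 100.100.100.200.
METADATA_IPS = {ipaddress.ip_address(a) for a in ("169.254.169.254", "fd00:ec2::254", "100.100.100.200")}
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def is_blocked_ip(addr):
    ip = ipaddress.ip_address(str(addr).split("%")[0])  # drop any IPv6 scope id
    return (ip in METADATA_IPS or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def system_resolver(host):
    """Real DNS lookup via getaddrinfo (A and AAAA), used when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def target_is_safe(url, resolver=system_resolver):
    """Return (ok, reason). Every resolved address must pass, so a name with one
    public and one internal record is rejected rather than probed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme-not-allowed"
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "no-host"
    if host.rstrip(".") in METADATA_HOSTS or host == "localhost" or host.endswith(".localhost"):
        return False, "blocked-hostname"
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Not a dotted/colon literal: ask the resolver. Decimal or hex spellings
        # of an address are judged by what the resolver returns for them, not by
        # how the host is written.
        addrs = resolver(host)
    if not addrs:
        return False, "unresolvable"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"blocked-address:{addr}"
    return True, "ok"


def filter_headers(headers):
    """Keep only headers whose name matches the allowlist (case-insensitive)."""
    return {name: value for name, value in headers.items()
            if any(fnmatch.fnmatchcase(name.lower(), pattern.lower()) for pattern in ALLOWED_HEADERS)}


# Constructed DNS data standing in for the real resolver in offline runs.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],
    "split.example.com": ["8.8.8.8", "10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1", "http://split.example.com/",
                "http://169.254.169.254/", "http://[::1]:8080/", "http://localhost/"):
        print(url, target_is_safe(url, fake_resolver))
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                          "X-Forwarded-For": "10.0.0.9", "Host": "internal"}))
```

A pre-flight check like this is only one layer: the HTTP client resolves the name again when it connects, so a rebinding DNS answer could pass the check and then point at an internal address. Pinning the vetted IP for the actual connection and re-checking every redirect target is what "blocked at multiple layers" has to mean in practice. Note also that Python's `is_private` covers the RFC 5737 documentation ranges, so those are rejected here as well.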

LLM/AI security testing depth

LLM and AI security is assessed through 18 adversarial probes across three scan tiers: Quick, Standard, and Deep. These probes test system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses such as base64 and ROT13, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. The depth you select determines how thoroughly the endpoint is probed for prompt-injection and model-compromise risks.

Migration workflow and integrations

For FedRAMP Moderate prep, begin with the free tier to establish baseline scan coverage using the CLI (middlebrick scan <url>) and export JSON results. Move to the Web Dashboard for trend tracking, branded compliance PDFs, and alert configuration. Use the GitHub Action as a CI/CD gate that fails the build when the score drops below your threshold, and integrate the MCP Server with AI coding assistants. Pro tier adds scheduled rescans, diff detection, email alerts, signed webhooks, and compliance reports to streamline continuous monitoring without requiring intrusive testing.

Frequently Asked Questions

Can middleBrick certify my API as compliant?
No. middleBrick is a scanning tool that detects and reports findings with remediation guidance. It does not certify, audit, or guarantee compliance with any regulation.

Which authentication methods are supported for authenticated scans?
Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required before credentials are accepted for scanning.

Does the scanner perform active injection testing like SQLi or command injection?
No. The scanner focuses on read-only checks and does not send destructive payloads such as active SQL injection or command injection.

How are findings mapped to compliance evidence?
Findings map directly to controls in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, findings support audit evidence and help you prepare for review.