Migrating from 42Crunch to middleBrick for New endpoint auto-discovery scan

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring A–F with prioritized findings
  • Coverage aligned to OWASP API Top 10 (2023)
  • Scan results mapped to PCI-DSS 4.0 and SOC 2
  • CLI, web dashboard, and CI/CD integrations
  • Continuous monitoring with diff detection

Current endpoint discovery limitations in 42Crunch

42Crunch relies on predefined API specifications to guide its scans. If your team does not maintain an up-to-date OpenAPI document, or if runtime endpoints diverge from the spec, 42Crunch will not automatically discover new paths. You must manually update the spec or use external tooling to surface undocumented routes before scanning. This process can delay coverage for newly deployed services and requires coordination between developers and security operations.

How middleBrick handles new endpoint auto-discovery

middleBrick is a black-box scanner that does not require a spec to begin coverage. By submitting a target URL, the scanner probes the surface using read-only methods (GET and HEAD) plus text-only POST for LLM probes, and it identifies reachable endpoints within a minute. Because it operates without agents or SDK integration, it works across any language, framework, or cloud. You do not need to generate or maintain an OpenAPI file to start finding security issues on new routes.

Mapping findings to compliance frameworks

middleBrick maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For each detected issue, the scanner provides a risk score from A to F and prioritized remediation guidance aligned with these specific standards. For other regulations, middleBrick helps you prepare for audits and supports audit evidence collection, but it does not claim certification or compliance guarantees.

Developer experience and workflow integration

Teams can integrate middleBrick into existing workflows without rebuilding pipelines. The CLI supports middlebrick scan <url> with JSON or text output for scripting. A GitHub Action can fail the build when the score drops below your chosen threshold, while the MCP server enables scanning directly from AI coding assistants. The web dashboard centralizes reports, score trends, and downloadable compliance PDFs, reducing context switching for security and engineering teams.

Limitations and ongoing monitoring considerations

middleBrick does not perform active SQL injection or command injection testing, as those tests require intrusive payloads outside its scope. It also does not detect business logic vulnerabilities or blind SSRF, and it does not guarantee exhaustive coverage of authentication bypasses; these areas often require human expertise and domain context. For continuous assurance, Pro-tier scheduled rescans track diffs across runs, surfacing new findings, resolved items, and score drift, with email and webhook alerts configured to respect rate limits.
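The two workflow pieces described above, the CI gate that fails a build when the A-F score drops below a threshold and the run-to-run diff that surfaces new findings, resolved items and score drift, as an added example in Python. This is not middleBrick's own code: the JSON shape, the finding ids and the two sample runs are constructed assumptions, since the page does not document the real CLI output schema.

```python
"""Gate a CI build on scan grade and diff two scan runs.

Added example, not middleBrick's own code. The JSON shape below is an
assumption; the page does not document the real `middlebrick scan` schema.
"""
import json

# Grade order used for threshold comparison (A best, F worst).
GRADES = "ABCDEF"

# Constructed sample output from two consecutive runs (assumed shape).
PREVIOUS_RUN = json.dumps({
    "score": "B",
    "findings": [
        {"id": "API1-no-object-auth", "endpoint": "/v1/orders/{id}", "severity": "high"},
        {"id": "API8-missing-rate-limit", "endpoint": "/v1/login", "severity": "medium"},
    ],
})
CURRENT_RUN = json.dumps({
    "score": "D",
    "findings": [
        {"id": "API8-missing-rate-limit", "endpoint": "/v1/login", "severity": "medium"},
        {"id": "API2-broken-auth", "endpoint": "/v1/internal/export", "severity": "high"},
    ],
})


def grade_meets(score: str, threshold: str) -> bool:
    """True when `score` is at least as good as `threshold` (A > B > ... > F)."""
    return GRADES.index(score.upper()) <= GRADES.index(threshold.upper())


def finding_key(finding: dict) -> tuple:
    """A finding is identified by its rule id on a specific endpoint."""
    return (finding["id"], finding["endpoint"])


def diff_runs(previous_json: str, current_json: str) -> dict:
    """Return new findings, resolved findings and score drift between runs."""
    prev, cur = json.loads(previous_json), json.loads(current_json)
    prev_keys = {finding_key(f) for f in prev["findings"]}
    cur_keys = {finding_key(f) for f in cur["findings"]}
    return {
        "new": sorted(cur_keys - prev_keys),
        "resolved": sorted(prev_keys - cur_keys),
        # Positive drift means the grade got worse by that many steps.
        "score_drift": GRADES.index(cur["score"]) - GRADES.index(prev["score"]),
    }


def ci_gate(current_json: str, threshold: str = "B") -> int:
    """Pipeline exit code: 0 passes the build, 1 fails it."""
    return 0 if grade_meets(json.loads(current_json)["score"], threshold) else 1


if __name__ == "__main__":
    print(json.dumps(diff_runs(PREVIOUS_RUN, CURRENT_RUN), indent=2))
    raise SystemExit(ci_gate(CURRENT_RUN, threshold="B"))
```

With the constructed runs the grade slips two steps (B to D), one finding is resolved, one new high-severity finding appears on a previously unseen route, and the gate fails the build.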

Frequently Asked Questions

Do I need to maintain an OpenAPI document to use middleBrick?
No. middleBrick uses black-box probing, so you can start scanning without a spec. Providing an OpenAPI file is optional and can help correlate runtime behavior with design expectations.
Can middleBrick automatically fix the issues it finds?
No. The scanner detects and reports issues with remediation guidance. It does not patch, block, or alter your infrastructure.
How often should I run scans in production?
Use the Pro tier for scheduled rescans every 6 hours, daily, weekly, or monthly, depending on deployment velocity. Diff detection highlights new endpoints and security regressions over time.
Does middleBrick support authenticated scanning for protected APIs?
Yes. Supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification ensures only the domain owner can submit credentials for scanning.
What happens to my scan data after I cancel?
Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.