42Crunch as an API security dashboard
What middleBrick covers
- Risk scoring with prioritized findings
- Black-box scanning without agents
- OpenAPI spec parsing and diffing
- Authenticated scan support
- Trend tracking and report export
- CI/CD integration options
API security dashboard capabilities
A dashboard for API security should present risk in a way that drives action rather than noise. The dashboard shows a risk score on a letter-grade scale and prioritizes findings so that teams can address the most critical issues first. It supports scan management, trend tracking over time, and export of reports for compliance consumption.
Scan methodology and coverage
The scanner operates as a black-box tool that requires no agents, SDKs, or runtime instrumentation. It issues read-only requests such as GET and HEAD, with text-only POST for LLM probes, completing most scans in under a minute. The tool maps findings to OWASP API Top 10 (2023) and supports OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to highlight undefined security schemes or deprecated operations.
Authenticated scanning and safety controls
Authenticated scanning is available starting at the entry tier and supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
The scanner enforces a read-only posture: destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation.
Product integrations and workflows
The Web Dashboard centralizes scan results, score trends, and report downloads. The CLI enables on-demand scanning from a terminal with structured JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. An MCP server allows scanning from AI coding assistants, and a programmable API supports custom integrations.
Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and webhooks are HMAC-SHA256 signed with auto-disable after five consecutive failures.
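Signed webhooks only protect a receiver that actually verifies them. The following added example (not middleBrick's code) shows the receiving side: recompute HMAC-SHA256 over the raw body, compare in constant time, and refuse to parse anything that fails. The header name, the bare-hex signature encoding and the sample payload are assumptions, since the page does not document the webhook format.

```python
import hmac
import hashlib
import json

# Assumed shared secret and header name (the page does not document either).
WEBHOOK_SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "X-Signature-256"  # hypothetical header name


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body; assumed to be what the sender attaches."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if the header signature matches the body's HMAC.

    compare_digest runs in constant time, so a byte-by-byte mismatch does not
    leak how much of the digest an attacker guessed correctly.
    """
    provided = headers.get(SIGNATURE_HEADER, "")
    expected = sign_payload(secret, body)
    return hmac.compare_digest(provided, expected)


def handle_delivery(secret: bytes, headers: dict, body: bytes):
    """Verify before parsing: an unverified body never reaches json.loads."""
    if not verify_webhook(secret, headers, body):
        return None  # reject silently; log/alert in a real receiver
    return json.loads(body)


# Constructed sample delivery, not a real middleBrick payload.
SAMPLE_BODY = json.dumps(
    {"api": "https://api.example.com", "score": 72, "grade": "C", "new_findings": 2}
).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
    # Any change to the body invalidates the signature.
    tampered = SAMPLE_BODY.replace(b'"score": 72', b'"score": 99')
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_HEADERS, tampered))
```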
What the dashboard does not do and compliance framing
The dashboard does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits.
The tool helps you prepare for controls aligned with security practices described in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it surfaces findings relevant to audit evidence and supports alignment with security controls described in those standards.