42Crunch for AI feature pre-release gate

An AI feature pre-release gate requires confidence that external endpoints and internal API surfaces do not expose unsafe behaviors or sensitive data. This scanner provides a black-box assessment of APIs without requiring code access or SDK integration. It operates through read-only interactions such as GET and HEAD requests, with text-only POST support for LLM probe simulations. The goal is to reduce risk before features reach production, not to perform deep exploit validation.

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects 12 security categories that are relevant to AI feature gates, including authentication bypass, broken object level authorization, excessive data exposure, and LLM-specific adversarial probes. For AI workflows, it focuses on input validation, SSRF surface, unsafe consumption patterns, and prompt-injection attempts across three scan tiers.

• Authentication issues such as JWT misconfigurations and security header problems.
• BOLA and BFLA risks including ID enumeration and privilege escalation paths.
• Data exposure via PII patterns, API keys, and error leakage.
• LLM/AI Security with 18 adversarial probes covering jailbreaks, data exfiltration attempts, and token smuggling.

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref entries and cross-referencing the spec against runtime behavior. This helps identify undefined security schemes, deprecated operations, and missing pagination that could affect AI feature reliability. Authenticated scanning is available in tiers Starter and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced so only domain owners can scan with credentials, and forwarded headers are strictly limited to reduce noise.

middlebrick scan https://api.example.com/openapi.json --auth-type bearer --auth-token YOUR_TOKEN

For ongoing risk management, the Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly. It detects diffs between scans, highlighting new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API and can be delivered via HMAC-SHA256 signed webhooks. Integration options include a web dashboard, an npm CLI, a GitHub Action for CI/CD gating, and an MCP server for use with AI coding assistants. These options support rapid feedback when API contracts change before feature releases.

The tool does not fix, patch, or block issues; it reports findings with remediation guidance. It does not perform active SQL injection or command injection testing, nor does it detect business logic flaws that require deep domain understanding. Blind SSRF and out-of-band interactions are out of scope. For AI feature pre-release gates, it is a complementary control that reduces common API risks but cannot replace manual review or penetration testing for high-stakes scenarios. Use it to surface issues early, then apply human expertise for complex logic checks.