42Crunch for AppSec headcount-gap coverage
What middleBrick covers
- Black-box scanning with no agents or code access required
- Under one minute scan time with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- Authenticated scans with restricted header forwarding
- Continuous monitoring and diff detection across scans
- Multiple integrations including CLI, GitHub Action, and MCP Server
API security scanning without agent or code access
middleBrick is a self-service API security scanner that operates as a black-box solution. You submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. The scanner uses only read-only methods such as GET and HEAD, with text-only POST allowed for LLM probes. It runs in under a minute and requires no agents, SDKs, or code access, making it applicable to any language, framework, or cloud environment.
Detection aligned to OWASP API Top 10 and mapping to compliance frameworks
The scanner evaluates 12 security categories aligned to OWASP API Top 10 (2023). These include authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation through admin endpoint probing, property over-exposure, input validation issues like CORS wildcard usage, rate limiting and oversized responses, data exposure including PII and API key patterns, encryption and HSTS misconfigurations, SSRF against URL-accepting parameters, inventory issues such as missing versioning, and LLM/AI security probes across tiered scan depths. Findings map to OWASP API Top 10, help you prepare for SOC 2 Type II, and validate controls described in PCI-DSS 4.0.
Authenticated scanning and domain verification
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate confirms ownership via DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, limiting exposure during authenticated scans.
Integration options and continuous monitoring
Products include a Web Dashboard for reviewing scans and tracking score trends, a CLI via the middlebrick npm package for local execution, a GitHub Action that can fail builds when scores drop below a threshold, an MCP Server for AI coding assistants, and a programmable API for custom integrations. Pro tier adds continuous monitoring with scheduled rescans every six hours, daily, weekly, or monthly, diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
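A receiver-side check for the HMAC-SHA256 signed webhooks mentioned above, as an added example that is not middleBrick's own code: the header name, the signature encoding (hex HMAC-SHA256 over the raw request body) and the event fields are assumptions, since this page does not document the webhook format.

```python
import hashlib
import hmac
import json

# Constructed values for the example; the real header name, signature
# encoding and event schema are assumptions, not documented on this page.
SIGNATURE_HEADER = "x-middlebrick-signature"   # assumed header name
SECRET = b"example-shared-webhook-secret"       # constructed secret
SAMPLE_BODY = json.dumps({                      # constructed diff event
    "api": "https://api.example.com/v1",
    "previous_score": "B",
    "current_score": "D",
    "new_findings": ["JWT alg=none accepted", "CORS wildcard origin"],
}).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact raw bytes of the request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """True only when the presented signature matches the body HMAC.

    Header lookup is case-insensitive; the comparison is constant-time so
    response timing does not leak the expected MAC byte by byte.
    """
    presented = next((v for k, v in headers.items()
                      if k.lower() == SIGNATURE_HEADER), "")
    return hmac.compare_digest(sign_body(secret, body), presented)


def score_worsened(previous: str, current: str) -> bool:
    """A-to-F scale: a later letter is a worse score."""
    return "ABCDEF".index(current) > "ABCDEF".index(previous)


def handle_event(secret: bytes, body: bytes, headers: dict):
    """Verify first, parse second; return None for unsigned or tampered bodies.

    A receiver should answer rejected deliveries with a 4xx; repeated failures
    also trigger the sender-side auto-disable described above.
    """
    if not verify_webhook(secret, body, headers):
        return None
    event = json.loads(body)
    return {
        "api": event["api"],
        "regressed": score_worsened(event["previous_score"], event["current_score"]),
        "new_findings": len(event["new_findings"]),
    }
```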
Limitations and scope boundaries
middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities, blind SSRF relying on out-of-band infrastructure, and certain infrastructure fingerprinting are not detected. The tool is designed to complement, not replace, human-led testing for high-stakes audits.
Pricing and data handling
The Free tier offers three scans per month with CLI access. Starter, at 99 dollars per month, supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. Pro, at 499 dollars per month, covers 100 APIs with additional APIs billed separately, continuous monitoring, CI/CD integration, Slack or Teams alerts, compliance reports, and signed webhooks. Enterprise, at 2000 dollars per month, provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support. Scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training.