42Crunch for Auditor-requested API inventory

What middleBrick covers

  • Black-box API scanning with risk scoring and prioritized findings
  • Coverage of OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive $ref resolution
  • Authenticated scanning with header allowlist and domain verification
  • Web dashboard, CLI, and GitHub Action integration options
  • Pro tier continuous monitoring with diff detection and webhooks

API Inventory From an Auditor Perspective

Auditors require a reliable, repeatable inventory of APIs and their security posture. The scanner supports this workflow by ingesting a target URL and returning a risk score with prioritized findings. Black-box scanning means there is no dependency on language, framework, or cloud provider, making it suitable for heterogeneous environments where centralized agents are impractical.

Coverage of Standards and Frameworks

The scanner maps findings to three frameworks commonly referenced in audit contexts: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For regulations outside that set there is no control-by-control mapping; the findings and reports are usable as audit evidence, but the tool makes no claim of certification or compliance with any specific regulation. Detection covers authentication bypass, JWT misconfigurations such as tokens with alg=none being accepted, missing or weak security headers, authorization flaws such as BOLA and BFLA, input validation checks, data exposure patterns including PII and API key formats in responses, and SSRF probes.

OpenAPI Specification Analysis

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving $ref references recursively. It checks the document itself for undefined security schemes, sensitive fields in response schemas, deprecated operations, and list endpoints without pagination, and compares the document against observed runtime behavior. This lets auditors see where the intended design and the deployed implementation diverge, and surfaces endpoints that a manual review based on the specification alone would miss.
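The following is an added illustration of the specification analysis described above, not middleBrick's own code. It inlines local $ref pointers (with a cycle guard, since self-referencing schemas are common), then runs four of the listed checks over the resolved document: undefined security schemes, deprecated operations, list-returning GETs with no pagination parameter, and sensitive field names in response schemas. SAMPLE_SPEC is constructed for the example; the pagination parameter names and sensitive field names are assumptions.

```python
"""Inline local $ref pointers in an OpenAPI 3.x document, then run a few
spec-level checks over the resolved result.

Added illustration, not middleBrick's code. SAMPLE_SPEC is constructed;
PAGINATION_PARAMS and SENSITIVE_FIELDS are assumed heuristics.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}  # assumed
SENSITIVE_FIELDS = {"password", "password_hash", "ssn", "secret", "api_key", "token"}  # assumed


def lookup_pointer(doc, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc):
    """Return a copy of doc with every local $ref inlined. A $ref already being
    expanded on the current path is a cycle: it is kept and tagged 'x-cyclic'
    instead of recursing forever."""
    def walk(node, on_path):
        if isinstance(node, dict):
            if "$ref" in node:
                ref = node["$ref"]
                if ref in on_path:
                    return {"$ref": ref, "x-cyclic": True}
                return walk(lookup_pointer(doc, ref), on_path | {ref})
            return {k: walk(v, on_path) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, on_path) for v in node]
        return node
    return walk(doc, frozenset())


def response_schemas(op):
    """Yield every response body schema of an operation."""
    for resp in op.get("responses", {}).values():
        for media in (resp.get("content") or {}).values():
            if media.get("schema"):
                yield media["schema"]


def sensitive_fields(schema, found=None):
    """Collect property names in a resolved schema tree that look sensitive."""
    found = [] if found is None else found
    if isinstance(schema, dict):
        for name, sub in (schema.get("properties") or {}).items():
            if name.lower() in SENSITIVE_FIELDS:
                found.append(name)
            sensitive_fields(sub, found)
        if "items" in schema:
            sensitive_fields(schema["items"], found)
    return found


def audit_spec(doc):
    """Return (check, METHOD, path, detail) tuples for the resolved document."""
    resolved = resolve_refs(doc)
    defined = set((doc.get("components") or {}).get("securitySchemes") or {})
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level security overrides the document-level default.
            for requirement in op.get("security", doc.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-security-scheme", method.upper(), path, scheme))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", method.upper(), path, None))
            params = {p.get("name") for p in item.get("parameters", []) + op.get("parameters", [])}
            schemas = list(response_schemas(op))
            if method == "get" and any(s.get("type") == "array" for s in schemas) \
                    and not params & PAGINATION_PARAMS:
                findings.append(("missing-pagination", "GET", path, None))
            for schema in schemas:
                for name in sensitive_fields(schema):
                    findings.append(("sensitive-field", method.upper(), path, name))
    return findings


# Constructed document: a self-referencing User schema, a list endpoint with no
# pagination, and a deprecated admin endpoint that names an undefined scheme.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "constructed", "version": "1"},
    "security": [{"apiKey": []}],
    "components": {
        "securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "password_hash": {"type": "string"},
            "manager": {"$ref": "#/components/schemas/User"}}}},
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/admin/export": {"get": {
            "security": [{"oauth2": ["read"]}], "deprecated": True,
            "parameters": [{"name": "limit", "in": "query"}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"type": "array", "items": {"type": "string"}}}}}}}},
    },
}

if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(finding)
```

Only local pointers are handled; a production resolver also needs remote and file refs, and the cycle tag is what keeps a schema like User.manager: User from turning the walk into infinite recursion.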

Authenticated Scanning and Safety Controls

Authenticated scanning is available in the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification through a DNS TXT record or an HTTP well-known file ensures that only the domain owner can scan with credentials, so the service cannot be pointed at a third party's API with stolen tokens. The scanner issues only read-only HTTP methods and blocks, at the network level, requests to private IP ranges, localhost, and cloud metadata endpoints, so a scan cannot be turned into an SSRF pivot into internal infrastructure. In practice, the credentials handed to any scanner should belong to a dedicated least-privilege test identity rather than a production user. Customer data can be deleted on demand and is purged within 30 days of cancellation.
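The safety controls above, written out as the pre-flight check a credentialed scanner runs before sending anything. This is an added example and not middleBrick's code: DNS resolution and the TXT/well-known lookups are injected callables backed by constructed tables so it runs offline, and the `apiscan-verify=` token format, the well-known path, the read-only method set and the https-only rule are assumptions about the policy rather than documented behaviour. It goes slightly beyond the text in two places a practitioner would want covered: every resolved address is checked, so a name that returns one public and one internal address is refused outright, and IPv4-mapped IPv6 literals such as `::ffff:127.0.0.1` are unwrapped before the private-range test.

```python
"""Pre-flight checks for a credentialed API scan: public-only resolution,
read-only method, and proof of domain ownership.

Added example, not middleBrick's code. Lookups are injected callables over
constructed tables; token format, well-known path and policy sets are assumed.
"""
import ipaddress
from urllib.parse import urlsplit

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}                                  # assumed policy
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}   # assumed list
VERIFY_PATH = "/.well-known/apiscan-verify.txt"                                  # assumed path


def is_public_address(text):
    """True only for addresses a scanner may legitimately reach from the internet."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 must not bypass the check
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def domain_verified(domain, token, txt_lookup, fetch):
    """Ownership proof: TXT record 'apiscan-verify=<token>' or the token in the well-known file."""
    if f"apiscan-verify={token}" in txt_lookup(domain):
        return True
    body = fetch(domain, VERIFY_PATH)
    return body is not None and body.strip() == token


def preflight(url, method, token, resolve, txt_lookup, fetch):
    """Return (allowed, reason). Every resolved address must be public."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, "credentials are only sent over https"   # assumed policy
    if method.upper() not in READ_ONLY_METHODS:
        return False, f"{method.upper()} is not a read-only method"
    if host in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        addrs = [str(ipaddress.ip_address(host))]               # IP literal: no DNS involved
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    if not domain_verified(host, token, txt_lookup, fetch):
        return False, f"ownership of {host} not verified"
    return True, "ok"


# Constructed lookup tables standing in for real DNS and HTTP.
CONSTRUCTED_DNS = {
    "api.example.com": ["8.8.8.8"],                  # constructed mapping to a public address
    "docs.example.com": ["8.8.8.8"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["8.8.8.8", "127.0.0.1"],  # mixed answers: refused as a whole
    "imds.example.com": ["169.254.169.254"],
}
CONSTRUCTED_TXT = {"api.example.com": ["v=spf1 -all", "apiscan-verify=tok-123"]}
CONSTRUCTED_WELL_KNOWN = {("docs.example.com", VERIFY_PATH): "tok-123\n"}


def check(url, method="GET", token="tok-123"):
    """preflight() wired to the constructed tables."""
    return preflight(url, method, token,
                     resolve=lambda h: CONSTRUCTED_DNS.get(h, []),
                     txt_lookup=lambda d: CONSTRUCTED_TXT.get(d, []),
                     fetch=lambda d, p: CONSTRUCTED_WELL_KNOWN.get((d, p)))


if __name__ == "__main__":
    for url, method in [("https://api.example.com/v1/users", "GET"),
                        ("https://api.example.com/v1/users", "DELETE"),
                        ("https://internal.example.com/", "GET"),
                        ("https://rebind.example.com/", "GET"),
                        ("https://imds.example.com/", "GET"),
                        ("https://[::ffff:127.0.0.1]/", "GET")]:
        print(method, url, check(url, method))
```

A check at resolve time is not enough on its own: a DNS rebinding target can answer with a public address here and a private one when the HTTP client connects. The robust pattern is to connect to the address that passed the check and send the hostname in the Host/SNI fields, rather than letting the client resolve the name a second time.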

Delivery Formats and Continuous Monitoring

Results are delivered through a web dashboard with score trends, branded compliance PDFs, and detailed finding reports. The CLI provides JSON and text output for integration into scripts, and a GitHub Action can fail a CI/CD pipeline when the score drops below a configured threshold. The Pro tier adds scheduled rescans, diff detection across runs, HMAC-SHA256 signed webhooks, and alert rate limiting; a webhook receiver should verify that signature before acting on a payload, since an unauthenticated endpoint that accepts scan results could otherwise be fed fabricated ones. The tool detects issues and provides remediation guidance; it does not perform active exploitation or patch code, and it does not replace a human pentester for high-stakes audits.
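An added example, not middleBrick's code, of the receiving side of the signed-webhook and CI-gating workflow described above. The header names, the `<timestamp>.<body>` signing string and the five-minute replay window are assumptions about the wire format (the vendor's documentation is authoritative for the real one); the shared secret and the scan event are constructed. It shows the three things that matter on the receiver: verify over the raw bytes before parsing JSON, compare in constant time, and reject stale deliveries, then gate on both the score threshold and on new findings from the run-to-run diff.

```python
"""Receiver-side verification of an HMAC-SHA256 signed webhook, followed by
the score/diff gate a CI job applies to the verified payload.

Added example, not middleBrick's code. Header names, signing string and
replay window are assumed; SECRET and EVENT are constructed.
"""
import hashlib
import hmac
import json
import time

REPLAY_WINDOW_SECONDS = 300   # assumed


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp and raw body, so a replayed body with a
    fresh timestamp, or a fresh body with an old signature, both fail."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, now=None):
    """Return (ok, reason). Constant-time compare; stale deliveries rejected."""
    now = time.time() if now is None else now
    ts = headers.get("X-Signature-Timestamp", "")
    sig = headers.get("X-Signature-256", "")
    if not ts.isdigit():
        return False, "missing or malformed timestamp"
    if abs(now - int(ts)) > REPLAY_WINDOW_SECONDS:
        return False, "stale delivery"
    if sig.startswith("sha256="):
        sig = sig[len("sha256="):]
    if not hmac.compare_digest(sign(secret, ts, body), sig):
        return False, "bad signature"
    return True, "ok"


def gate(payload, min_score, fail_on=("critical",)):
    """CI decision: fail when the score is below threshold or the diff against
    the previous run introduced a finding at a blocked severity."""
    reasons = []
    if payload["score"] < min_score:
        reasons.append(f"score {payload['score']} below threshold {min_score}")
    new_blocked = [f for f in payload.get("findings", [])
                   if f.get("new") and f["severity"] in fail_on]
    if new_blocked:
        reasons.append(f"{len(new_blocked)} new {'/'.join(fail_on)} finding(s)")
    return not reasons, reasons


# Constructed scan event and shared secret.
SECRET = b"constructed-shared-secret"
EVENT = {
    "event": "scan.completed",
    "target": "https://api.example.com",
    "score": 72,
    "findings": [
        {"severity": "critical", "title": "JWT with alg=none accepted", "new": True},
        {"severity": "medium", "title": "Missing Strict-Transport-Security header", "new": False},
    ],
}


def make_delivery(secret, event, timestamp):
    """What the sender emits: raw body plus the two signature headers."""
    body = json.dumps(event).encode()
    headers = {"X-Signature-Timestamp": str(timestamp),
               "X-Signature-256": "sha256=" + sign(secret, str(timestamp), body)}
    return headers, body


def handle(secret, headers, body, min_score, now=None):
    """Full receiver path: verify, then parse, then gate. Returns (passed, reasons)."""
    ok, reason = verify_webhook(secret, headers, body, now)
    if not ok:
        return False, [f"rejected: {reason}"]
    return gate(json.loads(body), min_score)


if __name__ == "__main__":
    hdrs, raw = make_delivery(SECRET, EVENT, int(time.time()))
    print(handle(SECRET, hdrs, raw, min_score=80))
```

Verifying before `json.loads` matters: parsing an unauthenticated body hands an attacker the JSON parser as an attack surface, and re-serialising the parsed object to check the signature breaks on whitespace and key-order differences.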

Frequently Asked Questions

Can the scanner replace a human pentester for audit-level assessments?
No. The tool is designed to detect and report issues with remediation guidance; it does not send intrusive payloads, exploit what it finds, or evaluate business logic. A human pentester remains necessary for high-stakes audits.
Does the scanner support authenticated scans for API inventory workflows?
Yes, Bearer, API key, Basic auth, and cookie authentication are supported. Domain ownership must be verified before credentials are accepted.
How are compliance mappings handled for regulations not listed in the core frameworks?
For frameworks outside the mapped set, the tool surfaces findings relevant to audit evidence and helps prepare documentation. It does not claim certification or compliance with specific regulations.
What happens to scan data after account cancellation?
Customer scan data is deletable on demand and is permanently purged within 30 days of cancellation. Data is never sold or used for model training.