42Crunch for Government

What middleBrick covers

  • Black-box scanning without agents or code access
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
  • Authenticated scanning with strict header allowlist
  • Continuous monitoring and diff detection

Black-box API Security Scanning

The tool operates as a black-box scanner. You submit an API endpoint, and it returns a risk score from A to F along with prioritized findings. It does not require agents, code access, SDKs, or build artifacts, and works with any language, framework, or cloud environment. Scans complete in under a minute using read-only methods such as GET and HEAD, with text-only POST support for LLM probes.

Detection Coverage and Compliance Alignment

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations, BOLA and IDOR, BFLA and privilege escalation, property authorization, input validation, rate limiting, data exposure, encryption issues, SSRF, inventory management, and unsafe consumption. It also covers LLM / AI Security through 18 adversarial probes across Quick, Standard, and Deep scan tiers, addressing system prompt extraction, instruction override, jailbreaks, data exfiltration, and token smuggling.

For regulated environments, the findings map directly to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other controls, it helps you prepare audit evidence about security practices and surfaces findings relevant to broader regulatory alignment.

OpenAPI Analysis and Authenticated Scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref references, and cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.

Product Integrations and Continuous Monitoring

The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action provides CI/CD gating, failing builds when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants such as Claude and Cursor.

Pro tier includes continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to highlight new findings, resolved issues, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can be configured with auto-disable after five consecutive failures.

Limitations and Safety Posture

The tool does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. It also does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace human pentesters for high-stakes audits.

Safety measures include read-only scanning with no destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.

Frequently Asked Questions

Which frameworks does the scanner map findings to?
It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Can authenticated scans be performed?
Yes, authenticated scanning is supported from the Starter tier, using Bearer, API key, Basic auth, or cookies after domain verification.
What is the maximum scan duration?
Scans complete in under one minute, using read-only methods to minimize impact.
Does the tool perform active exploitation such as SQL injection?
No, it does not perform active SQL injection or command injection testing.
How is scan data handled after cancellation?
Customer data can be deleted on demand and is purged within 30 days of cancellation.