42Crunch for M&A due diligence audit
What middleBrick covers
- Black-box API scanning with no agents or code access
- Risk score A–F with prioritized findings
- OpenAPI 3.0/3.1 and Swagger 2.0 spec analysis
- 12 categories aligned to OWASP API Top 10
- Authenticated scans with header allowlist
- CI/CD integration via GitHub Action
Scope and limitations for M&A due diligence
M&A due diligence requires a fast overview of external attack surface without disrupting production systems. This scanner operates as a black-box service that submits only read-only requests to the target API. It does not execute intrusive payloads such as SQL injection or command injection, and it does not attempt to exploit business logic.
For this workflow, the tool maps findings to OWASP API Top 10 (2023) and surfaces findings relevant to SOC 2 Type II audit evidence. It does not replace a human pentester for high-stakes audits, nor does it detect blind SSRF or guarantee compliance with any regulation.
Organizations should treat this as one input among many, correlating scanner output with architecture reviews and contract analysis. Expect a concise risk profile in under a minute per target, not a deep business logic review.
Authentication and authorization coverage
The scanner evaluates authentication mechanisms and authorization boundaries using common schemes such as Bearer, API key, Basic auth, and Cookie. It checks for JWT misconfigurations including alg=none, weak HS256 keys, expired tokens, missing claims, and sensitive data in claims.
Example authenticated call using the CLI:
middlebrick scan https://api.example.com --auth-type bearer --token YOUR_TOKEN
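The JWT checks listed above (alg=none, weak HS256 keys, expired tokens, missing claims, sensitive data in claims) can be reproduced offline against a captured bearer token. The following is an added example written for this page, not middleBrick's own code: it decodes the token with the standard library only, tries a small constructed wordlist of weak HS256 secrets, and applies an assumed claim policy (sub, iat and exp required). The wordlist, the required-claim set and the sensitive-claim names are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed wordlist for the example; a real check uses a far larger list.
WEAK_SECRETS = ["secret", "password", "changeme", "jwt_secret", "123456"]
REQUIRED_CLAIMS = {"sub", "iat", "exp"}          # assumed policy for this example
SENSITIVE_CLAIMS = {"password", "ssn", "credit_card", "secret", "api_key"}


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload, secret="", alg="HS256"):
    """Mint a demonstration token (alg=none or HS256 only)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if alg == "none":
        return signing_input + "."           # unsigned: empty signature segment
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def analyze_jwt(token, now=None):
    """Return the misconfigurations found in one bearer token, as strings."""
    now = time.time() if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))

    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("alg=none: token carries no signature")
    elif alg == "HS256":
        # Recompute the MAC with each weak candidate and compare in constant time.
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        presented = _b64url_decode(parts[2])
        for guess in WEAK_SECRETS:
            expected = hmac.new(guess.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, presented):
                findings.append(f"weak HS256 key: signature verifies with '{guess}'")
                break

    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired token: exp is in the past")

    claims = set(payload)
    for name in sorted(REQUIRED_CLAIMS - claims):
        findings.append(f"missing claim: {name}")
    for name in sorted(SENSITIVE_CLAIMS & claims):
        findings.append(f"sensitive data in claims: {name}")
    return findings


if __name__ == "__main__":
    weak = make_token({"sub": "u1", "iat": 1700000000, "exp": 1700000600,
                       "password": "hunter2"}, "secret")
    print(analyze_jwt(weak, now=1700001000))
    print(analyze_jwt(make_token({"sub": "u1"}, alg="none")))
```

Only tokens the target actually issued should be fed in; the weak-key loop never contacts the API, so it is safe to run during a read-only due diligence scan.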
OpenAPI spec analysis and runtime correlation
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref references. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination.
This helps teams validate that the published contract matches the live implementation, a common gap during acquisitions. The output highlights deviations such as publicly exposed internal fields or missing rate-limiting declarations that may indicate incomplete hardening.
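The spec-side half of that comparison is shown below as an added example, not the scanner's own implementation. It walks an OpenAPI 3.x document held in memory, follows local $ref pointers while stopping on recursive schemas, and reports operations that reference undefined security schemes, operations with no security at all, deprecated operations, array-returning GETs with no pagination parameter, and sensitive-looking field names in 200 responses. The sample spec, the pagination parameter names and the sensitive-field regex are constructed for the demonstration; Swagger 2.0 documents (definitions/ and schema directly under responses) are not handled here.

```python
import re

PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size", "per_page"}
SENSITIVE_FIELD = re.compile(r"password|ssn|secret|token|credit_card", re.I)
METHODS = {"get", "post", "put", "patch", "delete"}


def resolve_ref(spec, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def collect_fields(spec, schema, seen=None):
    """Property names reachable from a schema; each $ref is expanded once."""
    seen = set() if seen is None else seen
    names = set()
    if not isinstance(schema, dict):
        return names
    if "$ref" in schema:
        if schema["$ref"] in seen:           # recursion, e.g. User.manager -> User
            return names
        seen.add(schema["$ref"])
        return collect_fields(spec, resolve_ref(spec, schema["$ref"]), seen)
    for name, prop in schema.get("properties", {}).items():
        names.add(name)
        names |= collect_fields(spec, prop, seen)
    for key in ("items", "additionalProperties"):
        names |= collect_fields(spec, schema.get(key), seen)
    for combo in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(combo, []):
            names |= collect_fields(spec, sub, seen)
    return names


def analyze_spec(spec):
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")
    report = {"endpoints_analyzed": 0, "undefined_security_schemes": [],
              "unauthenticated": [], "deprecated": [], "missing_pagination": [],
              "sensitive_fields": []}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in METHODS:
                continue
            report["endpoints_analyzed"] += 1
            label = f"{method.upper()} {path}"
            # An operation-level 'security' overrides the document default;
            # an explicit empty list means "no auth".
            security = op.get("security", global_security)
            if not security:
                report["unauthenticated"].append(label)
            else:
                for requirement in security:
                    for scheme in requirement:
                        if scheme not in defined:
                            report["undefined_security_schemes"].append(f"{label} -> {scheme}")
            if op.get("deprecated"):
                report["deprecated"].append(label)
            params = {p.get("name") for p in item.get("parameters", []) + op.get("parameters", [])}
            schema = (op.get("responses", {}).get("200", {}).get("content", {})
                      .get("application/json", {}).get("schema", {}))
            resolved = resolve_ref(spec, schema["$ref"]) if "$ref" in schema else schema
            if method.lower() == "get" and resolved.get("type") == "array" \
                    and not params & PAGINATION_PARAMS:
                report["missing_pagination"].append(path)
            for field in sorted(collect_fields(spec, schema)):
                if SENSITIVE_FIELD.search(field):
                    report["sensitive_fields"].append(f"{label}: {field}")
    return report


# Constructed sample spec: one recursive schema, one undefined scheme, one
# unauthenticated operation and one unpaginated list.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "string"}, "email": {"type": "string"},
            "password_hash": {"type": "string"},
            "manager": {"$ref": "#/components/schemas/User"}}}},
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/v1/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/v1/admin/export": {"get": {"security": [{"legacyApiKey": []}], "deprecated": True,
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/v1/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    print(analyze_spec(SAMPLE_SPEC))
```

The runtime half of the correlation (does the live endpoint actually reject requests lacking the declared scheme, and does the live 200 body contain the undeclared fields) is a separate set of requests; the report above is what those requests are diffed against.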
Sample CLI output snippet:
{"endpoints_analyzed": 128, "undefined_security_schemes": 3, "missing_pagination": ["/v1/users"]}
Security categories detected
The scanner covers 12 categories aligned to OWASP API Top 10, including Input Validation (CORS wildcard with credentials, dangerous HTTP methods, debug endpoints), Data Exposure (PII patterns such as email and context-aware SSN, API key formats for AWS, Stripe, GitHub, Slack), and Encryption (HTTPS redirect, HSTS, cookie flags, mixed content).
It also flags SSRF-prone URL-accepting parameters and body fields with internal IP detection, and inventory issues like missing versioning and server fingerprinting. For LLM/AI-related endpoints, it runs 18 adversarial probes across Quick, Standard, and Deep tiers, testing for system prompt extraction, instruction override, jailbreak patterns, token smuggling, and PII extraction.
No active exploitation is performed; findings come with remediation guidance to help developers triage and fix.
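Several of the header and body checks from the Input Validation, Data Exposure, Encryption and Inventory categories can be expressed as pure functions over a captured response, which is what makes them safe to run read-only. The block below is an added example for this page, not the product's detection code: it takes a URL, the response headers as (name, value) pairs so repeated Set-Cookie headers survive, and the body text. The key prefixes (AKIA for AWS access key IDs, sk_live_ for Stripe, ghp_ for GitHub, xox[abp]- for Slack) are the vendors' published formats; the "context-aware" SSN rule here simply requires "ssn" or "social security" within the preceding 40 characters, an assumption standing in for whatever heuristic the scanner uses. The sample response is constructed.

```python
import re

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_CONTEXT_RE = re.compile(r"ssn|social[_ ]?security", re.I)
VERSION_RE = re.compile(r"\d+\.\d+")


def inspect_response(url, headers, body):
    """Return finding identifiers for one captured HTTP response."""
    findings = []
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)

    def first(name):
        return h.get(name, [""])[0]

    # Input Validation: a wildcard origin is only exploitable for credentialed
    # requests when the server also allows credentials.
    if first("access-control-allow-origin").strip() == "*" \
            and first("access-control-allow-credentials").strip().lower() == "true":
        findings.append("cors_wildcard_with_credentials")
    if "trace" in first("allow").lower().replace(" ", "").split(","):
        findings.append("dangerous_method_trace")

    # Encryption: HSTS on https responses and cookie flags.
    if url.lower().startswith("https://") and "strict-transport-security" not in h:
        findings.append("missing_hsts")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie_missing_secure:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie_missing_httponly:{name}")

    # Inventory: a Server header that leaks a version string.
    if VERSION_RE.search(first("server")):
        findings.append(f"server_fingerprint:{first('server')}")

    # Data Exposure: PII patterns and known key formats in the body.
    if EMAIL_RE.search(body):
        findings.append("pii_email")
    for m in SSN_RE.finditer(body):
        if SSN_CONTEXT_RE.search(body[max(0, m.start() - 40):m.start()]):
            findings.append("pii_ssn_contextual")
            break
    for label, pattern in SECRET_PATTERNS.items():
        if pattern.search(body):
            findings.append(f"secret_{label}")
    return findings


# Constructed sample response exercising every check above.
SAMPLE_URL = "https://api.example.com/v1/users/42"
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Allow", "GET, POST, TRACE"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Secure; HttpOnly; SameSite=Strict"),
    ("Content-Type", "application/json"),
]
SAMPLE_BODY = ('{"email": "jane@example.com", "ssn": "123-45-6789", '
               '"phone": "555-12-3456", "aws_key": "AKIAIOSFODNN7EXAMPLE"}')

if __name__ == "__main__":
    for finding in inspect_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

The phone number in the sample has the same shape as an SSN but no SSN context before it, so a body containing only that value produces no PII finding; that is the difference between a context-aware rule and a bare regex.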
Operational characteristics and integrations
Scan duration is under a minute per target, with read-only methods only. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation; it is never sold or used for model training.
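Two places on this page need the same address classification: the SSRF check that flags URL-accepting parameters pointing at internal IPs, and the scanner's own refusal to target private IPs, localhost and cloud metadata endpoints. The block below is an added example that serves both, written for this page rather than taken from middleBrick. It classifies a URL before any request is made, handles IPv6 literals, IPv4-mapped IPv6, and integer or hex forms of an address (0x7f000001 is 127.0.0.1), and accepts an optional resolver callback so that hostnames can be re-checked against every address they resolve to. The hostname blocklist is an assumption limited to the names the page itself mentions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed blocklist: the metadata hostname and localhost forms named on the page.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def parse_ip_literal(host):
    """Return an ip_address for dotted, IPv6, decimal or hex literals, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))    # "2130706433", "0x7f000001"
    except ValueError:
        return None


def classify_ip(ip):
    """Reason an address must not be contacted, or None if it looks routable."""
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                         # ::ffff:10.0.0.1 -> 10.0.0.1
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:                            # covers 169.254.169.254
        return "link_local_metadata_range"
    if not ip.is_global:                            # RFC 1918, CGNAT, ULA, reserved
        return "private_or_non_global"
    return None


def classify_target(url, resolver=None):
    """Reason the URL is off-limits for the scanner, or None if it may be scanned.

    resolver, if given, maps a hostname to the list of addresses it resolves to;
    every answer is checked, since one routable A record next to one private
    record is the classic rebinding setup.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "unsupported_scheme"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "missing_host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return "blocked_hostname"
    ip = parse_ip_literal(host)
    if ip is not None:
        return classify_ip(ip)
    if resolver is None:
        return None
    for addr in resolver(host):
        reason = classify_ip(ipaddress.ip_address(addr))
        if reason:
            return "resolves_to_" + reason
    return None


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/", "http://0x7f000001/",
                      "http://[::ffff:10.0.0.1]/", "https://api.example.com/v1"):
        print(candidate, "->", classify_target(candidate))
```

This is the pre-request layer only. A scanner that claims blocking "at multiple layers" also has to apply classify_ip at connect time to the address the socket actually uses, because DNS answers can change between the check and the connection.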
The platform integrates into M&A workflows via a Web Dashboard for scanning and tracking score trends, a CLI for scripting assessments, and a GitHub Action to gate CI/CD when scores drop below a threshold. The Pro tier adds continuous monitoring with scheduled rescans, diff detection, email alerts, signed webhooks, and compliance report downloads.