42Crunch for Microservice mesh boundary audit
What middleBrick covers
- Black-box API scanning without agents or code access
- Mapping findings to OWASP API Top 10, SOC 2, and PCI-DSS
- Detection of authentication, authorization, and data exposure issues
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- LLM adversarial probe testing for AI security risks
- CI/CD integration via GitHub Action and MCP Server support
Scope and limitations for mesh boundary audits
A mesh boundary audit requires visibility into ingress and egress paths, policy enforcement points, and runtime behavior between services. This scanner is a black-box tool that submits read-only requests to an API surface and analyzes responses. It does not inspect service meshes, sidecars, or network policies, and it cannot validate mutual TLS or traffic routing configurations. For a mesh boundary audit, use it as a surface-level indicator of exposure, not as a replacement for mesh instrumentation or architecture review.
Mapping to compliance frameworks
The scanner maps findings to the OWASP API Top 10 (2023) and to PCI-DSS 4.0, and produces audit evidence for SOC 2 Type II. It does not claim compliance with any other framework. For regulations such as HIPAA, GDPR, ISO 27001, NIST, CCPA, or DORA, the tool may help you prepare for audits by surfacing findings relevant to the security controls those frameworks describe, but it does not ensure or certify compliance. Use the output to inform risk assessments rather than as an audit sign-off.
Detection coverage aligned to API risks
The scanner detects issues across twelve categories aligned to OWASP API Top 10. It identifies authentication bypasses and JWT misconfigurations such as alg=none or expired tokens. It probes for BOLA and IDOR via sequential ID enumeration and active adjacent-ID checks. It tests for BFLA and privilege escalation by attempting admin endpoints and observing role leakage. Other checks include CORS wildcard usage, unsafe HTTP methods, rate-limit header visibility, PII and API key exposure, missing versioning, and unsafe third-party webhook surfaces. For LLM-facing APIs, it runs 18 adversarial probes across Quick, Standard, and Deep tiers to test for prompt injection, jailbreak, data exfiltration, and token smuggling scenarios.
OpenAPI analysis and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution and cross-references spec definitions against runtime behavior. It can highlight undefined security schemes, deprecated operations, and missing pagination that may contribute to over-exposure. Authenticated scanning supports Bearer, API key, Basic auth, and cookies. Access requires domain verification via DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. Only a limited set of headers is forwarded to reduce noise and limit side effects.
Operational characteristics and constraints
Each scan completes in under a minute using read-only methods, with no agents, SDKs, or code access required. The tool blocks private IPs, localhost, and cloud metadata endpoints at multiple layers and never sends destructive payloads. It does not perform active SQL injection or command injection tests, nor does it detect blind SSRF without out-of-band infrastructure. Business logic vulnerabilities require human expertise and are outside the scope of automated checks. The scanner reports what it observes and provides remediation guidance but does not fix, patch, or block anything.
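The layered target check described above (refusing to probe private ranges, localhost and cloud metadata endpoints) can be illustrated with an added example; this is not middleBrick's own code, and the blocked-network list, the hostname denylist and the injectable `resolve` callback are assumptions made for the example. The hostname, any IP literal (including IPv4-mapped IPv6 forms) and every DNS answer are checked, so a name that resolves to an internal address is refused before any request is sent.

```python
"""Multi-layer scan-target guard (example code, not middleBrick's implementation)."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

# Ranges a black-box scanner should never be pointed at (assumed list).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
# Layer 1: hostnames refused outright (constructed denylist for this example).
BLOCKED_HOSTS = {"localhost", "metadata", "metadata.google.internal"}


def ip_is_blocked(addr: str) -> bool:
    """Layer 2: IP literal check; unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer, since any one of them may be internal."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_target(url: str,
                 resolve: Callable[[str], Iterable[str]] = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Re-run this on every redirect Location as well."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        return (False, f"blocked address {host}") if ip_is_blocked(host) else (True, "ok")
    except ValueError:
        pass  # not an IP literal; shorthand forms such as 127.1 fall through to layer 3
    try:
        addrs = list(resolve(host))  # Layer 3: check every resolved address
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if ip_is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```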